virus programs blocking chunk

Simple, Free, Open Source UltraVNC Wrapper Supporting Windows and Mac OSX
exclusivebiz
Posts: 8
Joined: 2011-02-04 02:06

virus programs blocking chunk

Post by exclusivebiz »

There seem to be some new virus definitions that are blocking ChunkVNC.
It has been working great until this week.
I have ChunkVNC 3.2 in a Linux repeater environment.
My clients have had to disable their antivirus programs in order for this to work. Is anyone experiencing the same? Thanks for your time.
Last edited by exclusivebiz on 2011-03-30 21:51, edited 2 times in total.
supercoe
Posts: 1732
Joined: 2009-07-20 21:27
Location: Walker, MN

Re: virus programs blocking chunck

Post by supercoe »

What antivirus program are they using?
Usually there isn't much you can do besides add InstantSupport as an exception or contact the virus scanner company about a false detection.
http://www.chunkvnc.com - ChunkVNC - Free PC Remote control with the Open Source UltraVNC wrapper InstantSupport!
exclusivebiz
Posts: 8
Joined: 2011-02-04 02:06

Re: virus programs blocking chunck

Post by exclusivebiz »

Thanks for the quick reply. It's AVG right now and I will look into whether there are others. It just started this past week. It was fine with AVG previously.
supercoe
Posts: 1732
Joined: 2009-07-20 21:27
Location: Walker, MN

Re: virus programs blocking chunck

Post by supercoe »

AVG 2011 was a problem for other users a few months ago as well, here is a fix that worked for them.
After some trial and error, I think I found the problem (or a way to avoid it at least).

In the file InstantSupport.au3 replace

FileCopy( @ScriptFullPath, $WorkingPath & "\InstantSupport.exe", 9 )

with

FileCopy( @ScriptDir & "\" & @ScriptName, $WorkingPath & "\InstantSupport.exe", 9 )

This avoids some AVG signature detection, replacing a few bytes in the executable.
From thread: [topic=27023][/topic]
exclusivebiz
Posts: 8
Joined: 2011-02-04 02:06

Re: virus programs blocking chunck

Post by exclusivebiz »

Thank you for the link. I remember those posts and actually modified the code back then. I checked the code again now and it's the correct one.

I will try to gather some more details on which other AV software and versions.
exclusivebiz
Posts: 8
Joined: 2011-02-04 02:06

Re: virus programs blocking chunk

Post by exclusivebiz »

This is from McAfee


Trojan detected

McAfee has detected an infected item in a shared folder on your network. To remove the threat, right-click the folder, change its properties to allow full access, and then click Scan.

About this Trojan

Detected Artemis!04972A5F0742 (Trojan)

Quarantined From: \Device\HarddiskVolumeShadowCopy9\Users\Jim\Downloads\remote (1).exe

We cannot remove a Trojan while the infected file is in a shared folder on your network. Allowing full access to the folder frees up the infected file allowing McAfee to fix the issue.



Then AVG:

Threat was Blocked!
File name: remote.exe
Virus identified Worm/Autoit.AMXK
supercoe
Posts: 1732
Joined: 2009-07-20 21:27
Location: Walker, MN

Re: virus programs blocking chunk

Post by supercoe »

False detections, this happens a lot with programs created in AutoIT.
exclusivebiz
Posts: 8
Joined: 2011-02-04 02:06

Re: virus programs blocking chunk

Post by exclusivebiz »

That I understand; the question is why didn't it happen 2-3 months earlier, when it was used with no problem. Suddenly now AVG and McAfee decided to make it a virus.
exclusivebiz
Posts: 8
Joined: 2011-02-04 02:06

Re: virus programs blocking chunk

Post by exclusivebiz »

I have just updated AutoIT and tested with VirusTotal.
It seems that some entries have been eliminated; AVG and McAfee don't detect it as a virus anymore. So perhaps AutoIT was the issue.
Netzvamp
Posts: 9
Joined: 2011-04-06 15:20

Re: virus programs blocking chunk

Post by Netzvamp »

I've changed some things to get our Remotesupporttool running on machines with Kaspersky Internet Security in ChunkVNC 3.2.

1. I've changed the extraction directory at line 44 to

Global $WorkingPath = @AppDataDir & "\MyCompany-Instantsupport"

(Replace MyCompany with your company ;) )
That helped a lot, because the previous directory, with a random name and in the temp folder, got Kaspersky to think it's malware (user rating 0,5, that's bad ;) ). And without that change there was no way to set the exe file as a trusted program, because every time the trusted VNC exe was in another place.
That change switched the Kaspersky rating from malware to an automatically trusted program (user rating of 4,5, a very trusted program), so the user has nothing to do, it just works :) It looks like Kaspersky is not against UltraVNC, it's against a potential malware path like the temp path with a remote admin tool inside.

2. I've removed the automatic removal of the VNC files after the end of the remote exe. That was helpful, because I like to just manually add a shortcut to the Instantsupport.exe on the desktop. I've added on line 407 (first line under "Func _DeleteSelf( $Path, $iDelay = 5 )")

$DeleteFiles = False

The second change is optional, but I think the first change is very helpful against false detection. If there were an input field in the compiler.exe for the "MyCompany" part of the path, it should be no problem to use AppData for extraction ...

EDIT: All changes in "src/InstantSupport.au3", if you like to repeat it ^^
Last edited by Netzvamp on 2011-04-06 15:53, edited 2 times in total.
B
Posts: 2338
Joined: 2009-09-09 14:05

Re: virus programs blocking chunk

Post by B »

Sounds like good work, Netzvamp! Thanks. I wonder if Kaspersky would mind if the directory name were auto-incrementing instead of random, like "ChunkInstall1" and "ChunkInstall2".

I'm not on board with the step 2, because it goes against Chunk's in-and-out-and-gone-unless-you-install-the-service philosophy.
Netzvamp
Posts: 9
Joined: 2011-04-06 15:20

Re: virus programs blocking chunk

Post by Netzvamp »

B wrote: Sounds like good work, Netzvamp! Thanks. I wonder if Kaspersky would mind if the directory name were auto-incrementing instead of random, like "ChunkInstall1" and "ChunkInstall2".

I'm not on board with the step 2, because it goes against Chunk's in-and-out-and-gone-unless-you-install-the-service philosophy.

That with the auto-increment folder names should be no problem. The main reason for the false detection is the temp folder. From the view of a heuristic it's right: a vnc.exe extracted from another exe starts in a temp path, and that clearly looks like a trojan :D
Step 2 is only for me, if you don't like it, you don't need it ;)
B
Posts: 2338
Joined: 2009-09-09 14:05

Re: virus programs blocking chunk

Post by B »

Well, that's not true -- you could say that about ANY installer that wrote programs to anywhere but Program Files.

The real trojans have no problem writing to non-%TMP% directories -- in fact I've never found one there, but plenty in IE cache directories and user AppData folders and Windows subdirectories. So I hear you, but it's still not terrifically smart on KAV's part (and yet they're among the best at this).
Netzvamp
Posts: 9
Joined: 2011-04-06 15:20

Re: virus programs blocking chunk

Post by Netzvamp »

B wrote: Well, that's not true -- you could say that about ANY installer that wrote programs to anywhere but Program Files.

There aren't many installers that use AutoIt to extract and start a winvnc.exe in the temp folder, it's just a bad combination for Kaspersky :roll: I also don't like that behavior from Kaspersky, it's just wrong :P

The trojan discussion is a bit outside of the topic, but you're right, most of the malware runs from the temporary internet files ...
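
The path-based reasoning in the posts above, sketched as a toy scoring rule. This is an added example, not part of the thread and not Kaspersky's actual logic; the weights, the random-name test and the sample paths are constructed assumptions.

```python
import re

# Assumption: binaries treated as remote-admin tools; winvnc.exe is the one named in the thread.
REMOTE_ADMIN = {"winvnc.exe"}

def split_path(path):
    """Split a Windows path into lower-cased components."""
    return [p.lower() for p in re.split(r"[\\/]+", path) if p]

def looks_random(name):
    """Crude test: three or more letter<->digit switches, e.g. 'k3x9q7zt2m'."""
    kinds = ["d" if c.isdigit() else "a" for c in name if c.isalnum()]
    switches = sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)
    return switches >= 3

def score(image_path):
    """Return (score, reasons) for one process-creation image path."""
    parts = split_path(image_path)
    if not parts or parts[-1] not in REMOTE_ADMIN:
        return 0, []
    reasons, total = [], 0
    if "temp" in parts or "tmp" in parts:
        total += 2
        reasons.append("remote-admin binary under a temp directory")
    if len(parts) >= 2 and looks_random(parts[-2]):
        total += 1
        reasons.append("parent directory name looks random")
    return total, reasons

def verdict(image_path, threshold=2):
    """'flag' when the score reaches the (assumed) threshold, else 'allow'."""
    return "flag" if score(image_path)[0] >= threshold else "allow"

# Constructed sample paths (not taken from the thread).
SAMPLES = [
    r"C:\Users\user\AppData\Local\Temp\k3x9q7zt2m\winvnc.exe",
    r"C:\Users\user\AppData\Local\Temp\ChunkInstall1\winvnc.exe",
    r"C:\Users\user\AppData\Roaming\MyCompany-Instantsupport\winvnc.exe",
    r"C:\Users\user\AppData\Local\Temp\k3x9q7zt2m\setup.exe",
]

if __name__ == "__main__":
    for p in SAMPLES:
        s, why = score(p)
        print(f"{verdict(p):5} score={s} {p} {'; '.join(why)}")
```

Under this rule an auto-incrementing name such as ChunkInstall1 is still flagged, because the temp directory alone reaches the threshold, while any winvnc.exe under AppData passes, which is the weakness B points out. Path is best treated as one signal alongside file hash or signer.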