Author Topic: False positive of Naomi filter

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
False positive of Naomi filter
« on: October 20, 2007, 06:53:22 PM »
For sure a false positive. I sent this to you a long time ago. This is an Internet filter software. Please correct the detection. I've sent the file twice to you. One more than one month ago...

http://www.radiance.m6.net/

At least, the Portuguese (Brazilian) version is being detected as having Win32: Trojan-gen{Other}

The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: False positive of Naomi filter
« Reply #1 on: October 20, 2007, 07:59:16 PM »
Most strange as this has been around for some time and DrWeb doesn't find anything in the English setup file.

I hope what Maxx_original said about filtering submissions from the chest (which I already thought was happening) will get more prompt action as they are on people's systems, especially when they are False Positives.

It would be nice if we could submit a URL to VT or Jotti for scanning instead of having to upload it.

OK I paused the web shield and downloaded setup-en.exe from the URL you gave and no detection by ashQuick.exe (all my downloads are scanned) and detection by Standard Shield. So this doesn't seem to be a problem with the English installation file.

What is the exact file it is alerting on?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive of Naomi filter
« Reply #2 on: October 20, 2007, 08:15:37 PM »
I'll post the VirusTotal result later...
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive of Naomi filter
« Reply #3 on: October 20, 2007, 08:21:02 PM »
I've tried to download it and avast caught it again...
http:  //  www . radiance . m6 . net  /  setup-br.exe (the link for it).
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive of Naomi filter
« Reply #4 on: October 20, 2007, 08:30:24 PM »
File Naomi_3.2.90_Br.exe received on 10.20.2007 20:14:35 (CET)
Result: 15/32 (46.88%)

Antivirus    Version    Last Update    Result
AntiVir   7.6.0.27   2007.10.20   DR/Agent.ajz
Authentium   4.93.8   2007.10.19   is a security risk or a "backdoor" program
Avast   4.7.1051.0   2007.10.19   Win32:Trojan-gen {Other}
BitDefender   7.2   2007.10.20   Trojan.Agent.AWZ
eSafe   7.0.15.0   2007.10.15   Win32.Agent.ajz
Fortinet   3.11.0.0   2007.10.19   W32/Agent.AJZ!tr
F-Prot   4.3.2.48   2007.10.19   W32/Malware!bfa3
F-Secure   6.70.13030.0   2007.10.19   Trojan.Win32.Agent.ajz
Ikarus   T3.1.1.12   2007.10.20   Trojan.Win32.Agent.ajz
Kaspersky   7.0.0.125   2007.10.20   Trojan.Win32.Agent.ajz
Panda   9.0.0.4   2007.10.20   Trj/Downloader.MDW
Rising   19.45.52.00   2007.10.20   Trojan.Win32.Agent.ajz
Sophos   4.22.0   2007.10.20   Mal/Generic-A
VBA32   3.12.2.4   2007.10.19   Trojan.Win32.Agent.ajz
VirusBuster   4.3.26:9   2007.10.20   -
Webwasher-Gateway   6.6.1   2007.10.19   Trojan.Agent.ajz

Additional information
File size: 1434947 bytes
MD5: 765a23907ae8a8752618526865158e1c
SHA1: 596bfbc9390b7e2d6e24fa16b8bc4769a5ed98dc
packers: Yoda, ASPack, ASPack, ASPack, ASPack

Do not detect it as infected:
Antivirus     Version     Last Update     Result
AhnLab-V3   2007.10.20.0   2007.10.19   -
AVG   7.5.0.488   2007.10.20   -
CAT-QuickHeal   9.00   2007.10.20   -
ClamAV   0.91.2   2007.10.20   -
DrWeb   4.44.0.09170   2007.10.20   -
eTrust-Vet   31.2.5225   2007.10.20   -
Ewido   4.0   2007.10.20   -
FileAdvisor   1   2007.10.20   -
McAfee   5145   2007.10.19   -
Microsoft   1.2908   2007.10.20   -
NOD32v2   2604   2007.10.19   -
Norman   5.80.02   2007.10.19   -
Prevx1   V2   2007.10.20   -
Sunbelt   2.2.907.0   2007.10.20   -
Symantec   10   2007.10.20   -
TheHacker   6.2.9.101   2007.10.20   -
VirusBuster   4.3.26:9   2007.10.20   -

I'm sure it's a false positive...
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: False positive of Naomi filter
« Reply #5 on: October 20, 2007, 08:38:04 PM »
I'm sure you are right, but it seems no one likes that particular file.  :-\  ???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: False positive of Naomi filter
« Reply #6 on: October 20, 2007, 09:18:59 PM »
I too would think it is an FP; however, there is most certainly something that they don't like in that file. The strange thing is such a wide range of names, that could be a different type of trojan infection, malware, backdoor, agent, downloader, weird.

I would suggest a message to Naomi (if you haven't already) to see if they are aware of it and if there is anything that differs from the other language versions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive of Naomi filter
« Reply #7 on: October 20, 2007, 10:26:49 PM »
The developer stopped his work due to lack of budget and financial support.
They tried to buy and make Naomi shareware. He resisted bravely.
I'll try to find a way to say this to him.
« Last Edit: October 20, 2007, 10:30:03 PM by Tech »
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: False positive of Naomi filter
« Reply #8 on: October 20, 2007, 11:06:00 PM »
Which makes it even more strange: if there has been no development since 2006, then nothing should have changed.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive of Naomi filter
« Reply #9 on: October 22, 2007, 10:52:27 PM »
False positive not corrected (yet).
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive of Naomi filter
« Reply #10 on: November 19, 2007, 03:19:57 PM »
One month later and the false positive was not yet corrected.  >:(


Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: Naomi 3.2.90 Br.exe
FileID: 8
Virus Description: Win32:Trojan-gen {Other}
The best things in life are free.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: False positive of Naomi filter
« Reply #11 on: November 19, 2007, 05:00:37 PM »
ooh, sorry for this overlooked one... I'm quite busy in the last few weeks :-\

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive of Naomi filter
« Reply #12 on: November 19, 2007, 06:34:51 PM »
Quote from: Maxx_original
"ooh, sorry for this overlooked one... I'm quite busy in the last few weeks :-\"
You must have some more good boys working with you... what about hiring more ???
The best things in life are free.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: False positive of Naomi filter
« Reply #13 on: November 20, 2007, 11:19:49 AM »
Tech: we already did it, but he must get more experience first..

Offline misak

  • Moderator
  • Sr. Member
  • *
  • Posts: 234
    • Personal page (CZE)
Re: False positive of Naomi filter
« Reply #14 on: November 20, 2007, 12:08:07 PM »
All language mutations of Naomi filter were added to our "clean set". A false positive alert was found in file naomf.exe in these setup files: setup-br.exe, setup-tr.exe.
The FP alert will be corrected in the next VPS update.