On Tuesday 23 Jul 2013 16:56:03 Rom. wrote:
> AV's are capable of reading inside zip (and probably other common
> archives). Hence, if freenet.exe is flagged, the archive will probably
> be flagged too. I have some doubts about the fact that if AV's have seen
> the file before they will be less susceptible to complain. It's more a
> deal with file patterns (and heuristics, like juiceman said). As
> AutoHotKey Exes contain the script interpreter, which is a common
> pattern (and this pattern appears in true malware written in AHK). But
> AV's behavior seems to be erratic for this point.

Both are true. Most modern AV's will complain on files that they haven't seen before. For example, a recent user gave up when he got this:
http://www.symantec.com/security_response/writeup.jsp?docid=2010-051308-1854-99

It's a good idea in principle - especially if the file has been substituted, it may even have a bogus signature, which is very hard to detect as there are so many SSL providers. It's an even better idea if, like Freenet, it's not signed at all - we can fix that though.

> Some reading if you are interested (a bit old, but still regularly true):
> AutoIt:
> http://www.autoitscript.com/forum/topic/34658-are-my-autoit-exes-really-infected/
> AutoHotKey: http://www.donationcoder.com/forum/index.php?topic=15210.0
> AutoHotKey:
> http://www.autohotkey.com/board/topic/29203-an-open-letter-for-antiviral-software-companies/

That looks like what we've been seeing so far. :(
_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
