trojan in 5.10.1 - Page 3

banana22 · 01-23-2021, 04:56 PM

Hi, I have Avira and have sent the 4 detected files to them for analysis, hopefully they will not flag them anymore. I think it will take some time though : )

JSWolf · 01-23-2021, 05:32 PM

Quote:

Originally Posted by banana22

Hi, I have Avira and have sent the 4 detected files to them for analysis, hopefully they will not flag them anymore. I think it will take some time though : )

If you insist on using Avira, then for now, disable it and use the AV that comes with Windows. You may find you don't want to go back to Avira.

But the best solution is to uninstall Avira and move to Windows Security (or Defender).

ownedbycats · 01-23-2021, 05:37 PM

Quote:

Originally Posted by JSWolf

But do you disagree with me?

I use Windows Defender, but verify downloads against available hashes and send ones from unfamiliar sources through VirusTotal.

banana22 · 01-23-2021, 06:18 PM

Quote:

Originally Posted by JSWolf

If you insist on using Avira, then for now, disable it and use the AV that comes with Windows. You may find you don't want to go back to Avira.

But the best solution is to uninstall Avira and move to Windows Security (or Defender).

Hi JSWolf, I have no intention of disabling or uninstalling Avira, all AV programs have false positives, lets hope that's what these are. I've been using it for many years and it is very good.
I remember several years ago when hackers inserted code into Ccleaner installation file and was downloaded by many people from the legitimate website. I will wait to see what Avira say

Quote:

Originally Posted by ownedbycats

I use Windows Defender, but verify downloads against available hashes and send ones from unfamiliar sources through VirusTotal.

Hi ownedbycats , uploading the installation file to VT results in no detection by Avira, it is only after execution that 4 files are detected, thankfully these files are only detected by 2 well known AV vendors, which makes me think they are FP's , these are Avira and F-Secure,,
the latter uses Aviras signatures , so they are not independent detections

JSWolf · 01-23-2021, 07:01 PM

Quote:

Originally Posted by banana22

Hi JSWolf, I have no intention of disabling or uninstalling Avira, all AV programs have false positives, lets hope that's what these are. I've been using it for many years and it is very good.
I remember several years ago when hackers inserted code into Ccleaner installation file and was downloaded by many people from the legitimate website. I will wait to see what Avira say

The rule is that if an AV finds a clean Calibre to be infected, then the AV in question i garbage and needs to be uninstalled forever. Avira is a very poor AV. Why would you want to keep using it when it thinks Calibre is infected? Give it up, Avira is not worth the hassle.

Quote:

Hi ownedbycats , uploading the installation file to VT results in no detection by Avira, it is only after execution that 4 files are detected, thankfully these files are only detected by 2 well known AV vendors, which makes me think they are FP's , these are Avira and F-Secure,,
the latter uses Aviras signatures , so they are not independent detections

The FP's are found by two of the worst AV out there.

ownedbycats · 01-23-2021, 07:12 PM

Quote:

Originally Posted by banana22

Hi ownedbycats , uploading the installation file to VT results in no detection by Avira, it is only after execution that 4 files are detected

See Post #9.

ownedbycats · 01-23-2021, 07:15 PM

Quote:

Originally Posted by JSWolf

The FP's are found by two of the worst AV out there.

No, they are neither Norton or McAFee.

JSWolf · 01-23-2021, 07:17 PM

Quote:

Originally Posted by ownedbycats

No, they are neither Norton or McAFee.

But Avia and FSecure are just as lousy.

ownedbycats · 01-23-2021, 07:29 PM

It seems that the best free AVs right now are BitDefender and Kaspersky. I've not tried either of them myself, though.

Unfortunately, Avira's seem to gone down the same adware resource hog that both AVG and Avast did a few years ago.

DiapDealer · 01-23-2021, 07:55 PM

That's what happens when Windows addon antivirus becomes unnecessary.

JSWolf · 01-23-2021, 08:36 PM

Quote:

Originally Posted by ownedbycats

It seems that the best free AVs right now are BitDefender and Kaspersky. I've not tried either of them myself, though.

Unfortunately, Avira's seem to gone down the same adware resource hog that both AVG and Avast did a few years ago.

But why bother when Microsoft supply a good AV with Windows?

kovidgoyal · 01-23-2021, 09:44 PM

Quote:

Originally Posted by ownedbycats

I wonder, though, what change was made so at least two antiviruses are flagging it.

VirusTotal notes that calibre.exe does write to a file inside of the Windows folder (udhisapi.dll, universal plug & play), which may be seen as a red flag. But I think older versions did this too.

Executable compression, perhaps? Antiviruses also like to complain about that as they're often used by bad actors.

No version of calibre including the present one has ever touched any files in any windows system folder. In fact I dont even know what udhisapi.dll is. And grepping the calibre source ode for it shows no references whatsoever.

ownedbycats · 01-24-2021, 12:05 AM

You can see it here. Under "files written."

kovidgoyal · 01-24-2021, 12:12 AM

Quote:

Originally Posted by ownedbycats

You can see it here. Under "files written."

Yeah most likely whatever system they run it on has some DLL injected that they use for instrumentation and that DLL is doing the writing when triggered by some innocuous event like calibre querying the system for connected USB devices, and they assign it to the exe, that is about the level of competence I would expect from antivirus vendors.

BetterRed · 01-24-2021, 01:10 AM

Did you upload that calibre-64bit-5.10.1.msi to VT?

I just uploaded the calibre-64bit-5.10.1.msi I got from github this morning, and I got this from VT ==>> https://www.virustotal.com/gui/file/...c1797/behavior

Nothing written to Windows only user Local\Temp

Note - I didn't get the Microsoft Sysinternals Sysmon option (the one your link goes to), I only got the VirusTotal Jujubox option. I have no idea why.

The only malware I've had in a decade came with Piriform's CCleaner soon AFTER it was bought by Avast, VT didn't find it, MS Defender found it. And it wasn't a false alarm, the CEO of Avast published a mea-culpa - speculation was it was put there by a disgruntled Piriform exec who didn't get to keep their job.

BTW check out the Registry Keys opened (there's a down arrow expander) - 300 of the beggars

BR

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Trojan in Calibre portable 4.91?	Kefir	Calibre	44	01-28-2020 01:15 AM
Trojan detected in 3.2.1	stretch	Devices	0	07-06-2017 04:39 AM
Android Trojan Horse	sjarrel	enTourage Archive	3	01-02-2011 11:58 AM
New Android Trojan	kennyc	Android Devices	0	12-30-2010 03:38 PM
trojan in calibre 0.5.11?	BookLoverToo	Calibre	5	05-10-2009 01:49 AM

01-23-2021, 04:56 PM	#31
banana22 Junior Member Posts: 4 Karma: 10 Join Date: Jan 2021 Device: nook	Hi, I have Avira and have sent the 4 detected files to them for analysis, hopefully they will not flag them anymore. I think it will take some time though : )

01-23-2021, 07:29 PM	#39
ownedbycats Custom User Title Posts: 10,973 Karma: 75337983 Join Date: Oct 2018 Location: Canada Device: Kobo Libra H2O, formerly Aura HD	It seems that the best free AVs right now are BitDefender and Kaspersky. I've not tried either of them myself, though. Unfortunately, Avira's seem to gone down the same adware resource hog that both AVG and Avast did a few years ago.

01-23-2021, 07:55 PM	#40
DiapDealer Grand Sorcerer Posts: 28,569 Karma: 204127028 Join Date: Jan 2010 Device: Nexus 7, Kindle Fire HD	That's what happens when Windows addon antivirus becomes unnecessary.

01-24-2021, 12:05 AM	#43
ownedbycats Custom User Title Posts: 10,973 Karma: 75337983 Join Date: Oct 2018 Location: Canada Device: Kobo Libra H2O, formerly Aura HD	You can see it here. Under "files written."

01-24-2021, 01:10 AM	#45
BetterRed null operator (he/him) Posts: 21,724 Karma: 29711016 Join Date: Mar 2012 Location: Sydney Australia Device: none	Did you upload that calibre-64bit-5.10.1.msi to VT? I just uploaded the calibre-64bit-5.10.1.msi I got from github this morning, and I got this from VT ==>> https://www.virustotal.com/gui/file/...c1797/behavior Nothing written to Windows only user Local\Temp Note - I didn't get the Microsoft Sysinternals Sysmon option (the one your link goes to), I only got the VirusTotal Jujubox option. I have no idea why. The only malware I've had in a decade came with Piriform's CCleaner soon AFTER it was bought by Avast, VT didn't find it, MS Defender found it. And it wasn't a false alarm, the CEO of Avast published a mea-culpa - speculation was it was put there by a disgruntled Piriform exec who didn't get to keep their job. BTW check out the Registry Keys opened (there's a down arrow expander) - 300 of the beggars BR

Advert

Advert