Discussion:
POW! Trojan detection
Bill Leary
2010-02-15 15:28:41 UTC
I've been tinkering with POW! and tried compiling the "hello" example to
start.

When it's linking, I get this from Avira AntiVir Guard:

C:\Program Files\Oberon-2\Examples\Opal\Hello\hello.exe is the
TR/Crypt.XPACK.Gen Trojan.

I'm thinking it's a false detection. I've tried a few of the other
examples and don't get this from them. Anyone else seen this? And is it a
false positive?

- Bill
Chris Burrows
2010-02-15 22:42:28 UTC
Post by Bill Leary
I've been tinkering with POW! and tried compiling the "hello" example to
start.
C:\Program Files\Oberon-2\Examples\Opal\Hello\hello.exe is the
TR/Crypt.XPACK.Gen Trojan.
I'm thinking it's a false detection. I've tried a few of the other
examples and don't get this from them. Anyone else seen this? And is it
a false positive?
We use AVG anti-virus and have never had any reports of problems with POW!
programs. As you have just built the EXE it is highly unlikely but the
possibility should not be totally discounted. For example, there is a virus
that infects one of the system object files in old versions of Delphi (v4 -
v7, 1998 - 2002) which then results in the virus being propagated by the
resulting linked EXE files:

http://edn.embarcadero.com/article/39851

You should report it as a suspected false positive to Avira for
confirmation:

http://analysis.avira.com/samples/index.php

--
Chris Burrows
CFB Software
Armaide: ARM Oberon-07 Integrated Development Environment
http://www.armaide.com
Bill Leary
2010-02-16 13:26:58 UTC
Post by Chris Burrows
Post by Bill Leary
I've been tinkering with POW! and tried compiling the "hello" example to
start.
C:\Program Files\Oberon-2\Examples\Opal\Hello\hello.exe is the
TR/Crypt.XPACK.Gen Trojan.
I'm thinking it's a false detection. I've tried a few of the other
examples and don't get this from them. Anyone else seen this? And is it
a false positive?
We use AVG anti-virus and have never had any reports of problems with POW!
programs. As you have just built the EXE it is highly unlikely but the
possibility should not be totally discounted. For example, there is a
virus that infects one of the system object files in old versions of
Delphi (v4 - v7, 1998 - 2002) which then results in the virus being
http://edn.embarcadero.com/article/39851
Yes, I've heard of that incident.
Post by Chris Burrows
You should report it as a suspected false positive to Avira for
http://analysis.avira.com/samples/index.php
Great idea. Thanks for the link.

I don't get a detect with either McAfee or Avast, so I'm figuring it's a
false positive for the moment. Still, certainly worth reporting.
Post by Chris Burrows
Chris Burrows
CFB Software
Armaide: ARM Oberon-07 Integrated Development Environment
http://www.armaide.com
I wish I'd known about you guys back when I was still working with ARM
processors (few years back). I don't know if I could have sold the rest of
the guys on Oberon, but it would have been worth the attempt.

- Bill
Bill Leary
2010-02-19 22:07:36 UTC
I got a response from Avira:

----BEGIN QUOTATION----
Please find a detailed report concerning each individual sample below:

Filename Result
hello.exe FALSE POSITIVE

The file 'hello.exe' has been determined to be 'FALSE POSITIVE'. In
particular this means that this file is not malicious but a false alarm.
Detection will be removed from our virus definition file (VDF) with one of
the next updates.
----END QUOTATION----

And that's that.

- Bill
Chris Burrows
2010-02-19 23:13:03 UTC
Great! Thanks for tying up the loose ends.

Chris.
