Author Topic: Virus?  (Read 22277 times)

dsktopflyr

  • Newbie
  • *
  • Posts: 4
Re: Virus?
« Reply #15 on: September 04, 2009, 05:42:11 pm »
I also have McAfee and am dealing with this problem which I understand is not a FSDreamteam problem. I have sent the file couatl.exe to McAfee (virus_research@avertlabs.com) for them to analyze and hopefully add to their DAT file definitions so that it will be avoided in future scans. I have had luck in the past using this service to correct some files from Flight1 software that were being detected and have them added to the DAT definitions.

Below is the latest email correspondence from McAfee I received today with my reply. We will see where this goes next... Maybe I can get a contact for Virtuali.

If I understand correctly, this file will not be added to a future DAT version to avoid being detected as a virus. Again, this file is part of an add-on scenery package for Microsoft Flight Simulator X by FSDreamteam.com, which is a reputable company, and the file is also digitally signed. If this is so, what are my options to get this corrected (added to a new DAT version) aside from disabling Virus Scan every time?

Thanks,

Gideon

-----Original Message-----
From: virus_research@avertlabs.com [mailto:virus_research@avertlabs.com]
Sent: Thursday, September 03, 2009 10:30 PM
Subject: Escalation: 5492852


Avert™ Sample Analysis

McAfee Avert™ Labs, Automation

Thank you for submitting your suspicious file(s). We have determined that the following submissions are handled by our AV signature DAT files.

        Analysis Id: 5492852
        --------------------
         
        File Name                    Findings            Detection               Type               
        =========                    ========            =========               ====               
        couatl.exe                   detected            w32/induc               virus   

DAT version 5730 provides cover against all of the submissions shown above.

KPryor

  • Newbie
  • *
  • Posts: 9
Re: Virus?
« Reply #16 on: September 04, 2009, 06:04:26 pm »
I submitted it to Sunbelt Software, which makes Vipre antivirus and they still insist it's not a false positive since other AV companies are also identifying it as a trojan.  I'll just have to deactivate my AV every time I install an FSDT scenery and exclude the folders the files are in from AV scans, which is no big deal.
KP

virtuali

  • Administrator
  • Hero Member
  • *****
  • Posts: 51452
    • VIRTUALI Sagl
Re: Virus?
« Reply #17 on: September 04, 2009, 07:59:53 pm »
Quote
I submitted it to Sunbelt Software, which makes Vipre antivirus and they still insist it's not a false positive since other AV companies are also identifying it as a trojan.

Well, this is the most laughable answer you could ever get from an antivirus company. Basically, they are telling you that they don't have the means to check if a program is *really* dangerous or not but, it must be, because other A/V products are detecting it as well...

Which is also funny because, considering that many antivirus are just using the McAfee engine they license, whenever McAfee gets into a false positive problem, many 3rd party antivirus will act just the same so, would this prove their point about "other AV companies are identifying it as a trojan" ???

KPryor

  • Newbie
  • *
  • Posts: 9
Re: Virus?
« Reply #18 on: September 05, 2009, 06:32:48 pm »
I agree, it's ridiculous that none of the AV companies seem interested in fixing this problem.  The good thing about Vipre is it's easy to exclude the FSDT folders from scans so I don't have to worry about it quarantining the file; I just have to disable Vipre temporarily during scenery installs so it doesn't kill couatl during the install.
KP

HiFlyer

  • Newbie
  • *
  • Posts: 35
Re: Virus?
« Reply #19 on: September 07, 2009, 10:40:42 am »
The problem is that users of FSdreamteam products who also have anti virus, are being intermittently inconvenienced by these episodes (My products have stopped working again) and a quick scan of the forums shows the problem as being fairly widespread over time.

Isn't there any way for Couatl to do whatever it's doing in such a fashion as to not cause so many false positives? Surely there are other products that are "protecting" themselves in ways that do not cause these issues?

There are a few more airports I want to buy, but I find myself feeling hesitant because of this.
i7 920 @ 3.8ghz \ Coolermaster V8 Cpu Cooler \ Asus P6T Deluxe
Nvidia 280 Gpu \ 6 Gigs Corsair Ram \ Vista 64
X-Fi Extreme Music Audio
AntecTruepower Quattro 850w Psu \ Klipsch Thx Audio Speakers
Gateway FPD2485w 24' Monitor

virtuali

  • Administrator
  • Hero Member
  • *****
  • Posts: 51452
    • VIRTUALI Sagl
Re: Virus?
« Reply #20 on: September 07, 2009, 11:57:11 am »
Quote
The problem is that users of FSdreamteam products who also have anti virus, are being intermittently inconvenienced by these episodes

The issue is, you are seeing it backward: the problematic software is not FSDT, it's the antivirus that, after a certain update, has decided that a software (the SAME software) that was ok up to last week, has now suddenly become a virus, without this being changed at all.

So, it's clearly the antivirus's fault. The job of an antivirus should be protecting from a virus WITHOUT interfering with the software, and the onus of trying to be reliable at this is on the antivirus developers.


Quote
Isn't there any way for Couatl to do whatever it's doing in such a fashion as to not cause so many false positives?

Think about it: if it was possible to conceal from the antivirus from our side, real viruses could do it just the same. This is what real viruses usually do as well, which is what the antivirus tries to prevent.

The more real viruses become smarter at avoiding being detected (in a sense, you are suggesting we should become smarter at that too...), the more the antivirus has to use wild guesses of what could be a threat, and the more false positives you'll get.

That's why it's important being able to manually exclude files from scanning, since the whole process is *inherently* unreliable.

Quote
Surely there are other products that are "protecting" themselves in ways that do not cause these issues?

No, see this post at Flight1 forum:

http://www.simforums.com/forums/forum_posts.asp?TID=24061

They have exactly the same problem with their wrapper, and the solution proposed is exactly the same as ours: manually exclude the affected files from scanning or, if the antivirus doesn't allow it (like McAfee Home edition), switch to a different product.
« Last Edit: September 07, 2009, 12:02:18 pm by virtuali »

dsktopflyr

  • Newbie
  • *
  • Posts: 4
Re: Virus?
« Reply #21 on: September 07, 2009, 09:03:13 pm »
I have appealed to McAfee's reply to this file being identified as a virus. The type of virus couatl.exe is being associated with, w32/induc!a, has something to do with files programmed with Delphi (http://vil.nai.com/vil/content/v_204731.htm). Again, I believe this to be a McAfee problem and before I consider getting rid of McAfee I am using all channels available to get the problem resolved.

virtuali

  • Administrator
  • Hero Member
  • *****
  • Posts: 51452
    • VIRTUALI Sagl
Re: Virus?
« Reply #22 on: September 08, 2009, 11:21:18 am »
You can try to update to the latest version (just run any scenery installer again), we have done some changes, that will hopefully improve compatibility with McAfee now.

dsktopflyr

  • Newbie
  • *
  • Posts: 4
Re: Virus?
« Reply #23 on: September 08, 2009, 12:33:41 pm »
Thanks Umberto, I will give it a try. Just a heads up, my appeal to McAfee appears to be working its way through the process. They returned my email this morning at 2:36AM EST. The file couatl.exe is now identified as inconclusive. Hopefully they will come to their senses and update the DAT file now in the next few days.

Avert(tm) Sample Analysis
Issue Number: 5492852
Virus Research Analyst: Neha Chattopadhyay
Identified: Inconclusive

McAfee Avert(tm) Labs, Bangalore, India

Thank you for submitting your suspicious file.

Synopsis

http://vil.nai.com/vil/content/v_204731.htm

We currently have, in our latest engine and DAT files, detection for over 120,000 viruses and trojans.  Though we are now making a concerted effort to get a description of every virus in the wild in our Virus Information Library, we have not yet reached that point.  We appreciate your patience and your request for this information.
« Last Edit: September 08, 2009, 12:36:57 pm by dsktopflyr »

HiFlyer

  • Newbie
  • *
  • Posts: 35
Re: Virus?
« Reply #24 on: September 09, 2009, 02:03:29 am »
Quote
You can try to update to the latest version (just run any scenery installer again), we have done some changes, that will hopefully improve compatibility with McAfee now.

(Heaves Huge sigh of relief)

Thank you! This was driving me crazy. I hope it works for a good long while!

gdavej

  • Newbie
  • *
  • Posts: 41
Re: Virus?
« Reply #25 on: October 23, 2009, 10:23:17 pm »
I've been pushing McAfee to resolve this issue, and now they're saying that the file couatl.exe is definitely infected. All I want from them is a way to force McAfee to not scan this file, but instead they keep throwing back results of their virus scan on the file. They've now told me that their Director of Malware Research will be contacting FSDreamteam to discuss this "infected" file. Hopefully, this will finally get this matter resolved. I've attached some of the correspondence between me and them...

« Last Edit: October 24, 2009, 04:28:27 pm by virtuali »

virtuali

  • Administrator
  • Hero Member
  • *****
  • Posts: 51452
    • VIRTUALI Sagl
Re: Virus?
« Reply #26 on: October 24, 2009, 04:58:32 pm »
I've edited your message, because I don't think it's appropriate to post on a public forum an email exchange. I've got your email though.

However, reading McAfee's reply really makes me wonder if the guy that wrote it REALLY knows *anything* about security, which is quite shocking, considering it's supposed to be their main business.

Stating "even Microsoft has determined this file to be infected", and posting results from virustotal.com (which we routinely use, btw), as if they were proving anything, seems a way to say "we don't know what this threat does but, if others say it's a virus, it might be true". Really comforting explanation.

Posting results of other virus scanners is entirely useless because the whole POINT of letting the user choose which files to exclude from scanning, is because false positives DO happen! There's no such thing as a perfect scanning engine, that will be able to protect you from every threat and will not interfere with legit programs at the same time, that's why almost every other A/V product out there HAS that option.

Even McAfee itself has it, but only in the Enterprise version of their products, which is quite logical: try to sell that BS to someone that has maybe thousands of users cut out from work, because their engine suddenly decides to flag a legit program as a virus. This fact alone should be ample proof that McAfee itself acknowledges the importance of this option: they just decided it's not something that users of the cheaper versions are entitled to have.

This should give anyone still using McAfee more than enough reasons to switch to another product.