VOGONS


VOGONS Driver Library

Topic actions

Reply 1480 of 1514, by kingcake

User metadata
Rank Oldbie
Rank
Oldbie
porksmuggler wrote on 2024-06-05, 21:52:

Thought I'd test that same file again today, Defender on Win 10 with updates as of today, hits for Backdoor:Win32/Bladabindi!ml , which is a severe threat level. This is on the linked SB0220.7z

http://vogonsdrivers.com/getfile.php?fileid=809&menustate=0

Which file specifically? I formally studied malware/did malware reverse engineering in grad school. I'll disassemble it in IDA and take a look.

Reply 1481 of 1514, by kingcake

User metadata
Rank Oldbie
Rank
Oldbie
douglar wrote on 2024-06-05, 23:37:
https://www.microsoft.com/en-us/wdsi/threats/ … tId=-2147219148 […]
Show full quote
porksmuggler wrote on 2024-06-05, 21:52:

Thought I'd test that same file again today, Defender on Win 10 with updates as of today, hits for Backdoor:Win32/Bladabindi!ml , which is a severe threat level. This is on the linked SB0220.7z

http://vogonsdrivers.com/getfile.php?fileid=809&menustate=0

https://www.microsoft.com/en-us/wdsi/threats/ … tId=-2147219148

“Bladabindi!m” was first identified in 2019. That file was uploaded to vogondrivers in 2015.

Seems likely that thisis a false positive.

Agree it's most likely a false positive, but those dates don't give that conclusion. Malware is in the wild for a time before first detected. Sometimes for a decade.

Reply 1482 of 1514, by porksmuggler

User metadata
Rank Newbie
Rank
Newbie

It's the same .7z I ran Defender on 3 weeks ago in the thread, linked twice now. I'm not unzipping it, or running code. Same responses from the same forum members saying "likely" a false positive isn't inspiring at this point. I'd agree on it being a false positive, except this is twice now, weeks apart, with updated Defender each time. Someone even replied back saying they tested it negative while I still had it testing positive the first time, which is even more suspect. The site appears unsecured, and using the honor system for uploads, what is going on here?

Reply 1483 of 1514, by DosFreak

User metadata
Rank l33t++
Rank
l33t++

What's going on here is likely false positives caused by Defender or a reputation check defender does that's based on someone else flagging the file, see here: https://learn.microsoft.com/en-us/defender-xd … ubmission-guide

This isn't new. If you aren't using what everyone else is using then you'll encounter false positives. Even if you are using what everyone else uses and the definitions get updated and the AV triggers on something you'll get false positives. If you can find out why it was identified as such and have the ability to modify and recompile the code then there are things you can do to reduce the likelihood of false positives but for everyone else all you can do is submit samples and hope it's resolved in the next defintion update and hope it won't get flagged again.

This has nothing to do with https BS (https does not mean the site is secure) or people uploading files (What do you propose that people not share files?), stop contributing to FUD.

Last edited by DosFreak on 2024-06-06, 22:02. Edited 1 time in total.

How To Ask Questions The Smart Way
Make your games work offline

Reply 1484 of 1514, by porksmuggler

User metadata
Rank Newbie
Rank
Newbie

Nothing in your response changes the facts that I'm using the same Defender, nothing different or unique, and the definitions were updated each time. Watch your tone, your post count or involvement in the site give you no air of expertise to me.

Reply 1485 of 1514, by DosFreak

User metadata
Rank l33t++
Rank
l33t++

Same Defender as what or whom?
Have you verified that your Defender executable versions matches everyone else where the file isn't being flagged?
Have you verified that your Definitions, engine, platform match everyone else where the file isn't being flagged?
Have you verified that your Defender configuration match everyone else where the file isn't being flagged?
Have you verified that communication to MS URLs for Defender communication aren't being blocked?

Without doing the above then yes something may be different or unique.

Have you replied back to a previous post asking which file is being flagged?

I can say with 100% certainty that nothing is wrong with my "tone".

How To Ask Questions The Smart Way
Make your games work offline

Reply 1486 of 1514, by porksmuggler

User metadata
Rank Newbie
Rank
Newbie

I may not be active on the site, but have seen enough of your posts to call out the unprofessional tone you frequently take in responses. Ban me or whatever, I could care less. I'm not spreading FUD, or whatever else you're sensitive about.

Maybe check out the link, and see what you find? All of the above you listed are current, the most recent, and latest for Windows 10 on my end. So far you've added nothing to the discussion, except playing bad cop mod.

Edit: This is my last response to you, if I'm not banned I'll keep posting here though in this thread about files uploaded, that seem to have issues.

Reply 1487 of 1514, by kingcake

User metadata
Rank Oldbie
Rank
Oldbie
porksmuggler wrote on 2024-06-06, 22:02:

Nothing in your response changes the facts that I'm using the same Defender, nothing different or unique, and the definitions were updated each time. Watch your tone, your post count or involvement in the site give you no air of expertise to me.

I've offered to disassemble and examine the file for malware features, something I have both academic and professional training in. Yet you refuse to give a filename despite rescanning the archive multiple times. Then you immediately start giving attitude and trolling. This is all seeming a bit suspicious to be quite honest.

Reply 1488 of 1514, by appiah4

User metadata
Rank l33t++
Rank
l33t++
porksmuggler wrote on 2024-06-06, 22:39:

I may not be active on the site, but have seen enough of your posts to call out the unprofessional tone you frequently take in responses. Ban me or whatever, I could care less. I'm not spreading FUD, or whatever else you're sensitive about.

Maybe check out the link, and see what you find? All of the above you listed are current, the most recent, and latest for Windows 10 on my end. So far you've added nothing to the discussion, except playing bad cop mod.

Edit: This is my last response to you, if I'm not banned I'll keep posting here though in this thread about files uploaded, that seem to have issues.

With all due respect, I would personally prefer that you don't.

Retronautics: A digital gallery of my retro computers, hardware and projects.

Reply 1489 of 1514, by porksmuggler

User metadata
Rank Newbie
Rank
Newbie
kingcake wrote on 2024-06-07, 02:23:
porksmuggler wrote on 2024-06-06, 22:02:

Nothing in your response changes the facts that I'm using the same Defender, nothing different or unique, and the definitions were updated each time. Watch your tone, your post count or involvement in the site give you no air of expertise to me.

I've offered to disassemble and examine the file for malware features, something I have both academic and professional training in. Yet you refuse to give a filename despite rescanning the archive multiple times. Then you immediately start giving attitude and trolling. This is all seeming a bit suspicious to be quite honest.

Thanks for that again, I've linked the .7z in both replies, and mentioned the file name, SB0220.7z. The scans and hits are on the archive, I'm not extracting or testing further on individual files, if that is what you're asking.

Reply 1490 of 1514, by porksmuggler

User metadata
Rank Newbie
Rank
Newbie
appiah4 wrote on 2024-06-07, 06:13:
porksmuggler wrote on 2024-06-06, 22:39:

I may not be active on the site, but have seen enough of your posts to call out the unprofessional tone you frequently take in responses. Ban me or whatever, I could care less. I'm not spreading FUD, or whatever else you're sensitive about.

Maybe check out the link, and see what you find? All of the above you listed are current, the most recent, and latest for Windows 10 on my end. So far you've added nothing to the discussion, except playing bad cop mod.

Edit: This is my last response to you, if I'm not banned I'll keep posting here though in this thread about files uploaded, that seem to have issues.

With all due respect, I would personally prefer that you don't.

Maybe check out the link and see what you find, since you have time to reply to get that post count up.

Reply 1491 of 1514, by myne

User metadata
Rank Member
Rank
Member

Quit being a douche.

Unzip the damn file and tell what one is being flagged. No one's going to disassemble every fucking executable in a driver zip to please one obstinate asshole who can't be fucked doing the most basic thing to help substantiate their allegations.

Things I built:
Mechwarrior 2 installer for Windows 10/11 Re: A comprehensive guide to install and play MechWarrior 2 on new versions on Windows.
Dos+Windows 3.11 auto-install iso template (for vmware)
Script to backup Win9x\ME drivers from a working install

Reply 1492 of 1514, by porksmuggler

User metadata
Rank Newbie
Rank
Newbie
myne wrote on 2024-06-07, 14:06:

Quit being a douche.

Unzip the damn file and tell what one is being flagged. No one's going to disassemble every fucking executable in a driver zip to please one obstinate asshole who can't be fucked doing the most basic thing to help substantiate their allegations.

Same to you I guess, maybe scan the .7z and see what you find. The detection was on the .7z. Why in the world would I need to extract and scan each file just to report an issue? What is going on with this forum, that replies like yours are even allowed?

I'm assuming what comes next is all these posts are deleted, right?

Reply 1493 of 1514, by myne

User metadata
Rank Member
Rank
Member

This guy couldn't replicate your problem with that file. They went further than you're willing to.
Why should anyone else bother?

Re: VOGONS Driver Library

Things I built:
Mechwarrior 2 installer for Windows 10/11 Re: A comprehensive guide to install and play MechWarrior 2 on new versions on Windows.
Dos+Windows 3.11 auto-install iso template (for vmware)
Script to backup Win9x\ME drivers from a working install

Reply 1494 of 1514, by Horun

User metadata
Rank l33t++
Rank
l33t++

I will go check it again after dinner on the Win10 box and give specifics if it does or does not find anything....
As for:

porksmuggler wrote on 2024-06-06, 22:39:

Edit: This is my last response to you, if I'm not banned I'll keep posting here though in this thread about files uploaded, that seem to have issues.

If you checked this topic, only twice have files here been reported as possibly infected since it was started in 2011.
Not just anyone can post files to the library and the file you question is from a well known long time member.
You can unzip, unrar, etc any fileset archive without infecting your computer. It takes launching an .EXE, .COM, or using a infected DLL to actually infect a system under nearly all circumstances with files..

Hate posting a reply and then have to edit it because it made no sense 😁 First computer was an IBM 3270 workstation with CGA monitor. Stuff: https://archive.org/details/@horun

Reply 1495 of 1514, by porksmuggler

User metadata
Rank Newbie
Rank
Newbie
Horun wrote on 2024-06-08, 02:22:

You can unzip, unrar, etc any fileset archive without infecting your computer. It takes launching an .EXE, .COM, or using a infected DLL to actually infect a system under nearly all circumstances with files..

There are multiple archive code execution exploits in the wild, I will not be debating that point further. Take whatever steps you feel is sufficient. I've done exactly what I set out to do (report a possible issue) and the responses were exactly what was expected, here on Vogons at least.

Reply 1496 of 1514, by douglar

User metadata
Rank Oldbie
Rank
Oldbie
Horun wrote on 2024-06-08, 02:22:

You can unzip, unrar, etc any fileset archive without infecting your computer. It takes launching an .EXE, .COM, or using a infected DLL to actually infect a system under nearly all circumstances with files..

As long as you are not using a compression tool that has an exploit ….
https://www.cvedetails.com/vulnerability-list … 787/Winzip.html

I remember one submission that had the stoned virus that was caught before it was uploaded, one curious driver that had an easter egg/trojan left in it by the developer that was flagged as malware but was harmless if used on brand name hardware ( https://www.f-secure.com/v-descs/cmd640x.shtml ) and a handful of false positives because modern anti virus vendors dont always test their software on binaries that are more than 20 years old. But not all of those posts were in this thread.

Usually those false positives disappear after a couple weeks when someone reports them back to the developers.

porksmuggler wrote on 2024-06-07, 14:13:

I'm assuming what comes next is all these posts are deleted, right?

You probably won’t be that lucky.

Reply 1497 of 1514, by Horun

User metadata
Rank l33t++
Rank
l33t++
porksmuggler wrote on 2024-06-08, 02:36:
Horun wrote on 2024-06-08, 02:22:

You can unzip, unrar, etc any fileset archive without infecting your computer. It takes launching an .EXE, .COM, or using a infected DLL to actually infect a system under nearly all circumstances with files..

There are multiple archive code execution exploits in the wild, I will not be debating that point further. Take whatever steps you feel is sufficient. I've done exactly what I set out to do (report a possible issue) and the responses were exactly what was expected, here on Vogons at least.

The response is exactly what you expected ? What does that mean ?
I have done every thing on my end to find a virus in that archive to confirm your report.And I am not the uploader of that file, but am trying to help.
I just re-ran the 7zip on my Windows 10 v22H2 box (From CMD: ver = Windows 10 version 10.0.19045.4412).
Last Defender update is 6/02/2024 (rechecked for newer, that was it).
And Nothing found on the archive like before.
I then extracted the files to a folder and scanned all files again, and again nothing found.

So what version of 10 are you running and the date of the Defender update ?

Hate posting a reply and then have to edit it because it made no sense 😁 First computer was an IBM 3270 workstation with CGA monitor. Stuff: https://archive.org/details/@horun

Reply 1498 of 1514, by appiah4

User metadata
Rank l33t++
Rank
l33t++
porksmuggler wrote on 2024-06-07, 14:13:
myne wrote on 2024-06-07, 14:06:

Quit being a douche.

Unzip the damn file and tell what one is being flagged. No one's going to disassemble every fucking executable in a driver zip to please one obstinate asshole who can't be fucked doing the most basic thing to help substantiate their allegations.

Same to you I guess, maybe scan the .7z and see what you find. The detection was on the .7z. Why in the world would I need to extract and scan each file just to report an issue? What is going on with this forum, that replies like yours are even allowed?

I'm assuming what comes next is all these posts are deleted, right?

No what comes next is welcoming you to my ignore list.

Retronautics: A digital gallery of my retro computers, hardware and projects.

Reply 1499 of 1514, by porksmuggler

User metadata
Rank Newbie
Rank
Newbie
Horun wrote on 2024-06-08, 04:00:

So what version of 10 are you running and the date of the Defender update ?

Thanks, it's 22H2 .4412 Defender is 6/06 as of the testing, on three separate systems. Maybe check your SI ver. I'm on 1.413.1450.