VOGONS Driver Library

Reply 1480 of 1622, by kingcake

User metadata
Rank Oldbie
porksmuggler wrote on 2024-06-05, 21:52:

Thought I'd test that same file again today, Defender on Win 10 with updates as of today, hits for Backdoor:Win32/Bladabindi!ml, which is a severe threat level. This is on the linked SB0220.7z

http://vogonsdrivers.com/getfile.php?fileid=809&menustate=0

Which file specifically? I formally studied malware/did malware reverse engineering in grad school. I'll disassemble it in IDA and take a look.

Reply 1481 of 1622, by kingcake

User metadata
Rank Oldbie
douglar wrote on 2024-06-05, 23:37:
porksmuggler wrote on 2024-06-05, 21:52:

Thought I'd test that same file again today, Defender on Win 10 with updates as of today, hits for Backdoor:Win32/Bladabindi!ml, which is a severe threat level. This is on the linked SB0220.7z

http://vogonsdrivers.com/getfile.php?fileid=809&menustate=0

https://www.microsoft.com/en-us/wdsi/threats/ … tId=-2147219148

“Bladabindi!m” was first identified in 2019. That file was uploaded to vogonsdrivers in 2015.

Seems likely that this is a false positive.

Agree it's most likely a false positive, but those dates don't give that conclusion. Malware is in the wild for a time before first detected. Sometimes for a decade.

Reply 1482 of 1622, by porksmuggler

User metadata
Rank Newbie

It's the same .7z I ran Defender on 3 weeks ago in the thread, linked twice now. I'm not unzipping it, or running code. Same responses from the same forum members saying "likely" a false positive aren't inspiring at this point. I'd agree on it being a false positive, except this is twice now, weeks apart, with updated Defender each time. Someone even replied back saying they tested it negative while I still had it testing positive the first time, which is even more suspect. The site appears unsecured, and using the honor system for uploads, what is going on here?

Reply 1483 of 1622, by DosFreak

User metadata
Rank l33t++

What's going on here is likely false positives caused by Defender or a reputation check Defender does that's based on someone else flagging the file, see here: https://learn.microsoft.com/en-us/defender-xd … ubmission-guide

This isn't new. If you aren't using what everyone else is using then you'll encounter false positives. Even if you are using what everyone else uses and the definitions get updated and the AV triggers on something, you'll get false positives. If you can find out why it was identified as such and have the ability to modify and recompile the code then there are things you can do to reduce the likelihood of false positives, but for everyone else all you can do is submit samples and hope it's resolved in the next definition update and hope it won't get flagged again.

This has nothing to do with https BS (https does not mean the site is secure) or people uploading files (What do you propose that people not share files?), stop contributing to FUD.

Last edited by DosFreak on 2024-06-06, 22:02. Edited 1 time in total.

How To Ask Questions The Smart Way
Make your games work offline

Reply 1484 of 1622, by porksmuggler

User metadata
Rank Newbie

Nothing in your response changes the facts that I'm using the same Defender, nothing different or unique, and the definitions were updated each time. Watch your tone, your post count or involvement in the site give you no air of expertise to me.

Reply 1485 of 1622, by DosFreak

User metadata
Rank l33t++

Same Defender as what or whom?
Have you verified that your Defender executable version matches everyone else where the file isn't being flagged?
Have you verified that your definitions, engine, platform match everyone else where the file isn't being flagged?
Have you verified that your Defender configuration matches everyone else where the file isn't being flagged?
Have you verified that communication to MS URLs for Defender communication isn't being blocked?

Without doing the above then yes something may be different or unique.

Have you replied back to a previous post asking which file is being flagged?

I can say with 100% certainty that nothing is wrong with my "tone".


Reply 1486 of 1622, by porksmuggler

User metadata
Rank Newbie

I may not be active on the site, but have seen enough of your posts to call out the unprofessional tone you frequently take in responses. Ban me or whatever, I could care less. I'm not spreading FUD, or whatever else you're sensitive about.

Maybe check out the link, and see what you find? All of the above you listed are current, the most recent, and latest for Windows 10 on my end. So far you've added nothing to the discussion, except playing bad cop mod.

Edit: This is my last response to you, if I'm not banned I'll keep posting here though in this thread about files uploaded, that seem to have issues.

Reply 1487 of 1622, by kingcake

User metadata
Rank Oldbie
porksmuggler wrote on 2024-06-06, 22:02:

Nothing in your response changes the facts that I'm using the same Defender, nothing different or unique, and the definitions were updated each time. Watch your tone, your post count or involvement in the site give you no air of expertise to me.

I've offered to disassemble and examine the file for malware features, something I have both academic and professional training in. Yet you refuse to give a filename despite rescanning the archive multiple times. Then you immediately start giving attitude and trolling. This is all seeming a bit suspicious to be quite honest.

Reply 1488 of 1622, by appiah4

User metadata
Rank l33t++
porksmuggler wrote on 2024-06-06, 22:39:

I may not be active on the site, but have seen enough of your posts to call out the unprofessional tone you frequently take in responses. Ban me or whatever, I could care less. I'm not spreading FUD, or whatever else you're sensitive about.

Maybe check out the link, and see what you find? All of the above you listed are current, the most recent, and latest for Windows 10 on my end. So far you've added nothing to the discussion, except playing bad cop mod.

Edit: This is my last response to you, if I'm not banned I'll keep posting here though in this thread about files uploaded, that seem to have issues.

With all due respect, I would personally prefer that you don't.

Reply 1489 of 1622, by porksmuggler

User metadata
Rank Newbie
kingcake wrote on 2024-06-07, 02:23:
porksmuggler wrote on 2024-06-06, 22:02:

Nothing in your response changes the facts that I'm using the same Defender, nothing different or unique, and the definitions were updated each time. Watch your tone, your post count or involvement in the site give you no air of expertise to me.

I've offered to disassemble and examine the file for malware features, something I have both academic and professional training in. Yet you refuse to give a filename despite rescanning the archive multiple times. Then you immediately start giving attitude and trolling. This is all seeming a bit suspicious to be quite honest.

Thanks for that again, I've linked the .7z in both replies, and mentioned the file name, SB0220.7z. The scans and hits are on the archive, I'm not extracting or testing further on individual files, if that is what you're asking.

Reply 1490 of 1622, by porksmuggler

User metadata
Rank Newbie
appiah4 wrote on 2024-06-07, 06:13:
porksmuggler wrote on 2024-06-06, 22:39:

I may not be active on the site, but have seen enough of your posts to call out the unprofessional tone you frequently take in responses. Ban me or whatever, I could care less. I'm not spreading FUD, or whatever else you're sensitive about.

Maybe check out the link, and see what you find? All of the above you listed are current, the most recent, and latest for Windows 10 on my end. So far you've added nothing to the discussion, except playing bad cop mod.

Edit: This is my last response to you, if I'm not banned I'll keep posting here though in this thread about files uploaded, that seem to have issues.

With all due respect, I would personally prefer that you don't.

Maybe check out the link and see what you find, since you have time to reply to get that post count up.

Reply 1491 of 1622, by myne

User metadata
Rank Oldbie

Quit being a douche.

Unzip the damn file and tell which one is being flagged. No one's going to disassemble every fucking executable in a driver zip to please one obstinate asshole who can't be fucked doing the most basic thing to help substantiate their allegations.

I built:
Convert old ASUS ASC boardviews to KICAD PCB!
Re: A comprehensive guide to install and play MechWarrior 2 on new versions on Windows.
Dos+Windows 3.11+tcp+vbe_svga auto-install iso template
Script to backup Win9x\ME drivers from a working install
Re: The thing no one asked for: KICAD 440bx reference schematic

Reply 1492 of 1622, by porksmuggler

User metadata
Rank Newbie
myne wrote on 2024-06-07, 14:06:

Quit being a douche.

Unzip the damn file and tell which one is being flagged. No one's going to disassemble every fucking executable in a driver zip to please one obstinate asshole who can't be fucked doing the most basic thing to help substantiate their allegations.

Same to you I guess, maybe scan the .7z and see what you find. The detection was on the .7z. Why in the world would I need to extract and scan each file just to report an issue? What is going on with this forum, that replies like yours are even allowed?

I'm assuming what comes next is all these posts are deleted, right?

Reply 1493 of 1622, by myne

User metadata
Rank Oldbie

This guy couldn't replicate your problem with that file. They went further than you're willing to.
Why should anyone else bother?

Re: VOGONS Driver Library


Reply 1494 of 1622, by Horun

User metadata
Rank l33t++

I will go check it again after dinner on the Win10 box and give specifics if it does or does not find anything....
As for:

porksmuggler wrote on 2024-06-06, 22:39:

Edit: This is my last response to you, if I'm not banned I'll keep posting here though in this thread about files uploaded, that seem to have issues.

If you checked this topic, only twice have files here been reported as possibly infected since it was started in 2011.
Not just anyone can post files to the library and the file you question is from a well known long time member.
You can unzip, unrar, etc. any fileset archive without infecting your computer. It takes launching an .EXE, .COM, or using an infected DLL to actually infect a system under nearly all circumstances with files.

Hate posting a reply and then have to edit it because it made no sense 😁 First computer was an IBM 3270 workstation with CGA monitor. Stuff: https://archive.org/details/@horun

Reply 1495 of 1622, by porksmuggler

User metadata
Rank Newbie
Horun wrote on 2024-06-08, 02:22:

You can unzip, unrar, etc. any fileset archive without infecting your computer. It takes launching an .EXE, .COM, or using an infected DLL to actually infect a system under nearly all circumstances with files.

There are multiple archive code execution exploits in the wild, I will not be debating that point further. Take whatever steps you feel are sufficient. I've done exactly what I set out to do (report a possible issue) and the responses were exactly what was expected, here on Vogons at least.

Reply 1496 of 1622, by douglar

User metadata
Rank l33t
Horun wrote on 2024-06-08, 02:22:

You can unzip, unrar, etc. any fileset archive without infecting your computer. It takes launching an .EXE, .COM, or using an infected DLL to actually infect a system under nearly all circumstances with files.

As long as you are not using a compression tool that has an exploit ….
https://www.cvedetails.com/vulnerability-list … 787/Winzip.html

I remember one submission that had the Stoned virus that was caught before it was uploaded, one curious driver that had an easter egg/trojan left in it by the developer that was flagged as malware but was harmless if used on brand name hardware (https://www.f-secure.com/v-descs/cmd640x.shtml), and a handful of false positives because modern antivirus vendors don't always test their software on binaries that are more than 20 years old. But not all of those posts were in this thread.

Usually those false positives disappear after a couple weeks when someone reports them back to the developers.

porksmuggler wrote on 2024-06-07, 14:13:

I'm assuming what comes next is all these posts are deleted, right?

You probably won’t be that lucky.

Reply 1497 of 1622, by Horun

User metadata
Rank l33t++
porksmuggler wrote on 2024-06-08, 02:36:
Horun wrote on 2024-06-08, 02:22:

You can unzip, unrar, etc. any fileset archive without infecting your computer. It takes launching an .EXE, .COM, or using an infected DLL to actually infect a system under nearly all circumstances with files.

There are multiple archive code execution exploits in the wild, I will not be debating that point further. Take whatever steps you feel are sufficient. I've done exactly what I set out to do (report a possible issue) and the responses were exactly what was expected, here on Vogons at least.

The response is exactly what you expected? What does that mean?
I have done everything on my end to find a virus in that archive to confirm your report. And I am not the uploader of that file, but am trying to help.
I just re-ran the 7zip on my Windows 10 v22H2 box (From CMD: ver = Windows 10 version 10.0.19045.4412).
Last Defender update is 6/02/2024 (rechecked for newer, that was it).
And nothing found on the archive like before.
I then extracted the files to a folder and scanned all files again, and again nothing found.

So what version of 10 are you running and the date of the Defender update?

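The two posts above (DosFreak's checklist of what "same Defender" would actually have to mean, and Horun's re-scan procedure) describe a comparison that is easy to get wrong by hand. The PowerShell below is an added example written for this thread, not something posted by either member or shipped by vogonsdrivers; it collects the platform, engine and security-intelligence versions, the cloud-protection settings that a "!ml" machine-learning verdict depends on, the SHA-256 of the archive being compared, and any detection Defender records for that path. The archive path is a placeholder and the Defender cmdlets are the standard Windows 10 ones (Get-MpComputerStatus, Get-MpPreference, Start-MpScan, Get-MpThreatDetection, Get-MpThreat).

```powershell
# Added example (not from the thread): gather the facts two people need before
# they can say they scanned "the same file with the same Defender".
# Assumptions: elevated PowerShell on Windows 10; $ArchivePath is a placeholder.
param(
    [string]$ArchivePath = "$env:USERPROFILE\Downloads\ARCHIVE-PLACEHOLDER.7z"
)

# 1. Platform, engine and security-intelligence ("SI") versions. Two machines
#    with the same Windows build can still differ on every one of these.
$status = Get-MpComputerStatus
$report = [ordered]@{
    OSVersion                     = (Get-CimInstance Win32_OperatingSystem).Version
    AMProductVersion              = $status.AMProductVersion            # platform
    AMEngineVersion               = $status.AMEngineVersion             # engine
    AntivirusSignatureVersion     = $status.AntivirusSignatureVersion   # SI build
    AntivirusSignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    RealTimeProtectionEnabled     = $status.RealTimeProtectionEnabled
}

# 2. Cloud-delivered protection. A "!ml" verdict and reputation checks come from
#    the cloud service, so identical signatures can still yield different results
#    if one machine has MAPS off or cannot reach the Defender URLs.
$pref = Get-MpPreference
$report.MAPSReporting        = $pref.MAPSReporting        # 0 = off, 1 = basic, 2 = advanced
$report.SubmitSamplesConsent = $pref.SubmitSamplesConsent
$report.CloudBlockLevel      = $pref.CloudBlockLevel

if (Test-Path $ArchivePath) {
    # 3. Pin down the exact bytes: a hash settles whether everyone downloaded
    #    the same archive, something a filename alone cannot do.
    $report.SHA256    = (Get-FileHash -Algorithm SHA256 -Path $ArchivePath).Hash
    $report.SizeBytes = (Get-Item $ArchivePath).Length

    # 4. On-demand scan of just this archive. Defender inspects archive members
    #    itself, so nothing has to be extracted for the check.
    Start-MpScan -ScanType CustomScan -ScanPath $ArchivePath

    # 5. Report any detection Defender logged against this path, with the
    #    threat name and severity so the result can be quoted exactly.
    $hits = Get-MpThreatDetection |
        Where-Object { $_.Resources -match [regex]::Escape($ArchivePath) }
    foreach ($h in $hits) {
        $threat = Get-MpThreat | Where-Object { $_.ThreatID -eq $h.ThreatID }
        $report["Detection_$($h.DetectionID)"] =
            "{0} (severity {1}) at {2}" -f $threat.ThreatName, $threat.SeverityID, $h.InitialDetectionTime
    }
    if (-not $hits) { $report.Detections = "none recorded for this path" }
} else {
    $report.SHA256 = "archive not found at $ArchivePath"
}

[pscustomobject]$report | Format-List
```

Run it on each machine and compare the output side by side: if AntivirusSignatureVersion, AMEngineVersion, MAPSReporting or the SHA-256 differ, the two scans were not of the same thing under the same conditions, and a differing verdict is expected rather than suspicious. If everything matches and one machine still flags the file, the hash and detection name together are what Microsoft's submission form needs for a false-positive review.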

Reply 1498 of 1622, by appiah4

User metadata
Rank l33t++
porksmuggler wrote on 2024-06-07, 14:13:
myne wrote on 2024-06-07, 14:06:

Quit being a douche.

Unzip the damn file and tell which one is being flagged. No one's going to disassemble every fucking executable in a driver zip to please one obstinate asshole who can't be fucked doing the most basic thing to help substantiate their allegations.

Same to you I guess, maybe scan the .7z and see what you find. The detection was on the .7z. Why in the world would I need to extract and scan each file just to report an issue? What is going on with this forum, that replies like yours are even allowed?

I'm assuming what comes next is all these posts are deleted, right?

No what comes next is welcoming you to my ignore list.

Reply 1499 of 1622, by porksmuggler

User metadata
Rank Newbie
Horun wrote on 2024-06-08, 04:00:

So what version of 10 are you running and the date of the Defender update?

Thanks, it's 22H2 .4412; Defender is 6/06 as of the testing, on three separate systems. Maybe check your SI ver. I'm on 1.413.1450.