Spybot virus alert for v0.7.19

Data1001
Newbie
Posts: 4
Joined: November 18th, 2014, 4:07 am

Spybot virus alert for v0.7.19

Post by Data1001 »

Updated SABnzbd via the control panel this evening, and when I ran the exe file, Spybot said there was a virus in it, specifically:
win32.downloader.hicrazykA

Figuring it must be a false positive, I had it ignore the warning and run the executable anyway. However, this does give me pause. Any idea why this is happening?
sander
Release Testers
Posts: 8811
Joined: January 22nd, 2008, 2:22 pm

Re: Spybot virus alert for v0.7.19

Post by sander »

On which file exactly? Because 55 other virus scanners agree there is no virus in SAB 0.7.19's sabnzbd.exe nor sabnzbd-console.exe


https://www.virustotal.com/latest-scan/ ... bb1b52d6ca
https://www.virustotal.com/latest-scan/ ... e2d1b2c34a
shypike
Administrator
Posts: 19774
Joined: January 18th, 2008, 12:49 pm

Re: Spybot virus alert for v0.7.19

Post by shypike »

Virus scanners make these kinds of mistakes with all sorts of software.
Later on the issue disappears.
In the past we had to replace the compressed sqlite DLL with an uncompressed one
because virus scanners kept reporting it.
It's likely that there's some pattern in our software that it doesn't like.

The setup.exe is generated on an almost isolated Windows XP VMware image running on a Mac.
The same image has been used for the last two years or so.
jcfp
Release Testers
Posts: 986
Joined: February 7th, 2008, 12:45 pm

Re: Spybot virus alert for v0.7.19

Post by jcfp »

Consider informing spybot of your findings, they seem to accept reports of false positives via http://forums.spybot.info/forumdisplay.php?f=16
ALbino
Full Member
Posts: 214
Joined: October 23rd, 2014, 12:28 am

Re: Spybot virus alert for v0.7.19

Post by ALbino »

Is it possible you downloaded it from somewhere besides the official site? Maybe upload your exe to virustotal (see sander's post) and check to see if it gets flagged. Make sure to tell it to redo the test, not use the pre-existing one.
sander
Release Testers
Posts: 8811
Joined: January 22nd, 2008, 2:22 pm

Re: Spybot virus alert for v0.7.19

Post by sander »

I wrote a simple script to test all SAB 0.7.19 Windows version exe files against virustotal. Result ... no viruses (duh!). So spybot is wrong, or you got an infected download (as suggested by ALbino)

Code:

sander@flappie:~.../SABnzbd-0.7.19$ ../exe2virustotal-scanner.sh
   Detection ratio: 0 / 54	be6ebb6f8c6f5ad290709fd6b5e166ad  ./lib/curl.exe
   Detection ratio: 0 / 55	5cd2801681568f4bf9d59cbb1b52d6ca  ./SABnzbd-console.exe
   Detection ratio: 0 / 55	d9554adf35c8d2f28d2a47e2d1b2c34a  ./SABnzbd.exe
   Detection ratio: 0 / 55	2e3cf9183162afbc3a28e41892fbcbff  ./SABnzbd-helper.exe
   Detection ratio: 0 / 55	0b1a2691d39deea6faea04a0255ac11e  ./SABnzbd-service.exe
   Detection ratio: 0 / 55	58adaecd3cec499279780f01ab27956a  ./w9xpopen.exe
   Detection ratio: 0 / 54	e6fdbb66a816b3d1d96a811069442ac8  ./win/par2/par2-classic.exe
   Detection ratio: 0 / 54	1977f54afb662549dce68e26d6e48178  ./win/par2/par2.exe
   Detection ratio: 0 / 54	abcaf37bde149152ca8ab766736d4adc  ./win/par2/x64/par2.exe
   Detection ratio: 0 / 54	d76c614a5810fdfaa611ee673c6737ed  ./win/unrar/UnRAR.exe
   Detection ratio: 0 / 54	f6cd00942f0ab9f4ea6c51d5f5693efd  ./win/unrar/x64/UnRAR.exe
   Detection ratio: 0 / 55	564be7d7967c1ec1e6be125c013de41f  ./win/unzip/unzip.exe
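
Script:

Code:

#!/bin/sh
# Scan exe files in working directory and subdirectories against virustotal.
# For each file, print the "Detection ratio" line from the VirusTotal page for
# its MD5, then a tab, then the md5sum line (hash and path).
find . -type f -name "*.exe" | sort | while IFS= read -r exe; do
    # Quote the path so names containing spaces are hashed correctly
    sum_line=$(md5sum "$exe")
    ratio=$(lynx --dump "https://www.virustotal.com/latest-scan/${sum_line%% *}" | grep -i -e detection)
    printf '%s\t%s\n' "$ratio" "$sum_line"
done
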
Warning: using virustotal in this way is the way it is supposed to be used.
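
Added example, not part of sander's post or the SABnzbd project: a clean scan result only applies to a local file if its hash matches the one that was scanned, so this compares local exe files against a saved report in the output format shown above. The names `check_against_report` and `demo`, the `MATCH`/`MISMATCH`/`UNLISTED` labels and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare local .exe files with a saved scan report whose lines
# look like "   Detection ratio: 0 / 55<TAB><md5>  ./path".
# MD5 is used only because the report is keyed by it.
# Usage: check_against_report REPORT DIR
check_against_report() {
    report=$1
    dir=${2%/}
    find "$dir" -type f -name '*.exe' | sort | while IFS= read -r f; do
        rel=./${f#"$dir"/}
        local_sum=$(md5sum "$f" | awk '{ print $1 }')
        # Field 2 (after the tab) is "<32-hex md5>  <path>", as md5sum prints it.
        listed_sum=$(REL="$rel" awk -F '\t' '
            substr($2, 35) == ENVIRON["REL"] { print substr($2, 1, 32); exit }' "$report")
        if [ -z "$listed_sum" ]; then
            echo "UNLISTED $rel"    # no scan result recorded for this path
        elif [ "$local_sum" = "$listed_sum" ]; then
            echo "MATCH $rel"       # same bytes as the file that was scanned
        else
            echo "MISMATCH $rel"    # scan result does not cover this copy
        fi
    done
}

# Constructed demo: one file that matches its report entry, one that does not.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/rel"
    printf 'installer bytes' > "$d/rel/setup.exe"
    printf 'other bytes' > "$d/rel/helper.exe"
    sum=$(md5sum "$d/rel/setup.exe" | awk '{ print $1 }')
    { printf '   Detection ratio: 0 / 55\t%s  ./setup.exe\n' "$sum"
      printf '   Detection ratio: 0 / 55\t%032d  ./helper.exe\n' 0; } > "$d/report"
    check_against_report "$d/report" "$d/rel"
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then check_against_report "$1" "$2"; else demo; fi
```
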
sander
Release Testers
Posts: 8811
Joined: January 22nd, 2008, 2:22 pm

Re: Spybot virus alert for v0.7.19

Post by sander »

And I ran spybot on wine on Linux, and all SABnzbd 0.7.19 Windows are clean. So there must be something wrong with the OP's setup.
Data1001
Newbie
Posts: 4
Joined: November 18th, 2014, 4:07 am

Re: Spybot virus alert for v0.7.19

Post by Data1001 »

sander wrote: On which file exactly? Because 55 other virus scanners agree there is no virus in SAB 0.7.19's sabnzbd.exe nor sabnzbd-console.exe

Sorry, I should have been clearer — it wasn't the program's executable files but the exe file for the update itself that caused the flag. Here's where I got it from — and it was linked directly from my SABnzbd page (on localhost), so it's not like it would've been an unofficial source:

http://superb-dca2.dl.sourceforge.net/p ... -setup.exe

It was Spybot's "resident protection" that popped up when I ran the executable file, not from a direct scan. (I don't know if that makes a difference.)
sander
Release Testers
Posts: 8811
Joined: January 22nd, 2008, 2:22 pm

Re: Spybot virus alert for v0.7.19

Post by sander »

Data1001 wrote: http://superb-dca2.dl.sourceforge.net/p ... -setup.exe

It was Spybot's "resident protection" that popped up when I ran the executable file, not from a direct scan. (I don't know if that makes a difference.)

Also that file is clean according to Spybot and to virustotal: https://www.virustotal.com/en/file/5598 ... /analysis/

What virus did your Spybot report?
Data1001
Newbie
Posts: 4
Joined: November 18th, 2014, 4:07 am

Re: Spybot virus alert for v0.7.19

Post by Data1001 »

sander wrote:
Data1001 wrote: http://superb-dca2.dl.sourceforge.net/p ... -setup.exe

It was Spybot's "resident protection" that popped up when I ran the executable file, not from a direct scan. (I don't know if that makes a difference.)
Also that file is clean according to Spybot and to virustotal: https://www.virustotal.com/en/file/5598 ... /analysis/

What virus did your Spybot report?

See my original post, above.
Data1001
Newbie
Posts: 4
Joined: November 18th, 2014, 4:07 am

Re: Spybot virus alert for v0.7.19

Post by Data1001 »

jcfp wrote: Consider informing spybot of your findings, they seem to accept reports of false positives via http://forums.spybot.info/forumdisplay.php?f=16

Interesting. So, after this happened the first time, I ran a full scan with Spybot, but upgraded to the new definitions first.

And just moments ago, out of curiosity, I decided to re-download that SABnzbd setup file in question, and run it as I had before. This time, I got no virus alert. So it's either one of two things, I figure: 1) Spybot is ignoring any flags this time because I told it to let it execute last time, or 2) the new Spybot definitions fixed a false positive.

In any case, I'm not going to fret about it any more. Just thought I'd bring it up initially in case anyone else had had issues, and/or knew why that was happening.

Thanks for all your responses! For now, it's back into the shadows for me... ^-^
/lurk