Updated SABnzbd via the control panel this evening, and when I ran the exe file, Spybot said there was a virus in it, specifically:
win32.downloader.hicrazykA
Figuring it must be a false positive, I had it ignore the warning and run the executable anyway. However, this does give me pause. Any idea why this is happening?
Spybot virus alert for v0.7.19
Re: Spybot virus alert for v0.7.19
On which file exactly? Because 55 other virus scanners agree there is no virus in SAB 0.7.19's sabnzbd.exe nor sabnzbd-console.exe
https://www.virustotal.com/latest-scan/ ... bb1b52d6ca
https://www.virustotal.com/latest-scan/ ... e2d1b2c34a
Re: Spybot virus alert for v0.7.19
Virus scanners make these kinds of mistakes with all sorts of software.
Later on the issue disappears.
In the past we had to replace the compressed sqlite DLL with an uncompressed one
because virus scanners kept reporting it.
It's likely that there's some pattern in our software that it doesn't like.
The setup.exe is generated on an almost isolated Windows XP VMWare image running on a Mac.
The same image has been used for the last two years or so.
Re: Spybot virus alert for v0.7.19
Consider informing spybot of your findings, they seem to accept reports of false positives via http://forums.spybot.info/forumdisplay.php?f=16
Re: Spybot virus alert for v0.7.19
Is it possible you downloaded it from somewhere besides the official site? Maybe upload your exe to virustotal (see sander's post) and check to see if it gets flagged. Make sure to tell it to redo the test, not use the pre-existing one.
Re: Spybot virus alert for v0.7.19
I wrote a simple script to test all SAB 0.7.19 Windows version exe files against virustotal. Result ... no viruses (duh!). So spybot is wrong, or you got an infected download (as suggested by ALbino)
Script:
Warning: using virustotal in this way is the way it is supposed to be used.
Code:
sander@flappie:~.../SABnzbd-0.7.19$ ../exe2virustotal-scanner.sh
Detection ratio: 0 / 54 be6ebb6f8c6f5ad290709fd6b5e166ad ./lib/curl.exe
Detection ratio: 0 / 55 5cd2801681568f4bf9d59cbb1b52d6ca ./SABnzbd-console.exe
Detection ratio: 0 / 55 d9554adf35c8d2f28d2a47e2d1b2c34a ./SABnzbd.exe
Detection ratio: 0 / 55 2e3cf9183162afbc3a28e41892fbcbff ./SABnzbd-helper.exe
Detection ratio: 0 / 55 0b1a2691d39deea6faea04a0255ac11e ./SABnzbd-service.exe
Detection ratio: 0 / 55 58adaecd3cec499279780f01ab27956a ./w9xpopen.exe
Detection ratio: 0 / 54 e6fdbb66a816b3d1d96a811069442ac8 ./win/par2/par2-classic.exe
Detection ratio: 0 / 54 1977f54afb662549dce68e26d6e48178 ./win/par2/par2.exe
Detection ratio: 0 / 54 abcaf37bde149152ca8ab766736d4adc ./win/par2/x64/par2.exe
Detection ratio: 0 / 54 d76c614a5810fdfaa611ee673c6737ed ./win/unrar/UnRAR.exe
Detection ratio: 0 / 54 f6cd00942f0ab9f4ea6c51d5f5693efd ./win/unrar/x64/UnRAR.exe
Detection ratio: 0 / 55 564be7d7967c1ec1e6be125c013de41f ./win/unzip/unzip.exe
Code:
#!/bin/sh
# Scan exe files in working directory and subdirectories against virustotal
# Only each file's MD5 is looked up; the file itself is not uploaded.
# Each hash is queried in its own loop pass so a ratio always stays paired with its file.
find . -type f -name "*.exe" | sort | while IFS= read -r f; do
    md5=$(md5sum "$f" | awk '{ print $1 }')
    ratio=$(lynx --dump "https://www.virustotal.com/latest-scan/$md5" </dev/null | grep -i -e detection)
    printf '%s\t%s  %s\n' "$ratio" "$md5" "$f"
done
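Added example, not part of sander's post or the SABnzbd project: a triage pass over output in the format shown above that separates clean files from files with detections and from files for which no ratio came back, so a hash with no existing report is not read as clean. The function name `triage_vt_output` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify lines shaped like the scanner output above
# ("Detection ratio: N / M <md5> <path>"). The function name is hypothetical.
# Prints one "STATUS<TAB>path" line per file and returns non-zero when any
# file is FLAGGED or UNKNOWN. Runs of spaces inside a path collapse to one.
triage_vt_output() {
    awk '
    {
        # The md5 is the first 32-hex-digit field; the path is everything after it.
        hash_at = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9a-f]+$/ && length($i) == 32) { hash_at = i; break }
        if (!hash_at) next                    # not a scanner line
        path = $(hash_at + 1)
        for (i = hash_at + 2; i <= NF; i++) path = path " " $i

        # A usable ratio exists only when the line starts "Detection ratio: N / M".
        if (hash_at == 6 && $1 == "Detection" && $2 == "ratio:" &&
            $3 ~ /^[0-9]+$/ && $4 == "/") {
            status = ($3 + 0 > 0) ? "FLAGGED" : "CLEAN"
        } else {
            status = "UNKNOWN"                # no report came back for this hash
        }
        if (status != "CLEAN") bad = 1
        printf "%s\t%s\n", status, path
    }
    END { exit bad + 0 }
    '
}

# Constructed sample input (hashes and paths are made up, not from the thread).
SAMPLE='Detection ratio: 0 / 55 00000000000000000000000000000001 ./clean.exe
Detection ratio: 3 / 54 00000000000000000000000000000002 ./win/flagged tool.exe
00000000000000000000000000000003 ./never-seen.exe'

printf '%s\n' "$SAMPLE" | triage_vt_output || echo "review needed"
```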
Re: Spybot virus alert for v0.7.19
And I ran spybot on wine on Linux, and all SABnzbd 0.7.19 Windows are clean. So there must be something wrong with the OP's setup.
Re: Spybot virus alert for v0.7.19
sander wrote: On which file exactly? Because 55 other virus scanners agree there is no virus in SAB 0.7.19's sabnzbd.exe nor sabnzbd-console.exe

Sorry, I should have been clearer — it wasn't the program's executable files but the exe file for the update itself that caused the flag. Here's where I got it from — and it was linked directly from my SABnzbd page (on localhost), so it's not like it would've been an unofficial source:
http://superb-dca2.dl.sourceforge.net/p ... -setup.exe
It was Spybot's "resident protection" that popped up when I ran the executable file, not from a direct scan. (I don't know if that makes a difference.)
Re: Spybot virus alert for v0.7.19
Data1001 wrote: http://superb-dca2.dl.sourceforge.net/p ... -setup.exe
It was Spybot's "resident protection" that popped up when I ran the executable file, not from a direct scan. (I don't know if that makes a difference.)

Also that file is clean according to Spybot and to virustotal: https://www.virustotal.com/en/file/5598 ... /analysis/
What virus did your Spybot report?
Re: Spybot virus alert for v0.7.19
Data1001 wrote: http://superb-dca2.dl.sourceforge.net/p ... -setup.exe
It was Spybot's "resident protection" that popped up when I ran the executable file, not from a direct scan. (I don't know if that makes a difference.)
sander wrote: Also that file is clean according to Spybot and to virustotal: https://www.virustotal.com/en/file/5598 ... /analysis/
What virus did your Spybot report?

See my original post, above.
Re: Spybot virus alert for v0.7.19
jcfp wrote: Consider informing spybot of your findings, they seem to accept reports of false positives via http://forums.spybot.info/forumdisplay.php?f=16

Interesting. So, after this happened the first time, I ran a full scan with Spybot, but upgraded to the new definitions first.
And just moments ago, out of curiosity, I decided to re-download that SABnzbd setup file in question, and run it as I had before. This time, I got no virus alert. So it's either one of two things, I figure: 1) Spybot is ignoring any flags this time because I told it to let it execute last time, or 2) the new Spybot definitions fixed a false positive.
In any case, I'm not going to fret about it any more. Just thought I'd bring it up initially in case anyone else had had issues, and/or knew why that was happening.
Thanks for all your responses! For now, it's back into the shadows for me...
/lurk