Norton Antivirus Tags 0 A.D. 0.0.15 Alpha uninstall.exe as a Trojan.


Theokritos

What:

Norton Antivirus (21.1.0.18) reports that the 0 A.D. (0.0.15 alpha) uninstall.exe is a Trojan and quarantines the module.

When:

Saturday, January 4th, 2014

Where:

Windows 7 Ultimate (64 bit - 6.1.7601 Service Pack 1 Build 7601)

How:

Visited the 0 A.D. website (play0ad.com) and clicked on the Windows download link. Downloaded 0ad-0.0.15-alpha-win32 and manually scanned for viruses. Opened 0ad-0.0.15-alpha-win32, redirected the output to an external hard disk (f:\) and then monitored the installation process. Nothing unusual happened until towards the very end of the installation when Norton Antivirus reported that f:\user\avalon\appdata\local\0 a.d. alpha\uninstal.exe was a Trojan (Suspicious.Cloud.9) and quarantined the file. The installation process continued running for a short time longer and displayed the 'Finish' message. The process was finished without starting 0 A.D. and research began into the Trojan report.


I doubt there's anything we can do about this; however, there should be some kind of function in the antivirus software where you can "Report false positive"/send in the file to be evaluated or something similar, so they can change their detection so it doesn't falsely report 0 A.D. as a virus.


Antivirus companies have whitelisting programs for removing false positives. For Norton, a whitelisting request can be made at https://submit.symantec.com/whitelist/isv/

From what I have heard, unless some special procedure is gone through (probably with digital signatures), whitelisting will only apply to one specific version (installer, exe, etc.) and for subsequent versions whitelisting needs to be done again (on Norton's whitelisting page it also says: 'If your file/software changes or updates then you will need to re-submit the request for your updated software.').

Someone with the Windows version could upload the 0 A.D. binaries (executable files) to https://www.virustotal.com/en/ and see how many tools report them as positive for viruses.
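
The post above notes that a whitelist entry tends to cover one exact file unless digital signatures are involved. As an added example (not part of the original thread or the 0 A.D. project), this Python sketch computes a build's SHA-256 and checks whether its PE header points at an embedded Authenticode certificate table; `pe_signature_info` and `build_sample` are hypothetical names, and the sample bytes are constructed headers, not the real installer.

```python
import hashlib
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def pe_signature_info(data: bytes):
    """Return (sha256_hex, has_certificate_table) for a PE image held in memory."""
    digest = hashlib.sha256(data).hexdigest()
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = pe_off + 4 + 20                                 # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
    if count <= SECURITY_DIR_INDEX:
        return digest, False
    offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)
    # For this one directory the first field is a file offset, not an RVA.
    return digest, offset > 0 and size > 0 and offset + size <= len(data)

def build_sample(version_tag: bytes, signed: bool) -> bytes:
    """Constructed minimal PE32 header plus a version tag; not a real installer."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + b"\0" * 20
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    cert = b"\x01" * 16 if signed else b""                # placeholder blob, not a real signature
    if signed:
        cert_off = len(dos) + len(coff) + len(opt) + len(version_tag)
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, cert_off, len(cert))
    return dos + coff + bytes(opt) + version_tag + cert

if __name__ == "__main__":
    for tag, signed in ((b"0.0.15", False), (b"0.0.16", False), (b"0.0.16", True)):
        sha, has_sig = pe_signature_info(build_sample(tag, signed))
        print(tag.decode(), sha[:16], "certificate table present" if has_sig else "unsigned")
```

A present certificate table only shows that a signature is embedded, not that it is valid; on Windows, `Get-AuthenticodeSignature` performs the actual verification.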

Did it just for fun; seems that Norton hasn't improved in years...

1388952790-fail-2.png


I don't know them unless it's a joke ;)

CMD is fun for autoruns (i.e.: attrib -s -h) ;)

I like Security Essentials, can be shut down when it needs to. MalwareBytes is good too, although that's not really an anti-virus.

cmd = Command Prompt aka Windows terminal.

EnCase is for forensics; in other words, I don't use an AV, I don't need one ;)

Edited by Romulous

Maybe it's doing something similar to Avast, which has a kind of "cloud"-based protection system that will flag every executable as suspicious and possibly dangerous until it has been scanned enough and reported back to their servers (unless the app is whitelisted by the user). With Avast, probably only the first few people to run the game will encounter that. In fact it launches the game in a sandbox and causes an error, which we should troubleshoot sometime.
