False virus detections in Slideshow

A minority of antivirus products, especially Symantec and McAfee products, have a predilection for claiming the download is infected with a virus from time to time.

This is a recurring problem about which I am notified every so often by concerned users. So far, these detections have always been false positives and are a result of faulty antivirus heuristics. McAfee in particular is notorious for false positives: just search for “mcafee false positive” on any search engine and you’ll see what I mean.

If in doubt, check the MD5 or SHA-1 checksums of the download against those listed on the download page, or test the download before running using the Jotti malware scanner. If past results are anything to go by, a couple of the less popular antivirus scanners used on Jotti will report a problem – all of them mysteriously different. Past detections claimed to be in this file include:

Gen:Trojan
Gen.Trojan!IK
Gen:Trojan.Heur.FG0@tnHF6Yli
W32/Trojan-Gypikon-based.DE!Maximus
Infostealer.Bancos
PWS-Banker!dmh
TrojanSpy:Win32/Mafod!rts
Trojan.Win32.Generic.pak!cobra
Win-Trojan/Xema.variant
TROJ_GEN.RCBH1KU

Neither TrendMicro OfficeScan nor Microsoft Security Essentials report any problem as of the time of writing in March 2010.

The original .exe file on my computer, compiled from the source, gets the same results when scanned online. Furthermore, the virus Symantec claim it is infected with is a quite specific Trojan that “mimics the interface of certain Brazilian banks in an attempt to collect passwords and other sensitive information”. There is nothing in the Slideshow program that looks like a Brazilian bank.

Symantec have recently reviewed this problem and sent the following response:

“We are writing in relation to your submission through Symantec’s on-line False Positive Submission form in relation to the Slideshow software being detected by Symantec Software. In light of further investigation and analysis, Symantec is happy to remove this detection from within its products.

The changes will be distributed in forthcoming updates to our definition sets. The availability and timing will depend upon the product version used.”

Microsoft have determined the same:

The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 3/27/2010 3:59:29 AM Pacific Time.

Below is the determination for your submission.

Submission ID MMPC10032736064923

Submitted Files

=============================================

Slideshow.exe [Not Malware]

Analyst Comments

================

— 3/29/2010 6:10:17 PM —

Detection has been removed and automation rules amended. Thank you.

As have Sunbelt:

Thank you for your submission. This is indeed a false positive and will be corrected in the next definitions update later today.

From: Security Response

Sent: Thursday, February 17, 2011 3:19 AM

Subject: False Positive Report

A developer has submitted information about their product which may be flagged as malware.

Sunbelt Product: Vipre®

Contact name: James Schlackman

Product name affected: In-house developed software (Slideshow)

Product versions affected: 1.3.3a

Product is detected as: Trojan.Win32.Generic.pak!cobra

McAfee do not have a false positive dispute system that I have been able to locate; hardly surprising given that a few years ago when a false positive at a customer site was wreaking havoc, the agent I spoke with at McAfee support didn’t even understand the concept of a false positive. If you are a McAfee customer, I strongly suggest switching to an antivirus program that is not as prone to paranoid delusions and is supported by people who aren’t entirely ignorant of their field.