[jitsi-dev] Virus-Warning on jmsoutlookaddrbook.dll


#1

Hello

One of our users reported a virus warning on jmsoutlookaddrbook.dll (current rev. 8309). Looking at it with VirusTotal [1] indicates that it is most probably a false positive. I'm not sure if you can do anything about that because it's the heuristics that kick in - very likely on the involved MAPI code. But as some very popular products like AntiVir are among the alerters, it should still be worth taking a look.

Regards,
Ingo

[1] http://www.virustotal.com/file-scan/report.html?id=d41a9195ba0063759cdfa46f1bcb8cfe2558229fc2cf4eedc2bdadc7408882c2-1299250712


#2

Thank you, Ingo. As far as my experience goes, Avira AntiVir and
Microsoft Security Essentials still haven't complained about it. I'll
switch its compiler from mingw-w64 to mingw.

···

On Fri, Mar 4, 2011 at 5:19 PM, Bauersachs Ingo <ingo.bauersachs@fhnw.ch> wrote:

One of our users reported a virus warning on jmsoutlookaddrbook.dll


#3

Ingo, I rebuilt jmsoutlookaddrbook.dll for Windows x86 and x64 using
tdm-gcc instead of mingw-w64 and I committed them in r8343. Please let
us know if any of them continues to be reported as a virus.

···

On Fri, Mar 4, 2011 at 5:19 PM, Bauersachs Ingo <ingo.bauersachs@fhnw.ch> wrote:

One of our users reported a virus warning on jmsoutlookaddrbook.dll (current rev. 8309).


#4

Hi all,

I wanted to report that I still stumbled into this issue on Win 7
(32-bit), running the latest nightly builds of Jitsi. Avira AntiVir is
the antivirus software in question.

Cheers,
Johannes


#5

Hey

I wanted to report that I still stumbled into this issue on Win 7
(32-bit), running the latest nightly builds of Jitsi. Avira AntiVir is
the antivirus software in question.

The file hasn't changed since March 4th. But as [1] shows, the virus signatures obviously have: now 11 of 43 scanners report the 32-bit DLL as a threat. I don't think a recompile with yet another compiler will resolve this, as it's the heuristics which seem to kick in.

Ideas from looking at the source:
- Accessing outlook.exe's FileAttributes
- Dynamically loading mapi32 (could possibly be resolved by statically linking an intermediate native lib to mapi32 and loading the intermediary dynamically)
- Well, MAPI in general... since MS blocks Scripting CDO, even the malware has to resort to MAPI...

Regards,
Ingo


#6

Hello Ingo,

- Accessing outlook.exe's FileAttributes
- Dynamically loading mapi32 (could possibly be resolved by statically linking an intermediate native lib to mapi32 and load the intermediary dynamically)

I'd really like to read anything on the subject. Could you please
point us to references which, for example, deem specific Win32 API
calls such as GetFileAttributes suspicious?

- Well, MAPI in general... since MS blocks Scripting CDO even the Malware has to resort to MAPI...

Generally, are you aware of any way to receive any feedback from the
anti-virus software (developers) with respect to what is causing the
false positive?

Thank you very much,
Lyubomir

···

On Tue, Mar 15, 2011 at 10:00 PM, Bauersachs Ingo <ingo.bauersachs@fhnw.ch> wrote:


#7

Hey

I'd really like to read anything on the subject. Could you please
point us to references which, for example, deem specific Win32 API
calls such as GetFileAttributes suspicious?

That was just a wild guess. If I were to develop an antivirus heuristic, I'd definitely watch for activities on Outlook.

- Well, MAPI in general... since MS blocks Scripting CDO even the
Malware has to resort to MAPI...

Generally, are you aware of any way to receive any feedback from the
anti-virus software (developers) with respect to what is causing the
false positive?

I did a quick search on the name McAfee uses as the threat name - Artemis - and came up with a forum post [1] that seems somewhat helpful. I have some contacts at the Swiss subsidiary of Norman, but Norman doesn't cause an alarm (at least for now, [2]).

I doubt that contacting the vendors will help. There are just too many of them and they probably won't reveal their "super secure marketing hyped patented supadupa engine" details. Some uploads to VirusTotal of an older (closed source) project I worked on years ago that heavily interacts with MAPI didn't cause any alarm. I'm trying to get my old dev environment working again so I can compile the Addressbook-DLL myself and check various versions, but I can't work on that before the weekend.

Regards,
Ingo

[1] https://community.mcafee.com/thread/2016
[2] http://www.virustotal.com/file-scan/report.html?id=96162c14817f63a57fe10fa674251ec383a5caf854846f963283eb67965161cd-1300218282


#8

It seems great minds do think alike ;-) I read this thread and sent an
e-mail to Virus_Research@avertlabs.com before receiving your pointer
to it. I'll keep you posted if there's a response whatsoever.

···

On Wed, Mar 16, 2011 at 10:37 AM, Bauersachs Ingo <ingo.bauersachs@fhnw.ch> wrote:

[1] https://community.mcafee.com/thread/2016


#9

In addition to McAfee, I submitted reports for a false positive on
jmsoutlookaddrbook.dll to Avast and F-Secure. If things go according
to plan, neither of them will respond. Anyway, miracles will be
welcomed.


#10

I submitted a false-positive report to Avira; let's hope they react as the others miraculously did. At VirusTotal we're back down to 5 alerts.

Ingo

···

-----Original Message-----
From: Lyubomir Marinov [mailto:lubo@sip-communicator.org]
Sent: Wednesday, 16 March 2011 11:32
To: dev@jitsi.java.net
Subject: [jitsi-dev] Re: Virus-Warning on jmsoutlookaddrbook.dll


#11

Here's Avira's answer. Now let's hope that a future recompile won't trigger their alarms again...

Regards,
Ingo

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00705173.
A listing of files alongside their results can be found below:

File ID    Filename                 Size (Byte)   Result
26077708   jmsoutlookaddrbook.dll   17 KB         FALSE POSITIVE

Please find a detailed report concerning each individual sample below:

Filename                 Result
jmsoutlookaddrbook.dll   FALSE POSITIVE

The file 'jmsoutlookaddrbook.dll' has been determined to be 'FALSE POSITIVE'. In particular, this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

Alternatively you can see the analysis result here:
http://analysis.avira.com/samples/details.php?uniqueid=d1Gg29BKMKI8MyI5w1UykUDY3h3kFvX6&incidentid=705173

An overview of all your submissions can be found here:
http://analysis.avira.com/samples/details.php?uniqueid=d1Gg29BKMKI8MyI5w1UykUDY3h3kFvX6
Please note: If you have specific questions please address them to support@avira.com
Kind regards
Avira Virus Lab

···

---------------------------------------------
Avira GmbH
Lindauer Str. 21, D-88069 Tettnang, Germany
Phone: +49 (0) 7542-500 0
Fax: +49 (0) 7542-525 10
Internet: http://www.avira.com

CEO: Tjark Auerbach
Headquarter: Tettnang
Commercial register: AG Ulm HRB 630992
---------------------------------------------

-----Original Message-----
From: Bauersachs Ingo [mailto:ingo.bauersachs@fhnw.ch]
Sent: Friday, 18 March 2011 14:27
To: dev@jitsi.java.net
Subject: [jitsi-dev] Re: Virus-Warning on jmsoutlookaddrbook.dll