Topic: Driverpack Finisher detected as Virus...

Hi All,

I just stumbled upon DriverPacks a few weeks ago while on my quest for a unified unattended XP install disc and love it!  That said, as of this morning, Symantec Corporate Client (with 5/30 virus defs) has been detecting the various driverpack finisher .exe files as viruses!  I took a screenshot of the info:

http://img442.imageshack.us/img442/5360 … rusqp8.png

I also downloaded a fresh copy of the driverpacks base and extracted these files on a separate machine (with 5/30 defs) and it also finds them infected.  The 5/29 definitions do not catch them.

Any idea what's going on?

Thanks.

Re: Driverpack Finisher detected as Virus...

Need more info from you. It doesn't say why it considered them a risk?
(What rule did it flag them on?)

The short answer is to tell SAV to ignore them.


Re: Driverpack Finisher detected as Virus...

Scanned the files on another machine, different platform and same results - another screenshot with all the info I can give you:

http://img404.imageshack.us/img404/551/dpacksmf5.jpg

I don't know how Symantec works, but it would seem it's flagging these files as the MSN.FLOODER virus, but their help docs on that virus just say: "MSN.Flooder is a generic name for all malware intended to flood MSN Chat channels."

I understand that it's obviously a false positive and I can set Symantec to ignore it in the future, but as the DriverPacks finisher runs unattended while Windows installs itself unattended, there's no chance to set up this ignore rule before Symantec's Auto-Protect flags and deletes the files, before they ever have a chance to execute...

Thanks for any ideas you may have.

Re: Driverpack Finisher detected as Virus...

My opinion - which you might just have to ignore - don't use an AV. When I was still on Windows, I used none for more than 2 years and never had a single virus. You only get viruses if you're 1) not behind a router (NAT FTW) or 2) if you're an idiot/noob.

EDIT:

And those pesky AV software writers should get their software right.... this is the third time already!

Founder of DriverPacks.net — wimleers.com

Re: Driverpack Finisher detected as Virus...

Bâshrat the Sneaky wrote:

My opinion - which you might just have to ignore - don't use an AV. When I was still on Windows, I used none for more than 2 years and never had a single virus. You only get viruses if you're 1) not behind a router (NAT FTW) or 2) if you're an idiot/noob.

While I do agree with you that it is highly unlikely to get infected if you use some common sense on the net, I'd still advise using some AV scanner.
Granted, you must not feel 100% safe by using that, because no software whatsoever can guarantee you that.
However, you may get files from someone else that you deem safe, and if they do not use a scanner themselves, these files could already be infected (for all you know, they may not be as careful as you!).
The only solution would be not to accept any outside files, but that kind of defeats the purpose of the net as a whole.

Also, a NAT FW is definitely recommended BUT WILL NOT save you from any viruses!
While using a router makes any PFW (personal firewall, such as ZoneAlarm) obsolete (PFWs suck anyway because they can't protect you at all), this does not apply to viruses!
You will be safe from worms but not viruses, trojans and other malware (UNLESS your router is one of these company-level models for some $10,000+).

Just my €0.02 on that matter.

Re: Driverpack Finisher detected as Virus...

Helmi wrote:
Bâshrat the Sneaky wrote:

My opinion - which you might just have to ignore - don't use an AV. When I was still on Windows, I used none for more than 2 years and never had a single virus. You only get viruses if you're 1) not behind a router (NAT FTW) or 2) if you're an idiot/noob.

While I do agree with you that it is highly unlikely to get infected if you use some common sense on the net, I'd still advise using some AV scanner.
Granted, you must not feel 100% safe by using that, because no software whatsoever can guarantee you that.
However, you may get files from someone else that you deem safe, and if they do not use a scanner themselves, these files could already be infected (for all you know, they may not be as careful as you!).
The only solution would be not to accept any outside files, but that kind of defeats the purpose of the net as a whole.

Also, a NAT FW is definitely recommended BUT WILL NOT save you from any viruses!
While using a router makes any PFW (personal firewall, such as ZoneAlarm) obsolete (PFWs suck anyway because they can't protect you at all), this does not apply to viruses!
You will be safe from worms but not viruses, trojans and other malware (UNLESS your router is one of these company-level models for some $10,000+).

Just my €0.02 on that matter.

Yeah okay, I've just had Yet Some More Bad Windows Experiences and can't stand even just looking at the OS, let alone talking about its many blatant failures, of which its virus vulnerability is one.

P.S.: viruses that don't require user interaction (i.e. that exploit security holes in Windows or other apps) don't stand a chance if you're behind a NAT router (I don't care about the FW, it's simply that nobody can address a PC behind a NAT router directly), at least in my experience.


Re: Driverpack Finisher detected as Virus...

Bâshrat the Sneaky wrote:

Yeah okay, I've just had Yet Some More Bad Windows Experiences and can't stand even just looking at the OS, let alone talking about its many blatant failures, of which its virus vulnerability is one.

Hahaha, that's fine, I know we have already lost you to the dark side of Mac.

P.S.: viruses that don't require user interaction (i.e. that exploit security holes in Windows or other apps) don't stand a chance if you're behind a NAT router (I don't care about the FW, it's simply that nobody can address a PC behind a NAT router directly), at least in my experience.

Ah, ok, then it's probably a matter of terminology.

To me, a virus always requires user input (unless you have autostart on...), be it in the form of an EXE or a corrupted multimedia file that causes a buffer overflow.

What attacks your PC through the net on unsecured ports is a worm in my book.
This is what NAT will protect you from, of course.

The user input thing is certainly debatable (using your idiot reference), however, the only way to properly protect yourself from that is to only open/execute files you created yourself on a system that 100% wasn't infected at that time.
That means, w/o a scanner, you could even use the DriverPacks as they could potentially (from someone on the team who is unknowingly compromised - I am not assuming anyone would deliberately do this!) be infected...
Of course, that doesn't mean you won't get false positives - but that is what common sense is for: to sort them out.

Re: Driverpack Finisher detected as Virus...

hi
Your cellphone can be a carrier (there are wild Bluetooth viruses around).
Your thumbstick can be a carrier (they are known to install rootkit infections).
Yesterday I saw a request for a critical Dell update, for WLAN.
I was told (by experts) most home routers have a DMZ which is not really a DMZ.

I wish the antivirus makers never threw false positives, as much as anybody else, but there will be a false positive from time to time.
Too bad this affects the tools we use here.

As an aside, are you scanning files during windows SETUP? HUH?

...but as the DriverPacks finisher runs unattended while Windows installs itself unattended, there's no chance to set up this ignore rule before Symantec's Auto-Protect flags and deletes the files, before they ever have a chance to execute...

The answer was 42?
Kind regards, Jaak.

Re: Driverpack Finisher detected as Virus...

No, I'm not running a scan during setup - I'm not crazy.

I have SAV install itself during RunOnceEx... and by the time it gets around to doing the DriverPacks finisher, SAV has already updated itself with the latest defs and then catches the DriverPacks files with its Auto-Protect feature.

The working solution is just to unplug the ethernet to these computers during setup.

Is this issue something we could bring to Symantec's attention?  Or more likely the driverpacks files would need to be altered/recompiled?

Thanks.

Re: Driverpack Finisher detected as Virus...

Mr. Dub wrote:

Is this issue something we could bring to Symantec's attention?  Or more likely the driverpacks files would need to be altered/recompiled?

Symantec, it's their false alert.
(I haven't had any reports with NOD32, btw, so it doesn't appear to be "common" to false detect these files).

Then again, that hide CMD (or whatever it was called) the DriverPacks used was replaced by Bâshrat the Sneaky when it caused about the same ruckus.
At least it wasn't so much a "false" detection, because the AVs complained about it hiding the CMD window (which is exactly what it does, meh)...

jtdoom wrote:

I was told (by experts) most home routers have a DMZ which is not really a DMZ.

That's true.
However, how many home users (not counting any of you (semi-)pros here, obviously) will make use of that feature?
For the usual guy, port forwarding will do.
Of course, then there's a certain risk with this one port, but if you want total security, unplug from the net.

Re: Driverpack Finisher detected as Virus...

Helmi wrote:
jtdoom wrote:

I was told (by experts) most home routers have a DMZ which is not really a DMZ.

That's true.
However, how many home users (not counting any of you (semi-)pros here, obviously) will make use of that feature?
For the usual guy, port forwarding will do.
Of course, then there's a certain risk with this one port, but if you want total security, unplug from the net.

Agreed.

For my home network, I use a Linksys 802.11b (old, but reliable) router for wired/wireless connectivity and Symantec Client Security 3.1.6 (corporate SAV + soft-firewall).
The router (with IP stealthing/masking) takes care of shielding my machines from all but the determined idiots out there.  The PFW protects my machines from each other in the event one PC gets compromised from behind the router (within the network).
It's a good setup that's saved me at least once.

Mr. Dub wrote:

I have SAV install itself during RunOnceEx... and by the time it gets around to doing the DriverPacks finisher, SAV has already updated itself with the latest defs and then catches the DriverPacks files with its Auto-Protect feature.

I also install SCS 3.1.6 during ROE and SAV has NEVER reported a virus before/during/after install/logon or anytime for that matter.  My SCS installer has the (5/30) vdef updates integrated and doesn't need to update from the internet after install.
My guess is the problem is on your end. Scan your sources before building your ISO (something I need to get into the habit of doing myself).

Last edited by mr_smartepants (2007-06-01 19:49:38)


Re: Driverpack Finisher detected as Virus...

Had this problem myself using SCS 3.1.6 with vdefs from 30/05, reporting that DP_Base was infected with MSN.Flooder; it also reported the same with all the AutoIt exe files that I use. But I did notice that Symantec threw a quick update to those vdefs and it looks like they've got rid of the false positive.


Re: Driverpack Finisher detected as Virus...

Bâshrat:

First, thanks for the great tool. This is my first post; luckily I think I can help on this. I understand that there's some usage (not sure how much yet) of AutoIt, which I also work on.

I ran into this exact same issue on another AutoIt script I wrote, and it was chewed up by Symantec Antivirus by those same definitions. I was able to fix the problem by updating to the new AutoIt version (dated 5/25/07 I believe?). Specifically, all I did was upgrade, then recompile the original .au3, and then SAV stopped eating the .exes.

Anyhow, my two cents.  I think this would resolve the problem.  Thanks again!

Re: Driverpack Finisher detected as Virus...

@OverFlow: it seems DietCoke (welcome btw) has the solution! And it's an easy one.
