Driverpack Finisher detected as Virus...

Scanned the files on another machine, different platform and same results - another screenshot with all the info I can give you:

http://img404.imageshack.us/img404/551/dpacksmf5.jpg

I don't know how Symantec works, but it would seem it's flagging these files as the MSN.FLOODER virus, but their help docs on that virus just say: "MSN.Flooder is a generic name for all malware intended to flood MSN Chat channels."

I understand that it's obviously a false positive and I can set Symantec to ignore it in the future, but as the driverpacks finisher runs unattended-ly as Windows installs itself unattended-ly, there's no chance to setup this ignore rule before Symantec's Auto-Protect flags and deletes them before they ever have a chance to execute....

Thanks for any ideas you may have.

While I do agree with you that it is highly unlikely to get infected if you use some common sense in the net, I'd still advise using some AV scanner.
Granted, you must not feel 100% save by using that because no software whatsoever can guarantee you that.
However, you may get files from someone else that you deem save and if they do not use a scanner themselves, these files could already be infected (for all you know is they may not be as careful as you!).
The only solution would be not to accept any outside files but that kind of defeats the purpose of the net as a whole.

Also, a NAT FW is definately recommended BUT WILL NOT save you from any viruses!
While using a router makes any PFW (personal fire wall, such as Zone Alarm) obsolete (PFWs suck anyway because they can't protect you at all), this does not apply to viruses!
You will be save from worms but not viruses, trojans and other malware (UNLESS your router is one of these company-level models for some $10,000+).

Just my €0.02 on that matter

Coming up next - useful links:
• If you like this project, please support it with your donation!      • Grab your HW info (HWIDs) here!     
• If you are a newbie, be sure to check out the DriverPacks tutorial!     • Here's how to create your own DP!

Hahaha, that's fine, I know we have already lost you to the dark side of Mac

Ah, ok, then it's probabaly a matter of terminology.

To me, a virus always requires user input (unless you have autostart on... ), be it in form of an EXE or a corrupted multimedia file that causes a buffer overflow.

What attacks your PC through the net on unsecured ports is a worm in my book.
This is what NAT will protect you from, of course

The user input thing is certainly debatable (using your idiot reference), however, the only way to properly protect you from that is to only open/execute files you created yourself on a system that 100% wasn't infected at that time.
That means, w/o a scanner, you could even use the DriverPacks as they could potentially (from someone on the team who is unknowlingly compromised - I am not assuming anyone would deliberately do this!) be infected...
Of course, that doesn't mean you won't get false positives - but that is what common sense is for to sort them out.

Coming up next - useful links:
• If you like this project, please support it with your donation!      • Grab your HW info (HWIDs) here!     
• If you are a newbie, be sure to check out the DriverPacks tutorial!     • Here's how to create your own DP!

No, I'm not running a scan during setup - I'm not crazy

I have SAV install itself during runoncexec... and by the time it gets around to doing the driverpacks finisher, SAV has already updated itself with the latest defs and then catches the driverpack files with it's auto-protect feature.

The working solution is just to unplug the ethernet to these computers during setup.

Is this issue something we could bring to Symantec's attention?  Or more likely the driverpacks files would need to be altered/recompiled?

Thanks.

Agreed.

For my home network, I use a Linksys 802.11b (old, but reliable) router for wired/wireless connectivity and Symantec Client Security 3.1.6 (corporate SAV + soft-firewall).
The router (with IP stealthing/masking) takes care of shielding my machines from all but the determined idiots out there.  The PFW protects my machines from each other in the event one PC gets compromised from behind the router (within the network).
It's a good setup that's saved me at least once.

I also install SCS 3.1.6 during ROE and SAV has NEVER reported a virus before/during/after install/logon or anytime for that matter.  My SCS installer has the (5/30) vdef updates integrated and doesn't need to update from the internet after install.
My guess is the problem is on your end.  Scan your sources before building your ISO (something I need to get into the habit of doing myself )

Last edited by mr_smartepants (2007-06-01 19:49:38)

Read BEFORE you post.  HWID tool   DriverPacks Tutorial   DONATE!

Not all heroes wear capes, some wear Kevlar!

Bâshrat:

First, thanks for the great tool.  This is my first post, luckily I think I can help on this.  I understand that there's some usage (not sure how much yet) of AutoIT, which I also work on.

I ran into this exact same issue on another AutoIt script I wrote, and it was chewed up by Symantec Antivirus by those same definitions.  I was able to fix the problem by updating to the new AutoIt version (dated 5/25/07 I believe?).  Specifically, all I did was upgrade, then recompile the original .au3, and then SAV stopped eating the .exe's.

Anyhow, my two cents.  I think this would resolve the problem.  Thanks again!