9th August 2004, 16:09   #1
ferec
Junior Member
 
Join Date: Aug 2004
Posts: 4
nsisdl.dll contains Download.Trojan

Symantec is telling me that the nsisdl.dll contains the Download.Trojan virus.

I also just clicked on the link to download the nightly build ZIP file and it also comes up with the trojan.

Is this correct or does the download code in nsisdl look like the trojan?

Last edited by ferec; 9th August 2004 at 16:28.
9th August 2004, 16:20   #2
Brummelchen
Major Dude
 
Join Date: May 2003
Posts: 679
just a hoax

http://forums.winamp.com/showthread....hreadid=172956
http://forums.winamp.com/showthread....hreadid=170766

Greets, Brummelchen
9th August 2004, 16:29   #3
ferec
Junior Member
 
Join Date: Aug 2004
Posts: 4
So, is this something new that we should alert Symantec of? The links you posted reference other viruses, but not Download.Trojan.
9th August 2004, 16:44   #4
razor_x
Member
 
Join Date: Feb 2004
Posts: 58
Quote:
Originally posted by ferec
So, is this something new that we should alert Symantec of? The links you posted reference other viruses, but not Download.Trojan.

download.trojan is a generic TYPE, not a specific. A lot of code may fit the "profile" of download.trojan, for example... nsisdl.dll may be loosely associated merely because it attempts connections. This is called a "false positive".
9th August 2004, 16:46   #5
Joel
Debian user
(Forum King)
 
Join Date: Jan 2003
Location: Arch land
Posts: 4,900
I also have Norton AV and I don't have that alert....


9th August 2004, 16:50   #6
ferec
Junior Member
 
Join Date: Aug 2004
Posts: 4
I only get it if I manually kick off a scan of that directory. We are using the Symantec AV Corporate Edition.

So - sounds like the consensus is that this is a false-positive.
9th August 2004, 17:40   #7
razor_x
Member
 
Join Date: Feb 2004
Posts: 58
Quote:
Originally posted by ferec
I only get it if I manually kick off a scan of that directory. We are using the Symantec AV Corporate Edition.

So - sounds like the consensus is that this is a false-positive.
Well, I have been using nsisdl.dll for some time.. while it has some issues, being a trojan isn't one of them
10th August 2004, 00:31   #8
screff
Junior Member
 
Join Date: Aug 2004
Posts: 4
The same thing happens to me. If I try to compile any NSI scripts Symantec AV quarantines the dll saying that it is Download.Trojan.

I'm using Symantec Anti-Virus Corporate Edition 9.0.0.338 Scan engine 1.2.0.13 with defs at 8/9/2004 rev. 37.

I think the definitions that came out today started detecting it.

I posted to Symantec's support forum in the hopes that they will fix this in their next virus definition upgrades. The post is available here: http://*******.com/6csvr

Last edited by screff; 10th August 2004 at 01:22.
10th August 2004, 14:08   #9
Joel
Debian user
(Forum King)
 
Join Date: Jan 2003
Location: Arch land
Posts: 4,900
Is the nsisdl.dll the only file infected according to Symantec scan engine?


10th August 2004, 16:10   #10
ferec
Junior Member
 
Join Date: Aug 2004
Posts: 4
Yes, that was the only one quarantined.
10th August 2004, 16:57   #11
shins
Senior Member
 
Join Date: Feb 2003
Posts: 157
Here's a screenshot of the alert if anyone is interested.
Attached image: nsis_trojan2.jpg (24.6 KB)
10th August 2004, 21:01   #12
ekiller200
Junior Member
 
Join Date: May 2004
Posts: 2
I don't know why Norton is flagging this dll now? I could be wrong but I do believe Norton comes out with new virus defs on Tuesdays. A dll that can fetch a file from the internet along with a dll to execute the downloaded file could be considered dangerous.. But it is also a great tool.

Nevertheless.. I fixed this Norton problem by rebuilding nsisdl.dll from source. I don't know the detail on why this works, but I am going to look into this more (to make sure it doesn't happen again).

Unfortunately I think all clients who are using our old install will have this problem if they are running Norton antivirus..
11th August 2004, 12:19   #13
zimsms
Senior Member
 
Join Date: Jan 2004
Location: London, Ontario, Canada
Posts: 272
Hello All,

I have quite a few installers, that worked fine yesterday, now the same binary a day later is popping up the Norton Virus Quarantine as posted above. Has anyone found a resolution to this?
11th August 2004, 13:27   #14
pengyou
Major Dude
 
Join Date: Mar 2003
Posts: 570
Quote:
Has anyone found a resolution to this?
It seems that updating to the latest definitions (10 August or later) will stop Symantec/Norton AntiVirus from quarantining nsisdl.dll:

http://sourceforge.net/tracker/index...49&atid=373085
11th August 2004, 13:32   #15
zimsms
Senior Member
 
Join Date: Jan 2004
Location: London, Ontario, Canada
Posts: 272
Live update says there are no new defs. How do I get the ones for August 10th?

[EDIT]
N/m I got it. Why can't they just get live update to do it as well! Thanks!
[/EDIT]
11th August 2004, 18:28   #16
screff
Junior Member
 
Join Date: Aug 2004
Posts: 4
I can confirm the 8/10/2004 rev. 23 definitions fix the problem. woohoo!
26th August 2004, 16:47   #17
go_jesse
Junior Member
 
Join Date: Aug 2004
Location: Portland, OR, USA
Posts: 1
McAfee is now doing the same thing, defs version 4388

[doh] I should have read the other thread

Last edited by go_jesse; 26th August 2004 at 17:20.
26th August 2004, 19:20   #18
coopey247
Junior Member
 
Join Date: Dec 2002
Posts: 11
I've got McAfee 7.1, Virus Definitions 4388, created on Aug 25th. It is calling nsisdl.dll a "Downloader-OG" trojan. How dare they mess with my NSIS, I oughta......
27th August 2004, 12:19   #19
VegetaSan
Senior Member
 
Join Date: Jan 2004
Location: The Netherlands
Posts: 260
I don't have that problem (using McAfee). This is kinda weird....
27th August 2004, 14:00   #20
zimsms
Senior Member
 
Join Date: Jan 2004
Location: London, Ontario, Canada
Posts: 272
Hello McAfee users,

It states right on the McAfee Customer Support Knowledge Base page that the virus definition files 4388, are incorrectly identifying nsisdl.dll as being a virus. They also state that this has been addressed in the 4389 definitions. However, they haven't released the 4389 definitions as of yet.
27th August 2004, 16:12   #21
Brummelchen
Major Dude
 
Join Date: May 2003
Posts: 679
@McAfee users - define "nsisdl.dll" as an exception rule (file/folder) for read & write (access and manual scan).
No target folder needed, just the name, because this dll is mostly used in an nsis-tmp-folder.

Greets, Brummelchen
20th May 2006, 11:22   #22
MarkEWaite
Junior Member
 
Join Date: May 2006
Posts: 1
Symantec's virus definition file dated 18 May 2006 version 17 again shows NSISdl.dll from NSIS 2.16 as infected with Trojan.Download. http://nsis.sourceforge.net has a new version, 2.17, that Symantec does not report as virus infected, but we've manufactured 1500 CDs that include NSISdl.dll and don't want to destroy those CDs because Symantec has a false positive in their definition file.

Any suggestions on the best way to persuade Symantec that their flagging is a false positive?
20th May 2006, 11:27   #23
kichik
M.I.A.
[NSIS Dev, Mod]
 
Join Date: Oct 2001
Location: Israel
Posts: 11,342
Use their own tools to report it or the submission form. There is no need to destroy any CDs, they'll fix it.

More at: http://sourceforge.net/tracker/index...49&atid=373085
