From: FromTheRafters on 31 May 2010 21:13

"VanguardLH" <V(a)nguard.LH> wrote in message news:hu11jn$ipp$1(a)news.albasani.net...
> FromTheRafters wrote:
>
>> Man-wai Chang wrote ...
>>
>>> Avira (forgot when) had once reported it as a virus....
>>
>> No, it was probably a false positive detection at one time - since
>> corrected. You could submit the program to virustotal.com, jotti.org, or
>> virscan.org to see what some other scanners have to report.
>>
>> ...better safe than sorry.
>
> Until the AV program quarantines system files for the OS. A false
> positive on a system file could render your OS unbootable or
> inoperable.

Those are file submission scanners, no danger of that.
From: VanguardLH on 31 May 2010 22:23

FromTheRafters wrote:
> VanguardLH wrote ...
>
>> FromTheRafters wrote:
>>
>>> No, it was probably a false positive detection at one time - since
>>> corrected. You could submit the program to virustotal.com,
>>> jotti.org, or virscan.org to see what some other scanners have to
>>> report.
>>>
>>> ...better safe than sorry.
>>
>> Until the AV program quarantines system files for the OS. A false
>> positive on a system file could render your OS unbootable or
>> inoperable.
>
> Those are file submission scanners, no danger of that.

I thought you meant "better safe than sorry ... to allow false positives". I have my AV program alert me on *everything* it thinks is bad; i.e., no automatic actions. I'll be able to figure out if the file belongs to an app or to the OS and then investigate what that file should really contain to determine if it was a false positive. I've hit far more false positives in a variety of AV programs than I have ever discovered for infections on my host. Letting the AV program automatically dump files into its quarantine area (which means not even the OS can get at it) could result in a dead OS or app.

Quarantining is usually an automatic action performed by the AV program. I don't believe in allowing automatic quarantines; however, that also means the user needs some education regarding their OS and has to have some initiative to investigate the claim of an infection.

The online scanners make a good backup to get more opinions regarding the good/bad status of a file. However, since only an on-demand scan is performed against the uploaded file, only the current signatures can be tested against the uploaded file. None of the heuristics can be used against the behavior of the functions performed by execution of the file or any libraries it happened to call. So the online scanners are only good for a signature test against known malware. Zero-day malware won't be caught that way.
From: FromTheRafters on 31 May 2010 22:38

"VanguardLH" <V(a)nguard.LH> wrote in message news:hu1quu$onr$1(a)news.albasani.net...
> FromTheRafters wrote:
>
>> VanguardLH wrote ...
>>
>>> FromTheRafters wrote:
>>>
>>>> No, it was probably a false positive detection at one time - since
>>>> corrected. You could submit the program to virustotal.com,
>>>> jotti.org, or virscan.org to see what some other scanners have to
>>>> report.
>>>>
>>>> ...better safe than sorry.
>>>
>>> Until the AV program quarantines system files for the OS. A false
>>> positive on a system file could render your OS unbootable or
>>> inoperable.
>>
>> Those are file submission scanners, no danger of that.
>
> I thought you meant "better safe than sorry ... to allow false
> positives". I have my AV program alert me on *everything* it thinks is
> bad; i.e., no automatic actions. I'll be able to figure out if the file
> belongs to an app or to the OS and then investigate what that file
> should really contain to determine if it was a false positive. I've hit
> far more false positives in a variety of AV programs than I have ever
> discovered for infections on my host. Letting the AV program
> automatically dump files into its quarantine area (which means not even
> the OS can get at it) could result in a dead OS or app.
>
> Quarantining is usually an automatic action performed by the AV program.
> I don't believe in allowing automatic quarantines; however, that also
> means the user needs some education regarding their OS and has to have
> some initiative to investigate the claim of an infection.
>
> The online scanners make a good backup to get more opinions regarding
> the good/bad status of a file. However, since only an on-demand scan is
> performed against the uploaded file, only the current signatures can be
> tested against the uploaded file. None of the heuristics can be used
> against the behavior of the functions performed by execution of the file
> or any libraries it happened to call. So the online scanners are only
> good for a signature test against known malware. Zero-day malware won't
> be caught that way.

All good points.
From: Man-wai Chang to The Door (33600bps) on 1 Jun 2010 06:20

> But you already knew all of this. So what is your question *NOW* about
> PhysX?

I was/am just not sure whether Avira was trying to protect Nvidia's interests... :)

--
  @~@   Might, Courage, Vision, SINCERITY.
 / v \  Simplicity is Beauty! May the Force and Farce be with you!
/( _ )\ (x86_64 Ubuntu 9.10)  Linux 2.6.34
  ^ ^   18:20:01 up 13 days 21:31 2 users load average: 0.00 0.00 0.00
No borrowing! No fraud! No compensated dating! No fighting! No robbery! No suicide! Please consider CSSA (Comprehensive Social Security Assistance):
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa
From: VanguardLH on 1 Jun 2010 09:49

Man-wai Chang wrote:
>> But you already knew all of this. So what is your question *NOW* about
>> PhysX?
>
> I was/am just not sure whether Avira was trying to protect Nvidia's
> interests... :)

Avira, as well as other anti-virus vendors, doesn't want its products generating ANY false positives regardless of whose software is installed on your host. I'm not sure that any AV product hasn't had false positives in the past, which is why you have to do some investigation when any malware gets reported on your host. For example, I've had false alerts on the .vhd files for virtual machines where they contained a pristine install of Windows XP. Somewhere in the huge file was a string of bytes that happened to match on a malware signature.

Avira may have falsely alerted on PhysX in the past, but it is likely that it didn't false alert before that, happened to include a signature that matched on a byte string after some update to Avira's signatures, and then users reported the false positive and Avira updated the signature database or extended the signature to ensure it looked at more bytes than before so it wouldn't match on the PhysX file anymore. If it is a *false* alert then it usually does get fixed, but it can be several updates later. Some false positives never get fixed by some AV vendors; for example, many continually alert on Nirsoft's utilities on your host.
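The mechanism VanguardLH describes above (a short byte signature matching by chance inside a large pristine file, then the vendor "extending the signature to look at more bytes") can be reproduced with a toy scanner. The following is an added example written for this page; it is not Avira's engine or any vendor's code. The "malware" body, both signatures, the "disk image" and the known-good hash list are all constructed here for illustration. The scanner reads the file in chunks with an overlap, the way a multi-gigabyte .vhd would actually be scanned, and the triage step follows the policy from the earlier post: report, never quarantine automatically.

```python
"""
Toy byte-signature scanner (added example; not any AV vendor's code).
Shows why a short signature false-positives on an unrelated file, why
extending it with more context bytes fixes that, and how a detection
should be triaged without automatic quarantine.
"""
import hashlib
from typing import Dict, Iterable, Iterator, List, Set, Tuple

Signatures = Dict[str, bytes]
Hit = Tuple[str, int]  # (signature name, absolute byte offset)

# Constructed "malware" body: a hypothetical run of code bytes the signature
# was extracted from, padded so it looks like a small executable blob.
MALWARE_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"\xeb\x1e\x5e\x89\x76\x08\x31\xc0\x88\x46\x07"  # distinctive run at offset 64
    + b"\x90" * 16
)

# First-cut signature: six bytes, cheap to match, easy to hit by coincidence.
SHORT_SIG = b"\xeb\x1e\x5e\x89\x76\x08"
# Extended signature a vendor would ship after a false-positive report:
# the same six bytes plus the five that follow them in the real sample.
EXTENDED_SIG = b"\xeb\x1e\x5e\x89\x76\x08\x31\xc0\x88\x46\x07"

# Constructed "pristine disk image": mostly zeros, with the six-byte run
# occurring by coincidence at offset 1021 (so it straddles a 1024-byte chunk
# boundary) and followed by unrelated bytes, not by the rest of the malware.
BENIGN_IMAGE = (
    b"\x00" * 1021
    + b"\xeb\x1e\x5e\x89\x76\x08" + b"\x00\x00\x4c\x01\x04\x00"
    + b"\x00" * 3000
)

# Constructed allowlist of trusted hashes. In practice this is a vendor-published
# hash or the hash of a verified signed copy, not a hash of the suspect file.
KNOWN_GOOD_SHA256: Set[str] = {hashlib.sha256(BENIGN_IMAGE).hexdigest()}


def chunked(data: bytes, size: int) -> Iterator[bytes]:
    """Yield `data` in fixed-size chunks, as a large file would be read from disk."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def scan_stream(chunks: Iterable[bytes], signatures: Signatures) -> List[Hit]:
    """
    Match every signature against a stream of chunks. The last (max_len - 1)
    bytes of each buffer are carried into the next one so a pattern that
    straddles a chunk boundary is still found; absolute offsets are kept in a
    set so the overlap never reports the same match twice.
    """
    max_len = max(len(s) for s in signatures.values())
    overlap = max_len - 1
    tail = b""
    base = 0  # absolute offset of tail[0] within the stream
    seen: Set[Hit] = set()
    hits: List[Hit] = []
    for chunk in chunks:
        buf = tail + chunk
        for name, sig in signatures.items():
            i = buf.find(sig)
            while i >= 0:
                hit = (name, base + i)
                if hit not in seen:
                    seen.add(hit)
                    hits.append(hit)
                i = buf.find(sig, i + 1)
        keep = min(overlap, len(buf))
        base += len(buf) - keep
        tail = buf[len(buf) - keep:]
    return sorted(hits, key=lambda h: h[1])


def triage(data: bytes, hits: List[Hit]) -> str:
    """
    Decide what to do with a detection: never quarantine automatically. A hit
    on a file whose hash matches a trusted reference is recorded as a false
    positive; anything else is raised for a human to investigate.
    """
    if not hits:
        return "clean"
    if hashlib.sha256(data).hexdigest() in KNOWN_GOOD_SHA256:
        return "false positive: matches known-good hash, leave file in place"
    where = ", ".join(f"{name}@0x{off:x}" for name, off in hits)
    return f"alert: {where} (investigate, do not quarantine)"


if __name__ == "__main__":
    for label, sig in (("short", SHORT_SIG), ("extended", EXTENDED_SIG)):
        sigs = {"Toy.A": sig}
        for fname, blob in (("benign.vhd", BENIGN_IMAGE), ("sample.bin", MALWARE_SAMPLE)):
            hits = scan_stream(chunked(blob, 1024), sigs)
            print(f"{label:8} {fname:12} -> {triage(blob, hits)}")
```

Running it shows the short signature firing on both files (the benign image is then cleared only because its hash is on the trusted list), while the extended signature fires on the sample alone. The overlap logic matters for the .vhd case: without it, a match at offset 1021 in a 1024-byte-chunked read would be missed by the same scanner that reports it on a whole-file read, and an analyst comparing the two would draw the wrong conclusion.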