The following tools were flagged during a scan (“Cain & Abel” [www.oxid.it/cain.html] & “Ophcrack” [ophcrack.sourceforge.net]). The output below is from aswBoot.txt. I assume the files marked as “[Tool]” are flagged because they are hacking/security tools used in password audits (which is what I was using them for). What scares me a bit is the file “pwservice.exe” is marked as some form of Trojan (I’m guessing “Trojan-gen” stands for trojan generator, or something).
What I’d like to know is whether these are real threats (especially the one marked “Trojan-gen”) or just marked as “bad” because they are used in hacking/security audits. I’d like to be able to find out detailed info on these categories of malware so I can figure out whether I have the REAL tools or some fake trojaned ones. Also it would be great if I could disable Resident Protection for this category of “malware” (which really isn’t malware when used by security professionals), for example excluding all malware of type=Tool, rather than just excluding the files/folders one by one. Which, for better or for worse here, is what I have done. I can attach the files listed as infected below, but I didn’t on this post for fear that some anti-virus scanner would reject the whole post and no one would read this message.
Please respond and thanks for any help in advance.
*** OUTPUT from aswBoot.txt ***
08/02/2007 11:49
Scan of C:
File C:\Program Files\Cain\Cain.exe[UPX] is infected by Win32:Cain-B [Tool]
File C:\Program Files\ophcrack\win32_tools\pwservice.exe is infected by Win32:Trojan-gen. {VC}
File C:\Program Files\ophcrack\win32_tools\samdump.dll is infected by Win32:Pwdump [Tool]
Scanning aborted
Number of searched folders: 21490
Number of tested files: 256856
Number of infected files: 3
The key in these is the suffix, [Tool] and the problem is not knowing if this tool is to be used for good or evil. Perhaps the Win32:Trojan-gen. {VC} should be Win32:PWservice [Tool] or something like that.
If you installed them to use as tools then they can probably be excluded from scans, but it is difficult to say that they shouldn’t be detected, as the tool may be used for evil also and an AV can’t determine that.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest; you will need to move it out.
If it is indeed a false positive (or you are happy they are tools installed by you for a specific purpose), add it to the exclusions lists: Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions.
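As an added example (not from this thread and not avast’s own code), the following script reads the aswBoot.txt lines quoted in the first post and separates the detections carrying the [Tool] suffix (candidates for the exclusions list) from anything else (what to move out of the chest and check on VirusTotal or Jotti). The log text is embedded as a constructed sample copied from the post; it assumes only that aswBoot.txt keeps the `File <path> is infected by <name>` line format shown there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the aswBoot.txt output quoted in the first post.
SAMPLE_LOG = r"""08/02/2007 11:49
Scan of C:
File C:\Program Files\Cain\Cain.exe[UPX] is infected by Win32:Cain-B [Tool]
File C:\Program Files\ophcrack\win32_tools\pwservice.exe is infected by Win32:Trojan-gen. {VC}
File C:\Program Files\ophcrack\win32_tools\samdump.dll is infected by Win32:Pwdump [Tool]
Scanning aborted
Number of searched folders: 21490
Number of tested files: 256856
Number of infected files: 3
"""

# Path, optional packer tag such as [UPX] that avast appends to the path,
# then the detection name (which may end in the [Tool] suffix).
LINE_RE = re.compile(
    r"^File (?P<path>.+?)(?P<packer>\[[A-Za-z0-9]+\])? is infected by (?P<name>.+)$"
)

@dataclass
class Detection:
    path: str
    packer: Optional[str]
    name: str
    is_tool: bool  # True when avast classifies it as a [Tool], not malware proper

def parse_aswboot(text: str) -> List[Detection]:
    """Extract one Detection per 'File ... is infected by ...' line."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # date, counters, 'Scanning aborted' etc.
        name = m.group("name").strip()
        found.append(Detection(m.group("path"), m.group("packer"), name,
                               name.endswith("[Tool]")))
    return found

def triage(dets: List[Detection]) -> Tuple[List[Detection], List[Detection]]:
    """Split into [Tool] hits (exclusion candidates) and everything else (submit for analysis)."""
    tools = [d for d in dets if d.is_tool]
    review = [d for d in dets if not d.is_tool]
    return tools, review

def reported_count(text: str) -> Optional[int]:
    """The scanner's own 'Number of infected files' total, to cross-check the parse."""
    m = re.search(r"Number of infected files: (\d+)", text)
    return int(m.group(1)) if m else None
```

Only the entries in the review list need to go through the multi-engine scanners; the [Tool] entries match the classification the thread discusses and can be excluded if you installed them yourself.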
Thanks for the quick response. Yes, that’s what I figured. I think it is likely that the file pwservice.exe should be marked as a tool as well, not a trojan. I have used Jotti and for the file cain.exe only Avast marks it as malware. Most scanners mark pwservice.exe as malware of differing types. Only Avast marks it as a trojan, but I’m hoping that is just overcautious or a mislabeling of the type of malware.
Either way I think it is unlikely that I downloaded trojaned files, but I hope I didn’t.
Thanks for your help, I welcome any other comments.
I much prefer VirusTotal for the reasons given above.
You could send the samples for cain and pwservice.exe for analysis with an outline of the problem and possibly a link to this topic.
Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.
Or you can send it from the chest if it is in there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.
Other than that I would say add them to the exclusions lists.
The right term for this kind of tool is riskware. If you yourself are aware of the risks involved it is not a risk; if someone else or some process installed these tools it can be risky. That is why these programs are flagged. The tools of the pentester are vital to him or her, but traced on a computer of someone else they could be used for malicious purposes. Webprobing or siteprobing programs are also sometimes flagged, for instance IntelliTamper etc. Some tools are legit to use on your own computer(s) or network, but are illegal in other countries or you must use them in a controlled educational theater (resource hacking, resource engineering).
In the old days, tinkering with computers was a way to be creative and innovative; in the light of an evolving trend towards a more and more restrictive official policy (strongly lobbied for by monopolistic corporations for obvious reasons) there might even come a day that some open software might be outlawed as anti-productive (with DRM this threatened to materialize). So placing a netcat on a module can be risky, sniffing questionable, and port scanning has not been allowed in some countries for a couple of years now.