Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[chrisr]

A virus in this build too. That's twice.  The virus is in:

c:\users\...\appdata\local\temp\\7zs6036.tmp\media jukebox\jrtelevision.dll

Virus name: Gen: Variant.Barys.2102

[andrevi]

Tried upgrading to 19.0.49 from build 45.

I get this error message

Install wizard could not copy necessary files to the destination folder.

Please ensure that the file C:\Program Files (x86)\J River\Media Center 19\JRTelevision.dll' is not in use.

Also my anti virus deletes this file because it is identified as a virus called Gen:Variant.Barys.2102.

Please help.

Thanks.

Andrevi

[MrC]

Test the file here:

   http://virusscan.jotti.org/en

You'll likely find it is a false positive with your AntiVirus.  Report the problem using their false positive reporting mechanism (probably on their support site somewhere).

[Maxxwire]

I don't use an antivirus so I downloaded MC 19.0.49 into Sandboxie and scanned it while in the sandbox. In the past everything has always gone well and there has never been a single problem, but in this instance Hitman Pro 3.7.7 Build 203 found 12 threats upon which it quarantined and then removed MC 19.0.49. Thinking there must have been some mistake I downloaded and scanned it again, but the results were the same.

http://i468.photobucket.com/albums/rr44/Maxxwire_Photos/Comodo/JRiverMC12Threats.png

[MrC]

These are the services that seem to indicate an issue (see attached):

http://virusscan.jotti.org/en/scanresult/84f01589d286cfda5c70c333e565f5c0f33f6b66

https://www.virustotal.com/en/file/802fe8c2afa8c9695fe3b3e8c5f689ae8b475a5d4dd81cad550798e33b90c289/analysis/1380694733/

Not necessarily the front runners in A/V.  But since quite a few have flagged the file, it might be worth submitting it to each.

[astromo]

Test the file here:

   http://virusscan.jotti.org/en

You'll likely find it is a false positive with your AntiVirus.  Report the problem using their false positive reporting mechanism (probably on their support site somewhere).

Ugghhhh ... done for bitdefender ...
http://forum.bitdefender.com/index.php?showtopic=49018

Others in the same boat, please raise tickets with BD and build momentum.

[MrC]

Two more AV's are declaring a problem:

[JimH]

I think that a lot of antivirus companies use the Kaspersky engine.

[Matt]

Two more AV's are declaring a problem:

Thanks MrC.  Am I reading that right that they're each reporting totally different problems?

I wonder if renaming our DLLs to JDL or something might get virus checkers to leave them alone?  We're the only program loading them, so don't really care what they're called.

(ps. I'm only speaking about false positives here.  We make every effort to ensure the build machines and builds are clean.  Every build goes through a virus check as part of packaging.  We've never had a build that had an issue in 10+ years and thousands of builds.  So I'm not trying to side-step virus checkers, only side-step false positives.)

[MrC]

Many of the A/V companies share a reporting mechanism, and some, naming scheme.  When one hits, the name/defs are shared with other A/V vendors.  And it can take a little while for the FP to propagate back.

The Gen.Variant.Barys.2012 reported by Emisoft, BitDefender, F-Secure, and GData seems like a case for the shared FP, and was probably heuristically detected.

The Ikrarus Win32.SuspectCrc might yield a clue that the file's CRC matched a currently suspected file, so a simple change of the file will produce a new (and likely safe) CRC.  Panda may be detecting the same way.

I don't know what Symantec's "WS.Reputation.1" means, other than the file was flagged as suspect, and JRiver may not have a reputation in Symtantec's database (they probably use a point scoring system in their heuristics).  This is why a vendor doing its own reporting is useful in the long run - you build up a reputation.

I know nothing about Bkav.

McAfee, Trend, and Panda obviously are using their own naming and heuristics, so probably they should be reported as FP's to each site.

I'll report as FPs a few now.

[MrC]

I've reported to Symantec, McAfee, Trend Micro, and F-Secure.  I tried to submit to Panda, but their site would not accept the zipped file per their request.

I forged the submission under Matt's name / email.

[jmschnur]

How about Avast?

[MrC]

Why would I have reported a clean file to Avast?  :-)

The two scans came up clean for Avast.

[jmschnur]

Must have been earlier versions and clearly they have fixed their IDs.

[astromo]

Thanks MrC.  Am I reading that right that they're each reporting totally different problems?

I wonder if renaming our DLLs to JDL or something might get virus checkers to leave them alone?  We're the only program loading them, so don't really care what they're called.

(ps. I'm only speaking about false positives here.  We make every effort to ensure the build machines and builds are clean.  Every build goes through a virus check as part of packaging.  We've never had a build that had an issue in 10+ years and thousands of builds.  So I'm not trying to side-step virus checkers, only side-step false positives.)

Why not try this with an offline build and see whether it's got a chance of working? I'd expect that a half decent AV program would be wise to the tactic of an extension change. With a problem like this, where an issue is being flagged across a range of AV programs, it would be useful to know what the root cause is (what's the trigger?) so that you've got a chance of dealing with the issue within MC's code. [Was Captain Obvious just speaking? oops   ]

For BitDefender, this is the 2nd false positive in a month and a half. I'm happy that security is erring on the side of caution and this is also what can happen with a fresh release but there must be something that's stopping MC and BD from not playing nicely together. Hopefully it's sorted out soon. The effort in the background to address this is appreciated. Keep up the good work..  

[MrC]

Read how common FPs are:

    http://www.av-comparatives.org/wp-content/uploads/2013/03/avc_fp_mar2013.pdf

[Scolex]

I think the best solution to this may be for the updates to extract to a specific folder every time.
Instead of C:\Users\*username*\AppData\Local\Temp\7zs....tmp use C:\Users\*username*\AppData\Local\Temp\J River\7zs....tmp
We can then create an exclusion for the ...\Temp\J River folder.

[Scolex]

I wonder if renaming our DLLs to JDL or something might get virus checkers to leave them alone?  We're the only program loading them, so don't really care what they're called.

That would be great because Bitdefender has the option to exclude a specific file extension.

[MrC]

Changing the file suffix will have no affect in general.  A/V scanners do not rely on this  (long ago, it was a common malware technique to pass email gateways and other cheap, but weak heuristics).

Although it might help a user or two who can configure their A/Vs, it isn't worth any time or energy since the vast majority of folks will not do this.

[MrC]

It is interesting to watch a False Positive spread and recede as vendor's virus defs pickup the shared "intelligence".

While there are still 11 products reporting the file, Symantec importantly no longer reports it (maybe my FP report to Symantec helped, maybe not), but MicroWorld-eScan now reports the file (not a major player, and also using the shared reporting mechanism).

[astromo]

BitDefender is telling me that the file is clean:
http://forum.bitdefender.com/index.php?s=&showtopic=49018&view=findpost&p=199422
but I can't get a functional update sorted.

I'd add that MC19.0.50 is falsely on the nose as well.

Chipping away.

[MrC]

And the fog clears: