cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Ayres G.J. <g.j.ayres AT swansea.ac.uk>
- To: "Tomasz Wolniewicz <twoln@umk. pl>" <twoln AT umk.pl>
- Cc: "cat-users AT geant.net" <cat-users AT geant.net>, Chris Quy <cq201 AT uis.cam.ac.uk>
- Subject: Re: [cat-users] False positives on eduroam exe
- Date: Thu, 24 Jul 2014 20:35:44 +0000
- List-archive: <http://mail.geant.net/pipermail/cat-users/>
The false positives spotted were both based on AutoIt signatures. So it's probably the case that the AutoIt code in CAT is the problem unfortunately.
http://blog.trendmicro.com/trendlabs-security-intelligence/autoit-used-to-spread-malware-and-toolsets/
Sadly AutoIt has been used by malware like Zeus recently so it's getting misclassified as a precaution by some antivirus software.
Maybe we need to rewrite that bit in another language if this becomes a big problem.
Or as mentioned, if there was one instance of the installer this would not be a problem after the first false positive I presume.
Gareth.
On 24 Jul 2014 20:19, Tomasz Wolniewicz <twoln AT umk.pl> wrote:
>
>
> On 24.07.2014, 20:53, A.L.M.Buxey AT lboro.ac.uk wrote:
> > Hi,
> >
> >> These things just keep popping up. There is not much that we can do
> >> about them as indeed they are false positives.
> > it would be interesting if they thought that YOUR installer was an infection
> > and others weren't - ie whether they are picking up some of eg the embedded
> > certificate data as part of the fingerprint. I'll throw our installers at the usual
> > online testers.
> I have tested the installer for my university and the same problems as
> for Cambridge popped up.
> >
> > PS having an installer that then downloads other material is likely to trigger issues
> > in other malware systems and next generation firewalls :-)
> The installer could bind itself to a given MIME type and file extension.
> This way we could use a browser to download the profile from CAT and the
> installer would get started as its default application. Of course the
> downside of this approach is that it has two steps, but we will need this
> for Android anyway. We already have a CAT module that produces a
> "generic" XML profile.
>
> Tomasz
>
> >
> > alan
>
> --
> Tomasz Wolniewicz
> twoln AT umk.pl http://www.umk.pl/~twoln
>
> Uczelniane Centrum Informatyczne Information&Communication
> Technology Centre
> Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
> pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
> tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
>
>