Skip to Content.

cat-users - Re: [[cat-users]] setEAPCred.exe detected as malware

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


Re: [[cat-users]] setEAPCred.exe detected as malware


Chronological Thread 
    < Chronological >      < Thread >
  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: "Baumann Niklaus (PSI)" <niklaus.baumann AT psi.ch>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] setEAPCred.exe detected as malware
  • Date: Fri, 23 Dec 2016 11:15:01 +0100
Hi,
   I have looked at these reports. The binary difference can be easily explained. One of these files is not signed, the other is.
I have run the Virus Total tests on my own copies, and they are the same files that you have looked at.

The file currently distributed from eduroamCAT has been digitally signed by me in September this year. I hoped that the signature on the component might lower the chance of heuristic alerts being displayed. Probably this did not work.

There is something in that file that bothers some of the scanners, one theory is that it is the way they were generated - with the AutoIt tool. I have a plan to replace this utility with another one, kindly made available by Simon Rozman, which is compiled directly from source and at least today does not raise any alarms. I hope that this will be a cure, but the change requires proper testing before we can put it in production.

Cheers
Tomasz


W dniu 2016-12-12 o 16:21, Baumann Niklaus (PSI) pisze:

Dear eduroam CAT users/admins,

 

Since this week some versions of setEAPCred.exe (0.14) are being detected as malware by McAfee (and other AV-products).

I found the same version 0.14 of the file with binary differences on the clients. The affected sample was stored in %userprofile%\appdata\local\temp\.

 

Scan results on virustotal:

 

setEAPcred.exe:

virustotal (2/56): https://www.virustotal.com/en/file/b73cb8c78cecc47d34d02d3249e356b68e0d49332ce8f97f279ad453cbd5fe96/analysis/1481554589/

SETEAPCRED.EXE
virustotal (5/56): https://www.virustotal.com/en/file/c5999f7b7510ba7c49255dbb0a9ef66d31de1245778b3937294eaee3ea478fdc/analysis/

 

From the analysis in a sandbox I think it is a false positive and we’re going to report it as such to McAfee.

Did someone else run into similar issues with AV scanners before with setEAPcred.exe?

 

Best regards,

Nik

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users 
-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576

Attachment: smime.p7s
Description: Kryptograficzna sygnatura S/MIME


Archive powered by MHonArc 2.6.19.

Top of Page