FYI: Avira detects "Shutdown Windows' servers" by special signature for this tool

on 07.08.2006 21:43:40 by Volker Birk

Hi,

Avira's AntiVir does not detect "Shutdown Windows' servers" as malware
because of generic detection algorithms.

It detects "Shutdown Windows' servers" because of a special signature
for this tool.

We did a small test to prove that: I created a small test program:

http://www.dingens.org/servicetest.c
http://www.dingens.org/servicetest.exe

This program contains a copy of the code of "Shutdown Windows' servers",
which shuts down one single service, Universal PnP. If AntiVir detects
with generic signatures, it has to detect this, too.

Then Markus Steinborn tested whether AntiVir really detects this. It does not:



Now it's clear that Avira created a special signature for "Shutdown
Windows' servers", and that they're not detecting "by accident" or
something like that.

It's not necessary to whitelist for Avira, they just have to stop
blacklisting my tool.

Yours,
VB.
--
I would estimate that about 87% of all spontaneous estimates are complete
rubbish.

Ralph Angenendt in debate@ccc.de