Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Nmap 4.76 detected as a Trojan by BitDefender 2009
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Mon, 2 Mar 2009 15:45:50 -0000 (UTC)

Off the top of my head, it could be flagging it for a couple of
malicious-looking reasons:

 - The Nmap installer will stop/start the "npf" service (and create it).

 - The WinPcap installer (within the Nmap installer) uses a couple of
Win32 API calls (Wow64EnableWow64FsRedirection) on x64 versions of
Windows in order to stick a 64 bit file in the the right place (and
delete it in the uninstaller).

However, these shouldn't have changed between versions.

I suspect the NSIS based installer has the generic ability to restart the
computer, but I don't remember seeing anything in the NSIS file used to
create our installer that ever causes a restart. The installers can also
be run silently, but that also hasn't changed between versions.

Nmap 4.76 doesn't contain Ncat, but 4.83BETA does; I would have expected
to see the heuristics spot Ncat (which could be used to listen for a
connection, but can't execute a command yet) and flag the newer installer
as evil instead.

Aren't heuristics great? :)


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]