Re: Nmap 4.76 detected as a Trojan by BitDefender 2009
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Mon, 2 Mar 2009 15:45:50 -0000 (UTC)
Off the top of my head, it could be flagging it for a couple of
- The Nmap installer will stop/start the "npf" service (and create it).
- The WinPcap installer (within the Nmap installer) uses a couple of
Win32 API calls (Wow64EnableWow64FsRedirection) on x64 versions of
Windows in order to stick a 64-bit file in the right place (and
delete it in the uninstaller).
However, these shouldn't have changed between versions.
I suspect the NSIS based installer has the generic ability to restart the
computer, but I don't remember seeing anything in the NSIS file used to
create our installer that ever causes a restart. The installers can also
be run silently, but that also hasn't changed between versions.
Nmap 4.76 doesn't contain Ncat, but 4.83BETA does; I would have expected
to see the heuristics spot Ncat (which could be used to listen for a
connection, but can't execute a command yet) and flag the newer installer
as evil instead.
Aren't heuristics great? :)
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org