Druuge Posts: 3
01/08/2016
I downloaded it from a few mirrors (majorgeeks, etc) and got same result:
Here's a link to info about the trojan: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Skeeyah.A!rfn
Thoughts? Ideas? Concerns?
Gianluca Administrator Posts: 1274
01/08/2016
My idea? False positive. MS's idea? The same: https://www.microsoft.com/en-us/security/portal/submission/SubmissionHistory.aspx?SubmissionId=ad17b39d-947f-43bc-be08-b698e6ac8c62
otz Posts: 3
02/08/2016
Another AV's idea? Not the same)) https://www.virustotal.com/ru/file/a3fcff6acbd06dd442a888a84e0785707c8f287429da41ff344bdbc9c151a4e5/analysis/
Gianluca Administrator Posts: 1274
02/08/2016
Guys, if you trust SyMenu, please report the false positive to your AV producers; otherwise uninstall SyMenu. Sorry, but I'm unarmed against a false positive report.
KoolPal Posts: 16
17/08/2016
Windows Defender removed SyMenu.exe, and Chrome does not download a fresh file, stating "Failed - Virus detected".
Please review and advise how to use this awesome app!
cristov Posts: 4
17/08/2016
It seems that Bitdefender 2016 is also blocking SyMenu.exe (it says it found Trojan.GenericKD.3472878). Chrome and Edge are blocking access to http://www.ugmfree.it/SyMenuDownload.aspx. There is also a warning on http://alternativeto.net/software/symenu/. edited by cristov on 17/08/2016
lupusbalo Posts: 76
19/08/2016
Guys, I have a clue for you: JUST REMOVE YOUR STUPID AVs (1)
AND INSTALL SYMENU
(1) or add an exclusion to prevent SyMenu from being scanned. edited by lupusbalo on 19/08/2016
timrray Posts: 24
19/08/2016
I find it strange that only certain builds have this problem. It has happened to me before as well, using Avast and Symantec Endpoint Protection. Currently, only the latest build is being detected as a virus. Gianluca, could you try re-compiling it again or something and sending me an updated version? The latest version is consistently being flagged as a virus for me, but only when I do the update from 5.03.6014.
Gianluca Administrator Posts: 1274
22/08/2016
Hi guys.
This false positive issue is totally crazy.
I've just recompiled exactly the same code for the 5.04 and released it again to the web site, and incredibly, the VirusTotal report is now completely OK:
https://www.virustotal.com/en/file/ce7738efc9ba1d4a67e0c1d1f4e587278a2576802f739b6ab3c9740157308bf5/analysis/
My guess is that in a few days the AV software will start again to consider SyMenu the most wanted threat on earth and put it in their blacklists. Guys, it's a problem for conspiracy fans here... or for AV experts. I've tried to ask some AV support contacts for tips, but it seems they have better things to do. Indeed, so do I. So let's see the next evolution, and please give me any suggestion to work around this problem.
Thanks!
eson Posts: 46
22/08/2016
I have seen this happen before, and I know it is very hard to get rid of an FP. Some years ago I was involved with another "FP take down", and the only way to fix it permanently is to make the major AV companies fix their signatures. The smaller companies will follow, as they are either buying or "borrowing" their signatures from the major ones (or at least watching them closely). Sure, recompiling will work for a day or two, as you get new hashes for every recompile, but that is hardly the final solution.
Gian, do you have any idea about what component in SyMenu is causing this mess? edited by eson on 22/08/2016
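eson's point above (a rebuild changes the file hashes, so a hash-based detection or whitelist only holds until the next build) can be shown concretely. The following script is an added example and is not code from SyMenu or from anyone in this thread. It builds a constructed, minimal PE32 image (a stand-in, not SyMenu.exe), shows that changing only the COFF link timestamp alters both MD5 and SHA-256, and computes a normalized SHA-256 that zeroes the two header fields a plain rebuild changes (TimeDateStamp and the optional-header CheckSum) so that byte-identical code hashes identically across builds. The MD5/SHA-256 values in `DETECTED` are the ones quoted from Symantec's reply later in this thread; the normalization approach itself is the example's own choice, not something any vendor here describes.

```python
import hashlib
import struct


def build_fake_pe(timestamp: int, code: bytes = b"\x55\x8b\xec\x33\xc0\x5d\xc3") -> bytes:
    """Constructed stand-in for a tiny PE32 image (NOT SyMenu.exe): a 64-byte DOS
    header whose e_lfanew points at 0x40, the "PE\\0\\0" signature, a 20-byte COFF
    header carrying the link timestamp, a zeroed 224-byte PE32 optional header
    and a few bytes of pretend code."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 224, 0x0102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x010B)        # PE32 magic
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + code


def file_hashes(data: bytes) -> dict:
    """Whole-file digests, upper-case hex as AV vendors usually print them."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def normalized_sha256(data: bytes) -> str:
    """SHA-256 over the image with the two fields a rebuild of unchanged source
    alters zeroed: COFF TimeDateStamp and the optional header CheckSum."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    buf = bytearray(data)
    struct.pack_into("<I", buf, pe_off + 8, 0)         # COFF TimeDateStamp
    struct.pack_into("<I", buf, pe_off + 24 + 64, 0)   # optional header CheckSum
    return hashlib.sha256(bytes(buf)).hexdigest().upper()


# Hashes of the detected SyMenu.exe build as quoted from Symantec's reply in
# this thread. They are used only as a lookup list here.
DETECTED = {
    "md5": {"1E368E21909456F52B8CC7EB3F5B0B6C"},
    "sha256": {"57D16BC4F7A14C788783DB112D73B38F36F4B6A227EF8DDC49C681DFE6336285"},
}


def matches_detection(data: bytes, detected: dict = DETECTED) -> bool:
    """True if either whole-file digest is on the detected list."""
    h = file_hashes(data)
    return h["md5"] in detected["md5"] or h["sha256"] in detected["sha256"]


def demo() -> dict:
    """Two 'builds' of identical code that differ only in link time."""
    build_a = build_fake_pe(timestamp=0x57B10000)
    build_b = build_fake_pe(timestamp=0x57B10E10)
    return {
        "full_hash_changed": file_hashes(build_a) != file_hashes(build_b),
        "normalized_equal": normalized_sha256(build_a) == normalized_sha256(build_b),
        "build_a_listed": matches_detection(build_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and `full_hash_changed` is true while `normalized_equal` is also true: the whole-file digest a vendor whitelists by hash is invalidated by the very rebuild that dodges the detection, which is why a recompile buys only a day or two, and why getting the signature itself corrected (as eson says) is the durable fix. Real-world normalization would also have to account for Authenticode signatures, debug directory GUIDs and resource version strings, none of which this constructed image contains.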
Gianluca Administrator Posts: 1274
22/08/2016
Not at all. The problem started with version 5.03, and I didn't introduce anything suspect in that version.
I'm asking some AVs which particular byte sequence is triggering the alert. From a byte sequence I can reverse engineer my software to understand which part of the source code is responsible for it. But I strongly doubt that anyone will reply.
eson Posts: 46
22/08/2016
I just received an answer from Symantec. Forwarding it to you. Maybe you can respond from that answer.
Druuge Posts: 3
23/08/2016
IIRC it's triggering alarms for being a "Keylogger". So perhaps it has something to do with the top-level "start search" command, or maybe an issue with the search form in the "get new apps" section. Either way, I would wager the fields requiring user keyboard input are the root cause that's triggering the AV heuristics.
EDIT: eson wrote:
I just received an answer from Symantec. Forwarding it to you. Maybe you can respond from that answer.
Would this response be inappropriate to share on here? I would be interested in reading it, even though Symantec isn't necessarily the top authority in this space. edited by Druuge on 23/08/2016
eson Posts: 46
23/08/2016
Druuge wrote:
Would this response be inappropriate to share on here? I would be interested in reading it, even though Symantec isn't necessarily the top authority in this space.
No, I can share. I just wanted to avoid feeding the trolls, because the answer I got wasn't very encouraging. Well, today (after sending a response in pretty harsh terms) I got another email about the same issue, where they apparently changed their mind, so I'll just share them both.
First answer 22-08-2014:
In relation to submission [3987131]. Upon further analysis and investigation we have determined that the following file(s) meet the necessary criteria to be detected by our products and, as such, the detection(s) cannot be revoked:
Filename: SyMenu.exe
MD5: 1E368E21909456F52B8CC7EB3F5B0B6C
SHA256: 57D16BC4F7A14C788783DB112D73B38F36F4B6A227EF8DDC49C681DFE6336285
Second answer 23-08-2014:
In relation to submission [3987131]. Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:
Filename: SyMenu.exe
MD5: 1E368E21909456F52B8CC7EB3F5B0B6C
SHA256: 57D16BC4F7A14C788783DB112D73B38F36F4B6A227EF8DDC49C681DFE6336285
Result: Whitelisting for above file is available in Rapid Release definitions with a sequence number of 180095 or greater. edited by eson on 23/08/2016