Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!asuvax!ncar!gatech!udel!rochester!uhura.cc.rochester.edu!ub!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: cctr132@csc.canterbury.ac.nz (Nick FitzGerald)
Newsgroups: comp.virus
Subject: Re: SCANv74B false positive (PC)
Message-ID: <0006.9102281544.AA01581@ubu.cert.sei.cmu.edu>
Date: 28 Feb 91 17:34:22 GMT
Sender: Virus Discussion List
Lines: 31
Approved: krvw@sei.cmu.edu

In Virus-L V4 #32 GORDON@CHMEDS.AC.NZ (Gordon Findlay) wrote:

>I just downloaded the latest version of McAfee's SCAN (v74B) and
>tried it.
>
>It gives a false positive (I HOPE it's a false positive!) on a NZ
>program KILLER.COM, which is a little .COM file for removing
>variations on the Stoned virus. Scanv74B reports the Invader virus.

It's a false positive alright. Seems that the code sequence in the INVADER
that SCAN looks for is also *legitimately* present in KILLER. My guess is
that it is part of the code that does the absolute disk reads and/or writes
that is likely to be present in both the virus and KILLER.

Anyone who has KILLER shouldn't be using it any more. Apart from the
"annoyance" value of the false SCAN report, it does not detect or fix the
STONED-2 virus. NOSTONE (an update of KILLER) is aware of both strains of
the STONED, and doesn't set off the false alarm when SCANned.

>I assume it's a false positive as the file is only 799 bytes long, and
>the Invader virus is reported as adding 4096 bytes to .COM files;
>modifying the boot sector, and hooking interrupts (Thanks, Patricia
>Hoffman, for your VIRUSSUM work). None of these has happened.

Sounds like good reasoning to me. As I said above, it's likely the
absolute disk read/write code is the same in the virus and KILLER.

- ---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz   Phone: (64)(3) 642-337
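The false positive discussed in the post, reproduced with a toy .COM signature scanner. This is an added example, not code from the post, from McAfee SCAN, or from KILLER/NOSTONE: every byte string below (the INT 13h read sequence, the "virus" body and marker, the host program and the "tool") is constructed for illustration, and nothing here is the real Invader signature. It shows why a signature cut from generic BIOS disk-I/O code matches any program that does the same I/O, and two checks the poster's reasoning suggests: require a virus-specific byte sequence, and require the file to be at least as large as the virus body that an infection would add.

```python
"""
Added example (not from the original comp.virus post): a toy .COM signature
scanner showing why a signature taken from generic INT 13h disk-I/O code
fires on a benign tool, and how a specific signature plus a size check avoids
it. All byte strings are constructed; none is real virus or scanner data.
"""

# Constructed 8086 sequence that reads one sector via BIOS INT 13h:
#   mov ax,0201h ; mov cx,0001h ; mov dx,0080h ; int 13h
# A boot-sector virus and a boot-sector cleaning tool both need code like this.
INT13_READ = bytes.fromhex("B80102B90100BA8000CD13")

# Constructed virus body: the disk read, then bytes only this "virus" carries,
# padded to 4096 bytes (the growth VSUM reports for Invader-infected .COM files).
VIRUS_MARKER = b"\xEB\x1F\x2E\xC6\x06\x00\x01"   # made-up, virus-specific bytes
VIRUS_BODY = (INT13_READ + VIRUS_MARKER).ljust(4096, b"\x90")

# Constructed 100-byte host .COM program (just exits via DOS INT 21h/4Ch).
HOST = b"\xB4\x4C\xCD\x21".ljust(100, b"\x90")


def infect_com(host: bytes, body: bytes) -> bytes:
    """Simplified appending infection: patch a JMP rel16 at offset 0 to the
    appended body. (A real virus also saves/restores the host's first bytes.)"""
    rel = len(host) - 3                      # JMP rel16 is relative to offset 3
    return b"\xE9" + rel.to_bytes(2, "little") + host[3:] + body


INFECTED = infect_com(HOST, VIRUS_BODY)

# Constructed benign tool: a JMP over a data area, then code that also reads
# the boot sector with INT 13h. Padded to 799 bytes, like KILLER.COM.
TOOL_DATA = b"Stoned cleaner data".ljust(40, b"\x00")
TOOL = (b"\xE9" + len(TOOL_DATA).to_bytes(2, "little")
        + TOOL_DATA + INT13_READ + b"\xB4\x4C\xCD\x21").ljust(799, b"\x90")

NAIVE_SIGNATURE = INT13_READ           # generic disk-I/O code, shared by both
SPECIFIC_SIGNATURE = VIRUS_MARKER      # bytes unique to the virus body
MIN_INFECTED_SIZE = len(VIRUS_BODY)    # an infected .COM cannot be smaller


def com_entry_point(image: bytes) -> int:
    """Offset where a .COM starts executing: follow a leading JMP rel16."""
    if len(image) >= 3 and image[0] == 0xE9:
        rel = int.from_bytes(image[1:3], "little", signed=True)
        return (3 + rel) & 0xFFFF
    return 0


def naive_scan(image: bytes, signature: bytes) -> bool:
    """Report infection if the signature appears anywhere in the file."""
    return signature in image


def careful_scan(image: bytes, signature: bytes, min_size: int,
                 window: int = 64) -> bool:
    """Require a plausible size and the signature near the entry point, since
    an appending virus' body is what the patched JMP lands on."""
    if len(image) < min_size:
        return False
    entry = com_entry_point(image)
    return signature in image[entry:entry + window]


if __name__ == "__main__":
    for name, image in (("infected host", INFECTED), ("benign tool", TOOL)):
        print(f"{name}: {len(image)} bytes, entry at {com_entry_point(image)}, "
              f"naive={naive_scan(image, NAIVE_SIGNATURE)}, "
              f"careful={careful_scan(image, SPECIFIC_SIGNATURE, MIN_INFECTED_SIZE)}")
```

Anchoring the match at the entry point on its own does not rescue a generic signature: the tool's entry also lands on its INT 13h read, so `careful_scan(TOOL, NAIVE_SIGNATURE, 0)` still fires. What separates the two files is the signature's specificity and the size sanity check, which is exactly the argument Gordon made from the 799-byte file size.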