Troubleshooting AntiVirus false positives
Latest revision as of 09:21, 10 December 2021
Occasionally, antivirus software detects the regify client setup, or parts of it, as a virus. These are false positives.
To make sure you have the genuine setup, ensure that it was downloaded directly from your regify provider. The genuine installers are digitally signed; a file whose signature is missing or does not verify is not a false-positive case and must not be run.
Do not trust setups downloaded from any site other than your regify provider (the one you signed up with) or www.regify.com itself!
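Before treating a detection as a false positive, confirm that the file is the genuine, unmodified installer. The PowerShell function below is an added example (not regify's own code): it checks the installer's Authenticode signature and computes its SHA-256 hash, which is also what you need when comparing the file on virustotal.com or filing a false-positive report with a vendor. The expected publisher pattern and the download path are assumptions; check the pattern once against a known-good installer from your provider.

```powershell
function Test-SetupSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: substring expected in the signing certificate's Subject.
        # Verify it once against a known-good installer from your provider.
        [string]$ExpectedSignerPattern = 'regify'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = $sig.SignerCertificate
    $subject  = if ($signer) { $signer.Subject }  else { '' }
    $notAfter = if ($signer) { $signer.NotAfter } else { $null }

    # Status meanings: Valid = signed and untampered; NotSigned = no signature at all;
    # HashMismatch = signed, but the bytes were changed afterwards (re-packed download);
    # UnknownError = a signature is present but its chain could not be validated.
    [pscustomobject]@{
        File          = Split-Path -Path $Path -Leaf
        SHA256        = $sha256
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $subject
        Timestamped   = [bool]$sig.TimeStamperCertificate   # countersignature keeps it valid after the cert expires
        SignerExpires = $notAfter
        Genuine       = ($sig.Status -eq 'Valid') -and ($subject -match $ExpectedSignerPattern)
    }
}

# Usage (assumed download location; the file name is one of those listed below):
Test-SetupSignature -Path "$env:USERPROFILE\Downloads\regibox-1.4.3-3891_elevated.exe" | Format-List
```

Only a file with Status Valid and a signer matching your provider's publisher is a candidate for the false-positive handling described on this page. Anything else (NotSigned, HashMismatch, an unexpected signer) means the download is not the genuine installer: do not run it and download it again from your provider. The SHA256 value is what you quote when you look the file up on virustotal.com or report it to the antivirus vendor.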
known false positives
Webroot Antivirus
- 2015-10
- The false positive appears to be on regimail. We created a support ticket and reported the false alert, but never got any response.
f-secure
- 2015-10
- f-secure does not report a virus or trojan, but flags the regibox setup and executable (e.g. regibox.exe) as rarely used software. Sadly, this is very intrusive during setup, but you can choose to continue, and once the setup has finished it stays quiet. We reported this as a false alert to f-secure but never got any reaction.
- 2018-06
- f-secure flags regibox-1.4.3-3891_elevated.exe as malicious. This is a false alert on a validly signed installer executable. We reported it via their website. In the meantime, please temporarily disable f-secure during installation. On 21 June 2018, f-secure sent us a note that the false positive had been whitelisted.
AVG Antivirus
- 2015-09
- The first reported false positives were on regibox-1.2.1-3025.exe and regify_client-4.1.2-2466.exe. Both have been reported to AVG; status pending. To install the regibox manager or regify client, right-click the AVG icon in the system tray next to the clock, click Temporarily disable AVG protection and select a few minutes to install the software. Then run the downloaded regify setup and re-activate protection directly after successful installation. Alternatively, if the file has already been detected, you can create an exception for it.
- We tested again on 16 October and AVG still reports a false positive. Sadly, the contained Outlook add-in setups regify_OLAddIn_x32_Setup.exe and regify_OLAddIn_x64_Setup.exe now trigger a false alarm as well. We will report this to AVG, too. Status pending.
- 2016-11-24
- AVG still triggers false alerts for the regify client setup (V4.2.1) and the contained Outlook setups. To continue, choose the small "other options" link at the bottom of the alert and force AVG to allow the program. We are sorry for this, but AVG seems to ignore all our requests.
Trend Micro
- 2015-09
- The false positive was on regify_client_setup-4.1.2-2466_elevated.exe and has been reported to Trend Micro; status pending. To install, deactivate the Trend Micro virus scanner for the duration of the installation (before running the setup): right-click the Trend Micro icon in the tool tray (bottom right of the Windows desktop) and uncheck the virus scanner. Then run the downloaded regify setup and re-activate protection directly after successful installation.
- Since the end of November 2015 the most recent setups work without any false alert, so Trend Micro has fixed it.
- 2011-11
- The false positive was on regify_client_setup_elevated.exe and on a registry key used by our MSI setup; it occurs directly during setup. It has been reported to Trend Micro; status pending. To install, deactivate the Trend Micro virus scanner for the duration of the installation (right-click the Trend Micro icon in the tool tray and uncheck the virus scanner) and re-activate it directly after successful installation.
Kaspersky
- 2013-02
- The Kaspersky 2012 virus scanner reports a false positive for regify.dll and classifies the file as Trojan-PSW.Win32.Tepfer.gevv. The false positive was reported to Kaspersky on 25 February. regify.dll is part of the regify client SDK. The detection was gone after a few weeks.
- 2016-12-05
- We received a customer report that Kaspersky detects regify_client.exe as a virus. We tried to report the false alert to Kaspersky, but the submission page was out of order ('please come back later'). We have now submitted the file via the Kaspersky online scanner (https://scan.kaspersky.com/), so let's see...
- Kaspersky still detects a false positive for regify_client.exe on virustotal.com (12 Dec 2016). We tried to report it again, but the Kaspersky online scanner displayed the error "Kaspersky Online Scanner is temporarily unavailable. Please try again later." for the whole day.
- The Kaspersky online scanner is back (15 Dec), but it still triggers a false positive on regify_client.exe. We re-submitted the false positive.
- Still no change (21 Dec). Reported again.
- The false alert appears to be fixed as of 28 December 2016.
Norton Internet Security
- 2011-10
- The false positive was on regify_client.exe. It was reported, acknowledged and confirmed by Symantec in September 2011 and seems to be gone now (17 October 2011). The only way to install was to explicitly allow and accept the file in your Norton software.
Avast
- 2011-07
- Sometimes Avast suggests installing in its sandbox. Simply answer no and choose to run normally.
- 2017-05
- Avast flags regify_client-4.2.4-2884.exe as a problem (IDP.Generic). We reported the false alarm on 31 May 2017 via https://www.avast.com/de-de/false-positive-file-form.php and received a clearance reply from Avast support on 6 June 2017. It should be gone now.
- 2017-08
- Avast raises a false alert during execution of the regibox-1.4.1-3850.exe setup. During installation it pops up several windows saying that files are being examined (up to 15 seconds each). It looks like the scanner blocks the setup's file and registry accesses while examining them, which causes errors in the setup. We reported this behaviour to Avast. Please deactivate Avast temporarily during installation (right-click the Avast icon in the tool tray and stop protection for a few minutes). We received a clearance reply from Avast support on 12 September 2017. It should be gone now.
- 2018-09
- During setup of regibox 1.5, Avast complains about a possible virus and blocks the setup twice (setup executable and elevated executable). We reported it at the end of September, and on 1 October Avast confirmed and told us it was fixed.
Avira
- 2017-04
- Avira's heuristics detect the uninstall-tool.exe from our regify client installer as a trojan. We reported it as a false positive on 20 April 2017 (https://analysis.avira.com/de/submit). No result yet.
Baidu
- 2017-11
- Baidu is the only engine on virustotal.com that classifies regipay_desktop-2.0.2-3711.exe as a virus (the other 67 do not). We tried to submit it to Baidu, but all of their web forms have a broken captcha and did not let us upload the file or report the captcha issue, so we are leaving it for now.
Symantec Endpoint Protection
- 2021-03
- Symantec appears to rate our regibox manager (regibox-2.0.1-6344.exe) as having a bad reputation. We provided them with a false positive report on 4 May 2021; they reported it fixed on 5 May 2021.
McAfee Endpoint Security
- 2021-12
- uninstall_tool.exe is falsely detected as a trojan (Artemis!65DCEBD76307, McAfee's GTI reputation-based detection rather than a signature for a specific malware family). We use this small executable as a separate process for uninstalling previous versions before installing the updated components. We notified McAfee on 3 Dec 2021, 15:15; McAfee confirmed the false positive on 10 Dec 2021, so it should be gone.
other virusscanner issues
ESET SSL/TLS protocol filtering
If your regify product cannot connect to the internet and reports error 59, and you are running an ESET security solution, you might need to disable SSL/TLS protocol filtering. With this feature, ESET intercepts every TLS connection and re-signs the server certificate with its own locally installed CA. The substituted chain offers no usable revocation information, so any software that properly validates the connection (as regify does) rejects it. The regify log then contains entries with the remark
Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
Follow the ESET guide at http://support.eset.com/kb3126/ to adapt your ESET settings.
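To confirm that an interception proxy, rather than the regify server, is behind the 0x80092012 error, look at the certificate chain your client actually receives. The PowerShell function below is an added diagnostic (not part of regify or ESET): it performs a TLS handshake, captures the chain presented to the client and runs the same online revocation check Windows performs, so the result shows both who really issued the certificate and whether revocation checking fails. The host name is a placeholder for your regify provider's host, and the 'ESET' issuer pattern is an assumption about how the filtering CA names itself.

```powershell
function Get-TlsChainAsSeenByClient {
    param(
        [Parameter(Mandatory)][string]$HostName,   # placeholder: your regify provider's host
        [int]$Port = 443,
        # Assumption: the interception CA's subject/issuer contains the vendor name.
        [string]$InterceptorPattern = 'ESET'
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        # Accept whatever is presented so we can inspect it instead of failing early.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }

    # Rebuild the chain the way a validating client does: online revocation check for every element.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($leaf)

    $certs    = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $statuses = @($chain.ChainStatus   | ForEach-Object { $_.Status.ToString() })
    $statusText  = if ($statuses.Count) { $statuses -join ', ' } else { 'NoError' }
    # RevocationStatusUnknown / OfflineRevocation is what surfaces as
    # CRYPT_E_NO_REVOCATION_CHECK (0x80092012) in the regify log.
    $revocationFailed = [bool]($statuses -match 'Revocation')
    $intercepted = [bool]($certs | Where-Object {
        $_.Issuer -match $InterceptorPattern -or $_.Subject -match $InterceptorPattern })

    [pscustomobject]@{
        Target           = "$HostName`:$Port"
        LeafSubject      = $leaf.Subject
        LeafIssuer       = $leaf.Issuer
        Chain            = $certs | ForEach-Object { $_.Subject }
        ChainStatus      = $statusText
        RevocationFailed = $revocationFailed
        Intercepted      = $intercepted
    }
}

# Usage (placeholder host):
Get-TlsChainAsSeenByClient -HostName 'provider.example' | Format-List
```

Run it once with SSL/TLS protocol filtering enabled and once with it disabled. With filtering on, LeafIssuer names the filtering CA instead of the public CA that issued your provider's certificate, Intercepted is True, and ChainStatus reports RevocationStatusUnknown or OfflineRevocation because the substituted certificate carries no revocation information a client could fetch. With filtering off, the real chain appears and the revocation check succeeds.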
McAfee VirusScan (May 2012)
We learned that McAfee VirusScan blocks all outbound port 25 (SMTP) communication by default and only allows well-known software (such as Outlook) to use this port.
The relevant McAfee Knowledgebase article is KB50707: https://kc.mcafee.com/corporate/index?page=content&id=KB50707
A quick check is to temporarily disable the virus scanner while you run your tests.
Symantec Endpoint Security (March 2013)
SEP uses an email proxy that interferes particularly with the SMTP sending features of regipay desktop and regibill desktop. We have seen several issues, such as transmission problems, timeouts and occasional RSET commands injected into the data flow. To work around them, turn off the Internet Email Auto-Protect feature.
If you cannot deactivate it, go to Control Panel, Programs and Features (formerly Add/Remove Programs), Symantec, Change and remove the POP3/SMTP Scanner feature.
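Both the McAfee port 25 block and the SEP email proxy described above can be distinguished from a genuine mail server problem with a raw SMTP probe. The PowerShell function below is an added example (not regify's code): it connects to the mail server, records the server banner and the EHLO dialogue and returns the transcript, so you can see whether the connection is dropped, or whether a proxy rather than the real server is answering. The mail server name is a placeholder for your outgoing SMTP server.

```powershell
function Test-SmtpPath {
    param(
        [Parameter(Mandatory)][string]$SmtpHost,   # placeholder: your outgoing mail server
        [int]$Port = 25,
        [int]$TimeoutMs = 10000
    )
    $transcript = [System.Collections.Generic.List[string]]::new()
    $banner = $null
    $ok = $false
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        # A filter that silently drops port 25 for this process shows up as a timeout here,
        # whereas a refused connection means the port is reachable but nothing listens.
        if (-not $tcp.ConnectAsync($SmtpHost, $Port).Wait($TimeoutMs)) {
            throw "connect timeout after $TimeoutMs ms (port filtered?)"
        }
        $stream = $tcp.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = [System.IO.StreamReader]::new($stream)
        $writer = [System.IO.StreamWriter]::new($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # RFC 5321: the server speaks first. An email proxy replaces this banner with its own,
        # so compare it with the greeting the real server sends when the scanner is off.
        $banner = $reader.ReadLine()
        $transcript.Add("S: $banner")

        foreach ($cmd in @("EHLO $env:COMPUTERNAME", 'QUIT')) {
            $writer.WriteLine($cmd)
            $transcript.Add("C: $cmd")
            # Multi-line replies continue while the 4th character is '-', e.g. "250-SIZE 52428800".
            do {
                $line = $reader.ReadLine()
                if ($null -eq $line) { break }
                $transcript.Add("S: $line")
            } while ($line.Length -gt 3 -and $line[3] -eq '-')
        }
        $ok = $true
    }
    catch {
        $transcript.Add("! $($_.Exception.GetBaseException().Message)")
    }
    finally {
        $tcp.Dispose()
    }
    [pscustomobject]@{
        Target     = "$SmtpHost`:$Port"
        Completed  = $ok
        Banner     = $banner
        Transcript = $transcript
    }
}

# Usage (placeholder host):
Test-SmtpPath -SmtpHost 'mail.example' | Format-List
```

Run the probe once with the scanner active and once with it temporarily disabled. A timeout only in the first run confirms a port 25 block; a banner or EHLO capability list that changes between the two runs confirms that a proxy is interposed. Note that the McAfee rule is per process: a clean probe from PowerShell does not prove that regipay or regibill desktop is allowed through, but a blocked probe does prove the rule is active.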