Symantec Antivirus reports mchInjDrv.sys as virus threat
Hi,
We're running Symantec Antivirus 10.0.2.2000 with definition file version 3/7/2006 rev.9. It reports mchInjDrv.sys as a virus. Is the file part of the madCodeHook library? If it is, how do I go about resolving the problem?
Regards,
Patrick
6 results turned up in their AV database when I queried "mchinjdrv"
http://search.symantec.com/custom/updat ... v&x=16&y=6
I think Symantec is slacking and needs to get their stuff straight. Madshi, haven't you complained to them before? I would submit a copy of madinjdrv.sys to them so they can diagnose it themselves, either that or hire an independent researcher to clear the file's name. After that I doubt they would dare call it something stupid like that again.
--Iconic
Please let me know if there's anything more that I can do to help. The problem is that I'm in a bad position to complain. I can say "my API hooking library is falsely detected as a virus", but Symantec can say "it's being used by a trojan". Then I can say "my API hooking library is used by lots of good software". Then Symantec might say "which?". And then I have a problem, because I'm usually not giving out information about my customers. If you complain directly to Symantec, the chance is higher that they'll remove the faulty detection quickly.
Sorry for the inconvenience!!
Madshi some AV companies allow you to submit a file for examination. If your driver is being flagged as something it is not you can dispute it and submit a copy of the file for them to analyze and come to a verdict whether they feel it's harmless or a threat. I'm not sure if Symantec will allow for personal submissions such as this but it's certainly worth looking into once you get their contact information.
--Iconic
Re: Symantec Antivirus reports mchInjDrv.sys as virus threat
pto wrote: It reports mchInjDrv.sys as a virus.
There are two possible scenarios that immediately spring to mind: either Symantec Antivirus has found that mchInjDrv.sys has been infected by a virus, or it has decided that mchInjDrv.sys is itself a virus. If it's the former, then I'd suggest you send the file to Madshi so that he can compare it with his original version.
What is quite likely is that the file in question has tripped a "false positive" identification. Increasingly, anti-virus companies don't use binary signatures any longer to identify malware, because malware can be disguised by encryption or self-modification (polymorphism), or a combination of the two. Therefore they test files by heuristic analysis: does the file exhibit characteristics that would be, or have been, employed by a virus/trojan writer?
There is a third scenario. It could be that a virus/trojan writer has obtained a copy - maybe he bought it - of MCH and has used it in the commission of his crime.
If either of the first two scenarios is true, then representations to Symantec might help and might result in the section of heuristic analysis that identified this file being revised to prevent future false positives. But I'm afraid if the third scenario is true, then you may stand less chance of convincing Symantec of its innocence.
Having said all this, all the major anti-virus vendors do co-operate closely with one another, and I'd suggest having the library as a whole given a clean bill of health by either F-Secure or Frisk International, who are the industry leaders as far as investigation and analysis is concerned.
Mark
Symantec and mchinjdrv
My Symantec started detecting mchinjdrv as a trojan on the 8th - I think there was a virus update around then.
Long, boring post born of frustration follows...
As is my policy, having received useless support from Symantec I am going to publicise it: I emailed Symantec with the Norton threat logs, the other checks and fixes I had tried (RootkitRevealer, complete sweeps with Norton and Steganos anti-spyware and afterwards Spybot 1.4, system restore to before first detection...), and all sorts of other information, and received from Jagjeet Singh (Symantec Authorized Technical Support) an email that showed my message hadn't been read, recommending as it did stuff I had already done and told them about.
Since no other threat is notified, I don't *think* there is a problem... BUT... I don't know whose app it came with, and it seems very odd that the file itself is not found anywhere on the system - I guess it is memory resident (Norton says it is in windows\system32\drivers - but it doesn't show up there and rootkit revealer shows that it isn't there but hidden from the API).
I am very very annoyed with the Norton antivirus support - it's useless, and I shall be VERY angry if this is just bad detection (there being nothing around that seems to exploit mchinjdrv) as I have been tearing my hair out about this... last thing I want is some keylogger grabbing passwords... and the less I can see the more paranoid I'm getting [backstory - I did actually encounter one of the first ever "wild" viruses... good old nVir on the Macintosh back in '84 or '85 I think... no one believed me at first - viruses were almost unheard of then!]
However, whilst I know there are good uses for it (is there a list of which legitimate apps use it?) I think I'd like to get rid of it for the time being.
The question is - how? Not on disk, can't delete the reg key.
I tried another www.sysinternals.com utility to move/delete files at boot time, but that didn't seem to work either (maybe user error?).
<sigh> the joys of technology.
Kudos for some very clever programming, nil-points for those who are too blase about the way they use such a powerful and potentially exploitable mechanism.
Thanks for listening to the whinge,
Jules
FYI here's the Norton threat log...
Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
09/03/2006 08:52:12,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200603070009,11.0.16.2,SYSTEM,myHPLaptop,Source: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Half an hour earlier the virus detection version was 200603060006 - and no mchinjdrv warning.
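The checks Jules lists above (Norton names a path under system32\drivers, the file is not visible there, the registry key cannot be deleted, and a blocked load that leaves the service entry behind) can be done in one pass from the registry and the service control manager instead of by hand. The script below is an added example, not code from this thread or from the madCodeHook library. It assumes the driver's service name is mchInjDrv (the file name without .sys, which is an assumption, since the thread never shows the service key) and an elevated PowerShell session; the hash and signature it prints are what you would send to the vendor or the library author to compare against a known-good copy.

```powershell
# Added example, not from the thread: triage a kernel driver that an AV product flags.
# Assumptions: the service name equals the file name minus ".sys" (mchInjDrv),
# and this runs in an elevated PowerShell session (PowerShell 4 or later).
param(
    [string]$DriverName = 'mchInjDrv',
    [switch]$Disable
)

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"

# 1. Is anything registered to load it? The AV log names a path; the service key
#    is what Windows actually consults at boot or on demand.
if (-not (Test-Path $svcKey)) {
    Write-Host "No service key for $DriverName - nothing is registered to load it."
    return
}
$props      = Get-ItemProperty -Path $svcKey
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
Write-Host ("Service key: {0}" -f $svcKey)
Write-Host ("  Type={0} Start={1} ({2}) ImagePath={3}" -f `
    $props.Type, $props.Start, $startNames[[int]$props.Start], $props.ImagePath)

# 2. Resolve ImagePath. Drivers often store it relative to the Windows directory
#    ("system32\DRIVERS\x.sys") or with an NT prefix ("\??\C:\..." or "\SystemRoot\...").
$image = [string]$props.ImagePath
if (-not $image) { $image = "system32\drivers\$DriverName.sys" }   # SCM default when ImagePath is absent
$image = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
if (-not [System.IO.Path]::IsPathRooted($image)) { $image = Join-Path $env:SystemRoot $image }

# 3. Is the file really on disk? A stale key with no file is a leftover, not an infection.
if (Test-Path -LiteralPath $image) {
    $hash = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $image
    Write-Host "  File present: $image"
    Write-Host "  SHA256: $hash"
    Write-Host ("  Authenticode: {0} {1}" -f $sig.Status, $sig.SignerCertificate.Subject)
} else {
    Write-Host "  File NOT present at $image (stale entry, or the file was quarantined/blocked)"
}

# 4. Is it loaded right now? This is the SCM's view, independent of what the AV log says.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$DriverName'"
if ($drv) { Write-Host ("  SCM state: {0} (Started={1})" -f $drv.State, $drv.Started) }
else      { Write-Host "  Not known to the service control manager as a loaded driver." }

# 5. Optional: stop Windows from loading it without deleting anything. Reversible:
#    put the old Start value back. Takes effect at the next reboot.
if ($Disable) {
    Set-ItemProperty -Path $svcKey -Name Start -Value 4
    Write-Host "  Start set to 4 (Disabled); reboot to apply."
}
```

Run it as `.\Check-Driver.ps1` to report, and `.\Check-Driver.ps1 -Disable` to keep the entry but prevent the load. Setting Start to 4 is preferable to deleting the key while the driver may still be loaded, which is the situation where key deletion fails; once it has not loaded across a reboot, `sc delete mchInjDrv` removes the entry cleanly if the driver is genuinely unwanted.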
Jules,
The Log you posted would seem to indicate that mchinjdrv.sys was prevented from being loaded by the resident portion of Symantec Anti-Virus - i.e. its "active protection". This is potentially bad news for any application that requires its use - and you may well have such an application installed on your PC such as a security app. Have you noticed any of your programs failing to work as expected?
I can assure you that Frisk Software's F-Prot does not detect this file as being risky, even with its latest update received yesterday. Throughout most of the 1990s, I made a living by independently testing all anti-virus programs at very regular intervals. F-Prot is a product I trust to give accurate results, SAV (NAV) is one that I don't.
I am not at all surprised by your experiences with Symantec's technical support. In fairness to the individual concerned, he probably has to support all Symantec's programs and may have to rely on crib sheets which could be somewhat out of date. It's quite likely that you know more about the problem than he does. If you were the IT director of a major corporate customer, you could expect to enjoy a somewhat more competent level of support.
Mark
Symantec address to complain to?
Any info on where/who to contact at Symantec? Hopefully we can get a quick resolution on this!!