Symantec Antivirus reports mchInjDrv.sys as virus threat

c++ / delphi package - dll injection and api hooking
pto
Posts: 15
Joined: Wed Oct 20, 2004 5:21 pm

Symantec Antivirus reports mchInjDrv.sys as virus threat

Post by pto »

Hi,

We're running Symantec Antivirus 10.0.2.2000 with definition file version 3/7/2006 rev.9. It reports mchInjDrv.sys as a virus. Is the file part of the madCodeHook library? If it is, how do I go about resolving the problem?

Regards,
Patrick
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

It's the NT dll injection driver, so yes, it's part of MCH. Madshi will have to dispute it with the AV company, I guess. Which file does it detect, and was it one of Madshi's demos? Anyhow, it's certainly NOT a virus, so don't be worried. The file is harmless and used internally by his library.

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

It's a false alarm. Do you have a contact address at Symantec where we can complain? The more people complain the better.

:(
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

6 results turned up in their AV database when I queried "mchinjdrv"

http://search.symantec.com/custom/updat ... v&x=16&y=6

I think Symantec is slacking and needs to get their stuff straight. Madshi, haven't you complained to them before? I would submit a copy of madinjdrv.sys to them so they can diagnose it themselves, either that or hire an independent researcher to clear the file's name. After that I doubt they would dare call it something stupid like that again.

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

iconic wrote: or hire an independent researcher to clear the file's name.
What do you mean by that?
pto
Posts: 15
Joined: Wed Oct 20, 2004 5:21 pm

Post by pto »

I'm using the commercial license of the madCodeHook library. We currently have some of our users complaining about it.

Also I don't have Symantec contact information yet. I'll let you know once I have it.

I hope that we can get it resolved soon, before we start getting more complaints.

Patrick
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Please let me know if there's anything more that I can do to help. The problem is that I'm in a bad position to complain. I can say "my API hooking library is falsely detected as a virus", but Symantec can say "it's being used by a trojan". Then I can say "my API hooking library is used by lots of good software". Then Symantec might say "which?". And then I have a problem, because I usually don't give out information about my customers. If you complain directly to Symantec, the chance is higher that they'll remove the faulty detection quickly.

Sorry for the inconvenience!! :sorry:
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

Madshi some AV companies allow you to submit a file for examination. If your driver is being flagged as something it is not you can dispute it and submit a copy of the file for them to analyze and come to a verdict whether they feel it's harmless or a threat. I'm not sure if Symantec will allow for personal submissions such as this but it's certainly worth looking into once you get their contact information.

--Iconic
Markham
Posts: 26
Joined: Wed Nov 02, 2005 11:46 am

Re: Symantec Antivirus reports mchInjDrv.sys as virus threat

Post by Markham »

pto wrote: It reports mchInjDrv.sys as a virus.
There are two possible scenarios that immediately spring to mind: either Symantec Antivirus has found that mchInjDrv.sys has been infected by a virus, or it has decided that mchInjDrv.sys is itself a virus. If it's the former, then I'd suggest sending the file to Madshi so that he can compare it with his original version.

What is quite likely is that the file in question has tripped a "false positive" identification. Increasingly, anti-virus companies don't use binary signatures any longer to identify malware, because malware can be disguised by encryption or self-modification (polymorphism) - or a combination of the two. Therefore they test files by heuristic analysis - does the file exhibit characteristics that would be, or have been, employed by a virus/trojan writer.

There is a third scenario. It could be that a virus/trojan writer has obtained a copy - maybe he bought it - of MCH and has used it in the commission of his crime.

If either of the first two scenarios is true, then representations to Symantec might help and might result in the section of heuristic analysis that identified this file being revised to prevent future false positives. But I'm afraid if the third scenario is true, then you may stand less chance of convincing Symantec of its innocence.

Having said all this, all the major anti-virus vendors do co-operate closely with one another, and I'd suggest having the library as a whole given a clean bill of health by either F-Secure or Frisk International, who are the industry leaders as far as investigation and analysis is concerned.


Mark
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I've sent a mail to Symantec and hope they'll react as soon as possible.

Fortunately there are a large number of security applications out there using madCodeHook. So I don't have a lot of trouble proving that madCodeHook is not bad in itself.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Great

Post by iconic »

Sounds promising Madshi. Good luck! :D

--Iconic
Jules
Posts: 1
Joined: Sat Mar 11, 2006 8:24 am

Symantec and mchinjdrv

Post by Jules »

My Symantec started detecting mchinjdrv as a trojan on the 8th - I think there was a virus update around then.

Long, boring post born of frustration follows...

As is my policy, having received useless support from Symantec I am going to publicise it: I emailed Symantec with the Norton threat logs, the other checks and fixes I had tried (rootkit revealer, complete sweeps with Norton and Steganos anti-spyware and afterwards Spybot 1.4, system restore to before first detection...), and all sorts of other information, and received from Jagjeet Singh (Symantec Authorized Technical Support) an email that showed my message hadn't been read, recommending as it did stuff I had already done and told them about.

Since no other threat is notified, I don't *think* there is a problem... BUT... I don't know whose app it came with, and it seems very odd that the file itself is not found anywhere on the system - I guess it is memory resident (Norton says it is in windows\system32\drivers - but it doesn't show up there and rootkit revealer shows that it isn't there but hidden from the API).

I am very very annoyed with the Norton antivirus support - it's useless, and I shall be VERY angry if this is just bad detection (there being nothing around that seems to exploit mchinjdrv) as I have been tearing my hair out about this... last thing I want is some keylogger grabbing passwords... and the less I can see the more paranoid I'm getting [backstory - I did actually encounter one of the first ever "wild" viruses... good old nVir on the Macintosh back in '84 or '85 I think... no one believed me at first - viruses were almost unheard of then!]

However, whilst I know there are good uses for it (is there a list of which legitimate apps use it?) I think I'd like to get rid of it for the time being.

The question is - how? Not on disk, can't delete the reg key.

I tried another www.sysinternals.com utility to move/delete files at boot time, but that didn't seem to work either (maybe user error?).

<sigh> the joys of technology.

Kudos for some very clever programming, nil points for those who are too blasé about the way they use such a powerful and potentially exploitable mechanism.

Thanks for listening to the whinge,

Jules

FYI here's the Norton threat log...

Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
09/03/2006 08:52:12,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200603070009,11.0.16.2,SYSTEM,myHPLaptop,Source: C:\WINDOWS\system32\Drivers\mchInjDrv.sys

Half an hour earlier the virus detection version was 200603060006 - and no mchinjdrv warning.
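As an added example (not code from the thread, from Symantec or from madCodeHook), here is a small parser for the threat log format quoted above. It pulls the flagged path and definition version out of each CSV row, brackets the definition update that introduced the detection against the last version Jules reports as clean, and separates Markham's two scenarios by hashing a local copy against a vendor reference hash; the reference hash and the earlier clean version are inputs, since the thread gives neither.

```python
import csv
import hashlib
import io
import ntpath

# Constructed sample: the header and the one detection line quoted in the post
# above, copied as-is (backslashes are doubled only because this is a Python string).
SAMPLE_LOG = (
    "Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,"
    "Virus Definition Version,Product Version,User Name,Computer Name,Details\n"
    "09/03/2006 08:52:12,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,"
    "200603070009,11.0.16.2,SYSTEM,myHPLaptop,"
    "Source: C:\\WINDOWS\\system32\\Drivers\\mchInjDrv.sys\n"
)

def parse_threat_log(text):
    """Parse a Norton/SAV CSV threat log into dicts, adding a 'Path' key taken
    from a 'Source: <path>' detail field (None when the detail has no path)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        detail = row.get("Details") or ""
        row["Path"] = detail[len("Source: "):] if detail.startswith("Source: ") else None
        rows.append(row)
    return rows

def detections_of(rows, filename):
    """Rows whose flagged file name matches `filename`; compared case-insensitively
    because Windows paths are, and the thread itself spells the driver both ways."""
    return [r for r in rows
            if r["Path"] and ntpath.basename(r["Path"]).lower() == filename.lower()]

def definition_that_started_flagging(rows, filename, last_clean_version):
    """Return (last clean, first flagging) definition versions for `filename`.
    Versions are YYYYMMDDNNNN strings, so plain string order is chronological."""
    flagging = sorted(r["Virus Definition Version"] for r in detections_of(rows, filename))
    return last_clean_version, (flagging[0] if flagging else None)

def file_matches_reference(data, reference_sha256):
    """Markham's distinction: a copy whose SHA-256 equals the vendor's reference is
    pristine (a false positive on the real driver); a mismatch means the file on
    disk differs from what the vendor shipped and needs a closer look."""
    return hashlib.sha256(data).hexdigest().lower() == reference_sha256.lower()
```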
Markham
Posts: 26
Joined: Wed Nov 02, 2005 11:46 am

Post by Markham »

Jules,

The Log you posted would seem to indicate that mchinjdrv.sys was prevented from being loaded by the resident portion of Symantec Anti-Virus - i.e. its "active protection". This is potentially bad news for any application that requires its use - and you may well have such an application installed on your PC such as a security app. Have you noticed any of your programs failing to work as expected?

I can assure you that Frisk Software's F-Prot does not detect this file as being risky, even with its latest update received yesterday. Throughout most of the 1990s, I made a living by independently testing all anti-virus programs at very regular intervals. F-Prot is a product I trust to give accurate results, SAV (NAV) is one that I don't.

I am not at all surprised by your experiences with Symantec's technical support. In fairness to the individual concerned, he probably has to support all Symantec's programs and may have to rely on crib-sheets which could be somewhat out of date. It's quite likely that you know more about the problem than he does. If you were the IT director of a major corporate customer, you could expect to enjoy a somewhat more competent level of support.

Mark
trafficlights7
Posts: 9
Joined: Thu Jan 06, 2005 4:33 am

Symantec address to complain to?

Post by trafficlights7 »

Any info on where\who to contact at Symantec? Hopefully we can get a quick resolution on this!!
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Well, anyone who has bought a product can contact customer service and complain. That's probably the fastest way to achieve attention. Another way is to use the homepage to enter a false positive report. But that seems to be quite slow. I've already done that and haven't heard anything back yet... :?