pto
Joined: 20 Oct 2004 Posts: 15
Posted: Wed Mar 08, 2006 4:44 pm Post subject: Symantec Antivirus reports mchInjDrv.sys as virus threat
Hi,
We're running Symantec Antivirus 10.0.2.2000 with definition file version 3/7/2006 rev. 9. It reports mchInjDrv.sys as a virus. Is the file part of the madCodeHook library? If it is, how do I go about resolving the problem?
Regards,
Patrick
iconic
Joined: 08 Jun 2005 Posts: 603
Posted: Wed Mar 08, 2006 4:57 pm Post subject:
It's the NT DLL injection driver, so yes, it's part of MCH. Madshi will have to dispute it with the AV company, I guess. Which file does it detect, and was it one of Madshi's demos? Anyhow, it's certainly NOT a virus, so don't be worried. The file is harmless and used internally by his library.
--Iconic
madshi Site Admin
Joined: 21 Mar 2004 Posts: 5844
Posted: Wed Mar 08, 2006 5:28 pm Post subject:
It's a false alarm. Do you have a contact address at Symantec where we can complain? The more people complain the better.
iconic
Joined: 08 Jun 2005 Posts: 603
madshi Site Admin
Joined: 21 Mar 2004 Posts: 5844
Posted: Wed Mar 08, 2006 7:07 pm Post subject:
iconic wrote: "or hire an independent researcher to clear the file's name."
What do you mean by that?
pto
Joined: 20 Oct 2004 Posts: 15
Posted: Wed Mar 08, 2006 8:23 pm Post subject:
I'm using the commercial license of the madCodeHook library. We currently have some of our users complaining about it.
Also, I don't have Symantec contact information yet. I'll let you know once I have it.
I hope that we can get it resolved soon, before we start getting more complaints.
Patrick
madshi Site Admin
Joined: 21 Mar 2004 Posts: 5844
Posted: Wed Mar 08, 2006 8:35 pm Post subject:
Please let me know if there's anything more that I can do to help. The problem is that I'm in a bad position to complain. I can say "my API hooking library is falsely detected as a virus", but Symantec can say "it's being used by a trojan". Then I can say "my API hooking library is used by lots of good software". Then Symantec might say "which?". And then I have a problem, because I usually don't give out information about my customers. If you complain directly to Symantec, the chance is higher that they'll remove the faulty detection quickly.
Sorry for the inconvenience!!
iconic
Joined: 08 Jun 2005 Posts: 603
Posted: Wed Mar 08, 2006 9:08 pm Post subject:
Madshi, some AV companies allow you to submit a file for examination. If your driver is being flagged as something it is not, you can dispute it and submit a copy of the file for them to analyze and come to a verdict on whether they feel it's harmless or a threat. I'm not sure if Symantec will allow personal submissions such as this, but it's certainly worth looking into once you get their contact information.
--Iconic
Markham
Joined: 02 Nov 2005 Posts: 26
Posted: Thu Mar 09, 2006 12:10 am Post subject: Re: Symantec Antivirus reports mchInjDrv.sys as virus threat
pto wrote: "It reports mchInjDrv.sys as a virus."
There are two possible scenarios that immediately spring to mind: either Symantec Antivirus has found that mchInjDrv.sys has been infected by a virus, or it has decided that mchInjDrv.sys is itself a virus. If it's the former, then I'd suggest you send the file to Madshi so that he can compare it with his original version.
What is quite likely is that the file in question has tripped a "false positive" identification. Increasingly, anti-virus companies don't use binary signatures any longer to identify malware, because malware can be disguised by encryption or self-modification (polymorphism), or a combination of the two. Therefore they test files by heuristic analysis: does the file exhibit characteristics that would be, or have been, employed by a virus/trojan writer?
There is a third scenario. It could be that a virus/trojan writer has obtained a copy of MCH (maybe he bought it) and has used it in the commission of his crime.
If either of the first two scenarios is true, then representations to Symantec might help and might result in the section of heuristic analysis that identified this file being revised to prevent future false positives. But I'm afraid that if the third scenario is true, you may stand less chance of convincing Symantec of its innocence.
Having said all this, all the major anti-virus vendors do co-operate closely with one another, and I'd suggest having the library as a whole given a clean bill of health by either F-Secure or Frisk International, who are the industry leaders as far as investigation and analysis is concerned.
Mark
madshi Site Admin
Joined: 21 Mar 2004 Posts: 5844
Posted: Thu Mar 09, 2006 9:35 am Post subject:
I've sent a mail to Symantec and hope they'll react as soon as possible.
Fortunately there are a large number of security applications out there using madCodeHook. So I won't have much trouble proving that madCodeHook is not bad in itself.
iconic
Joined: 08 Jun 2005 Posts: 603
Posted: Thu Mar 09, 2006 6:36 pm Post subject: Great
Sounds promising Madshi. Good luck!
--Iconic
Jules
Joined: 11 Mar 2006 Posts: 1
Posted: Sat Mar 11, 2006 8:56 am Post subject: Symantec and mchinjdrv
My Symantec started detecting mchinjdrv as a trojan on the 8th; I think there was a virus update around then.
Long, boring post born of frustration follows...
As is my policy, having received useless support from Symantec I am going to publicise it: I emailed Symantec with the Norton threat logs, the other checks and fixes I had tried (RootkitRevealer, complete sweeps with Norton and Steganos anti-spyware and afterwards Spybot 1.4, system restore to before first detection...), and all sorts of other information, and received from Jagjeet Singh (Symantec Authorized Technical Support) an email that showed my message hadn't been read, recommending as it did stuff I had already done and told them about.
Since no other threat is notified, I don't *think* there is a problem... BUT... I don't know whose app it came with, and it seems very odd that the file itself is not found anywhere on the system. I guess it is memory resident (Norton says it is in windows\system32\drivers, but it doesn't show up there, and RootkitRevealer shows that it isn't there but hidden from the API).
I am very, very annoyed with the Norton antivirus support; it's useless, and I shall be VERY angry if this is just bad detection (there being nothing around that seems to exploit mchinjdrv), as I have been tearing my hair out about this... the last thing I want is some keylogger grabbing passwords... and the less I can see, the more paranoid I'm getting. [Backstory: I did actually encounter one of the first ever "wild" viruses... good old nVir on the Macintosh back in '84 or '85, I think... no one believed me at first; viruses were almost unheard of then!]
However, whilst I know there are good uses for it (is there a list of which legitimate apps use it?), I think I'd like to get rid of it for the time being.
The question is: how? Not on disk, can't delete the reg key.
I tried another www.sysinternals.com utility to move/delete files at boot time, but that didn't seem to work either (maybe user error?).
<sigh> the joys of technology.
Kudos for some very clever programming, nil points for those who are too blasé about the way they use such a powerful and potentially exploitable mechanism.
Thanks for listening to the whinge,
Jules
FYI, here's the Norton threat log...
Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
09/03/2006 08:52:12,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200603070009,11.0.16.2,SYSTEM,myHPLaptop,Source: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Half an hour earlier the virus definition version was 200603060006, and no mchinjdrv warning.
Markham
Joined: 02 Nov 2005 Posts: 26
Posted: Sat Mar 11, 2006 12:04 pm Post subject:
Jules,
The log you posted would seem to indicate that mchinjdrv.sys was prevented from being loaded by the resident portion of Symantec Anti-Virus, i.e. its "active protection". This is potentially bad news for any application that requires its use, and you may well have such an application installed on your PC, such as a security app. Have you noticed any of your programs failing to work as expected?
I can assure you that Frisk Software's F-Prot does not detect this file as being risky, even with its latest update received yesterday. Throughout most of the 1990s, I made a living by independently testing all anti-virus programs at very regular intervals. F-Prot is a product I trust to give accurate results; SAV (NAV) is one that I don't.
I am not at all surprised by your experiences with Symantec's technical support. In fairness to the individual concerned, he probably has to support all Symantec's programs and may have to rely on crib sheets which could be somewhat out of date. It's quite likely that you know more about the problem than he does. If you were the IT director of a major corporate customer, you could expect to enjoy a somewhat more competent level of support.
Mark
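Jules's threat-log row and Mark's reading of it (an Auto-Protect "Access denied" means the resident scanner blocked the driver, and the detection only appeared after a definition update) can be turned into a small triage routine. The code below is an added example, not from the thread or from madCodeHook: it parses the CSV log layout quoted above, flags the two signals Mark describes, and optionally compares the on-disk file against the vendor's original hash, which is what Mark suggests doing via Madshi. The driver bytes and the vendor hash are constructed stand-ins, since the thread gives neither.

```python
import csv
import hashlib
import io

# Constructed sample in the Norton/SAV threat-log layout quoted in the thread
# (same header; the data row is the thread's own entry).
SAMPLE_LOG = (
    "Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,"
    "Virus Definition Version,Product Version,User Name,Computer Name,Details\n"
    "09/03/2006 08:52:12,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,"
    "200603070009,11.0.16.2,SYSTEM,myHPLaptop,"
    "Source: C:\\WINDOWS\\system32\\Drivers\\mchInjDrv.sys\n"
)

def parse_threat_log(text):
    """Return one dict per log row, with the 'Source: ' prefix stripped off Details."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        details = row["Details"]
        row["Source"] = details[len("Source: "):] if details.startswith("Source: ") else details
        events.append(row)
    return events

def triage(event, last_clean_definitions, file_bytes=None, vendor_sha256=None):
    """Classify one event; every signal is read from the log row itself."""
    findings = {}
    # Auto-Protect plus 'Access denied' means the resident scanner blocked the
    # file, so any application that needs the driver will fail to load it.
    findings["blocked_by_autoprotect"] = (
        event["Feature"] == "Auto-Protect" and event["Action Taken"] == "Access denied")
    # Definition versions are YYYYMMDDnnnn. A detection that first shows up with
    # a newer definition set than the last clean scan points at a signature
    # change, the usual footprint of a false positive rather than a new infection.
    findings["new_with_definition_update"] = (
        int(event["Virus Definition Version"]) > int(last_clean_definitions))
    # If the vendor's original hash is known, a byte-identical file is the
    # unmodified library component; a mismatch means this copy differs and
    # needs a closer look before anyone disputes the detection.
    if file_bytes is not None and vendor_sha256 is not None:
        findings["matches_vendor_original"] = (
            hashlib.sha256(file_bytes).hexdigest() == vendor_sha256)
    return findings

# Constructed stand-ins: the thread does not give the driver's bytes or hash.
FAKE_DRIVER = b"constructed stand-in for mchInjDrv.sys bytes"
FAKE_VENDOR_SHA256 = hashlib.sha256(FAKE_DRIVER).hexdigest()

if __name__ == "__main__":
    ev = parse_threat_log(SAMPLE_LOG)[0]
    print(ev["Source"], triage(ev, "200603060006", FAKE_DRIVER, FAKE_VENDOR_SHA256))
```

With Jules's figures (last clean scan at 200603060006, detection at 200603070009) both signals come out true, which is the pattern to cite when filing the false-positive report.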
trafficlights7
Joined: 06 Jan 2005 Posts: 9
Posted: Wed Mar 15, 2006 10:31 pm Post subject: Symantec address to complain to?
Any info on where/who to contact at Symantec? Hopefully we can get a quick resolution on this!!
madshi Site Admin
Joined: 21 Mar 2004 Posts: 5844
Posted: Wed Mar 15, 2006 10:41 pm Post subject:
Well, anyone who has bought a product can contact customer service and complain. That's probably the fastest way to get attention. Another way is to use the homepage to enter a false positive report. But that seems to be quite slow. I've already done that and haven't heard anything back yet...