juanamores Master
Joined: 15 Mar 2015 Posts: 317
Posted: Mon Aug 08, 2016 9:04 pm Post subject: Trojan in eggdrop module false positive?
I made a backup of my VPS on my PC and Avast antivirus detected a trojan in a file.
The path: \eggdrop\modules-1.6.21\
The file: seen.so
Detection: ELF:IRCBot-D [Trj]
Most likely it is a false positive.
I've scanned the file using the VirusTotal website and here are the results:
https://www.virustotal.com/es/file/9747d59e90bcc5c56c93bee2e4a35ed45c0317be879c97ded5632e0933370096/analysis/1470704763/
Only Avast detects a virus, out of 53 AVs.
_________________ If you do not understand my ideas, it is because I cannot think in English; I help myself with Google Translate. I only speak Spanish. Bear with me. Thanks
caesar Mint Rubber
Joined: 14 Oct 2001 Posts: 3690 Location: Mint Factory
Posted: Tue Aug 09, 2016 1:20 am Post subject:
False positive, nothing to worry about, unless you got the file from a source other than the official one that might have tampered with the files.
_________________ Once the game is over, the king and the pawn go back in the same box.
juanamores Master
Joined: 15 Mar 2015 Posts: 317
Posted: Tue Aug 09, 2016 7:06 pm Post subject:
I sent the file to the Avast laboratory.
I have confirmed that the virus detection is correct.
The truth is I do not think it is a virus.
I do not think 52 antiviruses are mistaken.
It is a false positive!
This is what Avast said:
Quote:
Good morning
Thank you for contacting Avast and sending us the sample.
The virus lab informs me that it really is a virus and the detection is correct.
Kind regards
_________________ If you do not understand my ideas, it is because I cannot think in English; I help myself with Google Translate. I only speak Spanish. Bear with me. Thanks
caesar Mint Rubber
Joined: 14 Oct 2001 Posts: 3690 Location: Mint Factory
Posted: Wed Aug 10, 2016 2:30 am Post subject:
If and only if you got eggdrop1.6.21.tar.gz (or whatever version you are using) from the official source, aka the Eggheads.org site, then grab the non-compiled seen.c from the archive, located in eggdrop1.6.21/src/mod/seen.mod, tell them that they are idiots because it's a false positive result, and uninstall the product.
I just got the seen.c file and here (link) is the VirusTotal result.
_________________ Once the game is over, the king and the pawn go back in the same box.
juanamores Master
Joined: 15 Mar 2015 Posts: 317
Posted: Wed Aug 10, 2016 8:39 pm Post subject:
I uploaded the file to Code: https://mega.nz/#!cYsRhZzY so they can scan it.
Encryption key for the file: Quote: !MUKHc7zBoMixKVPaw3VEZ7ra8TBsAZ5LqN80b430L9Y
I do not remember where I downloaded this eggdrop.
I used to download it from the official website, but this was a while ago.
_________________ If you do not understand my ideas, it is because I cannot think in English; I help myself with Google Translate. I only speak Spanish. Bear with me. Thanks
caesar Mint Rubber
Joined: 14 Oct 2001 Posts: 3690 Location: Mint Factory
Posted: Thu Aug 11, 2016 1:27 am Post subject:
I got the seen.so file from my own eggdrop, which I know for sure I got from the official source, and the virus scan has the same result.
_________________ Once the game is over, the king and the pawn go back in the same box.
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2854
Posted: Fri Aug 12, 2016 2:03 pm Post subject:
I would assume they (Avast) classify it as a positive trojan, as eggdrops have been used to power malicious botnets in the past. To be honest, I'd almost expect them to classify any IRC client as an intrusion or trojan...
Sadly, I doubt they'll change their minds about it. Best bet is to get the binaries from a trusted source, or build them yourself, and do whatever you can to whitelist the file on your system.
_________________ NML_375, idling at #eggdrop@IrcNET
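The check caesar and nml375 describe (rebuild the module from the official source and compare it with the flagged copy), written out as an added example that is not part of this thread and not eggdrop project code. It is a small POSIX shell script that hashes both files with SHA-256 and confirms the suspect file at least carries an ELF header. It assumes `sha256sum` (coreutils) or `shasum` is available; the demo at the bottom runs on constructed files, and the paths in the trailing usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: compare a suspect module (such as a
# seen.so flagged by an antivirus) with the same module rebuilt from the
# official source tarball, and report whether the two are byte-identical.
# Assumes sha256sum (coreutils) or shasum (Perl/BSD) is on the PATH.

# Print the SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed if the file starts with the ELF magic bytes 7f 45 4c 46 ("\177ELF"),
# i.e. it is at least the kind of file a compiled module should be.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Exit status: 0 = identical to the trusted build, 1 = digests differ,
# 2 = one of the files is missing or unreadable.
compare_module() {
    suspect="$1"
    trusted="$2"
    [ -r "$suspect" ] && [ -r "$trusted" ] || return 2
    [ "$(sha256_of "$suspect")" = "$(sha256_of "$trusted")" ]
}

# Human-readable verdict. A mismatch is a reason to inspect the file, not proof
# of tampering: a different compiler, version or build options also change the
# bytes, so only a rebuild from the same source on the same toolchain is expected
# to match exactly.
report() {
    compare_module "$1" "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "identical: $1 matches the trusted build $2" ;;
        1) echo "DIFFERS: $1 is not byte-identical to $2; inspect before trusting it" ;;
        *) echo "error: cannot read $1 or $2" ;;
    esac
    return $rc
}

# Demonstration on constructed files (no real module involved).
demo_dir=$(mktemp -d)
printf '\177ELF constructed module bytes' > "$demo_dir/trusted_seen.so"
cp "$demo_dir/trusted_seen.so" "$demo_dir/backup_seen.so"
printf '\177ELF constructed module bytes, altered' > "$demo_dir/altered_seen.so"
is_elf "$demo_dir/backup_seen.so" && echo "backup copy has an ELF header"
report "$demo_dir/backup_seen.so" "$demo_dir/trusted_seen.so"
report "$demo_dir/altered_seen.so" "$demo_dir/trusted_seen.so" || true
rm -rf "$demo_dir"

# Real use (placeholder paths; the second file is the module you compiled
# yourself from the official eggdrop source):
#   report /path/to/backup/eggdrop/modules-1.6.21/seen.so /path/to/own-build/seen.so
```

If the digests match, the flagged file is exactly what the official source produces and the detection is a signature on legitimate code; if they differ, the next step is to diff the two builds rather than to trust either verdict from the scanner alone.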
caesar Mint Rubber
Joined: 14 Oct 2001 Posts: 3690 Location: Mint Factory
Posted: Sat Aug 13, 2016 1:53 am Post subject:
Because they haven't marked more files, just the seen module, it makes me think that the file has some piece of code (for instance, writing something to a file) similar to what malicious botnets used; maybe they got some inspiration from the seen module.
Anyway, I wouldn't be bothered by this if you got the source from Eggheads.org's website.
_________________ Once the game is over, the king and the pawn go back in the same box.