List: wireshark-users
Subject: Re: [Wireshark-users] Wireshark v1.2.0's msvcp90.dll real or FP?
From: Phillip Pi <ant () zimage ! com>
Date: 2009-06-22 18:54:17
Message-ID: 20090622185417.GK1356 () alpha ! zimage ! com
[Download RAW message or body]
On Mon, Jun 22, 2009 at 11:45:53AM -0700, Gerald Combs wrote:
> >>> Strange. My DiamondCS MD5 v1.4.0.0 tool doesn't match yours from
> >>> portable Wireshark (after extraction): 7B80921F9F6126F53F4250E2B23E0EA3
> >> I copied msvcp90.dll to a temp directory and ran "upx -q" on it using
> >> UPX 3.01w. The UPX-ed hashes are:
> >>
> >> MD5(msvcp90.dll)= 7b80921f9f6126f53f4250e2b23e0ea3
> >>
> >> I generated the hashes using "openssl md5", "openssl sha1", and "openssl
> >> rmd160" respectively.
> >
> > OK, that's better. So the files aren't tampered with. Also, did you notice
> > that more than one online scanner flagged it as suspicious besides SuperAntiSpyware?
>
> Yes. Please note that
>
> 1) We've received quite a few virus reports in the past:
> http://wiki.wireshark.org/FalsePositives
>
> 2) So far they've _all_ been false positives.
>
> 3) Trying to get confirmation about a specific positive for a specific
> file from a specific vendor is often an exercise in joylessness.
>
> I'm not quite ready to declare this a false positive. However, the
> hashes for msvcp90.dll that we shipped match the ones on multiple
> systems (which appear to be clean), and the hashes for the version of
> UPX used to compress msvcp90.dll match those from a fresh download from
> SourceForge. It really, really looks like a false positive right now.
Yeah, I am thinking it is an FP too. I am surprised that there are a few
scanners thinking it is a bad file. Oy! :(
--
"Left right left right we're army ants. We swarm we fight. We have no
home. We roam. We race. You're lucky if we miss your place." --Douglas
Florian (The Army Ants Poem)
/\___/\
/ /\ /\ \ Phil/Ant @ http://antfarm.ma.cx (Personal Web Site)
| |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
\ _ / E-mail: philpi@earthlink.net or ant@zimage.com
( )
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
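As an added example (not code from the thread or from the Wireshark project): a small Python helper that parses the `openssl md5` output format quoted above, compares digests regardless of letter case (the uppercase DiamondCS value and the lowercase openssl value in the thread are the same digest), and verifies a file against several expected digests. The sample file it checks is constructed and is not msvcp90.dll.

```python
import hashlib
import hmac
import re
import tempfile

# Output line format of "openssl md5 FILE", as quoted in the thread:
#   MD5(msvcp90.dll)= 7b80921f9f6126f53f4250e2b23e0ea3
OPENSSL_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\((.+)\)=\s*([0-9A-Fa-f]+)\s*$")

def parse_openssl_line(line):
    """Return (algorithm, filename, hex_digest) from an openssl dgst output line."""
    m = OPENSSL_LINE.match(line)
    if not m:
        raise ValueError(f"not an openssl digest line: {line!r}")
    algo, name, digest = m.groups()
    return algo.lower(), name, digest.lower()

def digests_equal(a, b):
    """Compare two hex digests ignoring case and surrounding whitespace.
    hmac.compare_digest keeps the comparison time independent of where they differ."""
    a, b = a.strip().lower().encode(), b.strip().lower().encode()
    return len(a) == len(b) and hmac.compare_digest(a, b)

def file_digest(path, algo):
    """Hash a file in chunks with the named hashlib algorithm (e.g. 'md5', 'sha1')."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_file(path, expected):
    """expected: {algo: hex_digest}. Returns {algo: matched}; treat the file as
    intact only when every listed algorithm matches."""
    return {algo: digests_equal(file_digest(path, algo), want)
            for algo, want in expected.items()}

def demo_verify():
    """Constructed demo: record digests in uppercase (DiamondCS style) and
    lowercase (openssl style), verify the file, then alter it and verify again."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dll") as tmp:
        tmp.write(b"constructed sample bytes, not the real msvcp90.dll\n")
    want = {"md5": file_digest(tmp.name, "md5").upper(),
            "sha1": file_digest(tmp.name, "sha1")}
    intact = verify_file(tmp.name, want)
    with open(tmp.name, "ab") as f:
        f.write(b"\x00")  # a single changed byte (repacking or tampering) alters every digest
    return intact, verify_file(tmp.name, want)

if __name__ == "__main__":
    print(demo_verify())
```

The UPX step from the thread is not reproduced here; the helper only shows that two digests that differ in case match, while any byte-level change to the file does not.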