A virus in CyberInstaller? It’s a false positive!
A user has reported on a blog that his antivirus, F-Secure, flagged CyberInstaller Suite as unsafe software, probably carrying a trojan.
CyberInstaller Suite had not been reported as carrying a virus for years and, fortunately, other users on the same blog answered that F-Secure did not report anything on their machines.
So what explains this mystery? Here is the answer.
As often happens with other prize-winning professional software (from Microsoft, Skype and even anti-malware tools such as Spybot-Search&Destroy), it is just a FALSE POSITIVE, that is, an erroneous report from an antivirus that identifies a virus in a completely harmless application. The antivirus that reports this false positive probably has heuristic scanning turned on, an option that performs more in-depth scans but, in order to catch still-unknown viruses, may also report many false positives.
I have to say that the CyberInstaller Suite module recognized as a trojan is CIPEW, the CyberInstaller Portable Executable Wrapper, which is the wrapper for the Setup.exe executable. This wrapper uses advanced techniques to embed the executable and decompress it on the fly (this is necessary to run some security checks on the serial numbers, if they are used in the installation package), and it is probably identified as "abnormal" by the heuristic scan of some antivirus products. Another module that could cause a false positive, at least some versions ago, was CISUpdater, probably because it connects to the SilverCyberTech site to search for updates (in a totally legal and user-aware way!).
In addition to this, all modules of CyberInstaller Suite are compressed with UPX, a utility for compressing executables that not only reduces their size without slowing down their loading (they are decompressed on the fly, in nearly real time, when executed), but also crypts all their content, making it very difficult to hack and disassemble them. For these very reasons virus writers often use this utility to compress their viruses, and because of this an executable carrying the UPX signature is often identified as "abnormal" by the heuristic scan of a paranoid antivirus.
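To check whether a flagged file carries the UPX traits described above, the following added example (not part of the original post and not CyberInstaller code) reads the PE section table and reports them. It assumes UPX's default section names (UPX0, UPX1) and its "UPX!" marker; the two sample images are constructed, header-only byte strings.

```python
import struct

def pe_sections(data: bytes):
    """Parse the PE section table; return [(name, virtual_size, raw_size)]."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        pe_off, = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("PE signature not found")
        count, = struct.unpack_from("<H", data, pe_off + 6)     # NumberOfSections
        opt_size, = struct.unpack_from("<H", data, pe_off + 20) # SizeOfOptionalHeader
        table = pe_off + 24 + opt_size
        rows = [struct.unpack_from("<8sIII", data, table + 40 * i)
                for i in range(count)]
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return [(n.rstrip(b"\0").decode("latin-1"), vs, rs) for n, vs, _va, rs in rows]

def upx_indicators(data: bytes):
    """List the packer traits a heuristic scanner is likely reacting to."""
    secs = pe_sections(data)
    hits = []
    upx_names = [n for n, _, _ in secs if n.startswith("UPX")]
    if upx_names:
        hits.append("section names " + ",".join(upx_names))
    # Weak on its own (.bss-style sections also match); telling alongside the others.
    if any(vs > 0 and rs == 0 for _, vs, rs in secs):
        hits.append("section with virtual size but no raw data")
    if b"UPX!" in data:
        hits.append("UPX! marker present")
    return hits

def build_sample(sections, trailer=b""):
    """Constructed, header-only PE image for the demo (not a real program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8sIIII16x", n, vs, 0x1000 * (i + 1), rs, 0x200)
                     for i, (n, vs, rs) in enumerate(sections))
    return dos + coff + table + trailer

PACKED = build_sample([(b"UPX0", 0x8000, 0), (b"UPX1", 0x4000, 0x3E00),
                       (b".rsrc", 0x1000, 0x800)], trailer=b"UPX!")
PLAIN = build_sample([(b".text", 0x1000, 0x1000), (b".data", 0x200, 0x200)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(image) or "no UPX traits")
```

A hit only shows that the file is packed, which is what the heuristic reacts to; it says nothing about whether the packed program is malicious.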
Finally, CyberInstaller Suite has no malware in it at all, no worms, no trojans, no dialers, no nothing. It is perfectly clean, as confirmed by the Softpedia award: "100% Clean, no spyware, no adware, no viruses".
Anyway, if you ever find false-positives with your antivirus, please contact me: I’ll try to recompile the module so that no false-positive will be reported anymore!
Friday, February 1st, 2008 : CyberInstaller Suite : No Comments
Name: Sergio