Sonicwall reports a virus when downloading 9.0 exe

Having a problem? Ask for help here.
New User
Newbie
Posts: 1
Joined: Fri Dec 12, 2008 4:44 pm

Sonicwall reports a virus when downloading 9.0 exe

Post by New User »

[Attachment: vistumbler-download.JPG (23.65 KiB)]
ACalcutt
Vistumbler / TechIdiots Admin
Posts: 1302
Joined: Sun Oct 21, 2007 6:50 pm
Location: Rutland, MA

Re: Sonicwall reports a virus when downloading 9.0 exe

Post by ACalcutt »

I will contact Sonicwall and see what I can find.
ACalcutt
Vistumbler / TechIdiots Admin
Posts: 1302
Joined: Sun Oct 21, 2007 6:50 pm
Location: Rutland, MA

Re: Sonicwall reports a virus when downloading 9.0 exe

Post by ACalcutt »

--------------------------------------------------------------------------------
From: John Lasersohn [mailto:JLasersohn@SonicWALL.com]
Sent: Sun 12/14/2008 5:36 PM
To: Andrew Calcutt; Calcutt, Andrew
Cc: E-ClassSupport@sonicwall.com
Subject: RE: False positive (GAV blocks Vistumbler download)

Dear Andrew:

Feel free to pass on the below message to your users. Our Intrusion Prevention and Gateway Anti-Virus (GAV) signatures, based on certain strings or network behaviors, will sometimes be general enough to have ‘collateral damage.’ In this case, downloads of your Vistumbler wireless tool (in which I’m interested personally) are being stopped by a GAV signature. I’ve replicated this problem (only the .exe download is affected) and also found a workaround.

Our products contain a lot of flexibility; all users of the GAV features on our firewalls can make an exemption for the server IP address from which the download occurs. This is done on the Security Services – GAV screen, inside the button “Configure Gateway Anti-Virus Settings.”

The key is to pay attention to the name of the server when in the File Save dialog box (details below). I resolved the server name during my download: internap.dl.sourceforge.net - occdce.chg005.internap.com [74.201.0.131]. Other users are likely to be pushed to other servers; this may be a large server farm so other users might download from other IP addresses. The SonicWALL log will tell them which server IP address was used; here is a live example from my testing:

12/14/2008 13:56:13.432 Alert Security Services Gateway Anti-Virus Alert: Adload.BT (Trojan) blocked 74.201.0.131, 80, X1 172.21.5.200, 1645, X0

Note that the downloads don’t happen from the home page of your product http://vistumbler.sourceforge.net nor from the downloads.sourceforge.net server either.

Another approach possible for some users of SonicWALL firewalls is to disable the offending signature. That feature is only possible on some models with some firmware versions.

Of course we hope to fix the false positive signature. I have created a bug report for it (below) but we cannot estimate when it might be fixed. I have supplied the EXE sample for them.

DTS #74916 GAV Adload.BT (Trojan) sig false positive - blocks Vistumbler EXE download

Regards,

John Lasersohn
Escalation Manager & Sr. Technical Support Engineer
http://www.sonicwall.com
--------------------------------------------------------------------------------
From: acalcutt@worcester.edu [mailto:acalcutt@worcester.edu] On Behalf Of Andrew Calcutt
Sent: Friday, December 12, 2008 3:05 PM
To: ASDSUPPORT; E-ClassSupport@sonicwall.com
Subject: False positive

Hello Sonicwall,

My name is Andrew Calcutt and I have a program called Vistumbler. I have been told on my forums that a Sonicwall product is detecting my program as a trojan. My program is not a trojan, so what would be the best way to resolve a false positive with your company's product?

The only information I have on this is the screenshot posted on my forum (http://forum.techidiots.net/forum/viewt ... p=575#p575). The file being blocked can be downloaded from vistumbler.net

http://downloads.sourceforge.net/vistum ... taller.exe
http://downloads.sourceforge.net/vistum ... ler9-0.zip

Thanks,
Andrew Calcutt
Vistumbler.net
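The email above tells affected administrators to read the server IP out of the SonicWALL GAV alert line and exempt only that address. The script below is an added example, not something from the thread or from SonicWALL: it parses alert lines in the layout of the single sample quoted in the email (the field layout is assumed from that one line; other firmware versions may differ), then separates hits on the false-positive signature into servers that match a known download mirror (safe to exempt) and servers that do not (still worth a look, since the same signature could be a true positive elsewhere). The sample log is constructed: the first line is the real one from the email, the rest are made up and use the 198.51.100.0/24 documentation range; `Constructed.Sample` is a made-up signature name, and `KNOWN_MIRRORS` holds the mirror name and address John resolved during his test.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Field layout of the GAV alert line quoted in the email (assumed from that
# single sample; other firmware versions may format the line differently):
#   <date> <time> <severity> Security Services Gateway Anti-Virus Alert:
#   <signature> (<kind>) blocked <src_ip>, <src_port>, <src_iface>
#   <dst_ip>, <dst_port>, <dst_iface>
GAV_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<severity>\w+) Security Services Gateway Anti-Virus Alert: "
    r"(?P<signature>\S+) \((?P<kind>[^)]+)\) blocked "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<src_port>\d+), (?P<src_if>\w+) "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<dst_port>\d+), (?P<dst_if>\w+)$"
)

# Mirror John resolved during his download (from the email). Add further
# mirrors here only after confirming what they serve.
KNOWN_MIRRORS: Dict[str, str] = {"74.201.0.131": "internap.dl.sourceforge.net"}

# Constructed sample log: line 1 is the real line from the email, the rest
# are made up (198.51.100.x is a documentation range, Constructed.Sample is
# not a real signature, the last line is a non-GAV entry).
SAMPLE_LOG = """\
12/14/2008 13:56:13.432 Alert Security Services Gateway Anti-Virus Alert: Adload.BT (Trojan) blocked 74.201.0.131, 80, X1 172.21.5.200, 1645, X0
12/14/2008 14:02:41.108 Alert Security Services Gateway Anti-Virus Alert: Adload.BT (Trojan) blocked 74.201.0.131, 80, X1 172.21.5.214, 1702, X0
12/14/2008 14:10:05.771 Alert Security Services Gateway Anti-Virus Alert: Adload.BT (Trojan) blocked 198.51.100.7, 80, X1 172.21.5.200, 1710, X0
12/14/2008 14:11:30.002 Alert Security Services Gateway Anti-Virus Alert: Constructed.Sample (Trojan) blocked 198.51.100.9, 80, X1 172.21.5.200, 1722, X0
12/14/2008 14:12:00.000 Notice Network Connection Opened 172.21.5.200, 1730, X0 198.51.100.9, 80, X1
"""


@dataclass(frozen=True)
class GavAlert:
    date: str
    time: str
    severity: str
    signature: str
    kind: str
    src_ip: str      # server the file came from: the address an exemption targets
    src_port: int
    src_if: str
    dst_ip: str      # internal client that requested the file
    dst_port: int
    dst_if: str


def parse_gav_alert(line: str) -> Optional[GavAlert]:
    """Parse one GAV alert line; return None for any other kind of log line."""
    m = GAV_LINE.match(line.strip())
    if m is None:
        return None
    return GavAlert(
        date=m["date"], time=m["time"], severity=m["severity"],
        signature=m["signature"], kind=m["kind"],
        src_ip=m["src_ip"], src_port=int(m["src_port"]), src_if=m["src_if"],
        dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]), dst_if=m["dst_if"],
    )


def triage_false_positive(lines: Iterable[str], signature: str,
                          known_mirrors: Dict[str, str]) -> Dict[str, object]:
    """Split hits on `signature` by server address.

    An IP exemption, as the email describes it, excludes that server from the
    check, so only addresses that match a vetted mirror go into "exempt";
    the same signature firing from any other address goes into "review".
    """
    exempt: Counter = Counter()
    review: Counter = Counter()
    other_signatures = 0
    unparsed = 0
    for line in lines:
        alert = parse_gav_alert(line)
        if alert is None:
            unparsed += 1
            continue
        if alert.signature != signature:
            other_signatures += 1
            continue
        if alert.src_ip in known_mirrors:
            exempt[alert.src_ip] += 1
        else:
            review[alert.src_ip] += 1
    return {"exempt": dict(exempt), "review": dict(review),
            "other_signatures": other_signatures, "unparsed": unparsed}


if __name__ == "__main__":
    result = triage_false_positive(SAMPLE_LOG.splitlines(), "Adload.BT", KNOWN_MIRRORS)
    for ip, hits in result["exempt"].items():
        print(f"exempt {ip} ({KNOWN_MIRRORS[ip]}): {hits} blocked download(s)")
    for ip, hits in result["review"].items():
        print(f"review {ip}: {hits} hit(s) on the same signature from an unknown server")
```

Running it on the constructed sample lists 74.201.0.131 as the one address to exempt and flags 198.51.100.7 for review rather than exempting it, which is the distinction the email's "other users might download from other IP addresses" remark leaves to the reader.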