FattyBoomsticks

lcc-win32 compiler reported (incorrectly?) as TaskDir trojan


...specifically the zlib.dll file that comes with the lcc-win32 C compiler (which I downloaded from the authors' website http://www.cs.virginia.edu/~lcc-win32/). The reasons why I think that this is a false positive are:

1. Popular compiler and yet I can't find anyone who says that it is infected.

2. I recall reading that the compiler uses OS hooks, which are supposedly a common source of false positives for antivirus software.

3. Only C:\lcc\bin\zlib.dll is reported as infected, i.e. there has been no virus-like spread to other executable files on my drives (although possibly a rootkit could hide infected files from the operating system, I don't know).

4. Trial versions of both Kaspersky and nod32 never detected it. Neither did Windows Defender.

5. No virus-like behaviour whatsoever as far as I can tell. TaskDir is, I believe, a mail spammer and yet I haven't noticed any unusual or increased network or CPU activity. Norton AntiBot hasn't reported any bot-like activity (ugh, I'm turning into a security software junkie).

6. I found that during installation of lcc Avast Home antivirus flagged it as a virus. Why do I think that this supports my argument that zlib.dll is not infected? I believe this has something to do with point 2 above. I trust Kaspersky's and Nod32's detection capabilities over Avast based on their reputation and the fact that Avast Home is free (don't get me wrong, love your work!:P ).

I have a second laptop that never had lcc installed, I will check shortly to see if it too has been infected.

Cheers.


Yes, although initially I didn't. As far as I can tell (newbie here), SAS only lets you report a false positive upon finding potential threats, but not after they have been quarantined. Not wanting to restore the quarantined files, I reported the false positive in this thread instead.


Hi FB

Just my 2cents :wink:

It is more than likely that this particular DLL falls into what they call a grey area, e.g. Hacktool/Riskware by industry titling.

In layman's terms it is a legitimate file in some cases/scenarios, whereas in others it might be part of an attacker's toolkit deposited upon the end user's machine.

If you know the source of the file is legitimate then for you it is a F/P, whereas it could be different on another detection on a compromised PC.

If ever in doubt about a file, or even just as a good habit to get into (outsourcing file checking versus 32 databases) as opposed to your resident foo or a couple of online checks, I would suggest the VirusTotal service :D

http://www.virustotal.com/

HTH:)

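As an added example (not code from this thread, from lcc-win32 or from VirusTotal), a Python script for the check behind point 3 of the first post and the VirusTotal suggestion above: it hashes every executable-type file under an install directory so a baseline can be compared later for unexpected changes, and the SHA-256 it produces for a flagged file is what you would look up rather than uploading the file itself. All paths and file contents below are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx"}

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream-hash a file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def baseline_executables(root):
    """Map relative path -> SHA-256 for every executable-type file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }

def diff_baselines(before, after):
    """Return (modified, added, removed) relative paths between two baselines."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    return modified, added, removed

def demo():
    """Constructed scenario: an install tree hashed before and after a change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "zlib.dll").write_bytes(b"fake dll bytes v1")  # constructed
        (root / "bin" / "lcc.exe").write_bytes(b"fake exe bytes")      # constructed
        (root / "readme.txt").write_bytes(b"not an executable")        # ignored
        before = baseline_executables(root)
        # Simulate one binary changing on disk and a new one appearing.
        (root / "bin" / "zlib.dll").write_bytes(b"fake dll bytes v2")
        (root / "bin" / "extra.dll").write_bytes(b"unexpected file")
        after = baseline_executables(root)
        return diff_baselines(before, after)

if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

Save the first baseline to disk right after a clean install; a later diff that lists only the file the scanner flagged, and nothing else changed or added, is consistent with the "no spread" argument, while new or modified binaries you did not install are the thing to investigate.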