Showing posts with label easypal. Show all posts

Wednesday, March 17, 2010

EasyPal Issue Resolved As Norton False Positive

After talking to knowledgeable people on the digital SSTV group, I have decided that the "virus" detected by Norton is a legitimate file distributed with the program.

The confusion seems to be stemming from Norton's detection of a file called loop.zip, which contains a Windows library file called loop.dll. Loop.dll has been around for a few years, and it contains routines that are sometimes used with SDRs. However, another file named loop.exe is associated with several known Trojans.

This leaves only the odd question of why loop.zip would be recreated whenever EasyPal ran. After I completely uninstalled EasyPal, this behavior stopped, so there's no evidence that the system is doing it.

I have not tested the latest version of EasyPal, which is only a few weeks old, to see whether it, too, stops this behavior. However, I now once again consider it excellent software.

Apologies to the programmers of EasyPal, who have really done a nice job bringing hams a more reliable way to use a complex mode.

Other discussions have centered on the widely known fact that there are probably better anti-virus packages on the market than Norton. While my version is better than the previous two or so, it's still pretty bloated and prone to causing issues such as this one with EasyPal.

Sorry about that.

Monday, March 15, 2010

Possible Issue With EasyPal

Some people might have noticed that the glowing review of the EasyPal software has been deleted from this blog. This is because of various strange virus detection issues that many users, myself included, have gotten since the start of 2010 while using this program.

A rather spirited discussion of this subject is on QRZ. There's another on the DigiSSTV Yahoo! group.

The areas of agreement are as follows:

1. EasyPal detects as clear of malware on all checkers when its files are scanned on first installation.

2. At some point after the first picture is viewed, various different virus checkers start to show various different Trojan loaders in EasyPal's directories. MalwareBytes seems to do this the most often. (There is no agreement on whether or not these are false positives.)

3. After this detection, EasyPal still shows as clear. The alleged virus is in a more recently created file that was not distributed with the original package.


Such a behavior is common to some types of dropper programs, which will download the malware later while not making code changes that will be detected. Sometimes anti-virus programs find the new bad stuff before it runs, and sometimes they don't.

Unfortunately, it is also typical of false positives, given the huge complexity of virus detection lists.

In my own case, running EasyPal would create a zip file named loop.zip, which Norton would "quarantine" as containing a rare Trojan which logs keystrokes and steals all your passwords. I would delete the zip archive, but it would reappear on every subsequent running of EasyPal.

The suspect file inside loop.zip is called loop.dll. Searches show one old (~2008) reference to a QRZ forum thread mentioning a file with this name associated with ham radio software. Perhaps it creates a local loopback so a simplex sound card can feed multiple programs.

There is no other mention of this file anywhere detectable on Google, and a full disk search of my computer (which has at least 30 ham radio programs), finds nothing.

Therefore, there are two main possibilities:

1. Norton is confusing loop.dll with loop.exe, a program dropped by many Trojan loaders to capture keystrokes.

2. Norton is finding malicious code that somehow gets into the EasyPal directory hierarchy via file transfers on the air, or an infected utility which is called on the fly when pictures are viewed. (If so, this is a good reason to transfer them to IrfanView, the way DIGTRX does.)


Everyone will have to draw their own conclusion. In my own case, I am far, far from certain that there is any problem with EasyPal. I still really like it a lot. However, I won't put any version of it back on any of my computers until the issue is resolved one way or the other.

Perhaps I'm erring on the safe side, but that's what I do.
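
The points of agreement listed above come down to one observation: the install scans clean, and the flagged file appears only after the program has run. The following is an added example, not part of the original post or of EasyPal, showing one way to pin that down: hash the program directory right after installation, hash it again after a run, and list what was created, including the members of any new zip archive. The function names and the `program.exe` stand-in are hypothetical; `loop.zip` and `loop.dll` are the names from the post, and all file contents are constructed for the demo.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root, and every member of any zip, to its SHA-256."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        manifest[rel] = sha256(data)
        # Look inside archives so a file like loop.dll is listed by name and hash.
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        manifest[f"{rel}!{info.filename}"] = sha256(zf.read(info))
    return manifest


def diff(before: dict, after: dict) -> dict:
    """Compare two manifests: what appeared, disappeared, or changed content."""
    shared = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in shared if before[k] != after[k]),
    }


def demo() -> dict:
    """Constructed scenario: a clean install, then a run that writes loop.zip."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "program.exe").write_bytes(b"constructed stand-in for the program")
        baseline = snapshot(root)  # taken right after installation
        with zipfile.ZipFile(root / "loop.zip", "w") as zf:  # simulated first run
            zf.writestr("loop.dll", b"constructed stand-in for the library")
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

The hashes in the second manifest are what to compare against the copy shipped in the installer or to submit to more than one scanner, which separates "a file the package itself unpacks" from "a file that arrived some other way".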