I don't know whether you saw it, but in my article about GiPo@FileUtilities some readers noted that Symantec Endpoint triggered an alarm when they installed the tool. AVG Anti-Virus, the AV software I use at the moment, had no complaints, so I was uncertain whether this was just a false positive. Most anti-virus tools use heuristics to detect malware for which no signatures are available yet: many viruses share specific characteristics that can be detected with rules of thumb, and a legitimate program that happens to share those characteristics can trip the same rules.
One reader uploaded GiPo@FileUtilities to Virustotal to settle the question. I must admit I didn't know about this useful free service, so perhaps you don't know about it either. Virustotal runs the files you send it through 38 different malware scan engines, among them well-known brands such as Trend Micro, Symantec, F-Secure, and Sophos.
Virustotal needs only a few seconds to analyze a suspicious file and then lists the verdict of every scan engine. I was somewhat surprised that 50% of the antivirus engines identified a Trojan inside the GiPo@FileUtilities installation file. They don't all report the same Trojan, or at least they don't use the same name for it. It is possible that the setup file was packed with a tool that virus authors also use.
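The Virustotal web page does the tallying for you, but the same report is available as JSON, and reducing it to the three numbers that matter here (how many engines flagged the file, how many distinct names they gave it, and how many of those names are generic heuristic labels) is a useful habit. The following is an added example written for this post; it is not code from 4sysops, from the GiPo@FileUtilities author, or from Virustotal. The `/api/v3/files/{hash}` endpoint and the `x-apikey` header are the public v3 API, but `SAMPLE_REPORT` is constructed in that shape with made-up engine names and labels, and the `GENERIC_MARKERS` substrings are my own rule of thumb, not Virustotal's taxonomy. Hashing the file locally and looking up the hash first is deliberate: it tells you whether Virustotal has already seen the file without uploading a possibly confidential binary to a third party.

```python
"""Summarise a VirusTotal v3 file report into a detection ratio and per-engine list.

Added example, not code from 4sysops, GiPo or VirusTotal. SAMPLE_REPORT is
CONSTRUCTED: engine names and detection labels are illustrative only.
"""
import hashlib
import json
import os
import sys
import urllib.request
from collections import Counter

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

# Substrings that usually mark a heuristic or generic label rather than a named
# family (assumption: my rule of thumb, not VirusTotal's taxonomy).
GENERIC_MARKERS = ("generic", "heur", "suspicious", "gen:", "variant of")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash locally so a hash lookup can replace uploading the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256: str, api_key: str) -> dict:
    """GET /api/v3/files/{hash}; an HTTP 404 means VirusTotal has never seen it."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256=sha256),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def make_report(verdicts: dict) -> dict:
    """Build a report in the v3 JSON shape from {engine: None | label | (category, label)}."""
    results = {}
    for engine, label in verdicts.items():
        if label is None:
            category, result = "undetected", None
        elif isinstance(label, tuple):
            category, result = label
        else:
            category, result = "malicious", label
        results[engine] = {"engine_name": engine, "category": category, "result": result}
    return {"data": {"attributes": {"last_analysis_results": results}}}


# CONSTRUCTED sample: 8 engines, 4 hits, 3 different names, all of them generic.
SAMPLE_REPORT = make_report({
    "EngineA": "Trojan.Generic.12345",
    "EngineB": "Heur.Suspicious",
    "EngineC": ("suspicious", "a variant of Win32/Agent"),
    "EngineD": "Trojan.Generic.12345",
    "EngineE": None, "EngineF": None, "EngineG": None, "EngineH": None,
})


def summarize(report: dict) -> dict:
    """Count flagging engines, the names they used, and how much they agree."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {engine: (r.get("result") or "unnamed") for engine, r in results.items()
               if r["category"] in ("malicious", "suspicious")}
    labels = Counter(flagged.values())
    generic = [lbl for lbl in flagged.values()
               if any(m in lbl.lower() for m in GENERIC_MARKERS)]
    total = len(results)
    return {
        "engines": total,
        "flagged": len(flagged),
        "ratio": round(len(flagged) / total, 2) if total else 0.0,
        "by_engine": dict(sorted(flagged.items())),
        "distinct_labels": len(labels),
        # share of flagging engines that use the single most common label
        "agreement": round(max(labels.values()) / len(flagged), 2) if flagged else 0.0,
        "generic_labels": len(generic),
    }


def assessment(summary: dict) -> str:
    """Rule of thumb, not a verdict: several engines naming the same family is
    stronger evidence than the same number each guessing a different generic name."""
    if summary["flagged"] == 0:
        return "clean by all engines (signatures may simply not exist yet)"
    if summary["agreement"] >= 0.5 and summary["generic_labels"] < summary["flagged"]:
        return "consistent detection: treat as malicious until the vendor says otherwise"
    return "inconsistent, mostly heuristic hits: possible false positive, send to your AV vendor"


if __name__ == "__main__":
    report = SAMPLE_REPORT
    if len(sys.argv) > 1:
        digest = sha256_of_file(sys.argv[1])
        print("sha256:", digest)
        key = os.environ.get("VT_API_KEY")
        if key:
            report = fetch_report(digest, key)
        else:
            print("VT_API_KEY not set; showing the constructed sample report instead")
    s = summarize(report)
    print(json.dumps(s, indent=2))
    print(assessment(s))
```

Run it with no arguments to see the constructed sample, or with a file path and `VT_API_KEY` set to look up a real hash. On the sample, half of the engines flag the file but they use three different names and every one of them is a generic label, which is the pattern this post describes; `assessment` therefore recommends sending the file to the vendor rather than declaring an infection.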
Then again, GiPo@FileUtilities performs file system manipulations of the kind that are typical for malware, which is exactly what heuristics look for. Hence I was still not convinced that this was anything more than a false positive. In the same article Petr mentioned that the antivirus vendor ESET had identified it as a false positive, even though Virustotal reports that their scan engine NOD32 also classified GiPo@FileUtilities as suspicious.
This only reaffirms my view that the heuristics in antivirus software are quite unreliable. I therefore recommend checking a file with Virustotal if your AV software reported a virus in your network based on its heuristics. However, this case also demonstrates that even when several different scan engines claim to have detected a virus, you can't be really sure. If you remain uncertain whether your network has really been infected, send the suspicious files to your antivirus software vendor for analysis.