Date: Thu, 1 Jan 1998 16:22:28 +0100 (MET)
Message-Id: <199801011522.QAA16587@uriah.heep.sax.de>
References: <199712271647.IAA05026@hub.freebsd.org>
In-Reply-To: <199712271647.IAA05026@hub.freebsd.org>
From: j@uriah.heep.sax.de (J Wunsch)
Subject: Re: misc/5383: bloodhound.MBR Virus detected by Norton AV after Boot Mgr Install
To: freebsd-bugs@freebsd.org
Cc: ccosolo@ulti.net

ccosolo@ulti.net wrote:

> After successfully installing FreeBSD with the supplied boot
> manager, I rebooted and selected dos. This boots win95 and executes
> Norton AV win95's navboot.exe /startup from autoexec.bat. While
> booting navboot detects bloodhound.MBR on the master boot record. I
> selected the repair option and rebooted.

This was certainly a mistake. :)

Well, virus scanning is signature-based, and as such always at risk of
misdetecting something as a virus that isn't one. This is inherent to
the virus scanning itself, and cannot be reliably prevented. One
customer of ours once told me that his virus scanner `detected' a virus
in /sbin/init. :-)

>>Fix:
> Modify code fragment to mismatch virus def on executable in bootmanager.

Rather, tell the vendor of your virus scanner to increase the amount
of data they are using to check the virus signature. Sorry, it's not
a viable option for us to change the bootblocks to not incidentally
match what virus scanner XYZ is using to check for virus ABC. What to
do if this change makes the virus scanner misdetect it as something
else? No, thanks.

Besides, you didn't even tell us _what_ exactly the signature might
be. How do you expect us to know? We don't have your virus scanner
(and I'm not like buying it just for you -- I don't have any DOS files
at all, so I don't need a virus scanner).

> Or scan for possible virus in distribution

And then?

Besides(2), this would require bundling of a virus scanner product
which is usually payware.

We can guarantee you that there are no viruses in the files we are
creating, and in order to check whether the files remained untouched,
you can always match them against the MD5 checksums we are providing.
Sorry to say, but that's really all we can do for this matter.

p.s.: Yes, we should adopt a more recent version of booteasy anyway,
for other reasons. This might or might not solve your problem. You
can also try os-bs (should be found in the tools/ directory), maybe
this doesn't check out as a pseudo-virus in your scanner...

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
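
The checksum comparison mentioned in the message above, as an added example that is not part of the original mail or of FreeBSD's own tooling. It assumes the checksum list uses the BSD `md5(1)` output style, `MD5 (file) = digest`; the file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# Assumed manifest line format (BSD md5(1) style): "MD5 (bin.aa) = <hex digest>"
BSD_LINE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-fA-F]+)$")
SUPPORTED = {"md5", "sha1", "sha256", "sha512"}  # the tag on each line picks the hash

def verify_manifest(manifest_text, base_dir):
    """Return {filename: status}; status is OK, MISMATCH, MISSING or UNSUPPORTED."""
    results = {}
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BSD_LINE.match(line)
        if not m:
            raise ValueError("malformed manifest line: %r" % raw)
        algo, name, expected = m.group(1).lower(), m.group(2), m.group(3).lower()
        # Refuse names that would point outside the distribution directory.
        if os.path.isabs(name) or ".." in name.split("/"):
            raise ValueError("unsafe path in manifest: %r" % name)
        if algo not in SUPPORTED:
            results[name] = "UNSUPPORTED"
            continue
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        results[name] = "OK" if h.hexdigest() == expected else "MISMATCH"
    return results

def demo():
    """Constructed sample: one intact file, one altered file, one absent file."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("boot.bin", b"\x55\xaa" * 256), ("bin.aa", b"sample")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        manifest = "\n".join([
            "MD5 (boot.bin) = " + hashlib.md5(b"\x55\xaa" * 256).hexdigest(),
            "MD5 (bin.aa) = " + hashlib.md5(b"original").hexdigest(),
            "MD5 (bin.ab) = " + hashlib.md5(b"").hexdigest(),
        ])
        return verify_manifest(manifest, d)
```

A MISMATCH or MISSING result means the file differs from what the list describes; the list itself has to come from a source you trust for the comparison to mean anything.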