Bitdefender


Postby xide » Tue Mar 17, 2015 4:01 pm

Not sure if this is where I should put this or not. I sell Bitdefender Internet Security as an antivirus solution to my customers. Today I found that http://d7techtool.com/IPCheck.php is blocked due to it being "Infected web resource" (is this from d7 or dsupport?). Also, dsupport is listed as malicious/infected. Of course d7 itself seems to be flagged by just about every anti-virus, so that's nothing new. But my customers tend to be paranoid when software I install on their machine is coming up as a virus from the anti-virus software I sold them.
Attachments:
infected-resource.PNG - Infected web resource
infected-file.PNG - Infected file
malicious-detected.PNG - Malicious file detected
If I had a world of my own, everything would be nonsense.....Who in the world am I? Ah, that's the great puzzle. I'm afraid I can't explain myself, sir. Because I am not myself, you see?
xide
 
Posts: 452
Joined: Tue Mar 19, 2013 12:43 am

Re: Bitdefender

Postby bored369 » Wed Mar 18, 2015 5:16 am

The IP check is how the external IP is determined, I believe it is used by both d7II and dSS.
I would highly recommend adding dSS to your whitelist for the antivirus when you install it on a client system. dSS does a number of powerful things like d7II which can be interpreted as false positives by AV.
Chief Operating Officer, dSupportOnline official support of Foolish IT
& long time tech friend of Nick & avid Foolish IT product user since before Foolish IT was even created!

bored369
Foolish IT Staff
 
Posts: 183
Joined: Sat Feb 01, 2014 6:57 am
Location: Anderson, SC

Re: Bitdefender

Postby xide » Thu Mar 19, 2015 2:35 am

Well, adding it to the white list is a rather obvious choice. I really hope that was a joke and you wouldn't think I would leave it like that when that's the reason the client came in.

The purpose of this post is to report a false positive that seems to recently be discovered by Bitdefender, since this is the first time in 3 years that it detected a Foolish IT product other than d7. I know in the past with other dSupport products we were asked to post false positives so that information can be sent to the antivirus company letting them know it's a false positive.... Do you recall the MSSE issue? I also posted screenshots to support my findings in case they are needed. Also, this post was to inform any other members that sell dSupport and Bitdefender so they don't have customers coming back for the same reason.

xide
 
Posts: 452
Joined: Tue Mar 19, 2013 12:43 am

Re: Bitdefender

Postby Nick » Thu Mar 19, 2015 6:53 pm

The PHP is a one-liner I found somewhere that just returns the IP:

Code:
<?php echo $_SERVER['REMOTE_ADDR']; ?>


The dSupportSuite client software hits this for the WAN IP address -- and I have verified that is the exact script that is there. There shouldn't even be any server side logging of any sort (that I intentionally enabled or am aware of) and no client side logging except via the health check/info report/heartbeat functionality sent to the admin/client email address in your dSS config for that Client ID. Otherwise this function is used for the main interface of the client software to display the WAN IP, and possibly also to determine internet connectivity during certain operations (before running maintenance perhaps, if custom apps need to be downloaded, during heartbeat perhaps... using this method is far faster than waiting for a ping response!) but I will need to double check if that is used in dSS. If not used there, then using the simple UI (you can see/check this in any Client ID Config or Template via dSSMC) wouldn't check for the WAN IP for the system info, and it shouldn't hit that web address. Might even have a config option to disable it, uncertain.

I'm not sure why that is being targeted, it still is what it is... The naked domain does redirect to http://foolishit.com/d7/ in a browser, I wonder if you are seeing this due to the "suspicious" or "pup" or whatever status it may categorize the original d7 in... though there isn't even a download for d7 on the site..

Please assist with false positive submissions!! I have links for most A/V companies here: http://www.foolishit.com/bad-av/ though this may or may not be appropriate for a web filter/URL submission, but perhaps they can direct the message to the appropriate parties or refer you to them.

A config option for an upcoming edition could be to host your own PHP or other script that returns the WAN IP.
Author of d7/d7II and other PC technician's tools. http://www.FoolishIT.com

Nick
Site Admin
 
Posts: 2718
Joined: Mon Nov 19, 2012 7:54 pm
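
Added example, not part of the original thread and not dSS code: a client-side check that a response from an IP-echo URL like the one-line PHP script above really is a bare public address, so that a web filter's block page is not mistaken for the WAN IP or for working connectivity. The function name, reason strings and sample responses are constructed for illustration.

```python
import ipaddress

# The longest textual IPv6 address is 45 characters; allow a little whitespace.
MAX_BODY = 64


def check_ip_echo(status, body):
    """Classify one HTTP response from an IP-echo URL.

    Returns (address, None) on success or (None, reason) on rejection.
    """
    if status != 200:
        return None, "http-status"
    if len(body) > MAX_BODY:
        # A substituted HTML page is far larger than a bare address.
        return None, "oversized"
    try:
        text = body.decode("ascii").strip()
    except UnicodeDecodeError:
        return None, "not-ascii"
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None, "not-an-ip"
    if not addr.is_global:
        # REMOTE_ADDR was a LAN/loopback address: the request never crossed the WAN.
        return None, "not-public"
    return str(addr), None


# Constructed sample responses (status, body); none are captured from a real product.
SAMPLES = {
    "echo": (200, b"8.8.8.8\n"),  # well-known public address used only as sample data
    "filter_page": (200, b"<html><body><h1>Infected web resource</h1>"
                         + b" " * 200 + b"</body></html>"),
    "short_html": (200, b"<b>blocked</b>"),
    "proxy_lan": (200, b"192.168.1.1"),
    "error": (403, b"Forbidden"),
}


def run_samples():
    return {name: check_ip_echo(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```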

Re: Bitdefender

Postby xide » Fri Mar 20, 2015 1:26 am

It seems Bitdefender only developed a dislike for Foolish this past week in a recent update because I have never had these false positives before. I assume it's nothing personal lol.
Thanks for telling me where the report bad av link is, I knew it was around here somewhere.

xide
 
Posts: 452
Joined: Tue Mar 19, 2013 12:43 am

Re: Bitdefender

Postby bored369 » Sat Mar 28, 2015 3:35 pm

It wasn't a joke actually, I would highly recommend that you whitelist the dSupportSuite folder by the local security/firewall programs, before you consider the installation of the dSupportSuite client complete. This would save you in times like this where an AV decides to add it to a false positive listing. Plus I believe (not positive but) with most security programs if you whitelist the scanning exe, the files that it then scans or interacts with will not also be scanned by the local security program, thereby increasing the speed of scans and lessening the possibility of locked files interrupting scans. This has actually been a standard recommendation in a large number of programs' installation methods for those two reasons. Most every database program I've installed requests this because of the locked files issue, I know for sure.

Assisting with the false positives is very helpful as well, I was just trying to suggest a preemptive solution to avoid having a customer return thinking the software you installed is bad or malicious. I mainly suggested this because of your concern statement of "But my customers tend to be paranoid when software I install on their machine is coming up as a virus from the anti-virus software I sold them."
bored369
Foolish IT Staff
 
Posts: 183
Joined: Sat Feb 01, 2014 6:57 am
Location: Anderson, SC

