DotNetNewsgroup.com  
web access to complete list of Microsoft.NET newsgroups
start date: Sun, 12 Aug 2007 23:40:00 -0700,    posted on: microsoft.public.dotnet.framework.interop

Thread Index
  1    Jason Schultz am
          2    (Walter Wang [MSFT])


False positive on interop_shell32.dll generated by VS2005?   
Hi all,

A customer reported that their Antivirus software (Rising Antivirus 2007) 
detected a virus in our product, specifically the "Backdoor.Agent.hyn" trojan 
in the interop.shell32.dll file generated by Visual Studio 2005 on our behalf.

Running this file through http://www.virustotal.com/ indicates that Rising 
Antivirus is the only product that finds a problem with the file, which I 
generated for the test using a "clean" install of Visual Studio 2005 on an XP 
VM.

Has anyone else seen this, or can anyone else confirm that this is a false 
positive? I've found only one other mention of this on the 'net, on a Chinese 
site

Thanks! Jason
Date: Sun, 12 Aug 2007 23:40:00 -0700

RE: False positive on interop_shell32.dll generated by VS2005?   
Hi Jason,

The interop.shell32.dll is just an interop assembly that contains metadata 
used to consume a COM type library from .NET. If you use Reflector 
(http://www.aisto.com/roeder/dotnet/) to view it, you will see there are 
just some interfaces or data structures.

It's probably because the malware you mentioned has some binary signature 
identical to this interop assembly. In my opinion, such an issue 
should probably be reported to the anti-virus software vendor.

That said, we might be able to work around this by somehow changing the 
content of this interop assembly so that it might bypass the anti-virus's 
checking, but there's no guarantee that it will work.

You can give the interop assembly a strong name and sign it with a key 
(such an assembly is called a primary interop assembly, PIA in short); this will 
somehow change the binary content of the assembly. To do this, please refer 
to the following documents:

http://msdn2.microsoft.com/en-us/library/aa302338.aspx

Regards,
Walter Wang (wawang@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
Date: Tue, 14 Aug 2007 02:06:41 GMT

COPYRIGHT ©2005, EUROFRONT WORLDWIDE LTD., ALL RIGHTS RESERVED