False Positive: Win32/Bulta!rfn
Message boards : News : False Positive: Win32/Bulta!rfn

Author Message
Profile Slicker
Volunteer moderator
Project administrator
Project developer
Project tester
Project scientist
Joined: 11 Jun 09
Posts: 2525
Credit: 740,580,099
RAC: 1
Message 20468 - Posted: 26 May 2015, 13:23:40 UTC

Microsoft recently added a check for the Win32/Bulta!rfn trojan virus to Microsoft Security Essentials. Unfortunately, the footprint they use to check for the virus matches that of the mini AMD GPU app. The app is NOT infected though. They are just using too short a footprint. It is no different than trying to find this web site by searching Google but only entering "Collatz" as the search criteria. You would get a lot of links as matches but only one is the real thing. The anti-virus software searches executable applications looking for viruses, but if the search string is too short, they get a false positive.

Until Microsoft fixes it (if ever) you may
a) ignore it (but you won't be able to run mini WUs)
b) choose another app such as the solo_collatz app in your preferences instead
c) exclude the c:\program data\boinc folder from being checked.
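An added example, not from this thread or the Collatz project, that illustrates the "too short a footprint" point in Python: a byte signature cut from runtime code shared by every program built with the same toolchain flags benign OpenCL apps along with the malware sample, while a signature taken from the sample's unique bytes does not. All file names and contents are constructed, and the scanner is a plain substring match, a simplification of what real engines do.

```python
"""Constructed demonstration: a signature that is too short matches benign
programs that share ordinary runtime code with the malware sample."""
from typing import Dict, List

# Constructed file contents standing in for real PE binaries. The runtime
# blob is shared by every program built with the same toolchain.
COMMON_RUNTIME = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57clBuildProgram\x00clCreateKernel\x00"
SAMPLES: Dict[str, bytes] = {
    "trojan_sample.exe":     b"MZ" + COMMON_RUNTIME + b"CONSTRUCTED_TROJAN_MARKER_01",
    "collatz_mini_amd.exe":  b"MZ" + COMMON_RUNTIME + b"collatz mini kernel v6.04\x00",
    "other_opencl_tool.exe": b"MZ" + COMMON_RUNTIME + b"unrelated OpenCL utility\x00",
}
KNOWN_BAD = {"trojan_sample.exe"}

# Two candidate signatures extracted from the trojan sample: a short run of
# bytes that happens to lie in shared runtime code, and a longer run taken
# from the part that is unique to the sample.
SIGNATURES: Dict[str, bytes] = {
    "too_short": COMMON_RUNTIME[:6],
    "specific":  b"CONSTRUCTED_TROJAN_MARKER_01",
}


def scan(samples: Dict[str, bytes], signatures: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Return, per signature name, the sorted list of files containing it."""
    return {name: sorted(f for f, data in samples.items() if sig in data)
            for name, sig in signatures.items()}


def false_positives(flagged: List[str], known_bad: set) -> List[str]:
    """Files a signature flagged that are not in the known-bad set."""
    return [f for f in flagged if f not in known_bad]


def chance_match_probability(sig_len: int, file_len: int) -> float:
    """Upper bound on a k-byte signature appearing by chance in an n-byte file
    of uniformly random bytes: at most (n - k + 1) / 256**k positions match."""
    return min(1.0, max(0, file_len - sig_len + 1) / 256 ** sig_len)


if __name__ == "__main__":
    for name, hits in scan(SAMPLES, SIGNATURES).items():
        print(f"{name:10s} flags {hits}; false positives: {false_positives(hits, KNOWN_BAD)}")
    for k in (4, 6, 16):
        bound = chance_match_probability(k, 1 << 20)
        print(f"{k:2d}-byte pattern in a 1 MiB file: chance-match bound {bound:.2e}")
```

The chance-match bound only covers random data; real binaries share far more structure than that, which is why a signature drawn from toolchain boilerplate fares even worse than the bound suggests.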

Helix Von Smelix
Joined: 2 Aug 10
Posts: 43
Credit: 10,191,556,102
RAC: 1,436,599
Message 20469 - Posted: 26 May 2015, 14:13:44 UTC

yup, my one PC with MS SE showed it. Had a look at the location and then added it as okay. A long time since a false positive, all good now. ;-)

Profile Slicker
Volunteer moderator
Project administrator
Project developer
Project tester
Project scientist
Joined: 11 Jun 09
Posts: 2525
Credit: 740,580,099
RAC: 1
Message 20471 - Posted: 26 May 2015, 17:09:49 UTC

Option b won't work because they are all the same app. The only difference is the name. (BOINC requires a different name for each plan class even though the OpenCL app runs on any device and platform.) So, MSE identifies each as having a virus when they don't.

Rymorea
Joined: 14 Oct 14
Posts: 100
Credit: 200,411,819
RAC: 4
Message 20472 - Posted: 26 May 2015, 17:46:41 UTC

Option c) is the best solution to this problem and is also useful for other projects too.
____________
Seti@home Classic account User ID 955 member since 8 Sep 1999 classic CPU time 539,770 hours

Profile justgeo1
Joined: 8 Dec 13
Posts: 1
Credit: 11,065,253
RAC: 5
Message 20474 - Posted: 26 May 2015, 20:41:44 UTC

Another option is to use a different AV program entirely! Any good AV program can usually be told that something is not a virus and to ignore it! I have NEVER used any of the Microsoft AV or security products...

Profile mikey
Joined: 11 Aug 09
Posts: 3242
Credit: 1,693,178,126
RAC: 5,515,057
Message 20475 - Posted: 27 May 2015, 10:38:59 UTC - in response to Message 20474.

Another option is to use a different AV program entirely! Any good AV program can usually be told that something is not a virus and to ignore it! I have NEVER used any of the Microsoft AV or security products...


Yes, but... most a/v programs find the way BOINC works indicative of a virus in the new world of virus checking; some whole projects (Bitcoin Utopia is an example, due to its need to communicate with the net constantly) can be flagged even by products such as AVG. IF you choose to exclude your BOINC folders from virus checking AND it really is a virus, then it WILL try to get out beyond those folders and get caught by your a/v program. IF however it is just a false positive, as most BOINC related 'viruses' are, then nothing being checked means non-stop crunching. If on the other hand it is a real virus, just not a very good one, and never leaves the BOINC folders, then it isn't my problem, it is the project's problem. And ALL projects run a/v software on the files they send to and receive from us.

Todd Madson
Joined: 17 Jun 12
Posts: 1
Credit: 30,194,970
RAC: 0
Message 20476 - Posted: 27 May 2015, 12:37:55 UTC

Typical. Microsoft seems to have been pushing out wonky or problematic Windows updates and virus updates that detect non-virus content. What's going on up there anyway? Trying to make too many products perhaps and stretched a bit thin?

Profile The Ancient One
Joined: 5 May 10
Posts: 23
Credit: 91,574,211
RAC: 599
Message 20477 - Posted: 27 May 2015, 23:49:46 UTC

Nothing unusual for Microsoft. Try running a self-built computer on their OSs, an utter pain.

Profile robertmiles
Joined: 8 Oct 09
Posts: 45
Credit: 15,071,562
RAC: 46,008
Message 20478 - Posted: 28 May 2015, 2:45:33 UTC

I just reported the false positive to Microsoft, in case no one else has done this.

Crystal Pellet
Joined: 12 Jul 09
Posts: 9
Credit: 16,450,326
RAC: 0
Message 20479 - Posted: 28 May 2015, 12:48:16 UTC - in response to Message 20478.

I just reported the false positive to Microsoft, in case no one else has done this.

If it's surely a false positive you can report it to 9 others too:

Antivirus ................ Result
Ad-Aware ................. Trojan.GenericKD.2442875
BitDefender .............. Trojan.GenericKD.2442875
Emsisoft ................. Trojan.GenericKD.2442875
F-Secure ................. Trojan.GenericKD.2442875
GData .................... Trojan.GenericKD.2442875
MicroWorld-eScan ......... Trojan.GenericKD.2442875
Microsoft ................ Trojan:Win32/Bulta!rfn
Tencent .................. Trojan.Win32.YY.Gen.30
TrendMicro-HouseCall ..... TROJ_GEN.R047H01EQ15
nProtect ................. Trojan.GenericKD.2442875

Profile mikey
Joined: 11 Aug 09
Posts: 3242
Credit: 1,693,178,126
RAC: 5,515,057
Message 20480 - Posted: 29 May 2015, 11:17:46 UTC - in response to Message 20476.

Typical. Microsoft seems to have been pushing out wonky or problematic Windows updates and virus updates that detect non-virus content. What's going on up there anyway? Trying to make too many products perhaps and stretched a bit thin?


No, they are trying to be on the cutting edge of virus detection; most a/v companies are trying to outdo each other, and one of the ways is to detect 'behavior', not the actual virus itself. Waiting for someone to create a virus signature could mean it's too late for those infected, so they are trying to predict virus 'like' behavior. Sometimes they stray into areas they shouldn't, this being one of them.

Tomcat
Joined: 2 May 15
Posts: 1
Credit: 2,031,413
RAC: 0
Message 20482 - Posted: 30 May 2015, 16:47:53 UTC - in response to Message 20479.

Why not try qihoo360?

Profile mikey
Joined: 11 Aug 09
Posts: 3242
Credit: 1,693,178,126
RAC: 5,515,057
Message 20483 - Posted: 31 May 2015, 11:05:31 UTC - in response to Message 20482.

Why not try qihoo360?


No idea what that is.

Profile Slicker
Volunteer moderator
Project administrator
Project developer
Project tester
Project scientist
Joined: 11 Jun 09
Posts: 2525
Credit: 740,580,099
RAC: 1
Message 20484 - Posted: 1 Jun 2015, 5:33:32 UTC

I recompiled the 32-bit v6.05 opencl intel cpu app to see if it would "sound any alarms" and MS Security Essentials didn't complain. So, that version does not appear to show a false positive. That means I should be able to copy/rename it so that AMD and nVidia can also use that version for their OpenCL apps. I'll try and get that done tomorrow or tomorrow evening.

Profile Slicker
Volunteer moderator
Project administrator
Project developer
Project tester
Project scientist
Joined: 11 Jun 09
Posts: 2525
Credit: 740,580,099
RAC: 1
Message 20485 - Posted: 1 Jun 2015, 5:43:10 UTC - in response to Message 20479.

I just reported the false positive to Microsoft, in case no one else has done this.

If it's surely a false positive you can report it to 9 others too:

Antivirus ................ Result
Ad-Aware ................. Trojan.GenericKD.2442875
BitDefender .............. Trojan.GenericKD.2442875
Emsisoft ................. Trojan.GenericKD.2442875
F-Secure ................. Trojan.GenericKD.2442875
GData .................... Trojan.GenericKD.2442875
MicroWorld-eScan ......... Trojan.GenericKD.2442875
Microsoft ................ Trojan:Win32/Bulta!rfn
Tencent .................. Trojan.Win32.YY.Gen.30
TrendMicro-HouseCall ..... TROJ_GEN.R047H01EQ15
nProtect ................. Trojan.GenericKD.2442875


I'm still going with false positive unless it is a magical virus that can infect a file on a Linux server even though it is a Windows trojan virus and the "infected" file was uploaded to the Linux server over a year before the virus was even invented.

Rather than try and convince all of the above, I think it will be quicker to just replace the 6.04 version with the 6.05 version that doesn't get flagged as infected.

Profile heffalumpen
Joined: 2 Mar 11
Posts: 15
Credit: 1,024,271,094
RAC: 1,203,660
Message 20654 - Posted: 22 Jun 2015, 20:17:51 UTC
Last modified: 22 Jun 2015, 20:18:25 UTC

It looks like the minis are back, after an update to Windows tonight. Happy :-)
