...though it might be considered implicit in our hexadecimal friend's post, knowing
which AV you're using might also be useful.
Back in the day, especially, viruses compiled with specific home-user compilers could be identified in ways that could also pick up a significant coincidental subset of indy-programmed totally "innocent bystander" utilities and game executables that just happened to use the same/similar compiler and perhaps other hard to predict 'fingerprint' similarities.
I would have hoped that experience with proven coincidences like that would have reduced picking up on unrelated stuff like both virus and false-positive being built the 'same' just because the first global variables were an integer, double-word then a boolean (for example), enough to match a rough logical similarity intended to trap minor variations in the same virus-'family'.
Though I've also seen it happen for even more tenuous reasons. One company I worked for had a "checksum" prepended to anything sent to the line-printers, to allow the verification of the date of what was printed. One morning, every attempt to print activated the corporate AV scanner because (it was established), the string of characters just happened to trigger a threat-signature for some old and obscure threat that was nowhere near our system. Reconcigured to not scan the print-queue stuff (as temporary fix, which was generally safe to do anyway), got a less-temporary fix from the AV company in the form of an "unsignature" file to override/up-specify the detection of the original fingerprint so it needed things not found in a printer-file, meaning that printing could start again before the afternoon... presumably the globally distributed signature for the obscure virus was updated too, and the checksum added the next day (or any obvious day after that) wasn't going to trigger the original pattern either.
But I suppose, now, we have AV companies also extending the use of AI to try to boil down "suspicious" vs. "non-suspicious" data, and perhaps hard-learnt lessons about potentially making signatures too generic might not have been trained in. We might be like the AI that was trained to assess likelihood of an illness being cancer by (it turns out) correlating the medical reports against the instutions named including the word "cancer hospital" in their paperwork. Or the one that managed to spot cancerous skin blemishes by the fact that most of the ones "of interest" had a ruler in the picture, to show scale, whereas the (training) ones put in of blemishes that weren't to be matched generally did not.
i.e., it's possibly just a confluence of your AV tripping up over DT's executable for reasons that the developer of either haven't forseen.
Any AV company worth its salt also used to accept (safely wrapped) submissions of detected threats, for an in-depth check well beyond the original signature.
If you have a valid copy (not third-party-hosted copy, potentially
actually filled with actual viral code (or just is a trojan, full-stop)) perhaps your AV's company would accept your 'finding' fresh from the quarantine folder (or an extended detetection-log dump) and give you a better yay or nay than your desktop's realtime AV scanner.
But maybe I'm expecting too much from a Freemium home product (if that's what you're running), when I'm trying to relate to experiences of a worldwide corporate support version of a (for the time) fully-featured AV suite. (I use free/consumer AVs these days, now I'm not part of that company, generally a mix so that a failure by one product on one machine
might be discovered by a different one on a connected machine. But I'm also rather picky what I expose myself to, by habit, so haven't had an actual detection/quarantine for yonks... Mostly I get (supposedly) self-congratulatory "<AV program> has detected zero threats in the last month" popups.)
Though (unless Clément
has neglected to perform Safe Hex, on this occasion, and assuming you've not been picking up strange packages from strange repositories), I am going to guess it's bytewise misidentification at its root. The more details the better, of course, to help confirm or deny this.
Author
Topic: Dwarf Therapist v42.1.12 | DF 51.10 (Read 450900 times)