Page 2 of 6

Re: DOWNLOAD.CNET.COM virus scan positive!

Posted: Fri Apr 06, 2012 4:10 pm
by speedyorange
I sent you a link to my zip file; should I send a link to just the installer file?

Re: DOWNLOAD.CNET.COM virus scan positive!

Posted: Fri Apr 06, 2012 4:15 pm
by speedyorange
I think my program might be having a bigger problem than usual because I use the keyboard hook and the mouse hook to bring up a popup menu, and those hooks are used by keyloggers.

Re: DOWNLOAD.CNET.COM virus scan positive!

Posted: Sat Apr 07, 2012 5:12 pm
by speedyorange
I found a web site that does a different kind of file analysis for viruses: it runs the file on its own system and monitors everything that it does. I uploaded my NSIS installation file there and got back this report. I believe that it only runs the installation file, not my inner program file. The funny thing is it seems to be contacting port 81, which is related to Backdoor.Bifrose. Could my NSIS compiler be infected?

http://www.threatexpert.com/report.aspx ... b5ba225856

Re: DOWNLOAD.CNET.COM virus scan positive!

Posted: Sat Apr 07, 2012 5:28 pm
by Enigma
speedyorange wrote: I think my program might be having a bigger problem than usual because I use the keyboard hook and the mouse hook to bring up a popup menu, and those hooks are used by keyloggers.
Agreed, any hook may cause suspicious alerts, but your file is digitally signed, and as far as I know antiviruses apply different rules to signed files (for example, they do not detect anything in signed files until the certificate is blacklisted).
As I wrote, in all cases I know of, signing solved all false detection problems. This case is really strange.
Hooks may be related to the detection, but I don't think they are the core of the problem in our case. Many other applications use hooking without any problem.
speedyorange wrote: I found a web site that does a different kind of file analysis for viruses: it runs the file on its own system and monitors everything that it does. I uploaded my NSIS installation file there and got back this report. I believe that it only runs the installation file, not my inner program file. The funny thing is it seems to be contacting port 81, which is related to Backdoor.Bifrose. Could my NSIS compiler be infected?
I can't open this report; has the link already expired?

I also don't know about NSIS, but you can be sure that Enigma Protector does not connect to the internet at all.

Re: DOWNLOAD.CNET.COM virus scan positive!

Posted: Sat Apr 07, 2012 5:57 pm
by speedyorange
You should be able to open that report; I just tried it in a different one of my browsers, so it can't be tied to cookies. Could I try zipping up that page and sending it to you?

Re: DOWNLOAD.CNET.COM virus scan positive!

Posted: Sat Apr 07, 2012 6:10 pm
by speedyorange
I just did a report on only my program file protected with Enigma, and it also came up with Trojan.Win32.Spy found! No attempt to contact port 81 was found, though.

http://www.threatexpert.com/report.aspx ... a966bdd151

My program also has uiAccess set to true in the manifest, which I needed so my popup menu can also be popped up when the user is running a window in administrator mode. Maybe that's a problem. I think I'm going to try doing some tests with uiAccess set to false and then do a virus scan.

The things my program does that might be a problem are:
1) hooks the shift key, the control key, and the middle mouse button
2) uiAccess=true
3) the program is basically a launcher program that can start up other programs.
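Since the manifest setting is one of the things being examined in this post, here is a small added example (not code from the thread or from Enigma Protector) that reads the UAC settings out of a Windows application manifest and states the constraints that uiAccess=true brings with it. On Windows the embedded manifest can be extracted with `mt.exe -inputresource:app.exe;#1 -out:app.manifest`; the manifest below is a constructed sample in that format, and the program name in it is made up. The parser matches on local element names because the trustInfo element appears in the asm.v2 or asm.v3 namespace depending on the toolchain.

```python
"""Report the UAC-related settings embedded in a Windows application manifest."""
import xml.etree.ElementTree as ET

# Constructed sample manifest, shaped like the output of
# `mt.exe -inputresource:app.exe;#1 -out:app.manifest`. The assembly name is made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="ExampleLauncher" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="true"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

# Directories from which Windows allows a uiAccess=true program to start.
SECURE_LOCATIONS = (r"%ProgramFiles%", r"%ProgramFiles(x86)%", r"%windir%\System32")


def _local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_execution_level(manifest_xml):
    """Return {'level': str|None, 'uiAccess': bool} from a manifest document.

    The trustInfo block may sit in the asm.v2 or asm.v3 namespace, so the
    lookup ignores namespaces and matches on the local element name only.
    """
    root = ET.fromstring(manifest_xml)
    for element in root.iter():
        if _local_name(element.tag) == "requestedExecutionLevel":
            ui_access = element.get("uiAccess", "false").strip().lower() == "true"
            return {"level": element.get("level", "asInvoker"), "uiAccess": ui_access}
    return {"level": None, "uiAccess": False}


def review_manifest(manifest_xml):
    """Parse the manifest and return (settings, list of review notes)."""
    settings = parse_execution_level(manifest_xml)
    notes = []
    if settings["level"] is None:
        notes.append("no requestedExecutionLevel: UAC treats the program as a legacy application")
    elif settings["level"] == "requireAdministrator":
        notes.append("requireAdministrator: every launch triggers a UAC prompt")
    if settings["uiAccess"]:
        notes.append(
            "uiAccess=true: the executable must carry a valid Authenticode signature and be "
            "launched from a secure location (" + ", ".join(SECURE_LOCATIONS) + "); "
            "otherwise Windows refuses to start it, and the flag itself draws heuristic scrutiny"
        )
    return settings, notes


if __name__ == "__main__":
    found, review_notes = review_manifest(SAMPLE_MANIFEST)
    print("requestedExecutionLevel:", found)
    for note in review_notes:
        print(" -", note)
```

Running the script against a manifest extracted from a real build shows at a glance whether uiAccess is set, which is the first thing to confirm before testing the uiAccess=false variant mentioned above: a uiAccess=true binary that is unsigned or run from a temporary directory will not start at all, independent of any antivirus verdict.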

Re: DOWNLOAD.CNET.COM virus scan positive!

Posted: Sat Apr 07, 2012 6:33 pm
by speedyorange
I created a quick copy of the virus scan for my installer that you should be able to see.

http://speedy-orange-pc-shortcuts.com/i ... s-scan.htm

Re: DOWNLOAD.CNET.COM virus scan positive!

Posted: Sat Apr 07, 2012 7:33 pm
by Enigma
speedyorange wrote: I created a quick copy of the virus scan for my installer that you should be able to see. http://speedy-orange-pc-shortcuts.com/i ... s-scan.htm
Probably your NSIS installation (or the file you are trying to protect) is really infected with the Bifrost virus. As written in the report, after execution of the file, the registry keys and files specific to this virus had been created.

You should check it out carefully.
speedyorange wrote: The things my program does that might be a problem are: 1) hooks the shift key, the control key, and the middle mouse button; 2) uiAccess=true; 3) the program is basically a launcher program that can start up other programs.
This sounds fine, no problems.
speedyorange wrote: I just did a report on only my program file protected with Enigma, and it also came up with Trojan.Win32.Spy found! No attempt to contact port 81 was found, though. http://www.threatexpert.com/report.aspx ... a966bdd151
This is just a false detection. Try disabling the Checkup - File Name check that fires on this site during the test, and this detection will probably be gone. Also note that you have a typo in the message of Checkup - File Name: it says "progams" but should be "programs".

Check that the files you are protecting and NSIS are not infected. I think once you solve that, there will be no problems with false detections caused by Enigma Protector.

Re: DOWNLOAD.CNET.COM virus scan positive!

Posted: Sat Apr 07, 2012 8:40 pm
by speedyorange
I did something dumb: somehow I posted the wrong virus report link for my install file. It is not infected with Bifrose! I must have copied the wrong link from my browser. Had me sweating there for a while! The actual virus report for my install file is:

http://www.threatexpert.com/report.aspx ... adc7c65dae

That shows 'Trojan.Win32.Spy', the same thing that the actual program file shows.

Are you saying that if I disable 'Checkup - File Name' in Enigma, I should lose the 'Trojan.Win32.Spy' on my program file:

http://www.threatexpert.com/report.aspx ... a966bdd151

Re: DOWNLOAD.CNET.COM virus scan positive!

Posted: Sat Apr 07, 2012 9:39 pm
by speedyorange
I don't know if you'll be able to see this link, but virustotal.com said that the install file has 12 positives and the program file has 11 positives, which means that most of the problem is in the program file.

https://www.virustotal.com/file/bfbeb44 ... 333833029/

I think you are right about using virustotal. When I told it to run a scan, it said that one had already been done on that file and it had come out 8/42. I told it to rescan the file and it came out 11/42! An increase of 3 positives on the same file; it's propagating. Ouch, I'd better stop doing scans until this problem is resolved!

When I compile my file, it has a random element so that it comes out with a different size and hash sum every time. Should I do that and start fresh? Upload it to my web site and send it to you to register with the antivirus companies? Wouldn't I have to do that anyway every time I released a new copy of my program?