Topic: Could I get some feedback on TotalVirus' reported concerning software behavior?

Could I get some feedback on TotalVirus' reported concerning software behavior?

Hello,

I want to download and use foobar2000 because Florian Heidenreich, developer of the Mp3tag software, recommends it; his software and communication style are professional, and I value his opinion.

However, as I was researching the software before I ran it on my computer (I have a thing for cybersecurity), I uploaded the file to TotalVirus, and the report it generated includes some concerning behavior. Could I get some feedback regarding these?

The TotalVirus URL is: https://www.virustotal.com/gui/file/9272830b7a9fc67d28145a318c4c6f2134ea45d802cedffbfafdac69ded1715f

The concerning behavior is listed as:

  • Detects network connections and DNS queries initiated by Regsvr32.exe
  • Detects "cmd" utilization to self-delete files in some critical Windows destinations
  • Detects modification of autostart extensibility point (ASEP) in registry

And the most concerning one:

  • Matches rule MALWARE-CNC DNS Fast Flux attempt from Snort registered user ruleset -> trojan-activity

Below, I include a screenshot of the page I got:

[screenshot of the VirusTotal report not preserved]

Thank you

Re: Could I get some feedback on TotalVirus' reported concerning software behavior?

Reply #1
I just downloaded a fresh copy of the foobar 1.6.7 installer from the Foobar website (https://www.foobar2000.org/download). My results at VirusTotal are shown below: 100% clean at all vendors. Where did you download yours from? I wouldn't be concerned about "crowdsourcing."

[screenshot of the VirusTotal results not preserved]
Re: Could I get some feedback on TotalVirus' reported concerning software behavior?

Reply #2
Those sigma rule detections are all nonsense. The installer registers a shell extension when the player is installed in normal mode instead of in portable mode, and this would use regsvr32, but there is no network activity. The file deletions in "critical Windows destinations" listed there are temp file removals from Windows\TEMP, but these are not done by foobar2000. And the Autoruns key modifications it reports are about the Edge browser. I think the temp file removals were also caused by the Edge browser updater; possibly the regsvr32.exe network accesses were too.

Looks like the stupid system records all kinds of background activity taking place on their machine and blames it on the software you happened to scan.

Edit: I forgot to comment on the "MALWARE-CNC DNS Fast Flux attempt" high-risk trojan alert. If you look at the details entry, the supposed malware attack comes from Google's 8.8.8.8 DNS server. Other than that, no idea what it is supposed to be about. The foobar2000 installer doesn't access the network; you can verify that by using Process Monitor to log all the activity it does. And foobar2000 only accesses the network if you ask it to, for example to play a stream or to check for updates.

Re: Could I get some feedback on TotalVirus' reported concerning software behavior?

Reply #3
It may be possible that NSIS is designed to switch the machine into High Performance power profile for the duration of the install, but I kind of doubt it.

Re: Could I get some feedback on TotalVirus' reported concerning software behavior?

Reply #4
Where did you download yours from?

I downloaded from here: https://www.foobar2000.org/files/foobar2000_v1.6.7.exe

In the VirusTotal details tab you can see the SHA256 as "9272830b7a9fc67d28145a318c4c6f2134ea45d802cedffbfafdac69ded1715f"

Do we have the same file? Or are the checksums different?
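The comparison asked for in this post (does my local installer have the same SHA-256 as the one VirusTotal shows?) is easy to script. The following is an added example, not code from any poster in this thread or from the foobar2000 project; it uses the SHA-256 quoted above as the expected value, streams the file so a large installer does not need to fit in memory, and compares the digests in constant time. The demo helper writes a small constructed file (not the installer) so the check can be exercised offline.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# SHA-256 reported on the VirusTotal page linked in this thread (value taken from the post above).
VT_REPORTED_SHA256 = "9272830b7a9fc67d28145a318c4c6f2134ea45d802cedffbfafdac69ded1715f"


def sha256_of_file(path, chunk_size=1 << 20):
    """Compute the SHA-256 of a file, reading it in chunks so large installers stream through."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_hex):
    """Return (matches, actual_hex).

    The expected digest is normalised to lowercase (VirusTotal and many download
    pages differ in case) and validated as 64 hex characters before comparing,
    so a truncated or mistyped value raises instead of silently failing to match.
    """
    expected = expected_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected value is not a 64-character SHA-256 hex digest")
    actual = sha256_of_file(path)
    # compare_digest avoids timing differences; harmless here but a good habit for any digest check.
    return hmac.compare_digest(actual, expected), actual


def demo_with_constructed_file():
    """Exercise the check on a constructed sample file (NOT the foobar2000 installer).

    Returns (matches_known_vector, matches_vt_hash, actual_hex). The content b"abc"
    is a published SHA-256 test vector, so its digest is known in advance.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "constructed_sample.bin"
        sample.write_bytes(b"abc")  # constructed content, not a real download
        known_vector = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
        ok_known, actual = verify_download(sample, known_vector)
        ok_vt, _ = verify_download(sample, VT_REPORTED_SHA256)
    return ok_known, ok_vt, actual


if __name__ == "__main__":
    # Usage on a real download: python verify.py, after editing the path below.
    ok_known, ok_vt, actual = demo_with_constructed_file()
    print(f"constructed sample: known vector match={ok_known}, VirusTotal hash match={ok_vt}, sha256={actual}")
    # For the installer itself, replace the path with your local copy, e.g.:
    # matches, actual = verify_download(r"C:\Downloads\foobar2000_v1.6.7.exe", VT_REPORTED_SHA256)
```

If `verify_download` on your local installer returns `False`, the two posters were not looking at the same bytes, and the next question is where each copy came from, which is exactly what the reply above asks.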

Re: Could I get some feedback on TotalVirus' reported concerning software behavior?

Reply #5
Those sigma rule detections are all nonsense. The installer registers a shell extension when the player is installed in normal mode instead of in portable mode, and this would use regsvr32, but there is no network activity. The file deletions in "critical Windows destinations" listed there are temp file removals from Windows\TEMP, but these are not done by foobar2000. And the Autoruns key modifications it reports are about the Edge browser. I think the temp file removals were also caused by the Edge browser updater; possibly the regsvr32.exe network accesses were too.

Looks like the stupid system records all kinds of background activity taking place on their machine and blames it on the software you happened to scan.

Edit: I forgot to comment on the "MALWARE-CNC DNS Fast Flux attempt" high-risk trojan alert. If you look at the details entry, the supposed malware attack comes from Google's 8.8.8.8 DNS server. Other than that, no idea what it is supposed to be about. The foobar2000 installer doesn't access the network; you can verify that by using Process Monitor to log all the activity it does. And foobar2000 only accesses the network if you ask it to, for example to play a stream or to check for updates.

Thank you Case

Re: Could I get some feedback on TotalVirus' reported concerning software behavior?

Reply #6
It may be possible that NSIS is designed to switch the machine into High Performance power profile for the duration of the install, but I kind of doubt it.

Thank you kode54

Re: Could I get some feedback on TotalVirus' reported concerning software behavior?

Reply #7
btw, welcome to HA & Foobar2000, both most excellent destinations imho
Quis custodiet ipsos custodes?