Overview

It is an unfortunate fact that Antivirus programs often report false positives with their checks. This is because they look for a match on small sequences of data that are often found in malware but do not necessarily indicate that the file is malware. Often these sequences of data are hashed. This is a similar process to that of calculating the check digit on a credit card number, and a condition known as a "hash collision" can occur, where two different sequences calculate the same hash value. Hash collisions are a mathematical certainty and need to be handled. This is one of the reasons why Antivirus programs have a facility to exclude certain programs from their detection, which is documented in their manuals. How this is done differs from one Antivirus program to another.

General Procedure

If your Antivirus detects problems with any ReferralNet executable or DLL, follow this procedure:

  1. Determine if the file has been altered (it may have been infected from something on your system)
  2. Report the "false positive" result to your Antivirus vendor (it is their system that has the problem after all)
  3. Report the "false positive" to ReferralNet Support (we will do what we can to assist you but ultimately it is only your Antivirus vendor that can rectify the situation)
  4. Consider putting an exclusion in for the file with the "false positive" report

Determining File Integrity

All executable files for ReferralNet are digitally signed to prevent and detect tampering. If a ReferralNet file is reported as possibly containing malware, you can check to see if it has been altered by malware that may be infecting your system. It is highly recommended that you do this before considering excluding the file from virus scanning.

To do this:

  1. Locate the file using Windows Explorer
  2. Right-click on the file and select "Properties" (screenshot: Properties Dialog)
  3. Select the "Digital Signatures" tab
  4. In the signature list, select the link and press the "Details" button
  5. If the file has not been tampered with since it was created and the digital signature is OK, the page will say "This digital signature is OK"
  6. If the file has been tampered with or if the digital signature is invalid (the certificate may have expired), the details will say "The digital signature is not valid"
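The same check can be scripted for every executable and DLL in the installation folder at once. The following PowerShell is an added example, not part of the ReferralNet documentation or software; the install path and the publisher name are placeholders you must replace with your own values.

```powershell
# Added example: scripted equivalent of the "Digital Signatures" tab check.
# ASSUMPTIONS (placeholders, not taken from the ReferralNet documentation):
#   $InstallDir        - folder where ReferralNet is installed
#   $ExpectedPublisher - optional text expected in the signer's certificate
#                        subject (copy it from a known-good file); '' skips it
param(
    [string]$InstallDir        = 'C:\Path\To\ReferralNet',
    [string]$ExpectedPublisher = ''
)

function Test-FileSignature {
    param([Parameter(Mandatory)][string]$Path, [string]$Publisher)

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Map the signature status onto the outcomes described in the steps above.
    $verdict = switch ([string]$sig.Status) {
        'Valid' {
            # A valid signature from somebody else is still not the vendor's file.
            if ($Publisher -and $subject -notlike "*$Publisher*") { 'UNEXPECTED PUBLISHER' }
            else { 'OK' }
        }
        'HashMismatch' { 'ALTERED SINCE SIGNING' }
        'NotSigned'    { 'NO SIGNATURE' }
        default        { "NOT VALID ($($sig.Status))" }
    }

    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        Verdict = $verdict
        Signer  = $subject
        Detail  = $sig.StatusMessage
    }
}

$results = Get-ChildItem -Path $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { Test-FileSignature -Path $_.FullName -Publisher $ExpectedPublisher }

$results | Sort-Object Verdict, File | Format-Table -AutoSize -Wrap

# Only files with verdict 'OK' are candidates for an Antivirus exclusion.
$bad = @($results | Where-Object Verdict -ne 'OK')
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) file(s) failed the signature check; do not exclude them."
    exit 1
}
```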

Further Information on Code Signing

For more in-depth information on code signing and how it is used to guarantee both who created the software and that the file has not been altered, see: Microsoft - Introduction to Code Signing

 
antivirus_problems.txt · Last modified: 2013/06/07 01:38 by damong