Site Tools


Kaspersky False Positive - Bifrose Trojan Horse

Overview

Users of the following antivirus software have reported detection of the Backdoor.Win32.Bifrose.zwe Trojan Horse).

Affected files

Current Status

9/5/2008 1:30pm: New builds of Rhino 4.0 SR4 and Rhino 4.0 Evaluation are now available that do not get triggered by Kaspersky Antivirus. We're still convinced that the original files were perfectly safe, but have replaced them to eliminate the burden of explaining that they were safe.

9/3/2008 10:54am: A new build of the affected files does not get caught by Kaspersky; we are testing this new build now, and will upload it today.

9/3/2008 8:15am: We believe this to be a false diagnosis, and are working with antivirus vendors to update their virus definitions.

We have not seen an infection of the Bifrose trojan horse after installing from the affected files, nor have any customers reported an infection.

Background

Reports of spreading malware are taken very seriously by McNeel. We want to ensure that all our files are clean and uninfected. Here's the process we took to diagnose this problem:

Beginning 29-Aug-2008 we started receiving reports that Rhino 4.0 SR4 Patch and Rhino 4.0 Evaluation were infected with the Bifrose trojan horse.

By 2-Sep-2008 these reports were coming in at the rate of 10 per day.

We evaluated the problem by downloading the suspect files to a test server and scanning them with the following antivrus products:

  • Kaspersky Antivirus 9
  • Windows Defender
  • Symantec Client Security
  • McAfee Antivirus
  • BitDefender

The only antivirus product in our test suite to identify the files as infected with Bifrose was Kaspersky Antivirus 9.

After installation of the products listed above, scans were performed to find any new infections on the system. Nothing was detected. Manual investigation based on the Wikipedia article) to identify the Bifrose trojan horse also found no infection.

On the evening of 2-Sep-2008, Brian Gillespie sent a request to Kaspersky reporting a potential false positive.

As of 10:30am 3-Sep-2008, no response has been received from Kaspersky.

We're also rebuilding the installers for all these products with the hope that a new build will change the signature of the file slightly and get around the false positive.

If you learn anything else about this, please contact Brian Gillespie: brian@mcneel.com or (206)634-4592.

rhino/kasperskyfalsepositive.txt · Last modified: 2020/08/14 (external edit)