Shareaza

[deathfired]

When trying to upgrade to the latest version of Shareaza it says "a malware has been detected in c:\windows\system32\pxwma.dll". This file is not malware. It's actually a required dll file for the Roxio and Sonic cd/dvd burning software. I can understand having Shareaza block malware hashes from showing when doing searches but I cant understand why you would have a P2P program checking system files for malware. Leave that to the pros please. In any case please remove pxwma.dll from your check list.

[cyko_01]

there have been several complaints about this returning false positives in the past. It is intended to remove the browser helper object (AKA toolbar) left behind from fakeaza but it is returning a lot of false positives. Shareaza is not a malware removal tool so I have removed the courtesy check for this file from the installer.

This problem should be fixed in the next daily build.

[kevogod]

[ailurophobe]

Not necessarily. Some malware spreads by copying itself to P2P application shared folders, checking for those on install does make sense. No idea if those are being checked for, just saying there are checks that do make sense.

[kevogod]

[ailurophobe]

In theory I agree, but in practice malware that can't be recognized with reasonable certainty from the file name probably is best left to professionals. Much of malware relies simply on most of the users never checking for them and doesn't particularly try to hide or fool anyone who actually does look.

[deathfired]

I agree, to some extent, that if you're planning to do a file check, go by fingerprint (hash) in staid of file names lol. I still disagree that this should even be added in Shareaza though...Shareaza is a P2P program, not a malware scanner. At the very least limit it to only scan the user's download folder that's set in the options panel only at start up or closing of Shareaza. Don't have it go scanning system folders or other random folders that have nothing to do with Shareaza. Anyone seeing a message like the above and not knowing what the dll or file is may very well end up deleting it thinking that will solve the problem instaid of upgrading whatever they use for protection. That only causes more problems for them.

So in short if security is to be added
1) Change it from file names to finger printing.
2) limit it to only scan what the user set's as their download folder on program start up and close.
3) prevent hash values of popular P2P malware from showing up when doing searches.
4) Make 2 and 3 optional so people don't have anything to get mad about.
5) combining this with my proposal to have an automated IP block list like peer guardian implemented, a hash list would be a HUGE plus. Shareaza would check if the list is modified and download the updated list on start up if it is modified.

But again, I dislike the idea of programs scanning for malware or anything for that matter if they're meant to be doing something else. Just my 2 cents.

Anyway good work so far.

[ailurophobe]

I remember having a discussion like this two or three forums ago... If malware is trying to hide changing the hash is just as easy as changing the file name. So hash checks only make sense for places where you already use the hash anyway such as using the security manager to block searches returning common malware. Or whitelisting, but that is too involved for casual courtesy checks. Other than that having the installer (and only installer) check for some specific malware by quickly looking for it by name and removing any checks that cause too many false positives is about the extent of what might be worth doing.

A suggestion: instead of reporting that a malware has been found, it would probably be better to say that your system contains traces of malware and while this might be a false alarm you probably should scan your system with a (real) anti-malware scanner just in case. That way even false positives would have a positive effect and only cause minor nuisance not panic action. In fact, it might be a good idea to remind the users that P2P applications are popular targets for malware and any P2P user should have anti-malware software installed in any case.

[raspopov]

Its not a common malware, its part of ShareazaV4-5-6 setup only. In past too many users complains about fake Shareaza behavior so we decided to help users to upgrade from fake to real Shareaza.

[deathfired]

raspopov if that's the case then why aren't you targeting just those fake Shareaza's when doing the start up scan? It makes no sense to scan for other things.

@ailurophobe - Hash checking, depending on what type of hash you use, is leap years better then searching via name lol. By hash search your chance of a false positive is nearly 0 (depending on which type of hash you use). Searching by name is just asking for trouble.

[ailurophobe]

IIRC the fake Shareaza leaves behind all kinds of other crap that stays behind even if you find out about the real Shareaza and remove the fake one. By the time you are installing real Shareaza it is that other stuff that is the problem. Never installed the fake one so could be wrong.

You mean hash checking is better every fourth year? The best solution obviously depends on what you want the solution to do. I don't want Shareaza to have an integrated anti-malware tool so to me hash checking or other finger printing would be pointless. I just want Shareaza to warn the user and advice using a real anti-malware tool if it sees something something suspicious and for that a fast file name check is the most efficient solution. IMO the problem in your case was not the false positive, it was that a quick and unreliable check was presented giving certain information it never was capable of producing.

[deathfired]

[raspopov]

Its not a "searching by name", it checking exactly for malware distributed with fake Shareaza. Two years ago there was no driver named "pxwma.dll". Anyway new setup will not check for this file anymore, so fake Shareaza users must pay more attention to upgrading process.