
Trojan in

3 Posts
2 Users
0 Reactions
2,374 Views
(@boiled_elephant)
New Member Registered
Joined: 5 months ago
Posts: 2
Topic starter  

Hi Glenn & all,

I'm new to the SDI/SDIO world, but recently went on a voyage of discovery trying to unpick the persistent rumours (mainly spread by people who've never downloaded or inspected either project) about malware.

I downloaded and scanned both (which takes quite a while) and both projects (which seem to share most of the same driver repositories) contain a file - Wincor > Allx64 > BIOS > wnBios64.sys inside DP_Misc_25062.7z - which MS Defender and some (but not all) antivirus vendors detect as Trojan:Win64 / VulnDrv!MSR.

The detection is ambiguous, because none of the major vendors (Kaspersky, Eset, etc.) see it, and the ones reporting it, besides MS, are tiny nobody companies I've barely heard of (see attached screenshot). But in total it is about a third of the companies on VirusTotal who list it as a trojan.

Here is my thread on SDI discussing this with one of their people:

(edit - can't add link, but it is the most recent thread on SDI's SourceForge discussion forum)

I still can't decide what the odds are that this file is actually malicious: it was signed and included in the MS update catalogues back in the 2000s and has been there ever since, so it could well be a false positive. I don't know how to go further with it. But with such disagreement among antivirus vendors, I thought I should make you guys aware just in case.

This topic was modified 5 months ago 2 times by boiled_elephant

Glenn
(@glenn)
Member Admin
Joined: 7 years ago
Posts: 1811
 

Thanks for bringing this to our attention. I note there is no information available on exactly what this virus is. It's also worth noting that many of the smaller vendors share their signature libraries so one false positive bleeds across many vendors. I read the SDI thread and note the file in question was removed from the latest driver packs which I have confirmed here.

For the record, my release procedure includes running a full malware scan across the entire 45GB of driver packs, every time. Takes ages. Occasionally the scanner questions something which could be debated; I may run a second scanner or just remove the offending files from the driver packs if there is any doubt.

As with all such downloads, you should not take our word for it. You should run your own preferred malware scanner on the downloaded files so that you are comfortable using the files.

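As an added example (not Glenn's release tooling or anything from the SDIO project), the check below parses `7z l -slt` output for a driver pack archive, reports whether the path flagged in this thread is still present, and lists every .sys entry with its CRC so the list can be handed to a second scanner. It assumes the `7z` command-line tool is on PATH for `list_archive()`; the embedded listing is constructed and abridged.

```python
"""Audit a `7z l -slt` driver-pack listing for quarantined paths and .sys entries.
Added example, not the SDIO project's tooling; list_archive() assumes 7z on PATH."""
import subprocess

# Archive-relative path the thread reports as flagged by several AV vendors.
QUARANTINED = {"Wincor/Allx64/BIOS/wnBios64.sys"}

# Constructed, abridged `7z l -slt` output (real entries carry more fields).
SAMPLE_LISTING = """\
Path = DP_Misc_25062.7z

----------
Path = Wincor\\Allx64\\BIOS
Attributes = D
CRC =

Path = Wincor\\Allx64\\BIOS\\wnBios64.sys
Attributes = A
CRC = 1A2B3C4D
"""

def parse_listing(listing: str) -> list[dict]:
    """One dict per file entry; the archive header before '----------' and directories are skipped."""
    entries, cur, in_entries = [], {}, False
    for line in listing.splitlines():
        if not in_entries:
            in_entries = line.strip() == "----------"
        elif not line.strip():           # a blank line ends an entry block
            if cur:
                entries.append(cur)
            cur = {}
        else:
            key, sep, value = line.partition(" =")
            if sep:
                cur[key.strip()] = value.strip()
    if cur: entries.append(cur)
    return [e for e in entries if "Path" in e and not e.get("Attributes", "").startswith("D")]

def audit(entries: list[dict]) -> tuple[list[str], dict[str, str]]:
    """Return (quarantined paths still present, {.sys path: CRC}) using '/' separators."""
    by_path = {e["Path"].replace("\\", "/"): e for e in entries}
    present = sorted(p for p in by_path if p in QUARANTINED)
    drivers = {p: e.get("CRC", "") for p, e in by_path.items() if p.lower().endswith(".sys")}
    return present, drivers

def list_archive(archive: str) -> str:
    """Capture `7z l -slt <archive>`; the 7z CLI must be installed (assumption)."""
    return subprocess.run(["7z", "l", "-slt", archive], check=True,
                          capture_output=True, text=True).stdout
```

Run `audit(parse_listing(list_archive("DP_Misc_25062.7z")))` against a downloaded pack; an empty first element confirms the flagged path is gone.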
(@boiled_elephant)
New Member Registered
Joined: 5 months ago
Posts: 2
Topic starter  

@glenn Thanks Glenn. The 'yoink' spreading of a definition between small companies makes total sense, and seems likely to me. I just can't figure on a company like Kaspersky, with all their heuristic analysis, not realising that a .sys file is able to behave as a trojan, or part of one!


It would've made a cool story, though, if a trojan written in the noughties was still alive and well in the wild because, due to some technical quirk, nobody ever spotted it. At least one third of an airport novel in that.


Glenn's Page