Is Hybrid PhysX mod v1.03 a virus?

  • Thread starter Man-wai Chang to The Door (33600bps)

Man-wai Chang to The Door (33600bps)

http://www.ngohq.com/graphic-cards/17706-hybrid-physx-mod-v1-03-a.html

Avira (forgot when) had once reported it as a virus....

--
@~@ Might, Courage, Vision, SINCERITY.
/ v \ Simplicity is Beauty! May the Force and Farce be with you!
/( _ )\ (x86_64 Ubuntu 9.10) Linux 2.6.34
^ ^ 20:10:01 up 12 days 23:21 2 users load average: 0.06 0.03 0.00
No borrowing! No fraud! No compensated dating! No fighting! No robbery! No suicide! Please consider Comprehensive Social Security Assistance (CSSA):
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa
 

VanguardLH

FromTheRafters said:
Man-wai Chang wrote ...


No, it was probably a false positive detection at one time - since
corrected. You could submit the program to virustotal.com, jotti.org, or
virscan.org to see what some other scanners have to report.

...better safe than sorry.

Until the AV program quarantines system files for the OS. A false
positive on a system file could render your OS unbootable or inoperable.
 

VanguardLH

Man-wai Chang said:
http://www.ngohq.com/graphic-cards/17706-hybrid-physx-mod-v1-03-a.html

Avira (forgot when) had once reported it as a virus....

Many games use nVidia's PhysX SDK to keep the game coders
from having to write all the physics engine routines, like how bodies
fall down stairs or clothes flap in the breeze. This is similar to how
Microsoft produced DirectX to provide consistency and ease of coding for
multimedia-enabled apps.

http://www.nvidia.com/object/physx_new.html
http://physxinfo.com/

But you already knew all of this. So what is your question *NOW* about
PhysX?
 

FromTheRafters

VanguardLH said:
Until the AV program quarantines system files for the OS. A false
positive on a system file could render your OS unbootable or
inoperable.

Those are file submission scanners, no danger of that.
 

VanguardLH

FromTheRafters said:
VanguardLH wrote ...


Those are file submission scanners, no danger of that.

I thought you meant "better safe than sorry ... to allow false
positives". I have my AV program alert me on *everything* it thinks is
bad; i.e., no automatic actions. I'll be able to figure out if the file
belongs to an app or to the OS and then investigate what that file
should really contain to determine if it was a false positive. I've hit
far more false positives in a variety of AV programs than I have ever
discovered for infections on my host. Letting the AV program
automatically dump files into its quarantine area (which means not even
the OS can get at it) could result in a dead OS or app.

Quarantining is usually an automatic action performed by the AV program.
I don't believe in allowing automatic quarantines; however, that also
means the user needs some education regarding their OS and have some
initiative to investigate the claim of an infection.

The online scanners make a good backup to get more opinions regarding the
good/bad status of a file. However, since only an on-demand scan is
performed against the uploaded file, only the current signatures can be
tested against the uploaded file. None of the heuristics can be used
against the behavior of the functions performed by execution of the file
or any libraries it happened to call. So the online scanners are only
good for a signature test against known malware. Zero-day malware won't
be caught that way.
 

FromTheRafters

VanguardLH said:
I thought you meant "better safe than sorry ... to allow false
positives". I have my AV program alert me on *everything* it thinks is
bad; i.e., no automatic actions. I'll be able to figure out if the file
belongs to an app or to the OS and then investigate what that file
should really contain to determine if it was a false positive. I've hit
far more false positives in a variety of AV programs than I have ever
discovered for infections on my host. Letting the AV program
automatically dump files into its quarantine area (which means not even
the OS can get at it) could result in a dead OS or app.

Quarantining is usually an automatic action performed by the AV program.
I don't believe in allowing automatic quarantines; however, that also
means the user needs some education regarding their OS and have some
initiative to investigate the claim of an infection.

The online scanners make a good backup to get more opinions regarding the
good/bad status of a file. However, since only an on-demand scan is
performed against the uploaded file, only the current signatures can be
tested against the uploaded file. None of the heuristics can be used
against the behavior of the functions performed by execution of the file
or any libraries it happened to call. So the online scanners are only
good for a signature test against known malware. Zero-day malware won't
be caught that way.

All good points.
 

Man-wai Chang to The Door (33600bps)

But you already knew all of this. So what is your question *NOW* about

I was/am just not sure whether Avira was trying to protect Nvidia's
interests... :)

--
@~@ Might, Courage, Vision, SINCERITY.
/ v \ Simplicity is Beauty! May the Force and Farce be with you!
/( _ )\ (x86_64 Ubuntu 9.10) Linux 2.6.34
^ ^ 18:20:01 up 13 days 21:31 2 users load average: 0.00 0.00 0.00
No borrowing! No fraud! No compensated dating! No fighting! No robbery! No suicide! Please consider Comprehensive Social Security Assistance (CSSA):
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa
 

VanguardLH

Man-wai Chang said:
I was/am just not sure whether Avira was trying to protect Nvidia's
interests... :)

Avira, as well as other anti-virus vendors, don't want their products
generating ANY false positives regardless of whose software is installed
on your host. I'm not sure that any AV product hasn't had false
positives in the past and why you have to do some investigation when any
malware gets reported on your host. For example, I've had false alerts
on the .vhd files for virtual machines where they contained a pristine
install of Windows XP. Somewhere in the huge file was a string of bytes
that happened to match on a malware signature.

Avira may have falsely alerted on PhysX in the past but it is likely
that it didn't false alert before that, happened to include a signature
that matched on a byte string after some update to Avira's signatures,
and then users reported the false positive and Avira updated the
signature database or extended the signature to ensure it looked at more
bytes than before so it wouldn't match on the PhysX file anymore. If it
is a *false* alert then it usually does get fixed but can be several
updates later. Some false positives never get fixed by some AV vendors,
like many continually alert on Nirsoft's utilities on your host.
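
The false-positive mechanism described in the post above (a short byte string matching an unrelated file, then the signature being extended to cover more bytes), as an added Python example that is not part of the original thread. The signature names, byte patterns and both sample blobs are constructed for illustration; they are not real AV signatures or malware.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes

@dataclass(frozen=True)
class Finding:
    signature: str
    offset: int
    context: bytes  # bytes around the match, for manual review

def scan(data: bytes, signatures: list[Signature], margin: int = 8) -> list[Finding]:
    """Report-only scan: list every match with its offset; nothing is quarantined."""
    findings = []
    for sig in signatures:
        pos = data.find(sig.pattern)
        while pos != -1:
            end = pos + len(sig.pattern)
            findings.append(Finding(sig.name, pos, data[max(0, pos - margin):end + margin]))
            pos = data.find(sig.pattern, pos + 1)
    return findings

# Constructed data: CORE stands in for the byte string a signature keys on.
CORE = bytes.fromhex("deadbeef")
FLAGGED_SAMPLE = b"\x90" * 8 + b"LOADER" + CORE + b"\x00PAYLOAD"
# Stand-in for a large benign file (e.g. a disk image) that contains CORE by chance.
BENIGN_IMAGE = bytes(range(256)) * 64 + b"fs-journal" + CORE + b"-block" + bytes(1024)

SHORT_SIG = Signature("Toy.Generic.short", CORE)
# Extended signature: same core plus the bytes that surround it in the flagged sample.
LONG_SIG = Signature("Toy.Generic.extended", b"LOADER" + CORE + b"\x00PAYLOAD")

if __name__ == "__main__":
    for label, blob in (("flagged sample", FLAGGED_SAMPLE), ("benign image", BENIGN_IMAGE)):
        for sig in (SHORT_SIG, LONG_SIG):
            hits = scan(blob, [sig])
            print(f"{label:15} {sig.name:22} hits={[(h.offset, h.context) for h in hits]}")
```

The short signature hits both blobs, and the context bytes around the benign hit are what a reviewer would inspect before deciding it is a false positive; the extended signature still matches the flagged sample but no longer matches the benign image.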
 