Hi!

I just received my FeiyuTech FY-31AP autopilot module and HornetOSD modules tonight. I went to the FeiyuTech website and download their ground control software and my ESET NOD32 antivirus software is reporting their ground control software is infected with the WIN32/Packed.Enigma.AAA trojan. Has anyone else experienced this? Does anyone have a copy of their ground control software that isn't infected?
It's really pathetic that for $300.00USD, I buy something that is supported with virus infected software...

Thanks,
Aonghais

Packers are used to obfuscate (and sometimes compress) executables. This makes it harder (but not much) to reverse engineer them. It is possible that the company is using a packer to protect their software and the antivirus picks up a false positive because it has a signature for a virus that used the same obfuscation program.

It might also detect generic packer like behaviour.

I don't think so...

If you read the response from FeiyuTech, they admit there is a software module to perform internet updates that may cause this. I found that NOD32 deletes their installer as soon as it downloads from the internet. If I disable NOD32 and allow it to install, NOD32 deletes the installed executable as soon as I re-enable it. I find it suspicious that an antivirus program specifically recognizes this particular trojan whether its compiled into an installer, or not.

Why would they tell me to run their software with my firewall and antivirus off?????

Well, AV is software. Software can have bugs. So... ?

What's "WIN32/Packed.Enigma.AAA"? Let me guess - some generic code, detected by AV, may be used for 3216518416813164 purposes?
I did quick google search, haven't found any detailed description about this "virus"...

When I run a full virus scan, many of my executables that contain ftp clients or http api calls get incorrectly flagged as viruses. Since I wrote these executables, I know they are not. But they must contain the same api calls that some viruses contain. So I assume eset is wrongly identifying them.

As Uranium has said, Eset has identified that a packer is in use - not an actual virus/Trojan. The developers are probably using Enigma Protector http://www.enigmaprotector.com/

This not only packs the exe making static analysis harder but also provides runtime protection making disassembly harder. I guess the developers are just keen to hide what their code is doing - probably because they don't want other people to reverse engineer or modify it.

It is not a cause for concern particularly. As with any software do not run it on a trusted system if you do not trust the source. If you're paranoid then run it on a dirty system and monitor what it is doing to the system checking for changes or behaviour not consistent with what you would expect of a GCS application.

Quote:

Why would they tell me to run their software with my firewall and antivirus off?????

To reduce support calls and problems. Remember security breaks everything.

OK. Makes a bit more sense now... I've been using ESET on >30 workstations and 5 servers for several years and never had any false positives before, some malware has gotten past ESET, but never false positives...

I'll just use it on an internet disabled laptop.

When I uploaded in December, I too got a Trogen Gen warning from my Norten Internet Security.
But I reloaded recently, and the virus warning is gone. They probably cleaned it up.

http://shop.fyetech.com/dl/fygcsv15.rar


I've been flying this GCS the past few days, no issues at all.


BB