Why does BOClean think VNC is malware?

I had this issue with BOC 4.25. It is still happening with 4.26, installed yesterday. I get a messagebox (usually twice) that RSK-VNC.WINVNC4.exe malware detected - process stopped, do I want to remove the file also. I have installed RealVNC 4.12 myself, so I am well aware that it is there on my system. I have added the winvnc4.exe file in the BOC Excluder, but the message STILL comes up on every reboot/login to the PC, and also periodically during my PC usage. How can I prevent this from happening?

Better use UltraVNC, it’s better and more actively developed :slight_smile:

@ Commodus, you should give him an answer to his questions not giving other programs (:TNG).
(it’s like saying to someone who has a virus, that he needs to use macintosh or so).

@ RDPetruska, try adding the whole folder to the exluder, this should fix the problem.


If I try to drag the folder to the excluder, it displays “The item you dragged is not a program or a shortcut to a program. It cannot be excluded. Try again.”
Did you mean to add each file in the program’s folder instead?

And, while I have UltraVNC around somewhere, RealVNC (made by the people from AT&T who initially developed the VNC protocol/standard, so I trust them) works just fine for me and my coworkers. :slight_smile:

Well I’m not a BoClean specialist (:SHY). But you could try to see what actually triggers the alert and then exclude that. I wouldn’t know… In the end case, try excluding all the files and see if that works out for you. :slight_smile:

In any case, I’m sad that I’m not a techie ;D


I have VNC installed on several computers on our network. When I install BOClean to any computer that also has VNC, the very first thing I do is open explorer to the folder with the VNC executables then open the BOClean excluder program from the start menu. I then drag all of the executables into the excluder and click Done. Doing it this way I have no problems with BOClean and VNC.

Can you provide exact filename / path details.

Have you checked the file on www.virustotal.com ???

Kevin McAleavey is original programmer of BoClean and in charge of BoClean’s signature. Each signature is thoroughly checked by him and is undoubtedly malware.


Hi Eric,
Well unfortunately I may not agree with you completely about “undoubtedly”
I know that you helped in “_Disinfector” case
So you are aware of the result - one FP fixed one left.
and according to Kevin’s position “nothing we can do” with nircmd.exe meaning - we cannot force him to change his opinion.
At the same time I have a few consultations contacting several very reliable sources.
People who develop Tools for malware removal widely use nircmd.exe
Many programs or part of code can be used by malicious code (how about riskwares) but it doesn’ make those progs a malware and nircmd “never was and never should be considered being rootkit (pseudo or not)”.
I hope you forgive me for too much writing about just one word (“undoubtedly”) :wink:
Sorry for interrupting your dialogue, Guys
My regards.

Kevin stated it was a rootkit installer but your computer is your computer. You can always add that file to the exclusion list if you disagree. Incidentally, Panda and other antivirus software also detect nircmd.exe as an unwanted program.


Umm - well, I’ve downloaded the RealVNC application Installation files directly from RealVNC’s site. I understand that if someone has installed VNC (or any other remote control software, for that matter) on a PC and the PC’s user is not aware of that fact, that it could be interpreted as malware. My problem was that even after I added the “winvnc.exe” program into BOClean’s exclusion list, that BOC still pops up the error message and insists that it has blocked a possible malware application on my computer. As a user, I expect that when I configure a program (anti-virus, anti-malware, etc.) to exclude something, that program will listen to me and properly exclude the application I have told it to!!

Hiya! As the official coder for BOClean, I’d expect that as well. Something’s gone weird there indeed. If you can send me an IM, will get back to you as to how to send me some diagnostics information so we can figure this out.

As far as VNC and a number of other “remote access tools” they’ve been covered by BOClean as a threat for several years as many of these “legitimate tools” are packaged into “pseudo-rootkits” and are run completely hidden when this occurs. Since we provide the excluder, we expect that anyone who chooses to run these will go ahead and just exclude them. Of course, normally the excluding works. Even in a company-wide situation, there are means to “mass exclude” as well, but it requires some additional stuff. In such situations, a master configuration is deployed which will also include this pre-configured arrangement so that all clients will have the common exclusions.

But because these programs which BOClean alerts on are SO widely used by the “bad guys” we really DO have to alert on them because they can be rendered completely invisible and are rather powerful when this is done. I’m guessing that the file you excluded is the same one that BOClean is alerting on and in the same location? I’ve seen this happen before and the “victim” was indeed using one of these utilities willingly but as it turned out another copy elsewhere was what was actually being alerted to, a rather unpleasant surprise for them indeed.

Be happy to help sort this out though!