Thread: Considering all the false positives...

  1. #1
    amethyst Guest

    Considering all the false positives...

    ... and the havoc they are wreaking on people's computers, and the fact that when ZA quarantines something, restoring the files from quarantine is not enough, since ZA seems to de-register the file when it quarantines it, and maybe not all of us know how to restore that registry setting and maybe we can't necessarily restore the system...

    Shouldn't we all just choose to have ZASS 'report only' when it perceives a problem? (That's with "Alert me, do not treat automatically" for the AV and the check removed from the box to treat automatically in the antispyware part.) ZASS is not the first security software to have false positives and, personally, I won't even use security software if it doesn't provide the option for me to decide what I want it to do with a file before it does anything. I did have the antispyware set to treat automatically until this latest rash of problems (involving people's monitors). Somehow my AS didn't flag these files, so I was lucky there, but I'm not giving ZASS another chance to wipe out legitimate files. I've already lost a system file for good to a false positive, and fortunately it's not one that I've needed so far.

    Yes, it's more work to have to second guess everything ZASS does, but it's the same with any security software, false positives happen. And looking something up and verifying it first is probably easier than trying to get back something that's been lost for good.

    Just my 2 cents. :-) Happy computing, folks. I appreciate everyone who has written here to share their experiences and knowledge. It is a great help.

    Amethyst
    ZASS 6.5

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Considering all the false positives...

    I think the best setting is quarantine. Then check it out and see if it is a false positive. This way, if it is something evil, it is contained and stopped, and if it is a false positive, it can always be released. Safe and no harm can be done either way.

    Lost files should be recovered in a system file check. That will work for the OS files. Lost files from supported software should be recovered by re-installs. Or if there are two machines, then copy from one PC and place in the other PC.

    If it is a virus scan detection and a suspected false positive, then send it to :

    newvirus at kaspersky.com and zip the file and password protect it and include the password in the e-mail.


    If it is a spyware scan detection and a suspected false positive , then send it to:

    http://www.zonelabs.com/store/conten...are_report.jsp

    Determining if the file is evil or not... there are numerous internet sites, depending on what type of file. In general Google does have good results. Sites such as

    neuber.com

    liutilities.com

    or microsoft or wikipedia are helpful.

    Many sites have lists of known spyware to help determine such as http://www.pcpitstop.com/spycheck/known.asp
    Although commercially driven, they do provide a service.

    Castle Cops has extensive lists of CLSIDs, BHOs and Toolbars found here >

    http://www.castlecops.com/CLSID.html

    Castle Cops has an ActiveX list found here >

    http://www.castlecops.com/ActiveX.html

    Castle Cops has a list of LSPs found here >

    http://www.castlecops.com/LSPs.html

    plus they have many more lists.

    A good site for spyware and adware listing is >

    http://www.spywaredata.com/spyware/s...t/W/result.php


    But a good site to help with not just determining if the file(s) are bad or not, but the actual removal and cleanup, is spywarewarrior, found here >

    http://spywarewarrior.com/sww-help.htm

    Many of the online scanners suggested by spywarewarrior can be useful for seeing if the PC is actually infected or not. Another list of on-line antivirus scanners is found here >

    http://blogs.dotnethell.it/vincent/V...INE__2046.aspx


    Actual files can be uploaded to sites for antivirus scanning. The advantage is the site usually has many scanners to check at the same time. Many scanners means a better detection. Two can be found here >

    http://virusscan.jotti.org/

    http://www.virustotal.com/

    Posting at forums such as here, the Zone Alarm forum or other security forums is always a good approach. There are others who have seen the same thing or users who will be able to help in reaching a proper solution or users who can be certain to say if the detection is correct or wrong just by the name/ file location alone.

    Oldsod

    Message Edited by Oldsod on 08-05-2007 05:03 AM
    Best regards.
    oldsod

  3. #3
    amethyst Guest

    Re: Considering all the false positives...

    Thanks for the good info, Oldsod. I've bookmarked your reply so I can refer to it if I need to. :-)


    Regards,
    Amethyst


    ZASS 6.5

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Considering all the false positives...

    You are welcome amethyst

    Cheers,
    Oldsod
    Best regards.
    oldsod

  5. #5
    random9q Guest

    Re: Considering all the false positives...

    OK, I have what I strongly suspect is a false positive.
    After searching the forum, your posting looked like the most useful I've seen here.
    This isn't the first time this has happened, previously it was just impacting games downloaded via Steam.
    I couldn't find any recourse and gave up, life moved on.
    Then it started hitting the odd and occasional system file.
    Today this is hitting me where it hurts.
    The file quarantined was "C:\Program Files\Native Instruments\Pro-53\DXi\Pro-53DXI.dll".
    If you're not familiar with them, Native Instruments manufactures high-end software-synths that are usable as stand-alone synths and as plug-ins to other programs, mainly composition tools.
    Zone Alarm identified it as Trojan-Downloader.Win32.bagle.jc.
    A quick search of Kaspersky's site gives me the clue that one of their analysts is jumping all over trying to keep up with creating new definitions to combat new variants.
    OK, so I'm a victim of "minor" collateral damage in this war: my computer still runs.
    There are two possibilities here:
    (1) The trojan infected my computer and ZA failed to find several other instances of DLLs it has infected, only finding this one.
    (Implausible, IMSHO.)
    (2) Zone Alarm possibly damaged the file during its "attempted repair", found it still didn't like the file, and then quarantined it.
    I'd love to file this off to Kaspersky using your directions, only I now cannot find the file.
    I can't locate any "quarantined" (or similar) directory in the "C:\Program Files\Zone Labs\" tree, and I find that the folder "C:\Program Files\Native Instruments\Pro-53\DXi" has been emptied (presumably its contents removed to the "quarantined" folder I can't find).
    I can find the option to un-quarantine the files.
    What I also find is that immediately after restoring the file, Zone Alarm re-quarantines it as soon as I try to zip it.
    Any suggestions?


  6. #6
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,286

    Re: Considering all the false positives...


    random9q wrote:
    > Any suggestions?

    Yep. It is always better to create a new message than to attach a response to an existing one, since it will not be easy to find by most users...

    random9q wrote:
    > I can find the option to un-quarantine the files. What I also find is that immediately after restoring the file, Zone Alarm re-quarantines it as soon as I try to zip it.

    Please go to ZA antivirus/antispyware tab --> Advanced options --> Virus Management --> Automatic Treatment and select "Alert me - do not treat automatically". Now restore the quarantine and when you get a pop-up window from ZA just select "ignore always" from the list of proposed actions. Now you can upload the file to www.virustotal.com to have the file scanned by more than 30 AV engines. If it is confirmed that it is a false positive, then send it to newvirus at kaspersky dot com in a password protected zip. Subject: false positive. Remember to include the password in the e-mail.

    Hope this helps.

    Cheers,
    Fax



    Message Edited by fax on 02-02-2008 09:42 AM

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays
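As an added example (not from this thread, and not Zone Labs' or Kaspersky's code), a small Python triage script along the lines of Oldsod's and Fax's advice: it fingerprints the restored file, compares it with a known-clean copy of the same file (from a second PC or a fresh reinstall, as Oldsod suggests) so you can tell whether an "attempted repair" like the one random9q describes changed the file, and drafts the note that goes with the vendor e-mail. The file name and detection name come from random9q's post; the sample bytes are constructed; the e-mail body and the known-clean path are assumptions. Nothing is uploaded or sent.

```python
"""
Triage helper for a suspected antivirus false positive (added example).

The hashes let you match a multi-engine scanner report against the exact
bytes you hold, and the comparison shows whether the scanner merely moved
the file or altered it. Python's zipfile module can read but not write
password-protected archives, so the zip step stays with an external tool.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 1 << 20  # read in 1 MiB pieces so a large DLL need not fit in memory


@dataclass(frozen=True)
class Fingerprint:
    size: int
    md5: str
    sha1: str
    sha256: str
    pe_like: bool  # True when the file starts with the "MZ" header of Windows EXE/DLL files


def fingerprint_bytes(data: bytes) -> Fingerprint:
    """Fingerprint an in-memory blob (small samples, tests)."""
    return Fingerprint(
        size=len(data),
        md5=hashlib.md5(data).hexdigest(),
        sha1=hashlib.sha1(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
        pe_like=data[:2] == b"MZ",
    )


def fingerprint_file(path: str) -> Fingerprint:
    """Fingerprint a file on disk without loading it all at once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        head = fh.read(2)
        fh.seek(0)
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            size += len(chunk)
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return Fingerprint(size, md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest(), head == b"MZ")


def compare(sample: Fingerprint, reference: Fingerprint) -> str:
    """Say whether the restored sample still matches a known-clean copy.

    A size change after an "attempted repair" is the clearest sign that the
    scanner modified the file rather than just quarantining it.
    """
    if sample.sha256 == reference.sha256:
        return "identical"
    if sample.size != reference.size:
        return "differs (size %d vs %d): the file was modified" % (sample.size, reference.size)
    return "differs (same size, different content): the file was modified"


def submission_note(detection: str, path: str, fp: Fingerprint, verdict: str) -> str:
    """Draft the e-mail body that accompanies the password-protected zip (assumed layout)."""
    return "\n".join([
        "Subject: false positive",
        "Detection name: " + detection,
        "Original path: " + path,
        "Size: %d bytes" % fp.size,
        "MD5: " + fp.md5,
        "SHA1: " + fp.sha1,
        "SHA256: " + fp.sha256,
        "Looks like a Windows PE file: " + str(fp.pe_like),
        "Comparison with known-clean copy: " + verdict,
        "Archive password: <put the zip password here>",
    ])


def demo() -> str:
    """Run the triage on constructed data standing in for the DLL and its clean copy."""
    clean = b"MZ" + bytes(range(256)) * 4      # constructed stand-in for the clean DLL (1026 bytes)
    damaged = clean[:-17]                        # pretend the "repair" truncated it (1009 bytes)
    with tempfile.TemporaryDirectory() as tmp:
        sample_path = os.path.join(tmp, "Pro-53DXI.dll")           # file name from the thread
        reference_path = os.path.join(tmp, "Pro-53DXI.dll.clean")  # assumed: copy from a second PC
        with open(sample_path, "wb") as f:
            f.write(damaged)
        with open(reference_path, "wb") as f:
            f.write(clean)
        sample, reference = fingerprint_file(sample_path), fingerprint_file(reference_path)
        return submission_note("Trojan-Downloader.Win32.bagle.jc", sample_path, sample, compare(sample, reference))


if __name__ == "__main__":
    print(demo())
```

In practice, run `fingerprint_file` on the restored file only after switching ZA to "Alert me - do not treat automatically", as Fax describes, or the file will be re-quarantined while it is being read; if the comparison reports "differs", the fix is a reinstall, not a vendor submission of the damaged copy.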
