Thread: Suspected false positives during "deep-inspection" scan.

  1. #1
    lalittle Guest

    Suspected false positives during "deep-inspection" scan.

    When I do a "deep-inspection" spyware scan with ZAX (298) I get three hits recommending that files be "Quarantined." I'm pretty sure these are false positives based on other reports (on both ZA and other security forums) talking about these same or similar alerts being false positives. It also appears that if I let ZA quarantine these files, it will break the functioning of some legitimate programs.

    Here is some of the info from the scan:

    Win32.Trojan.Rbot
      File: C:\Program Files\NVIDIA Corporation\NVIDIA PhysX\Demos\Fluids\glut32.dll
      RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MCD
    Win32.Trojan.Clicker.Small.is
      File: D:\...\2k9win32\awkeygen.exe
    Power Spy
      File: C:\Documents and Settings\All Users\Start Menu\Programs\Orban\AAC-aacPlus Plugin\Uninstall AAC-aacPlus Plugin.lnk
      File: C:\Program Files\Orban\AAC-aacPlus Plugin\unins000.exe
      File: C:\System Volume Information\_restore{2D742486...}\...\A0052675.exe

    As I said, I 'think' these are false positives, but how can I confirm this? I've read about people sending in files to have false positives confirmed -- does ZA have such a service? I did send in the normal ZA tech support form, but I don't know if there is a better way to get help with this. It might also be important to note that for verification, I scanned the same files with SuperAntiSpyware (with latest updates) and received no alerts.

    Thanks,
    Larry

    Operating System:Windows XP Pro
    Software Version:8.0
    Product Name:ZoneAlarm Extreme Security

  2. #2
    Charles_B Guest

    Re: Suspected false positives during "deep-inspection" scan.


  3. #3
    lalittle Guest

    Re: Suspected false positives during "deep-inspection" scan.

    Thanks.
    It's definitely the "spyware" scan and NOT the "anti-virus" scan that is giving me the alerts. I already filled out and sent in the ZA form linked in that post, but since the form has no provision for uploads, I was unable to send them the actual files themselves.

    Without the files, I don't see how ZA could 1) verify whether or not these are false positives, or 2) fix the issue if they are in fact false positives, so I assume that ZA will ask me to email the files to them in a follow-up email response. I'll post back with any information I get.

    On this subject, I read on this forum about a site called virustotal.com, where you can send in files with potential infections for analysis by 39 engines. I sent in all the files in question (4 files total) and I'm interested in getting feedback and opinions from ZA users on the results and the way I'm interpreting them.

    The virustotal results were all negative (0/39) except for a 1/39 report on one of them. In other words, on this one file, of the 39 engines that virustotal.com uses, ONE of them saw the file as having an infection. It was "esafe 7.0.17.0" that saw an infection in this file, which it listed as "Win32.SusKeygen.a" (ZAX lists it as "Win32.Trojan.Clicker.Small.is" instead).

    Given this, my interpretation at this point would be to assume that all the alerts were indeed false positives, including the file that had the "1/39" result, since with this many negatives it seems far more likely that the single hit (or "double" hit if you count ZAX) would be a false positive.

    My question is: does this seem like sound thinking? My thinking is that if I let ZAX quarantine these files, it will break the functionality of the programs in question, which I'd obviously like to avoid if the threat is not real. Assuming I'm properly interpreting the results, they would seem to indicate that the threat is not real, so I'm interested to hear if people think I'm properly interpreting the results.

    Thanks for any feedback,
    Larry
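    The two checks the post above does by hand, hashing the files and reading a per-engine verdict table, as an added example. This is not code from the thread, from ZoneAlarm or from VirusTotal: it hashes a file so the hash (not the file) can be looked up or quoted to a vendor, then scores a {engine: label} table by detection ratio and by whether the hits carry heuristic-style labels. The verdict tables are constructed to mirror the 0/39 and 1/39 numbers quoted in the post; apart from the quoted "eSafe" / "Win32.SusKeygen.a" hit, every engine name, label, marker word and threshold is an assumption.

```python
"""Triage a multi-engine scan verdict table for a suspected false positive.

Added example for the thread above; not ZoneAlarm, VirusTotal or forum code.
Engine names, labels, marker words and thresholds are assumptions except the
quoted eSafe / Win32.SusKeygen.a hit.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional

# Label fragments that usually denote a heuristic / "suspicious" verdict
# rather than a named family. Assumed list; extend as needed.
HEURISTIC_MARKERS = re.compile(
    r"(sus|heur|generic|\bgen\b|riskware|not-a-virus|hacktool|potentially|keygen)",
    re.IGNORECASE,
)

# Assumed threshold: at or below this share of engines, agreement is "low".
LOW_AGREEMENT = 0.10


@dataclass
class Triage:
    detections: int
    engines: int
    heuristic_only: bool
    verdict: str


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a file in chunks; the hash is what you look up or send, not the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(results: Dict[str, Optional[str]], engines: Optional[int] = None) -> Triage:
    """Score a {engine: label-or-None} table.

    `engines` lets a partial table stand in for a full report, e.g. the single
    eSafe hit out of 39 engines quoted in the post.
    """
    total = engines if engines is not None else len(results)
    hits = {eng: lbl for eng, lbl in results.items() if lbl}
    if total <= 0 or len(hits) > total:
        raise ValueError("engine count must cover every reported hit")
    ratio = len(hits) / total
    heuristic_only = bool(hits) and all(
        HEURISTIC_MARKERS.search(lbl) for lbl in hits.values()
    )

    if not hits:
        verdict = "no detections"
    elif ratio <= LOW_AGREEMENT and heuristic_only:
        verdict = "probable false positive"
    elif ratio <= LOW_AGREEMENT:
        verdict = "low agreement, inspect"
    else:
        verdict = "treat as malicious"
    return Triage(len(hits), total, heuristic_only, verdict)


if __name__ == "__main__":
    # Constructed stand-in for the file under suspicion; hash it, don't upload it.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"MZ constructed sample, not a real binary\n")
    try:
        print("sha256:", sha256_file(tmp.name))
    finally:
        os.unlink(tmp.name)

    # Constructed verdict tables mirroring the numbers in the post.
    tables = {
        "0/39 (the four clean files)": ({f"engine{i}": None for i in range(39)}, None),
        "1/39 (awkeygen.exe)": ({"eSafe": "Win32.SusKeygen.a"}, 39),
        "2/39 named family": (
            {"Kaspersky": "Trojan.Win32.Rbot.gen", "Microsoft": "Backdoor:Win32/Rbot"}, 39),
        "30/39 generic": ({f"engine{i}": "Trojan.Generic" for i in range(30)}, 39),
    }
    for name, (table, n) in tables.items():
        print(f"{name}: {triage(table, n)}")
```

    The ratio rule is a triage aid, not a verdict: a single "SusKeygen" hit says the engine recognised a key generator, which is exactly what the file is, so "probable false positive" here means "not a trojan", not "safe to run". For the NVIDIA and Orban files, the hash is also what you compare against a copy extracted from the vendor's own installer; a match settles the question without any engine at all.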

  4. #4
    fax

    Re: Suspected false positives during "deep-inspection" scan.

    Hi! No need to post here, you already know perfectly well how to proceed, including the use of virustotal. Any security tool is subject to false positives; it's normal. You just need to report it to the producer as already suggested.

    lalittle wrote:
        Win32.Trojan.Clicker.Small.is File: D:\...\2k9win32\awkeygen.exe

    ...and this one is a key generator to register Maya, which sounds not really legal. Also note that 'deep inspection' is prone to false positives and is not recommended for normal scans but only in case of malware.
    Cheers,
    Fax

    Message Edited by fax on 03-16-2009 08:10 AM

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  5. #5
    lalittle Guest

    Re: Suspected false positives during "deep-inspection" scan.


    fax wrote:
        Hi! No need to post here, you already know perfectly well how to proceed, including the use of virustotal.

    Actually, I really don't feel like I know how to proceed since I'm not sure how to act on all the pieces of information. My "feeling" is that four 0/39 results and one 1/39 result would clearly point to false positives, and hence that I can assume that ZAX is also giving me false positives on these files, but with my limited experience in this field, and therefore with no point of reference, I honestly don't know if this is a safe assumption or not. This is why I'm very interested in hearing other opinions on this subject -- i.e. given all the information I've provided so far, what would the "experts" do? My hope in starting this thread is to get feedback from the ZA community on the actions I'm taking in the wake of these specific ZAX alerts.

    fax wrote:
        Any security tool is subject to false positives; it's normal. You just need to report it to the producer as already suggested. :8}

    Unfortunately, ZA does not appear to have a means (that I could find) of directly submitting files for "spyware" analysis like I could do with "virus" (i.e. Kaspersky) alerts. For spyware hits I'm only able to send in a TS form, so at this point I'm hoping they'll reply with a request to send them the files in question. I have no idea, however, if this is how the process works, so (once again) feedback from other users could still be quite helpful.

    Thanks,
    Larry

  6. #6
    fax

    Re: Suspected false positives during "deep-inspection" scan.

    Hi! Uuuhm, looks like I was not clear enough. You have to contact ZA technical support; they are the only ones that can instruct you on how to proceed.
    Cheers,
    Fax

