
Thread: Suspected false positives during "deep-inspection" scan.

  1. #1
    lalittle Guest

    Suspected false positives during "deep-inspection" scan.

    When I do a "deep-inspection" spyware scan with ZAX (298) I get three hits recommending that files be "Quarantined."
    I'm pretty sure these are false positives based on other reports (on both ZA and other security forums) talking about these same or similar alerts being false positives.
    It also appears that if I let ZA quarantine these files, it will break the functioning of some legitimate programs.
    Here is some of the info from the scan:

    Win32.Trojan.RbotFile: C:\Program Files\NVIDIA Corporation\NVIDIA PhysX\Demos\Fluids\glut32.dll
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MCD
    Win32.Trojan.Clicker.Small.isFile: D:\...\2k9win32\awkeygen.exe
    Power SpyFile: C:\Documents and Settings\All Users\Start Menu\Programs\Orban\AAC-aacPlus Plugin\Uninstall AAC-aacPlus Plugin.lnk
    File: C:\Program Files\Orban\AAC-aacPlus Plugin\unins000.exe
    File: C:\System Volume Information\_restore{2D742486...}\...\A0052675.exe

    As I said, I 'think' these are false positives, but how can I confirm this?
    I've read about people sending in files to have false positives confirmed -- does ZA have such a service?
    I did send in the normal ZA tech support form, but I don't know if there is a better way to get help with this.
    It might also be important to note that for verification, I scanned the same files with SuperAntiSpyware (with latest updates) and received no alerts.
    Thanks,
    Larry

    Operating System:Windows XP Pro
    Software Version:8.0
    Product Name:ZoneAlarm Extreme Security

  2. #2
    Charles_B Guest

    Re: Suspected false positives during "deep-inspection" scan.


  3. #3
    lalittle Guest

    Re: Suspected false positives during "deep-inspection" scan.

    Thanks.
    It's definitely the "spyware" scan and NOT the "anti-virus" scan that is giving me the alerts.
    I already filled out and sent in the ZA form linked in that post, but since the form has no provision for uploads, I was unable to send them the actual files themselves.

    Without the files, I don't see how ZA could 1) verify whether or not these are false positives, or 2) fix the issue if they are in fact false positives, so I assume that ZA will ask me to email the files to them in a follow-up email response.
    I'll post back with any information I get.
    On this subject, I read on this forum about a site called virustotal.com, where you can send in files with potential infections for analysis by 39 engines.
    I sent in all the files in question (4 files total) and I'm interested in getting feedback and opinions from ZA users on the results and the way I'm interpreting them.
    The virustotal results were all negative (0/39) except for a 1/39 report on one of them.
    In other words, on this one file, of the 39 engines that virustotal.com uses, ONE of them saw the file as having an infection.
    It was "esafe 7.0.17.0" that saw an infection in this file, which it listed as "Win32.SusKeygen.a" (ZAX lists it as "Win32.Trojan.Clicker.Small.is" instead).
    Given this, my interpretation at this point would be to assume that all the alerts were indeed false positives, including the file that had the "1/39" result, since with this many negatives it seems far more likely that the single hit (or "double" hit if you count ZAX) would be a false positive.
    My question is: does this seem like sound thinking?
    My thinking is that if I let ZAX quarantine these files, it will break the functionality of the programs in question, which I'd obviously like to avoid if the threat is not real.
    Assuming I'm properly interpreting the results, they would seem to indicate that the threat is not real, so I'm interested to hear if people think I'm properly interpreting the results.
    Thanks for any feedback,
    Larry
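Added example (not code from this thread, from ZoneAlarm or from VirusTotal) covering the two questions raised above: how to read the scan lines from the first post, where the detection label and the item kind are run together ("Win32.Trojan.Clicker.Small.is" + "File"), and how to weigh a 0/39 or 1/39 multi-engine result against the path context before letting a scanner quarantine anything. The 39-engine verdict table, every engine name except eSafe, the "suspicious" label fragments and the ratio thresholds are assumptions chosen for illustration; the only verdict taken from the thread is eSafe's "Win32.SusKeygen.a" on awkeygen.exe.

```python
"""Triage helper for suspected anti-spyware false positives.

Added example for this thread; it is not ZoneAlarm code and not a VirusTotal client.
It parses report lines shaped like the ones posted above ("<label><kind>: <path>")
and scores each hit against a multi-engine verdict table shaped like a VirusTotal
result (engine name -> label, or None for clean). The engine list, the verdict
values and the thresholds below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Scan output as posted in the thread; the truncated paths ("...") are kept as posted.
SCAN_REPORT = """\
Win32.Trojan.RbotFile: C:\\Program Files\\NVIDIA Corporation\\NVIDIA PhysX\\Demos\\Fluids\\glut32.dll
RegistryKey: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MCD
Win32.Trojan.Clicker.Small.isFile: D:\\...\\2k9win32\\awkeygen.exe
Power SpyFile: C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Orban\\AAC-aacPlus Plugin\\Uninstall AAC-aacPlus Plugin.lnk
File: C:\\Program Files\\Orban\\AAC-aacPlus Plugin\\unins000.exe
File: C:\\System Volume Information\\_restore{2D742486...}\\...\\A0052675.exe
"""

# "<label><kind>: <path>"; label and kind are run together in the report ("RbotFile"),
# and a line with an empty label continues the previous detection.
LINE_RE = re.compile(r"^(?P<label>.*?)(?P<kind>File|RegistryKey): (?P<path>.+)$")

# Label fragments that usually mean "suspicious"/"unwanted" rather than a confirmed trojan (assumption).
PUA_HINTS = ("sus", "keygen", "hacktool", "riskware", "pup", "not-a-virus")


@dataclass
class Detection:
    label: str
    items: List[Tuple[str, str]] = field(default_factory=list)  # (kind, path)


def parse_report(text: str) -> List[Detection]:
    """Group report lines into detections; recovers e.g. 'Win32.Trojan.Clicker.Small.is'."""
    detections: List[Detection] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["label"] or not detections:
            detections.append(Detection(m["label"] or "(unlabelled)"))
        detections[-1].items.append((m["kind"], m["path"]))
    return detections


def context_notes(kind: str, path: str) -> List[str]:
    """Path-based caveats to read before acting on a hit (heuristics, not verdicts)."""
    notes, low = [], path.lower()
    if kind == "RegistryKey":
        notes.append("registry key: nothing to hash or upload; export the value and review it")
    if low.endswith(".lnk"):
        notes.append("shortcut: judge the target it points to, not the .lnk itself")
    if "\\system volume information\\_restore" in low:
        notes.append("System Restore copy: decide on the live file; a restore would bring this back")
    if "uninstall" in low or "\\unins" in low:
        notes.append("uninstaller: quarantining it breaks removal of the host program")
    return notes


def triage(label: str, kind: str, path: str,
           verdicts: Optional[Dict[str, Optional[str]]]) -> dict:
    """Combine the scanner's label, the path context and the multi-engine hit ratio into one call."""
    hits = {e: v for e, v in (verdicts or {}).items() if v}
    total = len(verdicts) if verdicts else 0
    ratio = len(hits) / total if total else 0.0
    names = " ".join([label, *hits.values()]).lower()
    pua = any(h in names for h in PUA_HINTS)
    if verdicts is None:
        verdict = "no multi-engine data: item is not a file that can be submitted"
    elif not hits:
        verdict = "likely false positive: no independent corroboration; report it to the vendor"
    elif ratio < 0.10 and pua:
        verdict = "likely PUA/false positive: lone heuristic hit with 'suspicious' naming"
    elif ratio < 0.10:
        verdict = "weak corroboration: re-scan after the next signature update before acting"
    elif ratio < 0.50:
        verdict = "inconclusive: quarantine (do not delete) and escalate"
    else:
        verdict = "likely malicious: quarantine"
    return {"label": label, "kind": kind, "path": path, "hits": hits,
            "ratio": ratio, "verdict": verdict, "notes": context_notes(kind, path)}


def triage_report(text: str, verdicts_by_path: Dict[str, Dict[str, Optional[str]]]) -> List[dict]:
    return [triage(d.label, kind, path, verdicts_by_path.get(path))
            for d in parse_report(text) for kind, path in d.items]


# Constructed verdict table: 39 engines to match the thread. Only the eSafe verdict on
# awkeygen.exe is taken from the thread; the other engine names are placeholders.
ENGINES = ["eSafe"] + [f"engine{i:02d}" for i in range(1, 39)]
VERDICTS: Dict[str, Dict[str, Optional[str]]] = {
    path: {e: None for e in ENGINES}
    for d in parse_report(SCAN_REPORT) for kind, path in d.items if kind == "File"
}
VERDICTS["D:\\...\\2k9win32\\awkeygen.exe"]["eSafe"] = "Win32.SusKeygen.a"

if __name__ == "__main__":
    for r in triage_report(SCAN_REPORT, VERDICTS):
        print(f"{r['label']:<32} {len(r['hits'])} hit(s)  {r['verdict']}\n    {r['path']}")
        for n in r["notes"]:
            print("    note:", n)
```

Run as a script it prints one verdict per item. The thresholds are policy knobs, not industry constants: a lone hit whose label says "Sus" or "Keygen" is weighted as a suspicious-tool heuristic rather than a confirmed infection, and restore-point copies, shortcuts and uninstallers get caveats because quarantining them has side effects that an engine count alone does not capture.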

  4. #4
    fax

    Re: Suspected false positives during "deep-inspection" scan.

    Hi! No need to post here; you already know perfectly well how to proceed, including the use of VirusTotal. Any security tool is subject to false positives; it's normal. You just need to report it to the producer, as already suggested.

    lalittle wrote:
        Win32.Trojan.Clicker.Small.isFile: D:\...\2k9win32\awkeygen.exe

    ...and this one is a key generator to register Maya, which sounds not really legal. Also note that 'deep inspection' is prone to false positives and is not recommended for a normal scan, but only in case of malware.
    Cheers,
    Fax

    Message Edited by fax on 03-16-2009 08:10 AM

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  5. #5
    lalittle Guest

    Re: Suspected false positives during "deep-inspection" scan.


    fax wrote:
        Hi! No need to post here; you already know perfectly well how to proceed, including the use of VirusTotal.

    Actually, I really don't feel like I know how to proceed since I'm not sure how to act on all the pieces of information.
    My "feeling" is that four 0/39 results and one 1/39 result would clearly point to false positives, and hence that I can assume that ZAX is also giving me false positives on these files, but with my limited experience in this field, and therefore with no point of reference, I honestly don't know if this is a safe assumption or not.
    This is why I'm very interested in hearing other opinions on this subject -- i.e. given all the information I've provided so far, what would the "experts" do?
    My hope in starting this thread is to get feedback from the ZA community on the actions I'm taking in the wake of these specific ZAX alerts.

    fax wrote:
        Any security tool is subject to false positives; it's normal. You just need to report it to the producer, as already suggested.

    Unfortunately, ZA does not appear to have a means (that I could find) of directly submitting files for "spyware" analysis like I could do with "virus" (i.e. Kaspersky) alerts.

    For spyware hits I'm only able to send in a TS form, so at this point I'm hoping they'll reply with a request to send them the files in question.
    I have no idea, however, if this is how the process works, so (once again) feedback from other users could still be quite helpful.
    Thanks,
    Larry

  6. #6
    fax

    Re: Suspected false positives during "deep-inspection" scan.

    Hi! Uuuhm, it looks like I was not clear enough. You have to contact ZA technical support; they are the only ones who can instruct you on how to proceed.
    Cheers,
    Fax


  7. #7
    lalittle Guest

    Re: Suspected false positives during "deep-inspection" scan.


    fax wrote:
        Hi! Uuuhm, it looks like I was not clear enough.
        You have to contact ZA technical support; they are the only ones who can instruct you on how to proceed.
        Cheers, Fax

    Already done -- I'm just waiting to hear back from them.
    In the meantime, I'm still interested in any feedback/discussion from the ZA community on this subject given the info I posted above.

    By getting opinions from other people on the decisions I've made and the information I've obtained so far, I hope to be able to make more informed decisions when running into this type of situation in the future.
    I'll post back with any information I obtain from ZA on this.
    Thanks again,
    Larry

  8. #8
    fax

    Re: Suspected false positives during "deep-inspection" scan.

    Hi! I already gave mine, that is:
    - Do not run deep inspection; it's prone to false positives (unless you are infected).
    - Use VirusTotal to check for false positives.
    - Report to the manufacturer.
    And by the way, this has been posted many times before; no need to re-discuss. Also note that this board is not a discussion forum. We deal with ZA product support issues, not with how the ZA community reacts to issues.
    Cheers,
    Fax


  9. #9
    GeorgeV

    Re: Suspected false positives during "deep-inspection" scan.

    Unfortunately, it seems that LaLittle is regressing back into his old habit of hijacking other users' requests for help and trying to use this forum as a chat/discussion forum. (sigh)
    GeorgeV
    ZoneAlarm® Extreme Security



  10. #10
    lalittle Guest

    Re: Suspected false positives during "deep-inspection" scan.


    GeorgeV wrote:
        Unfortunately, it seems that LaLittle is regressing back into his old habit of hijacking other users' requests for help and trying to use this forum as a chat/discussion forum. (sigh)

    Before any action is taken, please help me to understand where I misstepped so I can rectify the situation.

    I'm honestly trying REALLY hard to never hijack any threads, so if this happened it was a misunderstanding and I apologize.
    My posts to other users' threads have been sincere attempts to help.
    I'm perfectly willing to alter my posting habits appropriately in order to stay within the guidelines and intent of this forum, but I sincerely don't know where I hijacked a thread.

    I'm the starter of this thread we're in, so I assume you're referring to a different thread, but I'm not sure which one.
    I've been posting a lot lately because I just upgraded from ZASS 7 to ZAX 8 and there is a lot of new stuff that I'm trying to get a better understanding of.
    I've also been trying to "give back" by trying to help other users in situations where I've run into the same issues -- I've shared my experiences in the hope that it might help them solve the problem.
    The bottom line is that I'm asking for help and guidance here.

    I would very much like to remain a contributor/user of this forum, so please help me out to understand where I hijacked any threads so I can fix the situation.
    Thanks,
    Larry
