
Thread: [SOLVED] ZA ISS missed a trojan --> False Positive

  1. #1
    Join Date
    Apr 2010
    Posts
    11

    Question [SOLVED] ZA ISS missed a trojan --> False Positive

    Hi there Gurus.
    I have been using ZA ISS 9.037 (the latest) on XP pro & home (3 PCs) for about a year now.

    I downloaded a RAR file viewer "Portable" and tested it in PC then placed it in my thumb drive.
    Did not receive any alerts from ZA whatsoever.

    Took it to work that uses Symantec AV. Plugged it in and clicked on the folder that RAR portable was, and bingo, all sorts of warnings, deletion and notification of Network admins (I know I am going to pay for it), etc etc.

    What is ZA doing? Is not ZA ISS AV to catch upon a file access?
    Now, I have to go home & deep scan xp pro & home versions hoping ZA AV will find bunch of them trojans like the one below:

    Filename: WinRAR viewer Portable.exe
    Risk: Trojan.ADH
    Action: Deleted
    Risk Type: File
    Original Location: F:xxxxx
    Computer: xxxxxx1
    User: xxxxxx
    Status: Deleted
    Current Location: Deleted
    Primary Action: Clean security risk
    Secondary Action: Delete
    Logged By: Auto-Protect scan
    Action Description: The file was deleted successfully
    Date and Time: 4/8/2011 6:48 AM

    Thanks for listening.
    Mike

  2. #2
    Join Date
    Jun 2006
    Location
    The 3rd Coast - South Central Texas
    Posts
    10,470

    Default Re: ZA ISS missed a trojan

    Follow ALL the steps as detailed here:
    Malware Clean-up Guidance


    After cleaning it up please review this post:

    xyz was not detected. What I should do?
    GeorgeV
    ZoneAlarm® Extreme Security


    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,291

    Default Re: ZA ISS missed a trojan

    Upload the file to virustotal.com. If Kaspersky does not detect it, then send it to them (instructions in GeorgeV's message); if it does detect it, then your ZA is not working correctly.

    If you downloaded the RAR portable from a trusted source then it could also be a false positive by the other antivirus.

    Cheers,
    Fax


  4. #4
    Join Date
    Apr 2010
    Posts
    11

    Default Re: ZA ISS missed a trojan

    Thanks Gurus.

    I uploaded it to virustotal.com and looks like a few people have reported it already, this is what I got:

    File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
    MD5:04d667b4fb36982e9790618c478537a2
    Date first seen:2009-08-20 16:17:32 (UTC)
    Date last seen:2010-12-02 06:52:18 (UTC)
    Detection ratio:25/43
    What do you wish to do?

    And upon requesting more info I got what Kaspersky Version 7.0.0.125 reports:
    Constructor.Win32.Joiner.fw

    So, what am I doing wrong with ZA that did not catch this?
    I have not changed any default setting of AV part of ZA.
    Now that I am at home I can copy/paste ZA "about" data:

    ZoneAlarm Security Suite version:9.3.037.000
    TrueVector version:9.3.037.000
    Driver version:9.1.522.000
    Anti-virus engine version:8.0.2.48
    Anti-virus signature DAT file version:1049136448
    AntiSpam version:6.0.0.2383
    ZoneAlarm Browser Security 1.5.152.14
    ZoneAlarm ForceField Spyware Scanner 1.5.53.235
    ZoneAlarm ForceField Anti-Phishing Database 1.2.104.0
    ZoneAlarm ForceField Spyware Sites Database 04.155

    Is there a secret for setting up ZA so it will catch this type of virus?
    Do I replace it with another AV app that may do its job?

    Thanks
    Mike

  5. #5
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,291

    Default Re: ZA ISS missed a trojan

    Re-check with virustotal by uploading it to virustotal. Do not rely on old uploads. Are you actually scanning the file with the right mouse button? If not, this can explain it.
    If your ZA does not detect it then your ZA has a problem. Running any other security tool? It may conflict with ZA.

    Please contact the official technical support and report the issue. All users here...

    Thanks,
    Fax
    Last edited by fax; April 10th, 2011 at 07:17 AM.


  6. #6
    Join Date
    Apr 2010
    Posts
    11

    Default Re: ZA ISS missed a trojan

    I am aware that users are helping users.
    I am not "complaining".
    Just looking to see if this is something that has already happened, and there may be a solution, maybe a setting that I have wrong.

    I have set ZA to check for updates every 30 minutes. Scan mode is "super",
    and scan all of C, D, E drives.

    I did upload a copy to Virustotal, and already posted the reply I got.

    I do right click the "offending" file and select "scan with Za av" and I receive a message that one item scanned & 0 virus found.

    I do have "Spybot Search & Destroy" that does not report any trojan.

    I guess I will delete the file for now.

    Thanks

    Mike

  7. #7
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,291

    Default Re: ZA ISS missed a trojan

    The scanning is back to February 2010. You need to rescan it as of April 2011 to be sure the detection has not changed. Sorry if I was not clear. Only this way can you confirm that there is something wrong. Otherwise it's like comparing pears with apples (a year-old detection database with the current one).

    The ZA settings you reference are not related to the on-access scanning so they are uninfluential.

    Thanks,
    Fax
    Last edited by fax; April 11th, 2011 at 12:07 AM.


  8. #8
    Join Date
    Apr 2010
    Posts
    11

    Default Re: ZA ISS missed a trojan

    Thanks Gurus.
    Well I did submit the zipped file with password "virus" to Kaspersky virus lab and got an email that the file is clean.
    So this means (probably) that Symantec issued a false positive.
    Well Da..n you Symantec for ruining a good weekend for me.

    ~~snip~~

    Mike
    Last edited by fax; April 12th, 2011 at 07:53 AM. Reason: offtopic

  9. #9
    Join Date
    Jun 2006
    Location
    The 3rd Coast - South Central Texas
    Posts
    10,470

    Post Re: ZA ISS missed a trojan

    You're Welcome..

    I'm Glad to see Kaspersky resolved your Concerns..

    Hackers and Spammer BOTS have increased their Attacks on Public Forums requiring counter measures to defeat BOT Attacks..

    This link from the Offtopic area will explain the reason for this inconvenience..

    http://forum.zonealarm.com/showthread.php?t=72855
    GeorgeV
    ZoneAlarm® Extreme Security



  10. #10
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,291

    Default Re: ZA ISS missed a trojan

    Ok! Issue then resolved ...
    Changing the title of the thread and closing it.

