Thread: [SOLVED] Trojan-Spy.Win32.Agent.bloy possible false positive

  1. #1
    Join Date: Jul 2005, Posts: 46

    [SOLVED] Trojan-Spy.Win32.Agent.bloy possible false positive

    I'm using the latest ZAISS version with the latest updates. I usually do a complete scan of my hard drive several times per year, maybe 8 on average. I use the deepest settings I can (currently Super Scan mode and, in Scan Options, Riskware, ADS and heuristics enabled, the other 3 checkboxes disabled) and leave the computer unattended.

    The Trojan-Spy.Win32.Agent.bloy has been found in a Win98 driver (driver_usb20_nvidia_9xme_v2.1.3.exe) of a motherboard (Gigabyte GA-7N400-L) that I used from Jan 2004 to Jul 2007. The rig with that mobo worked fine and no virus was ever found there (with McAfee). I sold that computer in 2007 and built my now secondary one (Athlon X2 5000+) that runs XP and ZAISS. In Sep 2009 I built my now main computer (Phenom II X4 955) that runs Vista and XP, ZAISS in both. No viruses have ever been found in any of the computers involved, although the file has been stored in every one of them for years and passed many antivirus scans.

    Every computer had or has one partition meant to store drivers, installers, documents etc. that I back up quite frequently to rewritable DVDs, and I have these files in these partitions. Since Sep 2009 I've been maintaining and updating the one in my main computer, which I use daily, but the one in my secondary rig is mostly stuck with what it had back then. I turn it on for about one two-hour session per week.

    However, the virus has been detected in all three copies of the file: in my main computer, in the backup DVD and in the secondary computer.

    The file in question is a compressed archive with many files inside, as usual with drivers. I've managed to uncompress it to a folder on my secondary computer, and the virus has been detected in \usb20_9x\9x_me\driver\Setup.exe.

    The file isn't very important, but doesn't this sound like a false positive? Any way to double-check?

  2. #2
    Join Date: Nov 2004, Location: localhost, Posts: 17,287

    Re: Trojan-Spy.Win32.Agent.bloy possible false positive

    Originally Posted by factor:
        Any way to double check?
    How to diagnose and/or report antivirus/antispyware false positives

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    Join Date: Jul 2005, Posts: 46

    Re: Trojan-Spy.Win32.Agent.bloy possible false positive

    Thanks. VirusTotal reported that the file had been submitted there in the past. In the last report generated before "mine", 1 of 34 or 39 engines reported something different from "-", but I cannot remember the details, and now the last report is the one generated upon my request afterwards (I was concentrating on working out whether I'm supposed to do anything about the MD5 displayed, but I don't have any app to generate it and I didn't find any that looked trustworthy enough; I downloaded one anyway, but the ZAISS regular scan of d/l files didn't report that the app was safe and the deeper scan advised deleting it, which I did).

    In the report generated "by me", 1 (Ikarus) of 41 engines reports it as "Trojan-Spy.Win32.Agent"; the other 40 report "-". Most engines, the discordant one included, are updated as of 2010-11-20 (today), a few as of 2010-11-19, one as of 2010-11-18 and one as of 2010-11-09.

    Is this enough to send it to Kaspersky as a false positive?

  4. #4
    Join Date: Nov 2004, Location: localhost, Posts: 17,287

    Re: Trojan-Spy.Win32.Agent.bloy possible false positive

    Originally Posted by factor:
        In the report generated "by me", 1 (Ikarus) of 41 engines reports it as "Trojan-Spy.Win32.Agent"; the other 40 report "-". Most engines, the discordant one included, are updated as of 2010-11-20 (today), a few as of 2010-11-19, one as of 2010-11-18 and one as of 2010-11-09.

        Is this enough to send it to Kaspersky as a false positive?

    If this is the case, ZA should not detect it either, since it uses Kaspersky. Unless you are referring to the ZA heuristics, which do not name threats the way you describe in the title. So either your ZA is not updating correctly or you are using an old version 8.

    In the antivirus section you will find a sticky post about ZA heuristics.


  5. #5
    Join Date: Jul 2005, Posts: 46

    Re: Trojan-Spy.Win32.Agent.bloy possible false positive

    Sorry, I should have mentioned it before, but Kaspersky isn't among the engines. Here's the report:

    Engine Version Updated Result
    AhnLab-V3 2010.11.20.00 2010.11.19 -
    AntiVir 7.10.14.55 2010.11.19 -
    Antiy-AVL 2.0.3.7 2010.11.20 -
    Avast 4.8.1351.0 2010.11.20 -
    Avast5 5.0.594.0 2010.11.20 -
    AVG 9.0.0.851 2010.11.20 -
    BitDefender 7.2 2010.11.20 -
    CAT-QuickHeal 11.00 2010.11.09 -
    ClamAV 0.96.4.0 2010.11.20 -
    Command 5.2.11.5 2010.11.20 -
    Comodo 6785 2010.11.20 -
    DrWeb 5.0.2.03300 2010.11.20 -
    eSafe 7.0.17.0 2010.11.18 -
    eTrust-Vet 36.1.7989 2010.11.20 -
    F-Prot 4.6.2.117 2010.11.20 -
    F-Secure 9.0.16160.0 2010.11.20 -
    Fortinet 4.2.254.0 2010.11.20 -
    GData 21 2010.11.20 -
    Ikarus T3.1.1.90.0 2010.11.20 Trojan-Spy.Win32.Agent
    Jiangmin 13.0.900 2010.11.20 -
    K7AntiVirus 9.68.3041 2010.11.20 -
    McAfee 5.400.0.1158 2010.11.20 -
    McAfee-GW-Edition 2010.1C 2010.11.20 -
    Microsoft 1.6402 2010.11.19 -
    NOD32 5635 2010.11.20 -
    Norman 6.06.10 2010.11.20 -
    nProtect 2010-11-20.01 2010.11.20 -
    Panda 10.0.2.7 2010.11.20 -
    PCTools 7.0.3.5 2010.11.20 -
    Prevx 3.0 2010.11.20 -
    Rising 22.74.04.00 2010.11.20 -
    Sophos 4.59.0 2010.11.20 -
    SUPERAntiSpyware 4.40.0.1006 2010.11.20 -
    Symantec 20101.2.0.161 2010.11.20 -
    TheHacker 6.7.0.1.087 2010.11.20 -
    TrendMicro 9.120.0.1004 2010.11.20 -
    TrendMicro-HouseCall 9.120.0.1004 2010.11.20 -
    VBA32 3.12.14.2 2010.11.19 -
    VIPRE 7362 2010.11.20 -
    ViRobot 2010.11.20.4158 2010.11.20 -
    VirusBuster 13.6.51.0 2010.11.20 -


    About my ZAISS (I detected this under Vista SP2 on my main computer and I haven't booted into its XP SP3 install since, but it also has version 9.3.014.000; I updated both at the same time):

    ZoneAlarm Security Suite version 9.3.014.000
    TrueVector security engine version 9.3.014.000
    Driver version 9.1.522.000
    Anti-virus/Anti-spyware engine version 8.0.2.48, DAT file version 1031051744
    AntiSpam version 6.0.0.2383
    ZoneAlarm Browser Security 1.5.152.10


    Don't heuristic findings start with or contain "HEUR"?

    --------------------------------------------------------------------------------------

    Well, I decided to abuse VirusTotal a bit and requested another analysis, which turned out a bit different: 3 of 43 engines, including Kaspersky, have detected a positive:

    Engine Version Updated Result
    AhnLab-V3 2010.11.21.00 2010.11.20 -
    AntiVir 7.10.14.55 2010.11.19 -
    Antiy-AVL 2.0.3.7 2010.11.21 -
    Avast 4.8.1351.0 2010.11.20 -
    Avast5 5.0.594.0 2010.11.20 -
    AVG 9.0.0.851 2010.11.20 -
    BitDefender 7.2 2010.11.21 -
    CAT-QuickHeal 11.00 2010.11.09 -
    ClamAV 0.96.4.0 2010.11.20 -
    Command 5.2.11.5 2010.11.20 -
    Comodo 6785 2010.11.20 -
    DrWeb 5.0.2.03300 2010.11.21 -
    Emsisoft 5.0.0.50 2010.11.20 Trojan-Spy.Win32.Agent!IK
    eSafe 7.0.17.0 2010.11.18 -
    eTrust-Vet 36.1.7989 2010.11.20 -
    F-Prot 4.6.2.117 2010.11.20 -
    F-Secure 9.0.16160.0 2010.11.20 -
    Fortinet 4.2.254.0 2010.11.20 -
    GData 21 2010.11.21 -
    Ikarus T3.1.1.90.0 2010.11.20 Trojan-Spy.Win32.Agent
    Jiangmin 13.0.900 2010.11.20 -
    K7AntiVirus 9.68.3041 2010.11.20 -
    Kaspersky 7.0.0.125 2010.11.21 Trojan-Spy.Win32.Agent.bloy
    McAfee 5.400.0.1158 2010.11.21 -
    McAfee-GW-Edition 2010.1C 2010.11.20 -
    Microsoft 1.6402 2010.11.19 -
    NOD32 5635 2010.11.20 -
    Norman 6.06.10 2010.11.20 -
    nProtect 2010-11-20.01 2010.11.20 -
    Panda 10.0.2.7 2010.11.20 -
    PCTools 7.0.3.5 2010.11.20 -
    Prevx 3.0 2010.11.21 -
    Rising 22.74.04.00 2010.11.20 -
    Sophos 4.59.0 2010.11.20 -
    SUPERAntiSpyware 4.40.0.1006 2010.11.20 -
    Symantec 20101.2.0.161 2010.11.21 -
    TheHacker 6.7.0.1.087 2010.11.20 -
    TrendMicro 9.120.0.1004 2010.11.20 -
    TrendMicro-HouseCall 9.120.0.1004 2010.11.21 -
    VBA32 3.12.14.2 2010.11.19 -
    VIPRE 7365 2010.11.21 -
    ViRobot 2010.11.20.4158 2010.11.20 -
    VirusBuster 13.6.51.0 2010.11.20 -


    So I won't report a false positive unless I'm advised to do so. I am now more interested in this point (reporting a false positive or not) than in the file itself (I've managed to get an equivalent one from Gigabyte's website in case I decide to keep such old stuff, but I'm starting to think that it's pointless and that my backups need some cleaning).
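As an added example (not code from the thread, ZoneAlarm or VirusTotal): a small Python script that parses VirusTotal text reports in the "Engine Version Updated Result" layout quoted above, computes the detection ratio, lists engines that newly flag the file between two scans (the 1/41 to 3/43 change discussed here), and computes the MD5 and SHA-256 that VirusTotal displays using only the standard library. The report lines are a constructed sample based on the thread; the function names are my own.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample: a few lines in the VirusTotal text layout quoted in the thread.
# In the first report Kaspersky was not among the engines at all.
REPORT_1 = """\
AhnLab-V3 2010.11.20.00 2010.11.19 -
Ikarus T3.1.1.90.0 2010.11.20 Trojan-Spy.Win32.Agent
McAfee 5.400.0.1158 2010.11.20 -
"""
REPORT_2 = """\
AhnLab-V3 2010.11.21.00 2010.11.20 -
Emsisoft 5.0.0.50 2010.11.20 Trojan-Spy.Win32.Agent!IK
Ikarus T3.1.1.90.0 2010.11.20 Trojan-Spy.Win32.Agent
Kaspersky 7.0.0.125 2010.11.21 Trojan-Spy.Win32.Agent.bloy
McAfee 5.400.0.1158 2010.11.21 -
"""


def parse_report(text: str) -> Dict[str, str]:
    """Map engine name -> verdict; '-' means the engine reported nothing.
    Each line is 'Engine Version UpdateDate Verdict'; only the verdict may
    contain spaces, so split at most three times."""
    verdicts: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue  # blank or truncated line
        engine, _version, _updated, verdict = parts
        verdicts[engine] = verdict
    return verdicts


def detections(verdicts: Dict[str, str]) -> Dict[str, str]:
    """Only the engines that flagged the file."""
    return {e: v for e, v in verdicts.items() if v != "-"}


def ratio(verdicts: Dict[str, str]) -> str:
    """Detection ratio in VirusTotal's 'hits/engines' form."""
    return f"{len(detections(verdicts))}/{len(verdicts)}"


def newly_flagged(old: Dict[str, str], new: Dict[str, str]) -> List[str]:
    """Engines flagging the file now that did not (or were absent) before."""
    return sorted(e for e in detections(new) if old.get(e, "-") == "-")


def digests(data: bytes) -> Tuple[str, str]:
    """MD5 and SHA-256 hex digests, so the MD5 VirusTotal shows can be
    compared locally without a third-party hashing tool."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()
```

To hash a real file, pass `open(path, "rb").read()` to `digests()` and compare the MD5 with the one in the VirusTotal report before deciding whether the result applies to your copy.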

  6. #6
    Join Date: Nov 2004, Location: localhost, Posts: 17,287

    Re: Trojan-Spy.Win32.Agent.bloy possible false positive

    Uuuhm, I am quite lost about all of this... If the last scan with VirusTotal is the valid one, then follow up with Kaspersky to report the false positive. The modalities are explained in this post:
    How to diagnose and/or report antivirus/antispyware false positives

    You will get an answer from a malware analyst about it, and if it is a false positive it will be fixed.

    Originally Posted by factor:
        Don't heuristic findings start with or contain "HEUR"?

    No, that is still Kaspersky. I am referring to this. But you get this option only if you download from the internet.
