Thread: Issue on False Pos. / False Neg. - Hosts file + Misc Suggestions

  1. #1
    markfilipak Guest

    Issue on False Pos. / False Neg. - Hosts file + Misc Suggestions

    Feedback to ZoneAlarm Developers...

    OS: WinXP-Pro
    Browser: Firefox 12.0
    Sandbox: Sandboxie 3.54
    URL: http: ~~snip~~
    Downloaded file: WECPSetup.exe

    Issue #1, Stealing the Focus: In sandbox (browser AND destination folder), while attempting to rename the file prior to saving it, ZoneAlarm's scanner stole the focus, and my keystrokes went into the scanner instead of into the filename box. Several unexpected things happened. STEALING THE FOCUS LIKE THAT IS DANGEROUS!! IT SHOULD NOT BE DONE!! (I won't tell the story about how an overly eager disk management program once stole the focus from my text editor to tell me that the disk check was complete and asking what I wanted to do next, just as I hit the "F" key.) Suggestion: Allow the disk save to complete (no harm there) AND THEN tell me about the virus detection. ...And, Yes, I'm going to make the entire sandbox off limits to the real-time scanner in the future.

    Issue #2, Mystifying Scanner Report: What am I to make of "not-a-virus: WebToolbar.Win32.InstallCore.a" in the following report?
    File name: WECPSetup.exe
    Virus name: not-a-virus: WebToolbar.Win32.InstallCore.a
    Type: Virus
    Risk: ! Action required
    Path: E:\Sandbox\Mark_Filipak\DefaultBox\drive\F\Games\WECPSetup.exe

    Issue #3, Strange Help: In an attempt to fathom what "not-a-virus: WebToolbar.Win32.InstallCore.a" meant, I clicked the "Antivirus Resources" link ("For additional virus information and assistance, visit us at the link:") in the status bar of the Antivirus/Anti-spyware Scan popup. I then had to allow a non-sandboxed browser to be launched--Gasp!--and I was taken here:
    The page totally mystified me and didn't seem to have any bearing on the virus detection I'd just experienced. Certainly, it didn't answer what "not-a-virus: WebToolbar.Win32.InstallCore.a" meant.

    So, I joined this forum. ...And, Yes, I understand why ZoneAlarm didn't know I already had a web browser running in the sandbox.

    ~~snip~~

    Thanks for the bandwidth - Mark.
    Last edited by fax; June 17th, 2012 at 09:21 AM. Reason: de-link adware +offtopic

  2. #2
    Join Date: Nov 2004 | Location: localhost | Posts: 17,284

    Re: Strange behavior - sandboxed

    Hi!

    Sorry ZA development does not monitor this board. All users here.

    Issue 1: Sounds like it is by design. The tool is drawing your attention to a possible threat. This is normally done front screen. Can you imagine instead getting a hidden window about you being infected by a virus? I would personally find it, to say the least, undesirable. But we are all users here. If you do not like it then you need to report it directly to ZA support. The more reports from users, the more likely they will look into it.

    Issue 2: ZA uses Kaspersky as AV engine. For an explanation of what a "not a virus" is, see here: http://www.securelist.com/en/threats/detect/apr. Thousands of new malware threats and the like are discovered every day. Unfortunately it is not possible to develop a description for each of them. Malware analysts would spend more time writing than detecting the viruses out there.

    Please note that ZA is not the only one detecting that file as "adware":

    AntiVir ADWARE/Adware.Gen 20120606
    Antiy-AVL Trojan/win32.agent.gen 20120606
    BitDefender Application.InstallCore.E 20120606
    CAT-QuickHeal Trojan.InstallCore.a 20120605
    Comodo ApplicUnwnt.Win32.AdWare.InstallCore.1 20120606
    Emsisoft Riskware.WebToolbar.Win32.InstallCore!IK 20120606
    F-Secure Application.InstallCore.E 20120606
    Fortinet Riskware/InstallCore.AAAA 20120606
    GData Application.InstallCore.E 20120606
    Ikarus not-a-virus.WebToolbar.Win32.InstallCore 20120606
    Jiangmin AdWare/InstallCore.cu 20120605
    Kaspersky not-a-virus:WebToolbar.Win32.InstallCore.a 20120605
    NOD32 a variant of Win32/InstallCore.H 20120605
    Norman W32/InstallCore.BJB 20120605
    nProtect Application.InstallCore.E 20120605
    Rising AdWare.Win32.InstallCore.i 20120604
    VBA32 AdWare.InstallCore.gen 20120605

    If you are happy about having adware installed on the system then you can set ZA to ignore the threat and/or the file, see the below link:
    How to diagnose and/or report antivirus/antispyware false positives

    Thanks,
    Fax
    P.S. It is good practice to at least post minimal information about the ZA version being used. When you post please attach the ZA information you find by right clicking the ZA icon near the clock --> about --> copy to clipboard --> paste it here (remove license details).
    Last edited by fax; June 17th, 2012 at 09:50 AM. Reason: de-link + offtopic

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays
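    As an added example (not from this thread, ZoneAlarm or any vendor), the quick triage a defender can script over a multi-engine listing like the one quoted above: parse each engine's line, strip the category and platform words vendors prepend, then count how many engines agree on one family name and how many label the file adware/PUP rather than virus or trojan. The sample lines are constructed from the list in the post above; the category word sets and the "5 or more characters" family rule are my own assumptions, not vendor naming policy.

```python
import re
from collections import Counter
# Constructed sample: the multi-engine detection listing quoted in the post
# above, one "engine  detection-name  signature-date" entry per line.
SAMPLE = """\
AntiVir ADWARE/Adware.Gen 20120606
Antiy-AVL Trojan/win32.agent.gen 20120606
BitDefender Application.InstallCore.E 20120606
CAT-QuickHeal Trojan.InstallCore.a 20120605
Comodo ApplicUnwnt.Win32.AdWare.InstallCore.1 20120606
Emsisoft Riskware.WebToolbar.Win32.InstallCore!IK 20120606
F-Secure Application.InstallCore.E 20120606
Fortinet Riskware/InstallCore.AAAA 20120606
GData Application.InstallCore.E 20120606
Ikarus not-a-virus.WebToolbar.Win32.InstallCore 20120606
Jiangmin AdWare/InstallCore.cu 20120605
Kaspersky not-a-virus:WebToolbar.Win32.InstallCore.a 20120605
NOD32 a variant of Win32/InstallCore.H 20120605
Norman W32/InstallCore.BJB 20120605
nProtect Application.InstallCore.E 20120605
Rising AdWare.Win32.InstallCore.i 20120604
VBA32 AdWare.InstallCore.gen 20120605
"""

LINE = re.compile(r"^(\S+)\s+(.+?)\s+(\d{8})$")
# Category/platform words vendors prepend to a name (assumed set); none is a family.
CATEGORY = {"adware", "application", "applicunwnt", "riskware", "trojan",
            "not-a-virus", "webtoolbar", "win32", "w32", "a", "variant", "of"}
# Category words that mean "unwanted program", not "virus", in vendor naming.
PUP = {"adware", "application", "applicunwnt", "riskware", "not-a-virus"}

def tokens(name):
    return [t for t in re.split(r"[^A-Za-z0-9-]+", name) if t]

def family(name):
    """First non-category token of 5+ chars; shorter leftovers such as
    E, BJB, AAAA, cu or gen are variant suffixes, not family names."""
    for tok in tokens(name):
        if tok.lower() not in CATEGORY and len(tok) >= 5:
            return tok
    return None

def summarize(text):
    """Count engines, find the family most of them agree on, and count how
    many label the file as a PUP/adware rather than a virus or trojan."""
    names = [m.group(2) for m in map(LINE.match, text.splitlines()) if m]
    fam, agree = Counter(map(family, names)).most_common(1)[0]
    pup = sum(1 for n in names if PUP & {t.lower() for t in tokens(n)})
    return {"engines": len(names), "family": fam, "agree": agree, "pup": pup}
```

On the quoted list this reports 15 of 17 engines agreeing on "InstallCore" and 13 of them using an adware/PUP category word, which is the pattern of a consistent adware detection rather than a false positive.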

  3. #3
    markfilipak Guest

    Re: Strange behavior - sandboxed

    Hi Fax,

    ZoneAlarm Free Antivirus + Firewall version: 10.2.047.000
    vsmon version: 10.2.047.000
    Driver version: 10.2.047.000
    Antivirus engine version: 8.2.11.97
    Antivirus signature DAT file version: 1087419328
    Web Identity Protections version: 1.5.388.0

    I appreciate the time you spent responding. It's important to me that you clearly understand the issues:

    ~snip~

    One column says "Virus name: not-a-virus:..." while the very next column says "Type: Virus". Huh? Surely you can see how confusing that is. It's not a virus or it's a virus. It can't be both, so which is it?

    And where are the links for reporting false positives?

    Thanks - Mark.
    Last edited by GeorgeV; September 11th, 2012 at 05:48 PM. Reason: offtopic

  4. #4
    Join Date: Nov 2004 | Location: localhost | Posts: 17,284

    Re: Strange behavior - sandboxed

    Hi!

    Maybe I was not clear enough. I will try again.

    1. You need to report the false positive to the hosts file creator, not ZA support, and obviously remove the entries in the hosts file before contacting ZA support. The cookie created is for recording your ticket number so that next time you log into ZA live chat the number is recalled. There is no spyware whatsoever and no tracking aside from your support tickets, which is actually there to help you! For more general information on cookies please see here: http://en.wikipedia.org/wiki/HTTP_cookie

    Please note that ZAfree does not offer free support. Sorry. If you had posted your configuration from the beginning we could have saved some misleading suggestions. You may want to use the section named "ZoneAlarm Product Feedback" to post any changes you would like to see in future versions of ZA. This section may be reviewed by ZA staff from time to time.

    2. The name is the reference (NOT-A-VIRUS); the other column is the general category. There is no false positive, as the detection is related to adware and confirmed by several other scanners. The link to report false positives (by the AV scanner) was already given to you in my previous post. Please read more carefully towards the end of my previous message.

    Hope it is clearer now.

    Relax, sit back, no paranoia, and enjoy your free ZA. Unless you are still confused I will soon close this thread, since we have said all that can be said about it.

    Thanks,
    Fax
    Sorry, some offtopic remarks/comments from your previous posts needed to go. I am moving this thread to the free section as it was posted in the wrong part of the forum.
    Last edited by fax; June 17th, 2012 at 09:53 AM. Reason: zafree add info + spelling


  5. #5
    Join Date: Jun 2006 | Location: The 3rd Coast - South Central Texas | Posts: 10,461

    Re: Strange behavior - sandboxed

    Quote Originally Posted by markfilipak View Post
    Hi Fax,

    ZoneAlarm Free Antivirus + Firewall version: 10.2.047.000

    #2: One column says "Virus name: not-a-virus:..." while the very next column says "Type: Virus". Huh? Surely you can see how confusing that is. It's not a virus or it's a virus. It can't be both, so which is it?

    And where are the links for reporting false positives?

    Thanks - Mark.

    How to Submit Suspicious Files and False Positives
    There is a sticky thread in the antivirus section,
    click here: http://forums.zonealarm.com/showthread.php?t=70505
    Last edited by GeorgeV; September 11th, 2012 at 05:44 PM.

  6. #6
    markfilipak Guest


    Thank you. I didn't recognize the links because they don't look like links (not underlined). Suggestion: put this link in the ZA scanner so that users can challenge a virus determination (you can call it a false positive, but I can't because I am not a tester).

    Thanks GeorgeV, but how am I to know this is a false positive? ...Think about it.

    Does Check Point focus test ZA? I have lots of suggestions that would, 1, better inform & empower users, and 2, cut down on support. But there doesn't appear to be any way to make suggestions.

    Okay, I submitted psexec.exe to http://www.virustotal.com/

    Only 3 of 42 AV products (ClamAV, Kaspersky, and Sophos) finger this program. What am I to conclude from that?

    PsExec.exe is from Mark Russinovich (Sysinternals). I'm confident that Russinovich is not distributing viruses, but someone else may have injected a virus into it. I have 2 of them, one from Sysinternals and one from Bart Lagerweij (Bart's PE Builder). Both of these gentlemen are well-known technologists. The two files compare true, so I can confidently declare it to be a false positive.

    In tiny print at the bottom of the page, Kaspersky has a "Send us a suspected virus" email link: newvirus@kaspersky.com.

    To get the email through Googlemail I had to MIME encode the file (psexec.exe.b64), but I got it to them.

    Do you have any other suggestions?

    (This process could be made a lot easier...)

    Sky Soldiers,

    I went back to virustotal.com and forced it to rescan psexec.exe. This time ClamAV dropped out so now only 2 of 42 AV products (Kaspersky & Sophos) finger this program.
    Last edited by fax; June 17th, 2012 at 11:16 PM. Reason: reduce size

  7. #7
    Join Date: Aug 2009 | Location: Texas Gulf Coast | Posts: 1,643

    Re: Strange behavior - sandboxed - ZAfree + AV 10.2.047.000

    Quote Originally Posted by markfilipak View Post
    how am I to know this is a false positive?

    any way to make suggestions.
    VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware. You can upload a file to scan.

    https://www.virustotal.com/#file

    FAQ : https://www.virustotal.com/faq/

    Only 3 of 42 AV products (ClamAV, Kaspersky, and Sophos) finger this program. What am I to conclude from that?

    Most likely false positive.

    You could try the following to send to Kaspersky.

    Windows XP default compression program:

    Right click on the file you would like to include in the zip file,
    Select "Send To" and then "Compressed (zipped) Folder". This will create the zip file.
    Double-click the zip file.
    Select "File" and then "Add a password".
    Set the password to: infected.
    Send an email to newvirus@kaspersky.com with the zip file as an attachment.

    You could try User Survey : ZoneAlarm values your opinion and feedback on ZoneAlarm products.

    http://osalerts.zonealarm.com/osanal...n&rtab=details

    Have a nice Day
    Last edited by Sky Soldiers; June 17th, 2012 at 06:03 PM.
