PestPatrol - false positive
one111
November 3rd, 2006, 04:47 AM
I just did a scan with PestPatrol and it found
scvhost.exe in my windows file and identified it as backdoor Xeol.a
I checked it with my antivirus, antitrojan and antispyware programs as
well as a check on Jotti and nothing was found. Can I assume that this is a False Positive?
Inspector Clouseau
November 3rd, 2006, 04:48 AM
No. There is no system file called "scvjost.exe".
Please send this file to mike [at] f-prot.com and i'll have later a look at it.
aigle
November 3rd, 2006, 06:26 AM
-{ Quote: "I just did a scan with PestPatrol and it found
scvjost.exe in my windows file and identified it as backdoor Xeol.a
I checked it with my antivirus, antitrojan and antispyware programs as
well as a check on Jotti and nothing was found. Can I assume that this is a False Positive?" }-
Did u try to upload it to Jotti or virus total?
Inspector Clouseau
November 3rd, 2006, 07:54 AM
It's Backdoor packed with Themida. Yes, it's malicious and you should get rid of it. We'll add it into detection today as well.
one111
November 3rd, 2006, 08:47 AM
Thanks Mike.
But I don't understand why TrojanHunter, Nod32, Norton and Kaspersky
didn't detect it nor did Jotti
Can't we rely on any of these?!
Inspector Clouseau
November 3rd, 2006, 08:55 AM
Eset just gets it in this moment - just sending it via chat to marcos.
Inspector Clouseau
November 3rd, 2006, 08:57 AM
Kaspersky got it also right now via chat.
No idea about trojan hunter. maybe you can submit it there via email somehow.
aigle
November 3rd, 2006, 09:02 AM
Is it possible to see Jotti's or VirusTotal results?
Thanks
one111
November 3rd, 2006, 09:35 AM
I already submitted to Trojan Hunter and am waiting for a response
I didn't make of copy of Jotti's results (sorry about that)
one111
November 4th, 2006, 11:40 AM
One of the lessons I learned from this whole mess (and there are many)
is that I will never make light of PestPatrol again. I've been using it for years and
was contemplating deleting it a number of times because I thought I'd be covered by the rest of my software arsenal. But PestPatrol was the ONLY ONE OUT THERE THAT CAUGHT THIS BACKDOOR (not Trojan Hunter, Kaspersky,
Nod32, Norton, AVG, Jotti's or any of the rest).
I'm amazed!
aigle
November 4th, 2006, 12:21 PM
U are comparing an AS scanner with AV scanners.
The Hammer
November 4th, 2006, 03:39 PM
-{ Quote: "U are comparing an AS scanner with AV scanners." }-Yes he is, so what's your point?
aigle
November 4th, 2006, 06:00 PM
I never used Pest Patrol but always heard about it giving false positives. All I mean is that just one detection by it and not by others will not make it such an excellent scanner, and even in this regard the same file might have been detected by many other AS scanners as well, if tried.
one111
November 4th, 2006, 09:21 PM
There definitely are FP's occasionally with PestPatrol as there are with other
anti spyware and and virus software. In both cases they are usually corrected
by the next update. So?
By the way, I also scanned with AVG anti spyware as well as Counterspy and neither detected it.
And just for the record, PestPatrol is not just an anti spyware but an anti trojan as well. I decided to keep it in my arsenal after all this.
the Tester
November 4th, 2006, 09:36 PM
Pest Patrol detected this when CounterSpy and AVG AS didn't?
Got to give them credit for that. Maybe Pest Patrol is better than I thought.
aigle
November 4th, 2006, 10:04 PM
It's good that PP detected it but as I said u can't decide on a single detection.
Personally I have no experience with it though.
The Hammer
November 5th, 2006, 12:22 AM
-{ Quote: "It's good that PP detected it but as I said u can't decide on a single detection.
Personally I have no experience with it though." }-If it helps him sleep at night he should keep it.
siliconman01
November 5th, 2006, 01:59 AM
New rulesets with detection of this particular malicious file have been issued for TH by Gavin on 4-Nov-06.
one111
November 7th, 2006, 05:07 PM
I can't believe it!
After all this time I did another scan on Jotti and the majority of
programs still haven't detected it. Norton and Kaspersky also let it go by without detection.
What is going on?!
one111
November 7th, 2006, 05:21 PM
This time I saved Jotti's scan
aigle
November 7th, 2006, 05:56 PM
That's strange.
WSFuser
November 7th, 2006, 07:37 PM
That result shows scvhost.exe. The legitimate Windows file is svchost.exe.
I'm wondering why so few programs detected it.
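The point WSFuser makes is the classic one: the sample borrowed a name one letter-swap away from svchost.exe, and it sat in C:\Windows rather than in System32 where the real one lives. The script below is an added example (not code from the thread or from any vendor mentioned in it) of how a defender can triage a process or file listing for exactly that pattern. It assumes a small reference table of well-known Windows binaries and their expected directories, flags names that are within two edits of a known name but are not that name, and separately flags a genuine name running from the wrong directory. The sample paths are constructed for the example.

```python
import ntpath

# Constructed reference table (an assumption for this example): a few Windows
# binaries and the directory each one is expected to run from.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe":  r"C:\Windows\System32",
    "lsass.exe":    r"C:\Windows\System32",
    "csrss.exe":    r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; 'scvhost.exe' vs 'svchost.exe' is 2 (a swap costs two edits)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_path(path: str, max_distance: int = 2) -> dict:
    """Return a verdict for one executable path.

    expected       : known name in its expected directory
    wrong_location : known name running from somewhere else
    lookalike      : unknown name within max_distance edits of a known name
    unknown        : nothing to say from the name alone
    """
    directory, name = ntpath.split(path)
    lname = name.lower()
    ldir = directory.lower().rstrip("\\")
    # Exact matches are checked first so that two genuine names that happen to be
    # close to each other (csrss.exe / lsass.exe) are never reported as lookalikes.
    if lname in KNOWN_SYSTEM_BINARIES:
        expected = KNOWN_SYSTEM_BINARIES[lname].lower()
        verdict = "expected" if ldir == expected else "wrong_location"
        return {"path": path, "verdict": verdict, "mimics": None}
    best = min(KNOWN_SYSTEM_BINARIES, key=lambda k: edit_distance(lname, k))
    if edit_distance(lname, best) <= max_distance:
        return {"path": path, "verdict": "lookalike", "mimics": best}
    return {"path": path, "verdict": "unknown", "mimics": None}


def triage(paths):
    """Classify a batch of paths (e.g. from a process listing) and keep only those worth a look."""
    return [r for r in (classify_path(p) for p in paths)
            if r["verdict"] in ("lookalike", "wrong_location")]


# Constructed sample input: the file from the thread, a legitimate svchost.exe,
# a correctly named copy running from a user profile, and an unrelated program.
SAMPLE_PATHS = [
    r"C:\Windows\scvhost.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\svchost.exe",
    r"C:\Program Files\Editor\notepad2.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PATHS):
        print(finding)
```

Run as-is it reports the scvhost.exe lookalike (mimicking svchost.exe) and the svchost.exe under AppData, and says nothing about the genuine System32 copy. A name check like this is cheap enough to run over every process listing; it is a prompt to look closer, not a verdict, which is why the thread's next step (submitting the file to the vendors) is the right one.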
Perman
November 7th, 2006, 10:09 PM
Hi, folks: Very interesting indeed. I am not even an AV under-expert. But I googled it and found this file IS a well-documented virus/trojan etc. Why on earth do those high-detection-rate AVs not sniff it out? Have they been neutralized? Let me wonder??? ;D
Rossano
November 8th, 2006, 06:37 PM
-{ Quote: "Pest Patrol detected this when CounterSpy and AVG AS didn't?
Got to give them credit for that. Maybe Pest Patrol is better than I thought." }-
Thanks Tester, at least somebody speaking well of PestPatrol... :)
Anyway for any help assistance or problems or malwares not detected let me know...
Cheers
Rossano
farmerlee
November 8th, 2006, 11:15 PM
Are you using pestpatrol? Or are you using the latest CA antispyware version 9 and just calling it pestpatrol?
one111
November 9th, 2006, 02:31 AM
I'm still using Pestpatrol
Why aren't the other anti-virus and anti-spyware programs adding a signature for this?
farmerlee
November 9th, 2006, 05:03 AM
-{ Quote: "I'm still using Pestpatrol
Why aren't the other anti-virus and anti-spyware programs adding a signature for this?" }-
I guess they either don't know about it, don't regard it as a threat or don't care lol.
Anyway, if you are using a licensed copy of pestpatrol you should try out the new ca antispyware 2007 (version 9). The pestpatrol v8 license works with the new version.
Rossano
November 9th, 2006, 05:14 AM
Hi,
well I am researcher and specialist support activity for CA. I come from the old PestPatrol company
Cheers! :)
-Rossano
one111
November 9th, 2006, 05:20 AM
Thanks, I realized that these were the three alternatives but
I was trying to zero them down (-:
I was told not to update yet but this isn't the forum for this discussion
Thanks
And to Rossano regards from Debbie
Rossano
November 9th, 2006, 06:15 AM
You are very welcome Debbi,
for any help on PP let me know! ;)
Cheers!!
-Rossano
aigle
November 9th, 2006, 09:47 AM
Hi Rossano! Welcome to Wilders. First time to see anyone from CA, at least for me.
That's nice!
Rossano
November 9th, 2006, 10:15 AM
My pleasure Aigle :)
EraserHW
November 9th, 2006, 02:11 PM
Nice to see you here Rossano :) heheh :thumb:
Ciao,
Marco
mrhero
November 9th, 2006, 04:20 PM
Hi rossano, Is there a way to install only Pestpatrol w/o CA security center?
Rossano
November 9th, 2006, 05:34 PM
-{ Quote: "Nice to see you here Rossano :) heheh :thumb:
Ciao,
Marco" }-
Hi Marco,
thanks! Well I have seen PP involved so I decided to collaborate here as well... :)
Cheers
Rossano
Rossano
November 9th, 2006, 05:36 PM
-{ Quote: "Hi rossano, Is there a way to install only Pestpatrol w/o CA security center?" }-
Hi MrHero,
well yes there should not be any problem to install only PP. You need to customize the installation process, installing only PP and disabling the other installations. Which version of CA ISS have you got?
-Rossano
farmerlee
November 9th, 2006, 09:48 PM
I've got the latest CA Antispyware v9, is it possible to install that without having the security center?
disinter1
November 10th, 2006, 06:06 AM
Is CA anti-spyware v9 the new 2007 version? And will a license version of pestpatrol 2005 work with the new 2007 version? Thank you!
DarkX
November 10th, 2006, 07:54 AM
As I remember, Pest Patrol 2005 on-access scanner doesn't work under a limited account in XP; I hope the new version works now ::)
Rossano
November 10th, 2006, 09:15 AM
-{ Quote: "I've got the latest CA Antispyware v9, is it possible to install that without having the security center?" }-
CA Antispyware 9 is CA Antispyware 2007. Security Center is present in all CA Security products but it should not be a problem. Which problems does it create to you?
Rossano
Rossano
November 10th, 2006, 09:15 AM
-{ Quote: "As I remember, Pest Patrol 2005 on-access scanner doesn't work under a limited account in XP; I hope the new version works now ::)" }-
Yes it works now
Rossano
Rossano
November 10th, 2006, 09:17 AM
-{ Quote: "Is CA anti-spyware v9 the new 2007 version? And will a license version of pestpatrol 2005 work with the new 2007 version? Thank you!" }-
Yes it is. A valid and not expired license key should work on the new version. Recently we had some licensing issues, but consumer upgrades should not be affected.
Rossano
mrhero
November 10th, 2006, 10:58 AM
-{ Quote: "CA Antispyware 9 is CA Antispyware 2007. Security Center is present in all CA Security products but it should not be a problem. Which problems does it create to you?
Rossano" }-
CA Security Suite is very annoying:-\ . I only want Pestpatrol. I haven't renewed my subscription just for this issue.
Metting
November 10th, 2006, 06:41 PM
To all who were wondering why many AVs, ATs, and ASs have missed this trojan?
The answer is very simple, because the trojan was packed by Themida .
In my personal experience the only antimalware program which is able to detect malwares packed with Themida is AntiVir.
Try it yourself: get a very old and very well known malware, test your AV with it to be sure that it is detectable by it, then pack this same malware with Themida and try your AV again, and you'll be disappointed to see your favourite AV or antimalware's big failure.
I have tried a lot of antimalwares including KAV, NOD, ewido, Norton, McAfee, PC-cillin, SpySweeper, A2, Ad-Aware, Spybot, SAS and others; all of them failed against any malware packed with Themida, the only one who succeeded was AVIRA AntiVir.
No AV or antimalware vendor is talking about their product's weakness against malwares packed with Themida when some customer sends them a sample asking why their product failed against it. They just add a sig of the packed file to their database and tell you that their scanner is able to detect it now! Saying not a single word about the real reason for the failure, which is the Themida runtime packer.
You can easily send your scanner's vendor thousands of samples which they don't detect by simply packing all well-known malwares with Themida!!
I think that this commercial runtime packer is a great challenge to antimalware programs and vendors have to find a real solution.
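Metting's explanation of why signature scanners missed the sample (the original code is wrapped by a runtime packer, so the bytes a static signature was written for never appear on disk) points at the heuristic most triage pipelines use alongside signatures: a packer's output is compressed or encrypted, so its code sections have near-random byte statistics, while ordinary compiled code does not. The script below is an added example, not code from the thread or from any of the products it names. It walks the PE section table, computes the Shannon entropy of each section, and flags executable sections whose entropy is in the packed/encrypted range. The 7.0 bits-per-byte threshold and the section layout of the sample are assumptions for the example; the sample image is constructed in memory with just enough PE structure to parse, it is not a real or loadable executable.

```python
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag from the PE format


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Minimal PE section walker: DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table.
    Yields (name, characteristics, raw_bytes); only the fields needed here are read."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = table + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        chars = struct.unpack_from("<I", image, hdr + 36)[0]
        yield name, chars, image[raw_ptr:raw_ptr + raw_size]


def triage(image: bytes, threshold: float = 7.0):
    """Flag executable sections whose entropy is in the packed/encrypted range.
    High-entropy *data* sections (compressed resources, embedded media) are common in
    legitimate software, so only executable sections count. Threshold is an assumption."""
    findings = []
    for name, chars, data in pe_sections(image):
        ent = shannon_entropy(data)
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        findings.append({
            "section": name,
            "entropy": round(ent, 2),
            "executable": executable,
            "packed_like": executable and ent >= threshold,
        })
    return findings


# ---- constructed sample input (not a real or loadable executable) ----

def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packer's encrypted code."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_sample_image(sections) -> bytes:
    """Assemble just enough PE structure (DOS header, PE signature, COFF header with no
    optional header, section table, raw section data) for pe_sections() to parse."""
    e_lfanew = 0x40
    n = len(sections)
    headers_end = e_lfanew + 4 + 20 + 40 * n
    first_raw = (headers_end + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)  # i386, no optional header
    table, body, ptr = b"", b"", first_raw
    for name, data, chars in sections:
        table += name.ljust(8, b"\0")[:8] + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, chars)
        body += data
        ptr += len(data)
    return (dos + b"PE\0\0" + coff + table).ljust(first_raw, b"\0") + body


SAMPLE_IMAGE = build_sample_image([
    (b".text",   b"push ebp; mov ebp, esp; pop ebp; ret\n" * 150, IMAGE_SCN_MEM_EXECUTE),  # plain code stand-in
    (b".data",   _pseudo_random(2048),                             0x40000040),             # initialized data, readable, not executable
    (b".packed", _pseudo_random(8192),                             IMAGE_SCN_MEM_EXECUTE),  # encrypted-code stand-in
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_IMAGE):
        print(finding)
```

Run on the constructed image it reports .text as ordinary code, leaves the high-entropy .data section alone because it is not executable, and flags .packed. Two caveats belong with any such heuristic: Themida and similar protectors are also used by legitimate commercial software, so a hit justifies a closer look (or, as in this thread, a submission to the vendor), not a verdict on its own; and a scanner that only matches the packed bytes will, exactly as Metting describes, need a new signature for every repacked copy, whereas emulating or unpacking the sample before scanning is what lets a detection survive repacking.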
Rossano
November 10th, 2006, 06:45 PM
-{ Quote: "CA Security Suite is very annoying:-\ . I only want Pestpatrol. I haven't renewed my subscription just for this issue." }-
Well, one way is to remove the security suite console from startup so it is not present in the tray anymore. Then you can browse the path of CA Antispyware and make a shortcut on your desktop to the PP program launch.
So on your desktop you will have only CA Antispyware
Let me know if you need additional info
Cheers
Rossano
Frank the Perv
November 10th, 2006, 09:57 PM
Hi Rossano,
I'm glad to see a CA rep here. Thank you for your participation.
I used to be one of the few PP advocates around here.
Since the new version -- CAAS came out and blocks the operation of SpywareBlaster, I've become less enthusiastic.
http://www.wilderssecurity.com/showthread.php?t=151652
Is CA aware of this?
Does CA care?
---------
On a separate note, has CAAS been tested by any publications that you know of?
Thanks,
-ftp
farmerlee
November 11th, 2006, 02:49 AM
-{ Quote: "CA Antispyware 9 is CA Antispyware 2007. Security Center is present in all CA Security products but it should not be a problem. Which problems does it create to you?
Rossano" }-
It's just a little annoying having to go thru the security center to get to the antispyware program if that's all I have installed. I much preferred PestPatrol 8 where I could disable the security center and run just the antispyware. It's not a huge problem, just one of those nagging things.
Rossano
November 11th, 2006, 10:24 AM
-{ Quote: "Hi Rossano,
I'm glad to see a CA rep here. Thank you for your participation.
I used to be one of the few PP advocates around here.
Since the new version -- CAAS came out and blocks the operation of SpywareBlaster, I've become less enthusiastic.
http://www.wilderssecurity.com/showthread.php?t=151652
Is CA aware of this?
Does CA care?
---------
On a separate note, has CAAS been tested by any publications that you know of?
Thanks,
-ftp" }-
Hi Frank,
nice to meet you and thanks for your kind words about PP.
Well, about the problem you mention, yes we are all aware. There will be a new release build with enhanced features. That problem comes up from the PPRT component which monitors process, file and registry activity. I have noted there are some legitimate applications with conflicts popping up the message mentioned.
The new build will be released soon anyway; if you need a temporary workaround to get SpywareBlaster working together with CA Antispy let me know.
As for press, well yes CA has got a precise policy according to which every product is tested and then publicized... PC Professional is one of the magazines that tested CA Antispy but many others are involved in the CA process.
Obviously a testing process cannot cover everything and then a software could have problems which are solved eventually and by support organization.
Hope it helps and let me know if you need more assistance
-Rossano
one111
November 11th, 2006, 11:55 AM
-{ Quote: "To all who were wondering why many AVs, ATs, and ASs have missed this trojan?
The answer is very simple, because the trojan was packed by Themida .
In my personal experience the only antimalware program which is able to detect malwares packed with Themida is AntiVir.
Try it yourself: get a very old and very well known malware, test your AV with it to be sure that it is detectable by it, then pack this same malware with Themida and try your AV again, and you'll be disappointed to see your favourite AV or antimalware's big failure.
I have tried a lot of antimalwares including KAV, NOD, ewido, Norton, McAfee, PC-cillin, SpySweeper, A2, Ad-Aware, Spybot, SAS and others; all of them failed against any malware packed with Themida, the only one who succeeded was AVIRA AntiVir.
No AV or antimalware vendor is talking about their product's weakness against malwares packed with Themida when some customer sends them a sample asking why their product failed against it. They just add a sig of the packed file to their database and tell you that their scanner is able to detect it now! Saying not a single word about the real reason for the failure, which is the Themida runtime packer.
You can easily send your scanner's vendor thousands of samples which they don't detect by simply packing all well-known malwares with Themida!!
I think that this commercial runtime packer is a great challenge to antimalware programs and vendors have to find a real solution." }-
Another reason to give PestPatrol another look as they were the only
program around that detected it from the beginning
Frank the Perv
November 11th, 2006, 12:05 PM
-{ Quote: "Hi Frank,
Nice to meet you and thanks for your kind words about PP.
Well about the problem you mention, yes we are all aware. There will be a new release build with enhanced features. The problems comes from the PPRT component which monitors process, file and registry activity. I have noted there are some legitimate applications with conflicts popping up the message mentioned.
The new build will be released soon. If you need a temprary workaround to get SpywareBlaster working together with CA Antispy, let me know.
As for press coverage, CA has a precise policy according to which every product is tested and then publicized... PC Professional is one of the magazines that has tested CA Antispy, and many others are involved in CA process.
Obviously a testing process cannot cover everything, and software can still have issues which will then be addressed and solved by the support organization.
Hope it helps and let me know if you need more assistance
-Rossano" }-
Hello Again Rossano,
Thank you for your response.
Of course you are correct that in the development of new security software – the implementation will not usually factor in non-conflicts with every other type of security software.
But now that you have stated that CA is aware of this, and will attempt to play nice with SpywareBlaster in the next build, I think that’s great. It’s hard to ask more than that.
More specifically on CAAS performance, can you post any links to comparative tests that have been done?
Can you give us a preview as to what improvements / additions are coming out in the next build?
Have you heard of any conflicts between CAAS and Prevx1? I’m a believer in the Prevx1 model, and I’ve been meaning to load it for awhile, but travel and life have gotten in the way…
Thank you again for your participation.
v/r Frank the Perv
Rossano
November 11th, 2006, 02:51 PM
-{ Quote: "Hello Again Rossano,
Thank you for your response.
Of course you are correct that in the development of new security software – the implementation will not usually factor in non-conflicts with every other type of security software.
But now that you have stated that CA is aware of this, and will attempt to play nice with SpywareBlaster in the next build, I think that’s great. It’s hard to ask more than that.
More specifically on CAAS performance, can you post any links to comparative tests that have been done?
Can you give us a preview as to what improvements / additions are coming out in the next build?
Have you heard of any conflicts between CAAS and Prevx1? I’m a believer in the Prevx1 model, and I’ve been meaning to load it for awhile, but travel and life have gotten in the way…
Thank you again for your participation.
v/r Frank the Perv" }-
Hi Frank,
about comparative tests I need to look at... probably I have got something stored in my email box :) Or I can ask product management and the marketing department for that.
Preview about next release: what we release is now a new UI included in RT exclusion policy in the console so in that way any user could exclude automatically the binary file creating conflict with ca antispyware.
Then other new features will be included into the software in the course of the next year.
I have heard about several conflicts so far reported and solved with the new release (by new release I do not mean a new product release but a release of a specific component, which is PP RealTime SDK).
I am getting a list of all the legitimate applications with this kind of issue. Not aware of prevx because nobody reported that to me...probably it is not used by ca users. But I am happy to know you are reporting this to me. That's strange prevx support team did not contact me about that. I will test it to rebuild the same issue over to my lab and proceed to include in the list. Thanks for that.
Let me know for any other assistance or request
Cheers!!!
-Rossano
the Tester
November 11th, 2006, 07:51 PM
-{ Quote: "Thanks Tester, at least somebody speaking well of PestPatrol... :)
Anyway for any help assistance or problems or malwares not detected let me know...
Cheers
Rossano" }-
You're welcome, Rossano.
For the sake of curiosity I'm going to trial Pest Patrol. Haven't tried the program in 3 or 4 years.
Rossano
November 11th, 2006, 08:11 PM
-{ Quote: "You're welcome, Rossano.
For the sake of curiosity I'm going to trial Pest Patrol. Haven't tried the program in 3 or 4 years." }-
Very good!! ;)
Let me know if you need help or assistance
Cheers!
-Rossano
the Tester
November 11th, 2006, 09:14 PM
Hey Rossano,
Unfortunately, the install didn't work.
I got a message about a corrupt file when I started the install process.
The trial download (pptrialr8) came from etrust.
Rossano
November 12th, 2006, 07:11 AM
-{ Quote: "Hey Rossano,
Unfortunately, the install didn't work.
I got a message about a corrupt file when I started the install process.
The trial download (pptrialr8) came from etrust." }-
Do you want to use the PP8 or the latest one?
Let me know
-Rossano
mrhero
November 12th, 2006, 07:22 AM
Rossano I sent you a PM, can you look?
Rossano
November 12th, 2006, 08:03 AM
-{ Quote: "Rossano I sent you a PM, can you look?" }-
Responded, thanks!
-Rossano
the Tester
November 12th, 2006, 08:17 AM
-{ Quote: "Do you want to use the PP8 or the latest one?
Let me know
-Rossano" }-
The latest one.
FanJ
November 12th, 2006, 06:09 PM
Hi Rossano,
Is there a page at the CA site where info is published about the daily updates for PestPatrol?
I mean something like (just an example):
"The last definitions update for PestPatrol was on 10 November 2006".
It would make things easier for those forums where daily updates for scanners are posted.
If such a site exists, could you please give the link.
Thanks in advance !
Regards, Jan.
Rossano
November 13th, 2006, 03:14 AM
-{ Quote: "Hi Rossano,
Is there a page at the CA site where info is published about the daily updates for PestPatrol?
I mean something like (just an example):
"The last definitions update for PestPatrol was on 10 November 2006".
It would make things easier for those forums where daily updates for scanners are posted.
If such a site exists, could you please give the link.
Thanks in advance !
Regards, Jan." }-
Hey Jan,
PestPatrol (new brand is CA Antispyware) is updated daily at 17.00 GMT. We have decided to make daily updates to better serve customers.
Let me know if you need more information about
-Rossano
snapdragin
November 13th, 2006, 06:32 PM
As this thread has truly drifted way off topic from the original poster's question, we'll close it now.