Sent EWIDO three FP's just now.
spy1
March 13th, 2004, 11:41 AM
ewido security suite - Scan report
---------------------------------------------------------
+ Created on:                      11:19:24 AM, 3/13/2004
+ Report-Checksum:                 57934070
+ Date of database:                3/13/2004
+ Version of scan engine:          v1.1
+ Duration:                        8 min
+ Scanned Files:                   19465
+ Speed:                           38.46 Files/Second
+ Infected files:                  3
+ Removed files:                   0
+ Files put in quarantine:         0
+ Files that could not be opened:  22
+ Files that could not be removed: 0
+ Ignore extension:                Yes
+ Binder:                          Yes
+ Crypter:                         Yes
+ Memory:                          No
+ Archives:                        No
+ Heuristic:                       No
+ Scanned items:
    C:\
+ Scan result:
    C:\Compaq\CPQInet\LchApp.exe -> TrojanSpy.Algus.10 -> Ignored
    C:\Compaq\EAKDRV\STARTDRV.exe -> Backdoor.Enculator.01 -> Ignored
    C:\cpqdrv\misc\STARTDRV.exe -> Backdoor.Enculator.01 -> Ignored
Nice little program!
I set it to "Ignore All" just so I could get results only.
Added "securitysuite.exe" to PG and gave it the "Read" access it was clamoring for (I'd already started the scan before I did that, so it may account for some of the 22 "Files that could not be opened", I'm not sure).
No problems d/l'ing, installing or running it - and, it was certainly simple enough! Pete
peter.ewido
March 13th, 2004, 09:28 PM
Fixed with the latest update :)
spy1
March 13th, 2004, 10:12 PM
Thank you, sir. At work at the moment, but I'll get the update when I get home. Pete
spy1
March 14th, 2004, 10:18 AM
And fixed it is:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on:                      10:12:30 AM, 3/14/2004
+ Report-Checksum:                 FD03011D
+ Date of database:                3/14/2004
+ Version of scan engine:          v1.1
+ Duration:                        7 min
+ Scanned Files:                   19367
+ Speed:                           44.37 Files/Second
+ Infected files:                  0
+ Removed files:                   0
+ Files put in quarantine:         0
+ Files that could not be opened:  22
+ Files that could not be removed: 0
+ Ignore extension:                Yes
+ Binder:                          Yes
+ Crypter:                         Yes
+ Memory:                          No
+ Archives:                        No
+ Heuristic:                       No
+ Scanned items:
    C:\
+ Scan result:
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
    C:\Documents and Settings\LocalService\NTUSER.DAT -> File could not be opened
    C:\Documents and Settings\LocalService\ntuser.dat.LOG -> File could not be opened
    C:\Documents and Settings\spy1\Application Data\Phoenix\Profiles\default\x9eoecei.slt\parent.lock -> File could not be opened
    C:\Documents and Settings\spy1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
    C:\Documents and Settings\spy1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
    C:\Documents and Settings\spy1\NTUSER.DAT -> File could not be opened
    C:\Documents and Settings\spy1\NTUSER.DAT.LOG -> File could not be opened
    C:\hiberfil.sys -> File could not be opened
    C:\pagefile.sys -> File could not be opened
    C:\WINDOWS\system32\config\default -> File could not be opened
    C:\WINDOWS\system32\config\default.LOG -> File could not be opened
    C:\WINDOWS\system32\config\SAM -> File could not be opened
    C:\WINDOWS\system32\config\SAM.LOG -> File could not be opened
    C:\WINDOWS\system32\config\SECURITY -> File could not be opened
    C:\WINDOWS\system32\config\SECURITY.LOG -> File could not be opened
    C:\WINDOWS\system32\config\software -> File could not be opened
    C:\WINDOWS\system32\config\software.LOG -> File could not be opened
    C:\WINDOWS\system32\config\system -> File could not be opened
    C:\WINDOWS\system32\config\system.LOG -> File could not be opened
    C:\WINDOWS\system32\drivers\procguard.sys -> File could not be opened
::Report End
Sumire
March 15th, 2004, 10:31 AM
Hi, I just downloaded ESS and finished my first scan, so far so good! :)
This program has a really beautiful GUI, I love it.
ESS reported that Advanced Process Manipulation (from DiamondCS) is infected by Backdoor.Netsend.
http://www.diamondcs.com.au/index.php?page=apm
I think this is another false positive, would you analyze this program?
Best Regards.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on:                      0:00:37, 2004/03/16
+ Report-Checksum:                 D47FA012
+ Date of database:                2004/03/15
+ Version of scan engine:          v1.1
+ Duration:                        18 s
+ Scanned Files:                   617
+ Speed:                           33.65 Files/Second
+ Infected files:                  1
+ Removed files:                   0
+ Files put in quarantine:         0
+ Files that could not be opened:  0
+ Files that could not be removed: 0
+ Ignore extension:                Yes
+ Binder:                          Yes
+ Crypter:                         Yes
+ Memory:                          No
+ Archives:                        No
+ Heuristic:                       No
+ Scanned items:
    C:\Documents and Settings\Sumire\My Documents\Application\Utility
+ Scan result:
    C:\Documents and Settings\Sumire\My Documents\Application\Utility\DiamondCS\APM\apm.exe -> |PACKED| Backdoor.Netsend -> Ignored
::Report End
Paul Wilders
March 15th, 2004, 10:38 AM
Sumire,
Quote: "ESS reported that Advanced Process Manipulation (from DiamondCS) is infected by Backdoor.Netsend."
False positive indeed. Please inform ESS.
regards.
paul
peter.ewido
March 15th, 2004, 10:42 AM
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on:                      16:38:44, 15.03.2004
+ Report-Checksum:                 BF0608A6
+ Date of database:                15.03.2004
+ Version of scan engine:          v1.1
+ Duration:                        201 ms
+ Scanned Files:                   14
+ Speed:                           69.65 Files/Second
+ Infected files:                  0
+ Removed files:                   0
+ Files put in quarantine:         0
+ Files that could not be opened:  0
+ Files that could not be removed: 0
+ Ignore extension:                Yes
+ Binder:                          Yes
+ Crypter:                         Yes
+ Memory:                          Yes
+ Archives:                        Yes
+ Heuristic:                       Yes
+ Scanned items:
    M:\Whitelist\DiamondCS\APM\Links
    M:\Whitelist\DiamondCS\APM\TestDLL
    M:\Whitelist\DiamondCS\APM\apm.dll
    M:\Whitelist\DiamondCS\APM\apm.exe
    M:\Whitelist\DiamondCS\APM\apmhelp.chm
    M:\Whitelist\DiamondCS\APM\uninstal.exe
    M:\Whitelist\DiamondCS\APM\uninstal.ini
+ Scan result:
    No infected files found!
::Report End
Could you please send your apm.exe to submit@ewido.net? It seems to be a different version. Thanks!
Sumire
March 15th, 2004, 10:52 AM
@Paul
I'm sorry, I'll follow your instruction.
@fish25
Thank you for your quick response, I'll send you apt.exe.
Many thanks
peter.ewido
March 15th, 2004, 11:10 AM
apt.exe? ;)
Sumire
March 15th, 2004, 11:18 AM
I'm sorry, I sent the wrong sample :'( the next sample is the correct one.
best regards
peter.ewido
March 15th, 2004, 11:28 AM
Fixed with the current update :)
Sumire
March 16th, 2004, 11:05 AM
Quote (fish25): "Fixed with the current update :)"
I confirmed that the false positive was fixed :)
Thank you very much. Please keep up the good work :)
Best Regards
spy1
March 16th, 2004, 01:51 PM
fish - I see you also added TrojanSimulator to your detection sigs - and properly identified it as not being an actual trojan.
C:\Magnus Test\TrojanSimulator.exe -> Not-a-virus.Trojansimulator -> Ignored
C:\Magnus Test\TSServ.exe -> |PACKED| Not-a-virus.Trojansimulator -> Ignored