SpyReveal; about some other scanners giving warnings on it

[FanJ]

Hi,

Before I start, I want to make clear that:
1. this thread is only about some other scanners giving warnings on some SpyReveal files and/or its website;
2. this thread is not about other anti-keylogger software;
3. this thread is not about how good SpyReveal is;
4. I am not affiliated with the SpyReveal company (but yes I post sometimes database updates of it as I did in the past for SpyCop).

===

Several friends asked me recently questions in private about a warning from TrojanHunter on a file of SpyReveal. See http://www.wilderssecurity.com/showthread.php?t=323445
It was quickly fixed by Gavin. Unfortunatily Gavin is having at the moment a nasty flu, so it could well be that he just dropped the definition without looking at my submission. Folks, we are all human; health comes first!

I am usually reluctant to tell which file of SpyReveal and in which location it is placed. The SpyReveal company changes that from time to time.

The file on which TrojanHunter gave a warning, is called infozip.exe
SHA-256 - 64E6477FD422E1544D2042DC9798C2DB0B92655F0E164CFFC227AC01341F4390

A few scanners are giving warnings on some SpyReveal files. I scanned them at VirusTotal.

Two other of these files:
welcome.exe
SHA-256 - DCADD8ED9BCA188DFD1B1C25CC72321E4C41BE5404A1BA852B793C2EFDFA22D1
start.exe
SHA-256 - 8C465C513D11465EA9C1A990392D3C86534877EC60E594C3662BC55859B151EB

I think they are all FP's. Of course until an expert proves otherwise; but they have to prove it and tell why.
So, if you have SpyReveal installed and another scanner (AV/AT/AS) is giving a warning about one of its files, submit it to that other company and ask them to take a serious look at it.

The same goes for the site of SpyReveal: http://antikeyloggers.com/welcome

Are those files, and is this site, really infected?
If they are, it has to be proven. Only a cloud "proof" is not good enough. An expert has to look at it.
So submit them to your AV/AT/AS company.

If I'm wrong then I stand to be corrected.

[LoneWolf]

It's been over a week and I'm still waiting to hear back from SurfRight (HitManPro)
on two files "welcome.exe" and "start.exe"
I e-mailed them direct to erik, guess I'll give it another day or two and send them again.

[Page42]

Here is what SpyReveal had to say 5 days ago when I sent them info regarding the VirusTotal, Jotti and TrafficLight warnings. They seem to be implying that the vendors whose scans found malware are not "well regarded".

~Private communication removed. See the TOS.~

[FanJ]

Hey guys,

It wasn't my intention at all to start any "war" between company X and company Y, not at all! Please be assured of that.

BTW, about "welcome.exe":
1. sometimes its name changes.
2. its checksum changes with every update (as will know everyone who uses some kind of file-integrity-checker).

[Page42]

Nor is it my intent to start a war.
Posting the company's response to my inquiry seemed like a helpful thing to do.
But since doing so is against TOS, I have asked for the sender's permission to post the response in a public forum.
If granted, is that then sufficient?

[LoneWolf]

Quote:

Originally Posted by LoneWolf

It's been over a week and I'm still waiting to hear back from SurfRight (HitManPro)
on two files "welcome.exe" and "start.exe"
I e-mailed them direct to erik, guess I'll give it another day or two and send them again.

Update..........
Still have not heard back from SurfRight (HitManPro)
Resent e-mail earlier,
Rescanned with HitManPro results are as follows,
"welcome.exe" is no longer being detected as malicious,
"start.exe" is still being detected as malicious (another FP, I believe)

[FanJ]

Quote:

Originally Posted by LoneWolf

Update..........
Still have not heard back from SurfRight (HitManPro)
Resent e-mail earlier,
Rescanned with HitManPro results are as follows,
"welcome.exe" is no longer being detected as malicious,
"start.exe" is still being detected as malicious (another FP, I believe)

Attachment 232857

Hi LoneWolf,

Thanks for the update.

1.
Good to see that "welcome.exe" is no more flagged by HitManPro. Let's see what happens after the next SpyReveal update.
2.
The current version of "start.exe" is about three years old now, as far as I can tell at the moment.
As far as I can see from your screenshot, that detection Gen:Trojan.Heur.bmLfbLT!OBgi is the one from BitDefender/F-Secure/GData.
*edit to add* These three AV scanners share some engine cq. database as far as I know. I too think it is an FP (of course until proven otherwise).

[FanJ]

Quote:

Originally Posted by Page42

Nor is it my intent to start a war.
Posting the company's response to my inquiry seemed like a helpful thing to do.
But since doing so is against TOS, I have asked for the sender's permission to post the response in a public forum.
If granted, is that then sufficient?

Hi Page42,

Of course it is understood that you too didn't want to start a "war".

About your question: If you get permission from the SpyReveal company, maybe it is still wise to ask the Wilders Security Forums staff for advice in private. What the SpyReveal company itself does, is their responsibility; for example: they have the possibility to say what they want to say in the SpyReveal "Latest News" window in the program itself.

[FanJ]

From the SpyReveal FAQ:
http://antikeyloggers.com/faq.htm

Quote:

Q. My virus scanner says SpyReveal is a virus/trojan

A. These are false positives issued by virus scanners because they are unable to decipher the encryption used on the SpyReveal files, so they mark them as potential viruses, usually issuing a generic name. We are unable to fix false positives given by 3rd party products, so you must contact the support/virus research department for your virus scanner so that they can correct it. Send them the EXE files in your SpyReveal folder if they request them (this does not include your license information so it's legal to do so).

[FanJ]

Related postings/threads:

http://www.wilderssecurity.com/showp...postcount=4361

http://www.wilderssecurity.com/showthread.php?t=324345

The file start.exe has been submitted to virus_submission@bitdefender.com

I strongly believe that it is a False Positive.
Checksums of start.exe :
MD5 - 4FDCA077CADE7F412497E7A7FB7B24C7
SHA-256 - 8C465C513D11465EA9C1A990392D3C86534877EC60E594C3662BC55859B151EB

If somebody else could post it at the BitDefender forum, please by all means:
http://forum.bitdefender.com/

[FanJ]

As I posted in reply # 8, the SpyReveal company has the possibility to give info in the window "Latest News". They did so recently in a more general way. I give the screenshot of it; I left out the complete irrelevant part about what they recommand for AV (ough).

[FanJ]

Someone has started a thread at the BitDefender forum:
"False Positive On Spyreveal"
http://forum.bitdefender.com/index.php?showtopic=34271

[LoneWolf]

Quote:

Originally Posted by FanJ

Someone has started a thread at the BitDefender forum:
"False Positive On Spyreveal"
http://forum.bitdefender.com/index.php?showtopic=34271

Thanks for the updated info on this issue.

[FanJ]

Erik just posted here that it should be fixed (white-listed) now in HitManPro

[LoneWolf]

Quote:

Originally Posted by FanJ

Erik just posted here that it should be fixed (white-listed) now in HitManPro

Thank you

[FanJ]

Quote:

Originally Posted by LoneWolf

Thank you

You're welcome, LoneWolf, and thanks to you too !

===

About that file start.exe :

Although I didn't get a reply on my submission to BitDefender, and although there was only a probably automatically (?) reply in the FP thread at the BitDefender forum, I just noticed at VirusTotal that all three scanners BitDefender/F-Secure/GData are no more giving a warning on it

[FanJ]

Quote:

Originally Posted by FanJ

About that file start.exe :

Although I didn't get a reply on my submission to BitDefender, and although there was only a probably automatically (?) reply in the FP thread at the BitDefender forum, I just noticed at VirusTotal that all three scanners BitDefender/F-Secure/GData are no more giving a warning on it

There is now a reply at the FP thread at the BitDefender forum from Christian (BitDefender Technical Support) telling that the file is clean.
Thanks much, Christian