ewido false positive?

Labrie · #1 May 31st, 2005, 05:20 AM

hi guys!

ewido have found as worm.finaldo a file named accwiz.exe in my windows system folder...well i run a scan over jotti´s place and none av has found nothing...i wonder if its a false positve?

tx.

Edwin024 · #2 May 31st, 2005, 06:00 AM

Look at the other thread on Ewido's beta 3.5. I think it very well might be a fp.

peter.ewido · #3 May 31st, 2005, 07:20 AM

Could you please send the file to submit@ewido.net? Thx

Edwin024 · #4 May 31st, 2005, 07:25 AM

I have sent in the following information. A lot of false positives after a full scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 13:19:18, 31-5-2005
+ Report-Checksum: 680D03C

+ Scan result:

[3316] C:\WINDOWS\system32\mscomctl.ocx -> Backdoor.Ciadoor.13
C:\Apps\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor
C:\Downloads\software\Karperskyremove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
C:\Downloads\software\Kasp_Reg_Remove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
C:\Downloads\software\mwav.exe/mwavscan.com -> Heuristic.Win32.AVKiller
C:\Downloads\yu2005dev.zip/urUninstaller.exe -> Heuristic.Win32.Backdoor
C:\Program Files\Advanced System Optimizer\BackupManager.exe -> Heuristic.Win32.Worm
C:\Program Files\LeechGet 2004\LeechGet.exe -> Heuristic.Win32.Dialer
C:\Program Files\LeechGet 2004\LGOptions.exe -> Heuristic.Win32.Dialer
C:\Program Files\MSN Messenger\msnmsgr.exe -> Heuristic.Win32.Backdoor
C:\WINDOWS\pchealth\helpctr\System\NetDiag\dglogs.htm -> Trojan.Io
C:\WINDOWS\system32\MSCOMCT2.OCX -> Backdoor.Ciadoor.13
C:\WINDOWS\system32\MSCOMCTL.OCX -> Backdoor.Ciadoor.13
E:\Warez\Audiograbber\agsetup.exe -> TrojanDownloader.TSUpdate.i
E:\Warez\Kaspersky Anti-Virus 5\KAV_Registry_Clean.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
E:\Warez\LeechGet\crack\LeechGet.exe -> Heuristic.Win32.Dialer
E:\Warez\McAfee personal Firewall plus\McAfeePersonalFirewallPlus.exe -> TrojanDownloader.TSUpdate.i
E:\Warez\Norton Internet Security 2005\Setup\support\navtools\repair\gaobot\fxgaobot.exe ->

Heuristic.Win32.HostFile
E:\Warez\Norton Internet Security 2005\Setup\support\redist\msredist\mscomctl.ocx -> Backdoor.Ciadoor.13
E:\Warez\Outpost firewall\OutpostProInstall.exe -> TrojanDownloader.TSUpdate.i
E:\Warez\Outpost firewall\OutpostProInstall.exe/OUTPOST.EXE -> Heuristic.Win32.AVKiller
E:\Warez\PCMedik\crack\crack.rar/PcMedik.exe -> Heuristic.Win32.Backdoor
E:\Warez\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor
E:\Warez\ZoneAlarm Pro 5\zapSetup_51_011.exe -> TrojanDownloader.TSUpdate.i
E:\Warez\ZoneAlarm Suite 5.1.033\zaSuiteSetup_51_033_000.exe -> TrojanDownloader.TSUpdate.i
H:\backup13mei\Downloads\software\Karperskyremove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
H:\backup13mei\Downloads\software\Kasp_Reg_Remove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
H:\backup13mei\Downloads\software\mwav.exe/mwavscan.com -> Heuristic.Win32.AVKiller
H:\backup22mei\Downloads\software\Karperskyremove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
H:\backup22mei\Downloads\software\Kasp_Reg_Remove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
H:\backup22mei\Downloads\software\mwav.exe/mwavscan.com -> Heuristic.Win32.AVKiller

::Report End

Labrie · #5 May 31st, 2005, 07:54 AM

Quote:

Originally Posted by fish25

Could you please send the file to submit@ewido.net? Thx

sent it

Edwin024 · #6 May 31st, 2005, 09:31 AM

Ewido-guys: please add an ignore function to the program. This mscomctl.ocx, for instance, is an active X component which I don't want or need to loose. But Ewido's guard is bugging me every time the pc starts up that it is there. And I can do remove or none... the last is my best option now but it is no option because the next time I startup Ewido sounds the alarm again...and again...

peter.ewido · #7 May 31st, 2005, 09:58 AM

An ignore list will be implemented in 3.6... As "mscomctl.ocx" is a real false positive and not a possible (un)wanted app, the best way to deal with it is to fix it

Edwin024 · #8 May 31st, 2005, 10:39 AM

And will that happen soon? The FP's deleted I mean

Labrie · #9 June 1st, 2005, 08:14 AM

it was a fp..tx for the nice and quick rply EWIDO TEAM

gerardwil · #10 June 1st, 2005, 01:38 PM

Hi,

I only got this FP left (Sygate). I will submit it.
Cheers,

Gerard

Edwin024 · #11 June 1st, 2005, 01:51 PM

On my side I still see urUninstaller flagged as a false positive... and there is absolutely nothing wrong with this program.

peter.ewido · #12 June 1st, 2005, 02:03 PM

Have you already submitted it?

lynchknot · #13 June 1st, 2005, 02:07 PM

Here's some FP:

C:\Documents and Settings\me\Desktop\OutpostProInstall.exe -> TrojanDownloader.TSUpdate

C:\Program Files\Bluetack\Blocklist Manager\MSCOMCT2.OCX -> Backdoor.Ciadoor.13
C:\Program Files\Bluetack\Blocklist Manager\MSCOMCTL.OCX -> Backdoor.Ciadoor.13

It also quarantined over 2000 cookies

Edwin024 · #14 June 1st, 2005, 02:11 PM

Quote:

Originally Posted by fish25

Have you already submitted it?

I sent in the txt file after a scan where all the false positives were on... so I hope you guys saw it.

Ewido flagged a lot of legitimate programs wrongly as nasties. That is now over, apart from some programs, alas. But maybe tomorrow the next good update?

Edwin024 · #15 June 1st, 2005, 02:12 PM

Quote:

Originally Posted by lynchknot

Here's some FP:

C:\Documents and Settings\me\Desktop\OutpostProInstall.exe -> TrojanDownloader.TSUpdate

C:\Program Files\Bluetack\Blocklist Manager\MSCOMCT2.OCX -> Backdoor.Ciadoor.13
C:\Program Files\Bluetack\Blocklist Manager\MSCOMCTL.OCX -> Backdoor.Ciadoor.13

The mscom files are no longer seen as nasties in Ewido as far as I can tell. About Outpost you are right... Some more work to be done.

lynchknot · #16 June 1st, 2005, 02:13 PM

I ran this last night while in bed. So there's an update?
It also quarantined over 2000 cookies

#17 June 1st, 2005, 03:36 PM

Here are a few more false positives...there are a few FW leak tests, but the
ones for NetVeda, XPlite and visioneer are true FPs.
I already sent them in......Sure is a lot less than first scans.

C:\Documents and Settings\WORK1\Desktop\Downloads\xplite_trial.zip/XPlite_TRIAL.exe -> Heuristic.Win32.Backdoor2
C:\Documents and Settings\WORK1\Desktop\Tests\surfer.exe -> Heuristic.Win32.Downloader
C:\Documents and Settings\WORK1\Desktop\Tests\tooleaky.exe -> Heuristic.Win32.Downloader
C:\Documents and Settings\WORK1\Desktop\Tests\TrojDemo.exe -> Heuristic.Win32.Backdoor2
C:\Program Files\AxBx\PC Security Test 2005\PCSecurityTest.exe -> Heuristic.Win32.Backdoor2
C:\Program Files\NetVeda\Safety.Net\ipcsvc.exe -> Heuristic.Win32.Backdoor3
C:\Program Files\Visioneer\PaperPort\Pplinks.exe -> Heuristic.Win32.Keylogger

Edwin024 · #18 June 1st, 2005, 03:40 PM

And a few from my scan of a few minutes ago: ( a full scan by the way!)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 21:27:35, 1-6-2005
+ Report-Checksum: 4C97F27B

+ Scan result:

C:\Apps\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor2
C:\Downloads\yu2005dev.zip/urUninstaller.exe -> Heuristic.Win32.Backdoor2
E:\Warez\Audiograbber\agsetup.exe -> TrojanDownloader.Wiser
E:\Warez\Look 'n'Stop firewall\LNSFW1-d1.zip/LNSFW1.sys -> Heuristic.Win32.Downloader
E:\Warez\Look 'n'Stop firewall\LNSFW1-d2.zip/LNSFW1.sys -> Heuristic.Win32.Downloader
E:\Warez\McAfee personal Firewall plus\McAfeePersonalFirewallPlus.exe -> TrojanDownloader.Wiser
E:\Warez\Norton Internet Security 2005\Setup\symsetup.exe -> Heuristic.Win32.AVKiller
E:\Warez\Outpost firewall\OutpostProInstall.exe -> TrojanDownloader.Wiser
E:\Warez\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor2
E:\Warez\ZoneAlarm Pro 5\zapSetup_51_011.exe -> TrojanDownloader.Wiser
E:\Warez\ZoneAlarm Suite 5.1.033\zaSuiteSetup_51_033_000.exe -> TrojanDownloader.Wiser

::Report End

I have send in the files now, by the way

#19 June 1st, 2005, 03:43 PM

It shure likes to pick on FWs doesn't it.

lynchknot · #20 June 1st, 2005, 03:45 PM

lol - "Warez" - I'd be suspicious of those for sure.

I have uruninstaller and it did not pick up on that.*edit - mine is 2004 version though.

**edit - something funny about that. I checked and there is no such thing as Your Unistaller 2005

#21 June 1st, 2005, 03:47 PM

he he he....I just noticed that myself after double reading his report.

tsk tsk ....shame shame

lynchknot · #22 June 1st, 2005, 03:57 PM

In fact it's even spelled wrong!

Quote:

C:\Apps\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor2

I'd venture to say it may not be a FP

Edwin024 · #23 June 1st, 2005, 04:00 PM

It's about the files...not about the directory names.

And I have a dir in my E drive with the name warez where I put all the files that I download from legitimate corporate websites. I beta test urUninstaller for instance for the company which produces it... Just as I test Ewido, for the matter

That you guys have such funny ideas tell me something about you.

lynchknot · #24 June 1st, 2005, 04:02 PM

Quote:

That you guys have such funny ideas tell me something about you.

It's not my idea, it's yours (to put legit downloads and label it "warez")

It say s something about you, not us.

Edwin024 · #25 June 1st, 2005, 04:04 PM

I am from Holland, maybe that makes it that I choose names that you can't understand. It could have been software too... will rename the dir, ok?

NB: I renamed the urUninstaller dir and still the same result. Of course...

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search