A-Squared - False Positives

When scanning my PC with NIS2009, MBAM and Trojan Remover they all come up with nothing.. However A-Squared is reporting 286 items.



It's a plain old HTML file, you can see the content here:

http://pastebin.com/f7b44093a

Any idea's "what" exactly A-Squared is seeing with that file to flag it as a high risk worm? In the other 286 items, most are equally troubling like plain .txt files and genuine Windows files.

 

Re: A-Squared - Fasle Positives

a-squared seems to have more false positives than other malware scanners, but I use it anyway for another opinion. If it says a file is malware, I upload the file to Virustotal*com to see what the other scanners say and then make a decision on what to do.

Recently a-squared reported an Amazon*com url in my Internet Explorer Favorites to be malware. I uploaded the url to a-squared but it was never fixed. Eventually, I removed the Amazon*com url just to get rid of the report of it being malware.

 

Re: A-Squared - Fasle Positives

A-squared has high detection,but it also means more false alarm.

 

Re: A-Squared - Fasle Positives

Do you guys know if they're planning to implement some sort of reputation-scanning, such as what's seen in many security products today implementing "cloud technology"?

 

Re: A-Squared - Fasle Positives

See nrs. 7.3 and 9 here:

http://www.emsisoft.com/en/kb/articles/tec081001/#7.3

Gerard

 

Re: A-Squared - Fasle Positives

Thank you Gerard - now I remember. Since those options are for the IDS, though, I guess it doesn't affect the On-Demand or regular detections. I guess I should've been more clear that I meant for those parts of the program since this was what the topic involved (I meant reputation-scanning for On-Demand and regular detections that's, since this is a very simple but possibly severe FP).

 

Re: A-Squared - Fasle Positives

Thanks, yes i also upload to VirusTotal and/or run a Google search on the item if it's suspicious just in case. I'm just really stumped why A-Squared is seeing things like a plain old HTML file as a high risk worm.

Ahh got it after about 30 scans of the file editing bits of HTML each time to narrow it down. If you save this as wilders.html which just shows Wilders on the page in plain text.

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<table width="920" border="0" align="center" cellpadding="10">
  <tr><td>Wilders</td></tr>
</table>
</body>
</html>

It comes up high risk worm, if you change border="0" to border="10" it comes up clean. Very strange indeed it's getting hung up on probably the most simplistic HTML page you can make.

I will submit some of these simpler FP's and see if they are fixed, i can't send all 300 i don't really have the bandwidth (thanks Telstra).