Discussion in 'Prevx Releases' started by Pain of Salvation, Sep 17, 2009.
Prevx detected two Rootkits on my PC. The .exe is xpsviewer.exe.
I think it is a false positive...
Any trust in Prevx that I started to acquire is now gone!
Prevx File Investigation Report:
Windows Hardware Developer Central - View and Generate XPS:
Explore the features: XPS documents:
NOTE: XPSViewer.exe is an hidden system file:
Why is it gone?
You seem to have completely missed the point. You can't assess if a file is malware only from its name! LOL
But you need more information like the size, location, the behaviour, unique hash code, etc...
The web page at Prevx is telling you that XPSVIEWER.EXE, doing XXXX, with yyyy size, located in zzzz and identified in qqqq countries is malware, not the one installed on your PC.
Any malware scanner will inevitably at some point generate an false positive or an false negative, this is expected and acceptable, however,
this particular false positive concerning the Microsoft XPSViewer.exe is totally out of context and unacceptable, especially the ludicrous Prevx File Investigation Report details.
This is one time Sir, that I will not argue my point, because I know that I am right.....and the road ends.....right here.
The file in Pain of Salvation's log is this one:
It is not marked as malicious in the Prevx database. Guess a strange behavior of this file triggered the Rootkit.MFTHide detection.
This false positive is caused because of a mismatch between usermode data and kernel mode data and is detected within our rootkit scanner. I suspect most other antirootkit programs would detect this as well and it literally means that the file has a missing entry within the file system (which is a technique used by some advanced rootkits today).
However, the cause of it generating a false positive is very rare and usually would only happen either from harddisk corruption, another AV blocking that specific file (which I doubt in this case), or a file having just been written to the disk/created.
This FP in particular affected only one user (Pain of Salvation) and the file in his log has never been seen on any other PC, which leads me to believe that it had just been created on the system or possibly has been corrupted in some form.
Let me know if you have any questions!
Respectfully.....your entire Post is misleading and wrong.....
There are two files for the XPSViewer:
(a) Internal Name = XPSViewer.exe
(b) Original File Name = XPSViewer.exe.mui
(a) Internal Name = XPSViewer.exe
(b) Original File Name = XPSViewer.exe
That's All Folks
Sorry, but it isn't - you have misread his log:
[R<11000020>] c:\windows\winsxs\x86_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_6.0.6001.22221_es-es_b2545417a9a413f3\xpsviewer.exe.mui [PX5: F4E38556001A95720E8D00D21C7C2200B79BCD14] Malware Group: Rootkit.MFTHide
[R<11000020>] c:\windows\winsxs\x8a9e0~1.181\xpsviewer.exe.mui [PX5: F4E38556001A95720E8D00D21C7C2200B79BCD14] Malware Group: Rootkit.MFTHide
This is not referring to xpsviewer.exe. These files are identical - the issue came because one of them was not flushed all the way to disk so Prevx was seeing that it was hidden from the Master File Table.
Lol, sorry but, right or not, and as explain by Joe, you are still ... missing the point
You are out of your playpen again fax
I am sorry but I for one do not understand the reason for overreaction. One false positive, which occurred in one system, due to some odd condition. Where's the problem?
There is no problem.
It's not like this is some system-crippling bug affecting thousands of systems a la unmentioned european company
Directory Hard Links
Pen which pen? The heuristics on your end seems to generate a lot of false positives
Sorry couldn't resist, peace...love and music forever
Hmm, I am not encountering this false positive. I'm using Windows 7 x64 RTM.
No one else encountered the FP - it was literally limited to Pain of Salvation and wasn't a signature detection, as pointed out by ctrlaltdelete, so no other user could ever have been affected by it.
Hi Joe can you confirm this as a FP.
I have marked them as such and just require confirmation from you or one of your team.
Yes, it is We corrected this FP yesterday and the misdetection should be removed automatically on a re-scan
A note to all - we strongly encourage reporting FPs by using the methods in this thread: http://www.wilderssecurity.com/showthread.php?t=245129
To prevent this thread turning down unproductive routes, please follow the instructions in that post to submit false positives. I'm now closing this thread but feel free to send me a PM if you have any questions.
Thank you for your support!
Separate names with a comma.