Important! CounterSpy Definitions 416 False Positives

Discussion in 'other anti-malware software' started by eburger68, Sep 28, 2006.

Thread Status:
Not open for further replies.
  1. eburger68
    Offline

    eburger68 Privacy Expert

    Hi All:

    Definitions 416 for CounterSpy Consumer 1.5 & 2.0 Beta (defs 418 for CSC 1.0) were released Wednesday evening. As a result of an unusual confluence of circumstances, two false positives were incorporated into defs 416. Both false positives are on Registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\CODE STORE DATABASE\DISTRIBUTION UNITS

    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE

    Both false positives will be reported as "SearchSquire" (ThreatID 40276).

    You will likely see more than just the above two Registry keys detected, though, because these two Registry keys store data for installed ActiveX controls in Windows. In addition to the above two Registry keys, you will likely also see detections for a number of sub-keys and values as well as files in the \Downloaded Program Files folder. All of these detections are being caused by the two erroneous Registry traces listed above.

    Sunbelt became aware of the problem late Wednesday night/early Thursday morning. We will be pushing out corrected definitions later this morning. At present Sunbelt is working to turn off any further distribution of defs 416 from Sunbelt's update servers.

    Until those corrected defs are released, we advise you not to quarantine or remove any "SearchSquire" detections from system scans using defs 416. If you have already quarantined SearchSquire traces from a scan with defs 416, you should unquarantine those traces.

    We will announce the release of the corrected set of defs.

    Best,

    Eric L. Howes
    Sunbelt Software
  2. eburger68
    Offline

    eburger68 Privacy Expert

    Hi All:

    Sunbelt has now released Definitions version 417 for CounterSpy 1.5 and 2.0 beta (420 for CounterSpy 1.0). These definitions correct the SearchSquire false positives announced earlier.

    Best,

    Eric L. Howes
  3. the Tester
    Offline

    the Tester Registered Member

    Thanks for the heads up Eric.
  4. JerryM
    Offline

    JerryM Registered Member

    I did not correct it on mine. I'll run another scan and see if any different.

    Edit, No, I have CS2 on two machines with both showing v 417, and the scans still show SearchSquire.
    Jerry
    Last edited: Sep 28, 2006
  5. Bubba
    Offline

    Bubba Updates Team

    Same here Jerry and until it's fully corrected We can just tell CounterSpy to ignore them, or always ignore.

    Bubba
  6. JerryM
    Offline

    JerryM Registered Member

    Yes, and they are aware if on the support forum. I will just tell to ignore.
    Thanks,
    Jerry
  7. eburger68
    Offline

    eburger68 Privacy Expert

    Hi All:

    Those of you using CounterSpy 2.0 should be aware that there are some glitches with the incremental update system -- glitches that the devs are working on. One of those glitches involves incremental updates being applied in such a way that false positives corrected in our master database aren't corrected in the defs on the user's hard drive. (The other glitch involves incremental updates that simply fail to be merged properly.)

    If you visit the Sunbelt beta forums and look in the "Definitions & Updates" forum you'll find a good, zipped copy of defs 417 that can be downloaded and manually installed. This known good copy of 417 will correct the SearchSquire false positives.

    Best,

    Eric L. Howes
    Sunbelt Software
  8. Bubba
    Offline

    Bubba Updates Team

    I can confirm the manual install does indeed fix the 417 FP's and have posted as such on the CounterSpy Forums. Thanks as always for the promptness in rectifying.

    Bubba
  9. JerryM
    Offline

    JerryM Registered Member

    Me too!:thumb:
    All is well now with the fix.
    Thanks,
    Jerry
Thread Status:
Not open for further replies.