launching SpywareBlaster causes strange Trojan alerts by DrWeb

Discussion in 'SpywareBlaster & Other Forum' started by _Tat_, Apr 13, 2003.

Thread Status:
Not open for further replies.
  1. _Tat_

    _Tat_ Guest

    Since I updated to current version 2.5.3 I'm getting a warning by Spiderguard (DrWeb's RTM) every time I launch SpywareBlaster:

    " C:\...\...\SPYWAREBLASTER.EXE probably infected with BACKDOOR.Trojan"

    I'm pretty sure there is no Trojan (TrojanHunter Guard also does not give any alert), but only DrWeb's oversensitive heuristic scanning, so I just ignore it. But as I did not get this alert with the previous version of SpywareBlaster, I wonder what has changed in the update to trigger that alert? ... And before I add the file to DrWeb's permanent ignore list I would just like to make sure whether there is anything to worry about?

    TIA
    Tat


    ---
    :rolleyes: having login problems, the site doesn't accept my password; and when I want to post as guest with my name, it's telling me that I cannot use it because that name is used by another member already ... - yeah of course it is - by ME... o_O grmbl...
     
  2. javacool

    javacool BrightFort Moderator

    Joined: Feb 10, 2002 | Posts: 3,995

    I can assure you there is no "backdoor trojan" in SpywareBlaster and that there is nothing to worry about.

    There were some previous problems with Dr. Web giving heuristic "probable" alerts on SpywareBlaster before - looks like I'll have to go contact them again. :rolleyes:

    Thanks for posting this information, though. I don't have Dr. Web myself so your post allows me to report the false-positive much sooner.

    EDIT: But just to be on the safe side, you might want to try re-downloading from http://www.wilderssecurity.net/spywareblaster.html There is always the possibility that something malicious infected the spywareblaster executable (but then, you would probably have a much bigger problem on your hands, as most other executables on your system would be infected). If you still get the detection after a reinstall, then you can be sure it is a F/P. (I'm mentioning this as I haven't had any reports of this particular issue yet - better safe than sorry!)

    EDIT [2]: Here's the old thread about Dr. Web falsely detecting spywareblaster.exe with its heuristics - http://www.wilderssecurity.com/showthread.php?t=7929

    Best regards,

    -Javacool
     
  3. _Tat_

    _Tat_ Guest

    Javacool,

    Thanks for your fast reply! :)

    I'm pretty sure too that it's a false positive (as I said - Trojan Hunter doesn't detect anything on that file) - but to make sure I'll download again and uninstall/reinstall.

    That's strange to me because I didn't have any of those false alerts prior to the update. That's why I thought if you might have made any change which triggers the alert.

    let's see the result of the new install... I'll be back soon...
     
  4. _Tat_

    _Tat_ Guest

    Javacool,

    Just FYI: I just re-installed v.2.5.3 from a new download (I used the wilders.org link for download), and I'm still getting the same warning. DrWeb also alerted me (same text) during installation: "... probably infected with BACKDOOR.trojan"

    The heuristics of DrWeb ARE very sensitive. But I'd rather bear with some false positives (it's not so many...) than disabling heuristics and getting anything pass onto my system...

    regards,
    Tat
     
  5. fend

    fend Guest

    hi,

    It's happening to me too, with the new version of 2.5.3.

    it's happened about 3 times and this last time I have put it down to when I updated spywareblaster as that was the only security prog that I did on this particular day.

    my anti-virus is coming up with the trojan JS_Seeker.R but says it's a virus. but it does get cleaned off. and does not reappear till next update.

    not 100% but thinking last time it happened was when I downloaded this latest version, but for sure with the last update a few days ago.

    anti-virus picks it up on next boot up from download.

    any ideas o_O
    cheers for any help.
     
  6. fend

    fend Guest

    forgot to mention... my antivirus is pc-cillin 2000 version.

    cheers.
     
  7. javacool

    javacool BrightFort Moderator

    Joined: Feb 10, 2002 | Posts: 3,995

    Well thank you for the information - I can assure you that the SpywareBlaster executable and the associated updates (definitions) are clean of any infections. Unless something is present on your system and is infecting those files, both of these sound strongly like false-positives.

    It might do some good if both of you could contact the makers of your anti-virus software - I'll try to do so myself but sometimes these things are fixed faster if customers contact the company.

    Best regards and thanks,

    -Javacool
     
  8. Vampirefo

    Vampirefo Guest

    I just downloaded SpywareBlaster and installed it, then I downloaded the updates for SpywareBlaster installed them, McAfee found nothing.
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined: Jul 1, 2001 | Posts: 12,472 | Location: The Netherlands

    It's a false positive - in all cases (we've fired up all - major antiviruses on this one). Quite right Vamp - McAfee doesn't jump in ;).

    regards.

    paul
     
  10. javacool

    javacool BrightFort Moderator

    Joined: Feb 10, 2002 | Posts: 3,995

    Well I can personally confirm that the following products do not give any false-positive reading on the spywareblaster.exe:
    -Norton AntiVirus
    -NOD32
    -BOClean
    -TDS

    So it does sound like rather sensitive/strong heuristics are the cause here (the more powerful the heuristic detection in an AV/AT many times means the more frequent the false positives). Thanks to all who have reported results from various AV/AT products.

    Best regards,

    -Javacool
     
  11. fend

    fend Guest

    Javacool, thanks for the quick reply,

    I shall do as suggested and contact me AV people.
    cheers for the info.
     
  12. _Tat_

    _Tat_ Registered Member

    Joined: Apr 13, 2003 | Posts: 14 | Location: somewhere between the worlds

    from my experience I'd say you can add TrojanHunter to that list! :)

    I'm still curious though what actually could cause such an alert... o_O
     
  13. javacool

    javacool BrightFort Moderator

    Joined: Feb 10, 2002 | Posts: 3,995

    Strong heuristics can catch many unknown viruses - but they also tend to make a lot of false-positive detections. In many cases, an anti-virus program with heuristics might take a look at a file and go through a checklist of items - if a certain number (or any in some cases) are found to be true, then the heuristics will flag a file as "possible".

    Of course, because legitimate files ALSO share some of the same characteristics as malicious files, they will undoubtedly be flagged too. From what I understand, many different, perfectly safe executables are also flagged by Dr. Web's heuristics as "possible virus/trojan". SpywareBlaster is flagged (and is perfectly safe, mind you :)) - I have attempted to contact the makers of Dr. Web, but since this is simply a heuristic detection (and the heuristics are understood to incorrectly detect files on occasion) I don't know if/when it will be fixed.

    Best regards,

    -Javacool
     
  14. _Tat_

    _Tat_ Registered Member

    Joined: Apr 13, 2003 | Posts: 14 | Location: somewhere between the worlds

    Well - for me personally it's not so many. Besides SpywareBlaster I only have 2 other programs which trigger the same 'possible Backdoor.trojan' alert and those are the only false positives I ever got from DrWeb. And as I already mentioned above - I'd rather bear with a few false positives but have the benefit of a higher safety level with the heuristics enabled... :)

    At least I can say that much, that they didn't fix it in their latest program update v. 4.29c which was released today. I just updated and then started SpywareBlaster for checking it out, and immediately got the same alert again... :rolleyes: ...

    Regards,
    Tat

    ---
    Edit: typo corrected
     
  15. spy1

    spy1 Registered Member

    Joined: Dec 29, 2002 | Posts: 3,139 | Location: Clover, SC

    Tat - Since you use DW - have you contacted them about it? Pete
     
  16. _Tat_

    _Tat_ Registered Member

    Joined: Apr 13, 2003 | Posts: 14 | Location: somewhere between the worlds

    Pete - as I did not get that alert in previous versions of SpywareBlaster, there must have been some change from the former to this version, which now triggers the alert. Maybe in your eyes this doesn't make sense, but I actually hoped it would be possible to find out what that is, _before_ contacting DrWeb - as I think Javacool will know much better what he changed, than DrWeb does. ;)

    However... - yes, I meanwhile also sent a report to DrWeb with a link on this topic. :rolleyes:
     
  17. _Tat_

    _Tat_ Registered Member

    Joined: Apr 13, 2003 | Posts: 14 | Location: somewhere between the worlds

    Just got reply from DrWeb support... - wow - THAT was fast! :D

    *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *.

    Date: Thu, 17 Apr 2003 11:45:19 +0400
    From: Support DrWeb <support@drweb.ru>
    To: Tatjana Luck <xxxxxxx>
    Subject: Re: false probable trojan alert on scanning spywareblaster.exe

    Hello Tatjana!

    Yes, it seems like false alarm on this software, we'll try to fix it in
    future release. As temporary solution we can recommend you to add
    SpyWareBlaster's path to the "excluded folders and paths" to prevent
    SpIDer's false alarms.

    Tatjana Luck wrote:
    > Hello,
    >
    > I'm running DrWeb 4.29c on Win98SE. Since a recent upgrade of
    > 'SpywareBlaster' to version 2.5.3 I'm getting an alert by Spiderguard
    > every time I launch SpywareBlaster:
    >
    > " C:\...\...\SPYWAREBLASTER.EXE probably infected with BACKDOOR.Trojan"
    >
    > An on demand scan of the SpywareBlaster program folder produces the
    > following log file entry:
    >
    > --- 8<------------------------------
    >
    > [Scan path] C:\PROGRAM FILES\SPYWAREBLASTER
    > C:\PROGRAM FILES\SPYWAREBLASTER\unins000.exe - Ok
    > C:\PROGRAM FILES\SPYWAREBLASTER\spywareblaster.exe probably infected with BACKDOOR.Trojan
    > C:\PROGRAM FILES\SPYWAREBLASTER\updatersup.exe - Ok
    > C:\PROGRAM FILES\SPYWAREBLASTER\sbhelp.chm - Ok
    >
    > -----------------------------------------------------------------------------
    > Scan statistics
    > -----------------------------------------------------------------------------
    > Objects scanned: 6
    > Infected objects found: 0
    > Objects with modifications found: 0
    > Suspicious objects found: 1
    > Objects cured: 0
    > Objects deleted: 0
    > Objects renamed: 0
    > Objects moved: 0
    > Scan speed: 394 Kb/s
    > Scan time: 00:00:03
    >
    > --- 8<------------------------------
    >
    > In previous versions of SpywareBlaster I never got this alert, so I
    > reported the problem in the SpywareBlaster support forum at
    >
    > http://www.wilderssecurity.com/showthread.php?t=8424
    >
    > Following the vendor's advice I tried to uninstall/reinstall
    > SpywareBlaster from a fresh download but I'm still getting the same
    > alert as before. Yesterday I also updated DrWeb from version 4.29b to
    > the current version 4.29c, still the problem remains.
    >
    > In case there is any relevance - these are my settings for SpiderGuard:
    >
    > * Scan:
    > OnAccess scan: smart
    > Heuristic analysis [ x ]
    > Virus activity control [ x ]
    > System Kernel Protection [ x ]
    >
    > * File Types
    > [ x ] By Formates
    > [ x ] Archives
    > [ x ] Packed Executables
    > [ x ] Mail
    >
    > I'm well aware that the above described alert is only a warning, most
    > likely caused by DrWeb's quite sensitive heuristic scan - still it is
    > annoying, as it turns up every time I start the SpywareBlaster. I
    > would be grateful if you could perhaps look into it and if there was
    > any possibility to get this problem fixed somehow?
    >
    > Any help would be very much appreciated! :)
    >
    > Best Regards,
    > Tatjana Luck <xxxxxxx>

    --
    Best regards,
    ID Anti-Virus Lab. Ltd. Welcome to: www.drweb.ru
    SalD Ltd. Mail to: support@drweb.ru

    *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *.

    cheers,
    Tat


    ---
    edit: typo
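
Added example (not part of the thread and not any poster's or vendor's code): the on-demand log quoted in the post above reports a heuristic "probably infected with" verdict under "Suspicious objects found" while "Infected objects found" stays at 0. This Python example parses that log layout and triages it; the function names and verdict labels are assumptions, and the line patterns are inferred only from the excerpt shown in the post.

```python
import re

# Excerpt of the scan log quoted in the post above; patterns below are inferred from it.
SAMPLE_LOG = r"""
[Scan path] C:\PROGRAM FILES\SPYWAREBLASTER
C:\PROGRAM FILES\SPYWAREBLASTER\unins000.exe - Ok
C:\PROGRAM FILES\SPYWAREBLASTER\spywareblaster.exe probably infected with BACKDOOR.Trojan
C:\PROGRAM FILES\SPYWAREBLASTER\updatersup.exe - Ok
C:\PROGRAM FILES\SPYWAREBLASTER\sbhelp.chm - Ok
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 6
Infected objects found: 0
Suspicious objects found: 1
Scan time: 00:00:03
"""

HEUR = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) probably infected with (?P<name>\S+)$")
CLEAN = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - Ok$")
STAT = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
SKIP = ("[Scan path]", "Scan statistics", "---")

def parse_scan_log(text):
    """Return clean paths, heuristic hits, counters and any unrecognised lines."""
    out = {"clean": [], "heuristic": [], "stats": {}, "unparsed": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(SKIP):
            continue
        if m := HEUR.match(line):
            out["heuristic"].append((m["path"], m["name"]))
        elif m := CLEAN.match(line):
            out["clean"].append(m["path"])
        elif m := STAT.match(line):
            value = m["value"]
            out["stats"][m["key"]] = int(value) if value.isdigit() else value
        else:
            out["unparsed"].append(line)  # unknown verdicts are never assumed benign
    return out

def triage(parsed):
    """Classify a parsed log; anything unexpected is escalated, not dismissed."""
    if parsed["unparsed"]:
        return "review-manually"
    if parsed["stats"].get("Infected objects found", 0) > 0:
        return "confirmed-detection"
    if len(parsed["heuristic"]) != parsed["stats"].get("Suspicious objects found", 0):
        return "log-inconsistent"
    return "heuristic-only" if parsed["heuristic"] else "clean"
```

A "heuristic-only" result matches what the thread describes: one suspicious object, no confirmed infection, which is the case to report to the scanner vendor as a possible false positive.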
     
  18. Paul Wilders

    Paul Wilders Administrator

    Joined: Jul 1, 2001 | Posts: 12,472 | Location: The Netherlands

    Nice job, tat!

    regards.

    paul
     
  19. _Tat_

    _Tat_ Registered Member

    Joined: Apr 13, 2003 | Posts: 14 | Location: somewhere between the worlds

    thanx Paul! :)

    cheers,
    Tat
     
  20. spy1

    spy1 Registered Member

    Joined: Dec 29, 2002 | Posts: 3,139 | Location: Clover, SC

    Tat - Asking JC about it made sense (up to a point) - my point was that when you're dealing with a trusted program (like anything by JC! :) ) my first email/post would have been to the manufacturer of whatever program had found something "wrong" with it (even in the most indirect way - such as a heuristic detection like you got).

    For example, when I update my defs in SpyCop, NOD or TDS and wind up with a "hit" on something that's been on my computer forever, I don't email/question the "hit on" software - I question whomever "hit" on it - especially when heuristics are involved (also when it's a hit that might be due to a generic "detection" due to a plain-text string of some kind, when/if such a detection method is used).

    Not to mention the fact that five posts over a three day period here could have been saved by simply emailing DW support to start with (and kudos to DW for such a rapid, effective response!).

    Glad everyone can stop "wondering" now. Pete
     
  21. _Tat_

    _Tat_ Registered Member

    Joined: Apr 13, 2003 | Posts: 14 | Location: somewhere between the worlds

    well Pete - you have your preferences how to get things done, I have mine; and I told you already why I did it this and not the other way around. - And I would always do it in the same order again in a similar situation, as for me this is not a matter of which application I trust more, but which of the suddenly conflicting applications has changed and thus caused the conflict. ;)

    Agreed! :)

    Me too! :D

    cheers,
    Tat
     