Phant0m``s Look 'n' Stop Ruleset - Trojan?

Discussion in 'Prevx Releases' started by Music4Ever, Jul 1, 2012.

Thread Status:
Not open for further replies.
  1. Music4Ever

    Music4Ever Registered Member

    Joined:
    Jan 17, 2012
    Posts:
    19
    Location:
    England
    After reading on the Look 'n' Stop section, I thought it might be an idea to buy the Phant0m``s Look 'n' Stop Rule-set - This sent WSA into overdrive, regarded the installer as a Trojan & removed multiple infections. Was it correct in doing this, it seems several on the Look 'n' stop section of this forum use this rule-set without issue.

    http://www.mntolympus.org/

    Any help? I do have an image made directly before I ran the installer so I can image back without any problems. Have I been conned?

    :)

    Thanks ~
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    If you could write into our support inbox, they'll be able to help you out :)
     
  3. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    It's a False Positive as I use the same and I have sent the line in the log to WSA support and asked to change the determination! ;)

    TH
     
  4. Music4Ever

    Music4Ever Registered Member

    Joined:
    Jan 17, 2012
    Posts:
    19
    Location:
    England
    Some of the possible threats that were removed were of a legally worrying nature, though several immunizing programs I've used also contain websites etc. of a 'threatening' nature to prevent access.

    What did concern me was even after telling WSA to ignore the installer as a Trojan on re-boot many supposed threats were removed. I've submitted all info to WSA anyway.

    How exactly though did you get the rule-set to install? After ignoring the installer as a threat, WSA on the next re-boot was locked to remove supposed threats & WSA removed the entire rules from Look 'n' Stop & returned LNS to default rules.

    This thread was by way of an inquiry as it was a little worrying to say the least, anyway I've restored an image & will see what transpires as to reinstalling the rule-set.

    Thanks for the info.

    Paul

    Edited for grammar
     
  5. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
  6. Music4Ever

    Music4Ever Registered Member

    Joined:
    Jan 17, 2012
    Posts:
    19
    Location:
    England
    Looks like it's up to Webroot to sort it then?

    Interestingly, neither Mbam, Trojan Remover nor SAS had issues after further experimentation & interesting results ;-)
     
  7. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Here is more info, but I can say that Phant0m``s Look 'n' Stop Rulesets are safe; it was detected by other vendors as well: http://www.mntolympus.org/phpBB3/viewtopic.php?f=24&t=7117

    HTH,

    TH
     
  8. Music4Ever

    Music4Ever Registered Member

    Joined:
    Jan 17, 2012
    Posts:
    19
    Location:
    England
    Full apology to Phant0m, after reading the thread I missed, if it has caused any issues to who seems a very decent guy.
     
  9. Music4Ever

    Music4Ever Registered Member

    Joined:
    Jan 17, 2012
    Posts:
    19
    Location:
    England
    Yes, cross-posted there. I've just read the thread(s). Might take a while for Webroot to sort but I'm in no major hurry.
     
  10. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Phant0m``s Look 'n' Stop Rulesets aren't well known; that's why it's picked up as suspicious by many scanners whenever he updates his Rulesets, and Webroot will fix this issue ASAP. ;)

    TH
     
  11. Music4Ever

    Music4Ever Registered Member

    Joined:
    Jan 17, 2012
    Posts:
    19
    Location:
    England
    Webroot support feel it's not a FP & a Trojan, as they seem to have read exactly the same info from VirusTotal I read last night - Asking for me to submit the file in question zipped I thought would have been an idea?

    'We have examined the logs from your system and found that the detected items have been reported and detected by multiple engines from Virus Total as a Trojan.Win32.Generic infection. It's not a false positive in this case and the installer infects the machine with a trojan.

    https://www.virustotal.com/file/14588387eaa17c3efb2b49fe0c20dd8a89ea47ce154c4ab03fe7662599fcd1a0/analysis/'

    They do suggest I try the file again (done that) & inform me that WSA does have an excellent firewall, which to be honest is somewhat insulting to my intelligence.

    Is there a way to get round this situation? To be rather simplistic, it either is a Trojan that causes multiple infections or it isn't.
     
    Last edited: Jul 2, 2012
  12. Music4Ever

    Music4Ever Registered Member

    Joined:
    Jan 17, 2012
    Posts:
    19
    Location:
    England
    Phant0m from the posts I have read has known for some time this is an ongoing problem & to be blunt seems disinterested in doing anything to remedy the situation & is waiting to be fully exonerated rather than repackaging the rules.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    You could override it locally. I'm really not sure why he would be using some obscure packer for it anyway as it's supposed to improve security.
     
  14. Music4Ever

    Music4Ever Registered Member

    Joined:
    Jan 17, 2012
    Posts:
    19
    Location:
    England
    To be honest at this point I'm inclined to err on the side of caution & trust Virus Total rather than Phant0m - You really shouldn't be having ANY security issues with an installer (a bought security program actually) that sets rules for a Firewall, esp. as it's been going on since at least last year - There is no email contact on his page & no information regarding the programmer whatsoever & the only contact is through the forum. There are heaps of obscure small programs I've used that haven't triggered major AV issues; in fact this is the first for many years.
     
    Last edited: Jul 2, 2012
  15. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I use it as it only adds Phant0m``s Look 'n' Stop Ruleset to Look'N'Stop, and Joe, we had this issue with Prevx and they had no problem making it good in their database!

    TH

    Capture02-07-2012-1.01.50 PM.jpg
     
  16. Music4Ever

    Music4Ever Registered Member

    Joined:
    Jan 17, 2012
    Posts:
    19
    Location:
    England
    Well, in conclusion I was unimpressed to say the least with the reply from Webroot - it did look a little 'copy & paste' - I only hope I don't have issues with a more complex/expensive program than a $10 or to me £6.50 rule-set :)
     
  17. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    289
    On the other hand, Phant0m has been around forever it seems to me. I have never seen anything with regards to improper behavior, and why on earth would he stoop to that? I mean he would be gone like that if the forum communities = his most likely buyers (probably only buyers) found out about such a theoretical scenario.

    Why not err on the side of being calm instead. TH has sent the files to the lab so knowing TH you will know soon enough what the verdict is. :)
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've passed these onto our research team as well so the false positive will be corrected. It's difficult with software like this where so many attributes point to it being malicious.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This should be fixed now :)
     
  20. Music4Ever

    Music4Ever Registered Member

    Joined:
    Jan 17, 2012
    Posts:
    19
    Location:
    England
    @Sir Percy - I am calm - I also feel the way to resolve 'some' issues in life is to get things into the open 'sometimes' in a somewhat forthright way, not aggressive though & there is a difference. We are all different & I wasn't overly impressed at the reply from Webroot & I said so – If that is a problem I'm happy to discuss it.

    I would rather do that than slate Webroot off in private; if I have offended anyone that was never my intention. I praise & recommend & also say when I feel improvements can be made; I do that in life in general. I am also very impressed that the issue should have been fixed now. I did include this thread URL in my initial information to Webroot support but it does seem they perhaps did not look, though of course I could be wrong? I know of this forum; not all Webroot customers do though.

    I maintain Phant0m could do more to help this ongoing problem, some info on his home page or links to the issue in the forum would take minutes to do, but of course that's up to him, he got his ten bucks from me though – I have to deal with my customers & suppliers also on a daily basis & if changes need to be made I make them. I also have a rule that anything I type in a forum I would say to a person face to face.

    Thanks for all the help.:argh:
     
    Last edited: Jul 2, 2012
  21. Music4Ever

    Music4Ever Registered Member

    Joined:
    Jan 17, 2012
    Posts:
    19
    Location:
    England
    That worked perfectly - Thank you.

    Paul
     
  22. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Thanks Joe! ;)

    Cheers,

    Daniel
     