Possible false positives with latest eTrust scan.

Discussion in 'malware problems & news' started by spy1, Jun 7, 2002.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    "eTrust EZ Antivirus Version 5.4.2.0
    Started scanning:      12:50:32 PM, 6/7/2002
    Major dat file       v1000
    Minor dat file       v2094
    Macro dat file      Jun  6 2002 (VMD Ver 1.6)

    Scanning file(s)...
    C:\WINDOWS\SYSTEM\PAV.SIG - Win95.Bumble.1736/1738 dropper.
    C:\WINDOWS\SYSTEM\imscan.dll - infected with Tentacles III virus.

    Finished scanning:      12:57:20 PM, 6/7/2002
    Number of files scanned: 24489.
    Number of infections: 2
    Number of infected files not cleaned/deleted/renamed: 2
         C:\WINDOWS\SYSTEM\PAV.SIG (Win95.Bumble.1736/1738 dropper)
         C:\WINDOWS\SYSTEM\imscan.dll (Tentacles III virus)"

    Not getting any hits from any of my other programs on those two. Fixing to send it to etrust for analysis. Anybody else seeing this? Pete

    *I may need to update the eTrust engine - didn't they go to version 6 something just here lately?
     
  2. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Re: Possible false positives with latest eTrust sc

    Did you recently use or install Panda Antivirus, Pete?


    Technodrome
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Possible false positives with latest eTrust sc

    I've got the Panda cleaner on here that you can get from our d/l page on here, TD. I recognized that one; it was the other one I wasn't sure about. Of course, they're both being picked up from PAV, so that's probably where both FPs are coming from.

    Now I'm trying to remember whether I used my old or new email addy. when I emailed them - oh, well!  :D Pete
     
  4. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Re: Possible false positives with latest eTrust sc

    Yup!
    Imscan.dll file, if I do recall this right, comes with Panda's ActiveScan as well, and is the anti-virus scanning engine.

    Technodrome
     
  5. Pete

    Pete Guest

    Re: Possible false positives with latest eTrust sc

    That's what it was - I ran an ActiveScan at the PCPitStop site not too long ago. Pete
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Possible false positives with latest eTrust sc

    Okay, here's the response from etrust:

    Dear  spy1,
    This is to notify you of the results of the testing carried out by the
    Virtue system on the files that you sent to us.

    Unfortunately you have encountered a false positive in our product, which
    was not found by our extensive testing in QA. We will fix this problem
    asap and notify you of the solution within 48 hours.

    =========================================================================



    The analysis of the 1st file submitted as "imscan.zip" has been completed.

    The PkWare Zip Archive file has been determined to be clean.
    There are however some files contained within this file, which this
    section of your report does not cover. Results of the analysis of these
    files can be found later in this report.

    #########################################################################


    The analysis of the  file submitted as "imscan.dll" has been completed.

    The Windows Dynamic Link Library file has been determined to be clean.
    A human researcher has analysed the file and found nothing suspicious. Researcher comment:
    This is a DLL part of Panda Antivirus software. It contains search strings for detecting viruses, but these search strings are not encrypted. Because of this, the file may appear infected to other scanners.

    Hasn't been corrected yet - probably in Monday's update. Pete
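
    The researcher's comment quoted in the post above, as an added example that is not part of the original thread or of either vendor's code: a naive byte-pattern scanner flags another product's signature store when the patterns sit in it unmodified, and stops flagging it once they are masked at rest. The pattern bytes, names and the single-byte XOR mask are constructed assumptions, not real signatures or any product's format.

```python
# Added illustration. All patterns and names are constructed for the demo;
# they are not real virus signatures or a real product's database format.
SIGNATURES = {
    "Demo.Alpha": bytes.fromhex("dec0de414c5048411337"),
    "Demo.Beta": b"\x90\x0d\xf0\x0dBETA\x00\x42",
}
XOR_KEY = 0x5A  # hypothetical mask applied to patterns stored on disk


def scan(data: bytes, signatures: dict) -> list:
    """Naive scanner: report every signature whose bytes occur in data."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def pack_plain(signatures: dict) -> bytes:
    """Signature store holding raw patterns (length byte + pattern)."""
    return b"".join(bytes([len(p)]) + p for p in signatures.values())


def pack_masked(signatures: dict, key: int = XOR_KEY) -> bytes:
    """Same layout, but every pattern byte is XOR-masked at rest."""
    return b"".join(bytes([len(p)]) + bytes(b ^ key for b in p)
                    for p in signatures.values())


def unpack_masked(blob: bytes, key: int = XOR_KEY) -> list:
    """Recover the original patterns so the owning engine can still match."""
    out, i = [], 0
    while i < len(blob):
        n = blob[i]
        out.append(bytes(b ^ key for b in blob[i + 1:i + 1 + n]))
        i += 1 + n
    return out


if __name__ == "__main__":
    # A second scanner sharing these patterns sees the plain store as "infected".
    print("plain store :", scan(pack_plain(SIGNATURES), SIGNATURES))
    # The masked store contains no matching byte runs, so nothing is reported.
    print("masked store:", scan(pack_masked(SIGNATURES), SIGNATURES))
    # The owning engine unmasks in memory and keeps its detection ability.
    print("round trip  :", unpack_masked(pack_masked(SIGNATURES)) == list(SIGNATURES.values()))
```

    For triage, a detection that lands only on another security product's data file or engine DLL, with no other scanner agreeing, fits this pattern and is worth submitting to the vendor as the poster did.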
     