Spy Sweeper detecting TrojanHunter LiveUpdate as masked Rootkit

Discussion in 'other anti-malware software' started by siliconman01, Apr 6, 2006.

Thread Status:
Not open for further replies.
  1. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    786
    Location:
    West Virginia (USA)
The latest definitions (650) for Spy Sweeper are detecting the files in the TH LiveUpdate folder as a potentially masked rootkit. This is obviously a FALSE POSITIVE in Spy Sweeper.

    Do not let SS remove these files in your TH LiveUpdate folder.

    Spy Sweeper log shown below.

    10:00 PM: | Start of Session, Wednesday, April 05, 2006 |
    10:00 PM: Spy Sweeper started
    10:00 PM: Sweep initiated using definitions version 650
    10:00 PM: Starting Memory Sweep
    10:05 PM: Memory Sweep Complete, Elapsed Time: 00:04:59
    10:05 PM: Starting Registry Sweep
    10:05 PM: Registry Sweep Complete, Elapsed Time:00:00:31
    10:05 PM: Starting Cookie Sweep
    10:05 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    10:05 PM: Starting File Sweep
    10:19 PM: Found System Monitor: potentially rootkit-masked files
    10:19 PM: g20060322_0800.trf (ID = 0)
    10:19 PM: g20060331_0444.trf (ID = 0)
    10:19 PM: gen.dll (ID = 0)
    10:19 PM: liveupdate.exe (ID = 0)
    10:19 PM: cumulative20060322.trf (ID = 0)
    10:20 PM: settings.ini (ID = 0)
    10:20 PM: updatelist.txt (ID = 0)
    10:20 PM: updatelist.txt (ID = 0)
    10:20 PM: liveupdate.ini (ID = 0)
    10:20 PM: m20060322_0800.trf (ID = 0)
    10:20 PM: liveupdate.lnk (ID = 0)
    10:20 PM: liveupdate.lnk (ID = 0)
    10:20 PM: File Sweep Complete, Elapsed Time: 00:14:29
    10:20 PM: Full Sweep has completed. Elapsed time 00:20:01
    10:20 PM: Traces Found: 12
    1:35 AM: Updating spyware definitions
    1:35 AM: Your definitions are up to date.
    2:01 AM: Updating spyware definitions
    2:01 AM: Your definitions are up to date.
     
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Why is this posted in the Ewido forum?
     
  3. Ranger Bob

    Ranger Bob Registered Member

    Joined:
    Nov 9, 2002
    Posts:
    53
    Location:
    Florida
    I ran a Spy Sweeper scan this morning after your post and Spy Sweeper found nothing on TrojanHunter 4.5 build 920 on my system.
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    The option of scanning for rootkits is not selected by default.
    Did you set SS to sweep for rootkits? (under sweep options).

    Fax
     
  5. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    786
    Location:
    West Virginia (USA)
    This is not the Ewido forum. It's the Other anti-trojan software section. :eek:

    I'm running the latest Build 922 of TH...released on 05-Apr-2006. Changes were made in LiveUpdate for allowing LiveUpdate to run on Limited User Accounts, so maybe this is why SS is detecting it. ;)

    Yes, I would prefer it to do so. But not in TrojanHunter's LiveUpdate :blink:
     
  6. Ranger Bob

    Ranger Bob Registered Member

    Joined:
    Nov 9, 2002
    Posts:
    53
    Location:
    Florida
    Yes the option is selected, in fact I have all the options selected for my scans.
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Then, as suggested by Siliconman, it is a problem of build 922. Or better to say: it's a problem of SS 4.5 with build 922 of TH!

    Fax:)
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Better explanation by SS staff here: Castelcops SS forum

    Cheers,
    Fax
     
  9. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    786
    Location:
    West Virginia (USA)
    Magnus's response on Castlecops

    "TrojanHunter removes the ACL for everyone except the Users group for the RuleFiles folder. Apparently that is causing the problem. If Spy Sweeper runs under the System account it will get access denied errors trying to read the folder contents. Then again, any folder to which Spy Sweeper doesn't have access would be flagged as a potential rootkit-masked folder...

    I will make sure the ACL gets edited instead in the next release."
     
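The log in the first post and Magnus's explanation above describe the same failure mode from two sides: the scanner lists files it could not read as "potentially rootkit-masked", and the reason it could not read them is an ACL that excludes the account the scanner runs under. The script below is an added triage example, not code from the thread, Spy Sweeper or TrojanHunter. It parses log lines in the shape quoted in post 1, then tries an ordinary directory listing of the flagged folder and separates "access denied" (an ACL question, as in this thread) from "the file is visible" and "the file is not in the listing". The sample log, the folder paths and the `denied_lister` stand-in are constructed; the log format is inferred from the quoted output.

```python
"""Triage helper for a 'potentially rootkit-masked files' finding.

Added example, not from the thread or either product. Log format is
inferred from the log quoted in the thread; all sample data is constructed.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample in the shape of the Spy Sweeper log quoted in post 1.
SAMPLE_LOG = """\
10:05 PM: Starting File Sweep
10:19 PM: Found System Monitor: potentially rootkit-masked files
10:19 PM: gen.dll (ID = 0)
10:19 PM: liveupdate.exe (ID = 0)
10:20 PM: settings.ini (ID = 0)
10:20 PM: File Sweep Complete, Elapsed Time: 00:14:29
10:20 PM: Traces Found: 3
"""

FINDING_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: Found (?P<category>[^:]+): (?P<desc>.+)$")
ITEM_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (?P<name>\S.*?) \(ID = (?P<id>\d+)\)$")
END_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (File Sweep Complete|Traces Found)")


@dataclass
class Finding:
    category: str
    description: str
    items: List[str] = field(default_factory=list)


def parse_findings(log_text: str) -> List[Finding]:
    """Group the '(ID = n)' lines under the 'Found ...' header that precedes them."""
    findings: List[Finding] = []
    current = None
    for line in log_text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            current = Finding(m["category"], m["desc"])
            findings.append(current)
            continue
        if END_RE.match(line):
            current = None  # sweep summary lines end the current finding
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            current.items.append(m["name"])
    return findings


# Verdicts. The distinction that matters in this thread is ACL_DENIED vs the rest.
ACL_DENIED = "acl_denied"  # listing failed with access denied: check the folder ACL first
LISTED = "listed"          # a plain directory listing shows the file from this account
ABSENT = "absent"          # folder readable (or missing) but the file is not listed


def classify_items(folder: str, items: List[str],
                   lister: Callable[[str], List[str]] = os.listdir) -> Dict[str, str]:
    """Enumerate `folder` the ordinary way and classify each flagged item.

    `lister` is injectable so the access-denied path can be exercised
    without changing any real ACL; by default it is os.listdir.
    """
    try:
        present = {name.lower() for name in lister(folder)}  # Windows names are case-insensitive
    except PermissionError:
        return {item: ACL_DENIED for item in items}
    except FileNotFoundError:
        return {item: ABSENT for item in items}
    return {item: (LISTED if item.lower() in present else ABSENT) for item in items}


def triage(log_text: str, folder: str,
           lister: Callable[[str], List[str]] = os.listdir) -> Dict[str, str]:
    """Classify every item under each 'rootkit-masked' finding in the log."""
    verdicts: Dict[str, str] = {}
    for finding in parse_findings(log_text):
        if "rootkit-masked" not in finding.description:
            continue
        verdicts.update(classify_items(folder, finding.items, lister))
    return verdicts


ADVICE = {
    ACL_DENIED: "scanner could not read the folder; compare its ACL with the scanner's account before treating this as hidden",
    LISTED: "visible to a plain listing from this account; not masked in this context",
    ABSENT: "not in the listing; re-check from another account or tool before concluding anything",
}


def denied_lister(folder: str) -> List[str]:
    """Constructed stand-in for a folder whose ACL excludes the caller."""
    raise PermissionError(13, "Access is denied", folder)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "gen.dll"), "w").close()
        for name, verdict in triage(SAMPLE_LOG, tmp).items():
            print(f"{name:16} {verdict:11} {ADVICE[verdict]}")
        print("--- same log, folder the caller cannot read ---")
        for name, verdict in triage(SAMPLE_LOG, tmp, lister=denied_lister).items():
            print(f"{name:16} {verdict:11} {ADVICE[verdict]}")
```

The point of the `ACL_DENIED` verdict is the one Magnus makes: a folder the scanner's account cannot read is indistinguishable, from inside the scanner, from a folder a rootkit is hiding, so the first triage step is to compare the folder's ACL with the account the scanner runs under rather than to delete anything.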
  10. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    I can see that, but wasn't it posted first in the Ewido section last night before being moved?
     
  11. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    786
    Location:
    West Virginia (USA)
    If it was in the Ewido section, that certainly was not my intent !!:blink:
     
  12. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    This thread isn't designated with a "Moved" sticky, and I remember reading it when it was first posted and no one else had replied. I also remember seeing it in the "Other Anti-Trojan" forum because I rarely check the ewido forum since they haven't released anything new to even check into lately (cough, cough....ahem, ahem....) and I'm not currently using ewido. Anyway, no biggie...just wanted to point out that I believe it was in the right place to begin with :thumb:
     
  13. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Nope, it has not been moved - I just checked.
     
  14. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    But, it does say removed, if you access it from the Other anti-trojan software section.:D

    Ok, ok, I stand corrected.;)
     