Twister-AntiTrojenVirus Thread.

Discussion in 'other anti-virus software' started by Taliscicero, Dec 3, 2008.

Thread Status:
Not open for further replies.
  1. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    There are 2 ways for online submission.

    1) Tools ---> Submission --> Online submit false positive. In that case, you will have to browse to the file and select it. It will then be uploaded to Filseclab.

    2) Via email. Put the file(s) that are false positives in a zipped file and send them to <falsealarm [at] filseclab.com> (it's the mail address that appears if you click "email false positive" under Tools-->Submission).

    "What file"?

    - The exact file that Twister flagged as virus. You can check the log to see exact path and name.

    Csv file?? No, you must send exactly the file that caused the false positive.
     
  2. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    Wow, i have more than 300 FPs..... got to do it 300 times...
    i tried but it doesn't allow any connection

    i have done this instead...but as a csv file...
     
  3. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    300?! We have a new winner! :D In this case, it's best to copy them all in a folder, zip it and send it via email. If they are all in a folder you can also "mass-online submit them", by holding down the mouse key and selecting them all. An online submission window will start and will start uploading all the selected ones one by one without further input from you.

    Where did this csv file come up from? o_O Anyway, csv won't be of any help. They need the real code. Check your PM.
     
  4. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380

    maybe i do it wrongly..... i click "Log" and export...
     
  5. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Ah, i see! Yes, unfortunately the log won't help. They'd have to download all your applications in there (assuming they can understand which they are) and install them.

    I am afraid you have to see in the log which is the executable and path and put it in a new folder and send it to them. With 300 that will be nasty... :ninja:

    You must find each of the files mentioned in the log, copy it to a new folder and when you are finished, zip the folder and email it with title "False positives".

    If you have trusted the files, they must also be listed in "extended options". So if you see (for example) C: Program Files/Abiword/bin/Abiword.exe, you have to browse your C disk, go to Abiword folder, bin subfolder, copy the Abiword.exe in a new folder with the files to send to Filseclab. So it's the "Abiword.exe" the one you must send in this example.
     
  6. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    i see... thanks for the clarifications.

    There is this file size limit of 2.0MB by Filseclab..
    i have this file "gimp-2.6.exe" that is 4.5MB.
    I select this file through the online submission...
     
  7. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    sorry i zipped it up and trying the submission now...
     
  8. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    While Submission fails...

    Status "Cannot connect to server"
     
  9. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Yes, the 2MB limit is unfortunate... In such cases, the only way is to send it via email (zipped).

    Don't be sorry... I wish Twister didn't have so many false positives... It's not your fault.
     
  10. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Are you sure your firewall isn't blocking it? In my case, i just tested to submit something and it did. For online submissions, if i remember well, you need to give permission to Twister.exe, port 80 outbound.
     
  11. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    Still unable to upload. Even though i have disabled CIS..
    I have no problem with the usual liveupdate..
     
  12. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I have CIS too and submission works fine... Try to put all files in a folder, zip it and send it to Mr. Chu's mail... I don't know what to say. Live Update and submission use different internet access btw, if i remember correctly. The update uses filup.exe. The submission must be using Twister.exe. Maybe your ISP has dns problems towards China at this moment?
     
  13. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    nevermind i will try later.
    thanks
     
  14. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753

    In case you haven't rebooted since the last program update yesterday, try rebooting too before trying to re-submit them again. You never know...
     
  15. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    Well it did disable and relaunch itself, but it's still the old version! Also I had to disable live update, as when live update ran it started downloading the updated version again. So I disabled it so it doesn't download and install a 45 meg update every three hours.

    Yes I was thinking I might have to do that, but I'll see what happens when I reboot. Since I always have many web pages open and several programs running I only ever reboot when Windows stops working and is no longer usable and I "have" to reboot.
     
  16. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    If anyone needs to submit any FPs it's easier to just RAR them up and send them to Bright Chu, since he will prioritise them for you, he's nice like that :D

    Also good news for twister update!
     
  17. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380

    i uninstalled SSM, Threatfire, CIS and AppGuard...
    but upload Online FPs still fail to connect....

    Don't think is firewall problem...cos i have tried with PCTools and now OA free...
     
  18. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
  19. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    this is my settings ...
     

    Attached Files:

  20. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    anyone uses this?
     

    Attached Files:

  21. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Bryan Joe, i don't know what to say... If it isn't the firewall, it must be some conflict. I don't think it's the settings, but anyway, you can try mine.

    http://img23.imageshack.us/img23/866/86732543bi1.png

    The upload works for me.

    http://img22.imageshack.us/img22/9962/79679030dy8.png

    If all fails, you can uninstall and reinstall the new installer and see if things run better. In the meantime, send the false positive via email to Mr. Chu.

    BTW, most probably the reason that you get so many false positives, is that you have enabled the "Enable virus infection disease" and "enabled virus immunity system". They both warn on increased number of false positives and that it's not recommended. Same for the extended database. Try disabling them temporarily and do a new scan. See if false positives are less. Twister is already paranoid enough at default settings.

    I've never had to use it... fortunately.
     
    Last edited: Feb 5, 2009
  22. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Well, BryanJoe, i installed the Gimp over Shadow Defender, and soon enough, about 172 false positives, ALL of them flagged as Trojan Zzzeeelatiiin of course.

    So i uploaded them:

    http://img7.imageshack.us/img7/7102/85621589mc2.png

    Practically, it's every plug in + the main gimp executable. Now i will also send them via email (the gimp.exe is over 2MB), just to make sure this will attract their attention.
     
  23. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I have sent the first mail to Mr. Chu, i am sending a second with all samples to the "official" false positive email...

    I must say, BryanJoe, you've hit the jackpot with this one. You are officially the new false positive champion in a single Twister scan!

    http://img518.imageshack.us/img518/9820/55597297cl7.png

    Zhelatin baby!

    Honestly, i haven't searched what this Zhelatin does. But it's the most common false positive in Twister. If i were them, since they obviously can't fix it, i would remove its signature altogether and if someone gets infected by the REAL Zhelatin, well, bad luck.

    The worst thing is that i am afraid, dear Bryan Joe, that it can happen like with Abiword. And so, they will fix this now, but when the next Gimp comes out, it may flag AGAIN all new exes as Zhelatin. And sending 170+ files every time isn't fun.

    Mr. Chu, please do something about Zhelatin! :thumbd: Once and for all!

    I want to see new names in false positive alerts! :D
     
  24. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    426
    Location:
    None
    From the Filseclab website (Chinese page) using Google translation:

    Second edition V7 R3 (7.32) new features (2009.02.04):

    - Solve some system to monitor state of network access to share files slow situation.
    - VISTA enhanced under FAT/FAT32 file system support.
    - To further upgrade the kernel to optimize efficiency.
    - To improve the auto-update feature to achieve complete silence.
    - To improve the registry monitoring of TXT / INI associated alarm sensitivity.
    - Optimization of all the virus database and re-packaging.
     
  25. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Thank you Miyagi! I wish they were informing us, poor English-speaking users, more too... I don't understand the first one. Anyway, better than nothing.
     