launching SpywareBlaster causes strange Trojan alerts by DrWeb

Since I updated to current version 2.5.3 I'm getting a warning by Spiderguard (DrWeb's RTM) every time I launch SpywareBlaster:

" C:\...\...\SPYWAREBLASTER.EXE probably infected with BACKDOOR.Trojan"

I'm pretty sure there is no Trojan (TrojanHunter Guard also does not give any alert), but only DrWeb's oversensitive heuristic scanning, so I just ignore it. But as I did not get this alert with the previous version of SpywareBlaster, I wonder what has changed in the update to trigger that alert? ... And before I add the file to DrWeb's permanent ignore list I would just like to make sure whether there is anything to worry about?

TIA
Tat


---
having login problems, the site doesn't accept my password; and when I want to post as guest with my name, it's telling me that I cannot use it because that name is used by another member already ... - yeah of course it is - by ME... grmbl...

 

I can assure you there is no "backdoor trojan" in SpywareBlaster and that there is nothing to worry about.

There were some previous problems with Dr. Web giving heuristic "probable" alerts on SpywareBlaster before - looks like I'll have to go contact them again.

Thanks for posting this information, though. I don't have Dr. Web myself so your post allows me to report the false-positive much sooner.

EDIT: But just to be on the safe side, you might want to try re-downloading from http://www.wilderssecurity.net/spywareblaster.html There is always the possibility that something malicious infected the spywareblaster executable (but then, you would probably have a much bigger problem on your hands, as most other executables on your system would be infected). If you still get the detection after a reinstall, then you can be sure it is a F/P. (I'm mentioning this as I haven't had any reports of this particular issue yet - better safe than sorry!)

EDIT [2]: Here's the old thread about Dr. Web falsely detecting spywareblaster.exe with its heuristics - https://www.wilderssecurity.com/showthread.php?t=7929

Best regards,

-Javacool

 

Javacool,

Thanks for your fast reply!

I'm pretty sure too that it's a false positive (as I said - Trojan Hunter doesn't detect anythig on that file) - but to make sure I'll download again and uninstall/reinstall.

That's strange to me because I didn't have any of those false alerts prior to the update. That's why I thought if you might have made any change which trigger the alert.

let's see the result of the new install... I'll be back soon...

 

Javacool,

Just FYI: I just re-installed v.2.5.3 from a new download (I used the wilders.org link for download), and I'm still getting the same warning. DrWeb also alerted me (same text) during installation: "... probably infected with BACKDOOR.trojan"

The heuristics of DrWeb ARE very sensitive. But I rather bare with some false positives (it's not so many...) than disabeling heuristics and getting anything pass onto my system...

regards,
Tat

 

hi,

Its happening to me too, with the new version of 2.5.3.

its happened about 3 times and this last time I have put it down to when I updated spywareblaster as that was the only security prog that I did on this particular day.

my anti-virus is coming up with the trojan JS_Seeker.R but says its a virus. but it does get cleaned off. and does not reappear till next update.

not 100% but thinking last time it happened was when I downloaded this latest version, but for sure with the last update a few days ago.

anti-virus picks it up on next boot up from download.

any ideas
cheers for any help.

 

forgot to mention... my antivirus is pc-cillin 2000 version.

cheers.

 

Well thank you for the information - I can assure you that the SpywareBlaster executable and the associated updates (definitions) are clean of any infections. Unless something is present on your system and is infecting those files, both of these sounds strongly like false-positives.

It might do some good if both of you could contact the makers of your anti-virus software - I'll try to do so myself but sometimes these things are fixed faster if customers contact the company.

Best regards and thanks,

-Javacool

 

I just downloaded SpywareBlaster and installed it, then I downloaded the updates for SpywareBlaster installed them, McAfee found nothing.

 

Well I can personally confirm that the following products do not give any false-positive reading on the spywareblaster.exe:
-Norton AntiVirus
-NOD32
-BOClean
-TDS

So it does sound like rather sensitive/strong heuristics are the cause here (the more powerful the heuristic detection in an AV/AT many times means the more frequent the false positives). Thanks to all who have reported results from various AV/AT products.

Best regards,

-Javacool

 

Javacool, thanks for the quick reply,

I shall do as suggested and contact me AV people.
cheers for the info.

 

from my experience I'd say you can add TrojanHunter to that list!

I'm still curious though what actually could cause such an alert...

 

Strong heuristics can catch many unknown viruses - but they also tend to make a lot of false-positive detections. In many cases, an anti-virus program with heuristics might take a look at a file and go through a checklist of items - if a certain number (or any in some cases) are found to be true, then the heuristics will flag a file as "possible".

Of course, because legitimate files ALSO share some of the same characteristics as malicious files, they will undoubtedly be flagged too. From what I understand, many different, perfectly safe executables are also flagged by Dr. Web's heuristics as "possible virus/trojan". SpywareBlaster is flagged (and is perfectly safe, mind you ) - I have attempted to contact the makers of Dr. Web, but since this is simply a heuristic detection (and the heuristics are understood to incorrectly detect files on occasion) I don't know if/when it will be fixed.

Best regards,

-Javacool

 

Well - I for me personally it's not so many. Besides SpywareBlaster I only have 2 other programs which trigger the same 'possible Backdoor.trojan' alert and those are the only false positives I ever got from DrWeb. And as I already mentioned above - I'd rather bear with a few false positives but have the benefit of a higher safety level with the heuristics enabled...

At least I can say that much, that they didn't fix it in their latest program update v. 4.29c which was released today. I just updated and then started SpywareBlaster for checking it out, and immediately got the same alert again... ...

Regards,
Tat

---
Edit: typo corrected

 

Tat - Since you use DW - have you contacted them about it? Pete

 

Pete - as I did not get that alert in previous versions of SpywareBlaster, there must have been some change from the former to this version, which now triggers the alert. Maybe in your eyes this doesn't make sense, but I actually hoped it would be possible to find out what that is, _before_ contacting DrWeb - as I think Javacool will know much better what he changed, than DrWeb does.

However... - yes, I meanwhile also sent a report to DrWeb with a link on this topic.

 

Just got reply from DrWeb support... - wow - THAT was fast!

*. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *.

Date: Thu, 17 Apr 2003 11:45:19 +0400
From: Support DrWeb <support@drweb.ru>
To: Tatjana Luck <xxxxxxx>
Subject: Re: false probable trojan alert on scanning spywareblaster.exe

Hello Tatjana!

Yes, it seems like false alarm on this software, we'll try to fix it in
future release. As temporary solution we can recommend you to add
SpyWareBlaster's path to the "excluded folders and paths" to prevent
SpIDer's false alarms.

Tatjana Luck wrote:
> Hello,
>
> I'm running DrWeb 4.29c on Win98SE. Since a recent upgrade of
> 'SpywareBlaster' to version 2.5.3 I'm getting an alert by Spiderguard
> every time I launch SpywareBlaster:
>
> " C:\...\...\SPYWAREBLASTER.EXE probably infected with BACKDOOR.Trojan"
>
> An on demand scan of the SpywareBlaster program folder produces the
> following log file entry:
>
> --- 8<------------------------------
>
> [Scan path] C:\PROGRAM FILES\SPYWAREBLASTER
> C:\PROGRAM FILES\SPYWAREBLASTER\unins000.exe - Ok
> C:\PROGRAM FILES\SPYWAREBLASTER\spywareblaster.exe probably infected with BACKDOOR.Trojan
> C:\PROGRAM FILES\SPYWAREBLASTER\updatersup.exe - Ok
> C:\PROGRAM FILES\SPYWAREBLASTER\sbhelp.chm - Ok
>
> -----------------------------------------------------------------------------
> Scan statistics
> -----------------------------------------------------------------------------
> Objects scanned: 6
> Infected objects found: 0
> Objects with modifications found: 0
> Suspicious objects found: 1
> Objects cured: 0
> Objects deleted: 0
> Objects renamed: 0
> Objects moved: 0
> Scan speed: 394 Kb/s
> Scan time: 00:00:03
>
> --- 8<------------------------------
>
> In previous versions of SpywareBlaster I never got this alert, so I
> reported the problem in the SpywareBlaster support forum at
>
> http://www.wilderssecurity.com/showthread.php?t=8424
>
> Following the vendor's advice I tried to uninstall/reinstall
> SpywareBlaster from a fresh download but I'm still getting the same
> alert as before. Yesterday I also updated DrWeb from version 4.29b to
> the current version 4.29c, still the problem remains.
>
> In case there is any relevance - these are my settings for SpiderGuard:
>
> * Scan:
> OnAccess scan: smart
> Heuristic analysis [ x ]
> Virus activity control [ x ]
> System Kernel Protection [ x ]
>
> * File Types
> [ x ] By Formates
> [ x ] Archives
> [ x ] Packed Executables
> [ x ] Mail
>
> I'm well aware that the above described alert is only a warning, most
> likely caused by DrWebs quite sensitive heuristic scan - still it is
> annoying, as it turns up every time I start the SpywareBlaster. I
> would be grateful if you could perhaps look into it and if there was
> any possibility to get this problem fixed somehow?
>
> Any help would be very much appreciated!
>
> Best Regards,
> Tatjana Luck <xxxxxxx>

--
Best regards,
ID Anti-Virus Lab. Ltd. Welcome to: www.drweb.ru
SalD Ltd. Mail to: support@drweb.ru

*. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *. *.

cheers,
Tat


---
edit: typo

 

thanx Paul!

cheers,
Tat

 

Tat - Asking JC about it made sense (up to a point) - my point was that when you're dealing with a trusted program (like anything by JC! ) my first email/post would have been to the manufacturer of whatever program had found something "wrong" with it (even in the most indirect way - such as a heuristic detection like you got).

For example, when I update my defs in SpyCop, NOD or TDS and wind up with a "hit" on something that's been on my computer forever, I don't email/question the "hit on" software - I question whomever "hit" on it - especially when heuristics are involved (also when it's a hit that might be due to a generic "detection" due to a plain-text string of some kind, when/if such a detection method is used).

Not to mention the fact that five posts over a three day period here could have been saved by simply emailing DW support to start with (and kudos to DW for such a rapid, effective response!).

Glad everyone can stop "wondering" now. Pete

 

well Pete - you have your preferences how to get things done, I have mine; and I told you already why I did it this and not the other way around. - And I would always do it in the same order again in a similar situation, as for me this is not a matter of which application I trust more, but which of the suddenly conflicting applications has changed and thus caused the conflict.

Agreed!

Me too!

cheers,
Tat