Dr.Web false positive: Threatfire

Discussion in 'other anti-virus software' started by Firebytes, Jun 10, 2008.

Thread Status:
Not open for further replies.
  1. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    I believe that in the past Dr.Web AV had some false positives with Threatfire and it seems it is doing so again. I downloaded Dr.Web CureIt and ran a complete scan on my system. CureIt advised that the Threatfire installer (tfinstall.exe) was infected. It only reported the installer as infected and not the running Threatfire program. No other scanner on my system is indicating a problem with the file which has been on my system for quite some time.

    I attempted to send the file to Dr.Web via a link on their webpage but for some reason it would not go through. Anyone know a better way to report the false positive to them?
     

    Attached Files:

  2. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    just email vms@drweb.com
    and simply tell them the download
    link to threatfire version you downloaded.

    State, its an FP and ask for it to be fixed asap :)
     
  3. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Thanks C.S.J :thumb:
     
  4. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    It says "probably..". Does this mean the result didn't come from a virus signature match, but due to heuristics?
     
  5. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Thats what I assumed.
     
  6. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    They also flag mbam.exe (malware bytes anti-malware).
    According to malwarebytes forum, dr.web has shown no interest in solving this...
     
  7. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Well, whether they will fix it or not I don't know, but I sent an email to Dr.Web at the address provided by C.S.J advising them of the false positive. Let's hope they get it and the MBAM detections fixed. I wonder why they would not want to correct issues with FPs as soon as possible? o_O
     
  8. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Does Dr.Web just have a lot of false positives with installers and archives due to its heuristics? Today was the first time I had ever used Dr.Web CureIt's full scan. I had always just used the quick scan before. Besides the TF false positive on both my systems, CureIt also alarmed on a msi file (on my several years old desktop) from a software that came with the system. Dr.Web stated again that it was "probably" a trojan. The name it gave for the trojan was STPage if I remember right. No other scanner I have ran detected anything with that file either.
     
  9. sergeyko

    sergeyko AV Expert

    Joined:
    May 16, 2006
    Posts:
    56
    Not really. Usually it's software with code of poor quality :)

    Have you sent it to VMS@ drweb.com? Please do it if not.

    Could you please also let me know the ticket numbers you should've received with auto-reply?
     
  10. DjMaligno

    DjMaligno Hispasec/VirusTotal

    Joined:
    Feb 22, 2005
    Posts:
    63
    Location:
    Spain
    So poor quality software should also be detected by AV engines?
     
  11. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Then y only DrWeb detects poor quality software?
     
  12. sergeyko

    sergeyko AV Expert

    Joined:
    May 16, 2006
    Posts:
    56
    Should not, of course. But that's an excuse for us ;)
     
  13. sergeyko

    sergeyko AV Expert

    Joined:
    May 16, 2006
    Posts:
    56
    Different AVs different heuristics. I remember MS detected windows explorer :)
     
  14. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    BTW, Dr. Web Cureit, flags the latest Comodo installer as adware, because of the well known toolbar.
     
  15. Jaki

    Jaki Guest

    It is not only Dr Web that flags the Comodo toolbar as an adware, NOD32 and Avira both did as well.
     
  16. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Isn't it adware? When we are talking about adware do we always mean bad adware?

    For example:
    -Good adware is installed with user consent, bad adware isn't.
    -Good adware allows its self to be uninstalled usually through Add/Remove Programs in Control Panel or another way, bad adware is very difficult or even impossible to uninstall.
    -Good adware offers a very "light" access to adversiments or info (my english start to give up on me), bad adware often hijacks the browser and constanlty throws up pop-ups.

    So when an AV makes a detection adware does it mean bad adware?
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I consider adware as harmless, just irritating advertising.
    The problem with adware is that it also can be abused to spy on me and then it becomes spyware. Spyware is dangerous.
    In practice, I don't allow any object that doesn't belong to my original installation.
    It doesn't matter what it is : junk files, goodware or badware, adware, spyware, viruses, worms, etc. it's all garbage and ballast on my system, that must be removed as quick and complete as possible. :)
     
    Last edited: Jun 11, 2008
  18. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    If the ware was bad it would be mal not ad, as in MALicious softWARE
     
  19. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Adware is bad when it's not optional.
     
  20. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Just a curious thought. Is it possiable for malware or any other nasty to pigy back the adware to jump off so to speak and left behind,even If adware Is removed at a latter.I really Do not have much knowledge on such matters, so please for give my dumbness.
     
  21. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    Hero! :D
     
  22. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    i think what he means to say is:

    "virusmakers usually are not good programmers and our heuristics sometimes reacts on poor coding style"

    maybe, not as rude then. :rolleyes:
     
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    That doesn't make any sense. If I install a trojan that while silently steals password but I introduce it through social engineering (it claims to be something useful, and/or does something useful while doing its nasty tricks) and I put an uninstallation option, it's still a trojan.

    Adware is bad when it doesn't clearly state what it does and what are the privacy risks for the user, and it's bad if it introduces any high privacy risk. An adware that tracks all the visited user URLs and sends them to a remote server is bad, and must be detected, even if it provides the option to be uninstalled.
     
  24. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Hi TNT,Is It possiable what I asked In post twenty thanks.
     
  25. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes, it's possible.
     
Loading...
Thread Status:
Not open for further replies.