Ewido 4.0 False Positive?

Discussion in 'ewido anti-spyware forum' started by TheKid7, Jul 22, 2006.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I have three PC's. I just changed from Ewido 3.5 to Ewido 4.0 on all of them. On one PC the following item showed up:

    Name Shown in Ewido: Trojan.Bat.Delete.BM
    Location: C:\WINDOWS\spupdsvc.log

    I have not been able to scan it with McAfee, Bitdefender 8 free and a2free 1.65 because that PC is currently in use by my wife. For antivirus I am using McAfee Enterprise 7.1 with the latest DAT file.

    I have restored the file from Quarantine until I am confident that it is a real threat.

    Nothing was detected on the Ewido 4.0 scan of the other 2 PC's.

    Could this be a False Positive?

    Thank you.
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Upload the file here:-

    http://virusscan.jotti.org/

    If none of the other scanners finds anything wrong you could submit it to ewido stating you think it is a FP:-

    http://www.ewido.net/en/malware/

    You may care to keep it quarantined until you've checked because it is not inevitably a FP. It might be possible that something is hiding in an Alternate Data Stream attached to the file, for example. The fact the file itself may seem OK is no guarantee.
     
  3. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    C:\WINDOWS\spupdsvc.log

    This is a Windows update log file. If you open it in Notepad and look at it you may notice that it may have performed some commands:

    blablabla.exe /delete

    And it may be something in the log, some commands that Windows update performed, that Ewido is reacting to (commands that are similar to that of the trojan it is being detected as). Besides, I doubt .log files can be executed and should therefore be harmless.

    EDIT: From a Microsoft site:
     
    Last edited: Jul 22, 2006
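As an added example (not code from the thread, from ewido, or from Microsoft), here is a small triage script that does the two checks the replies above suggest before trusting a file: it confirms the file is plain text rather than executable, pulls out the log lines a batch-delete signature could be matching on, prints hashes for submission to other scanners, and on Windows lists any NTFS alternate data streams attached to the file. The sample log lines and the program names in them are constructed for the demo and are not the real spupdsvc.log contents.

```python
"""Triage a suspected false positive on a text log file.

Added example, not from the thread or from ewido.  Assumption: the file is a
plain-text log such as C:\\WINDOWS\\spupdsvc.log.  SAMPLE_LOG below is a
constructed stand-in with "something.exe /delete" style lines like the ones
the thread describes, not the real file.
"""
import hashlib
import os
import re
import sys

# Constructed sample log (not real spupdsvc.log content).
SAMPLE_LOG = b"""\
[07/22/2006 10:15:02] Update service started
[07/22/2006 10:15:03] Running: C:\\WINDOWS\\system32\\blablabla.exe /delete
[07/22/2006 10:15:04] Running: C:\\WINDOWS\\$NtUninstallKBxxxxxx$\\spuninst.exe /delete
[07/22/2006 10:15:05] Update service finished
"""

# Text a batch-trojan signature might key on: "<prog>.exe /delete" or "del/erase <target>".
DELETE_CMD = re.compile(rb"(?i)(\S+\.exe\s+/delete|\b(del|erase)\s+\S+)")


def is_plain_text(data: bytes) -> bool:
    """True if the bytes decode as UTF-8 and contain no NUL bytes.

    A .log file is never executed by Windows; if it is plain text, the
    detection fired on string content, not on executable code.
    """
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def delete_like_lines(data: bytes) -> list:
    """Return (1-based line number, line) pairs a delete-command signature could match."""
    hits = []
    for n, line in enumerate(data.splitlines(), start=1):
        if DELETE_CMD.search(line):
            hits.append((n, line.decode("utf-8", "replace")))
    return hits


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the sample, for looking it up on or submitting it to other scanners."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def alternate_data_streams(path: str) -> list:
    """Names of NTFS alternate data streams on path (Windows only; [] elsewhere).

    Uses kernel32 FindFirstStreamW/FindNextStreamW; the unnamed "::$DATA"
    main stream is skipped, so a non-empty result means hidden streams exist.
    """
    if os.name != "nt":
        return []
    import ctypes
    from ctypes import wintypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * 296)]  # MAX_PATH + 36

    k32 = ctypes.windll.kernel32
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int,
                                     ctypes.c_void_p, wintypes.DWORD]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindClose.argtypes = [wintypes.HANDLE]

    info = WIN32_FIND_STREAM_DATA()
    invalid = wintypes.HANDLE(-1).value
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(info), 0)
    if handle == invalid:
        return []
    names = []
    try:
        while True:
            if info.cStreamName != "::$DATA":
                names.append(info.cStreamName)
            if not k32.FindNextStreamW(handle, ctypes.byref(info)):
                break
    finally:
        k32.FindClose(handle)
    return names


def triage(data: bytes, path: str = "") -> dict:
    """Combine the checks into one report dict."""
    return {"plain_text": is_plain_text(data),
            "delete_like_lines": delete_like_lines(data),
            "hashes": file_hashes(data),
            "alternate_data_streams": alternate_data_streams(path) if path else []}


if __name__ == "__main__":
    # Pass a real path to triage it; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            report = triage(f.read(), sys.argv[1])
    else:
        report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it with the quarantined file's path as the only argument. A report showing plain_text True, a couple of delete-like lines and no alternate data streams is consistent with a signature matching benign log text, which is exactly the case this thread turned out to be; a non-empty alternate_data_streams list is the case TopperID warns about and deserves a closer look before restoring the file.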
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I scanned the individual file with the following:
    McAfee Enterprise 7.1
    BitDefender8 Free Edition
    a2free 1.65
    Jotti's malware scan
    All of the above found nothing.

    I opened the file and noticed that there are several Deletes after blablabla.exe's.

    I just uploaded the file to Ewido for analysis.

    Thank you.
     
  5. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I got a reply from Ewido. They said that it is a false positive and that the problem will be fixed by the next signature update.
     