ewido false positive?

Discussion in 'other anti-trojan software' started by Labrie, May 31, 2005.

Thread Status:
Not open for further replies.
  1. Labrie

    Labrie Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    135
    Location:
    Valencia, Spain
    hi guys!

    ewido has flagged a file named accwiz.exe in my Windows system folder as worm.finaldo... well, I ran a scan over at Jotti's place and none of the AVs found anything... I wonder if it's a false positive?

    tx.
     
  2. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    Look at the other thread on Ewido's beta 3.5. I think it very well might be a fp.
     
  3. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
  4. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    I have sent in the following information. A lot of false positives after a full scan:

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 13:19:18, 31-5-2005
    + Report-Checksum: 680D03C

    + Scan result:

    [3316] C:\WINDOWS\system32\mscomctl.ocx -> Backdoor.Ciadoor.13
    C:\Apps\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor
    C:\Downloads\software\Karperskyremove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    C:\Downloads\software\Kasp_Reg_Remove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    C:\Downloads\software\mwav.exe/mwavscan.com -> Heuristic.Win32.AVKiller
    C:\Downloads\yu2005dev.zip/urUninstaller.exe -> Heuristic.Win32.Backdoor
    C:\Program Files\Advanced System Optimizer\BackupManager.exe -> Heuristic.Win32.Worm
    C:\Program Files\LeechGet 2004\LeechGet.exe -> Heuristic.Win32.Dialer
    C:\Program Files\LeechGet 2004\LGOptions.exe -> Heuristic.Win32.Dialer
    C:\Program Files\MSN Messenger\msnmsgr.exe -> Heuristic.Win32.Backdoor
    C:\WINDOWS\pchealth\helpctr\System\NetDiag\dglogs.htm -> Trojan.Io
    C:\WINDOWS\system32\MSCOMCT2.OCX -> Backdoor.Ciadoor.13
    C:\WINDOWS\system32\MSCOMCTL.OCX -> Backdoor.Ciadoor.13
    E:\Warez\Audiograbber\agsetup.exe -> TrojanDownloader.TSUpdate.i
    E:\Warez\Kaspersky Anti-Virus 5\KAV_Registry_Clean.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    E:\Warez\LeechGet\crack\LeechGet.exe -> Heuristic.Win32.Dialer
    E:\Warez\McAfee personal Firewall plus\McAfeePersonalFirewallPlus.exe -> TrojanDownloader.TSUpdate.i
    E:\Warez\Norton Internet Security 2005\Setup\support\navtools\repair\gaobot\fxgaobot.exe -> Heuristic.Win32.HostFile
    E:\Warez\Norton Internet Security 2005\Setup\support\redist\msredist\mscomctl.ocx -> Backdoor.Ciadoor.13
    E:\Warez\Outpost firewall\OutpostProInstall.exe -> TrojanDownloader.TSUpdate.i
    E:\Warez\Outpost firewall\OutpostProInstall.exe/OUTPOST.EXE -> Heuristic.Win32.AVKiller
    E:\Warez\PCMedik\crack\crack.rar/PcMedik.exe -> Heuristic.Win32.Backdoor
    E:\Warez\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor
    E:\Warez\ZoneAlarm Pro 5\zapSetup_51_011.exe -> TrojanDownloader.TSUpdate.i
    E:\Warez\ZoneAlarm Suite 5.1.033\zaSuiteSetup_51_033_000.exe -> TrojanDownloader.TSUpdate.i
    H:\backup13mei\Downloads\software\Karperskyremove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    H:\backup13mei\Downloads\software\Kasp_Reg_Remove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    H:\backup13mei\Downloads\software\mwav.exe/mwavscan.com -> Heuristic.Win32.AVKiller
    H:\backup22mei\Downloads\software\Karperskyremove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    H:\backup22mei\Downloads\software\Kasp_Reg_Remove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    H:\backup22mei\Downloads\software\mwav.exe/mwavscan.com -> Heuristic.Win32.AVKiller


    ::Report End
     
  5. Labrie

    Labrie Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    135
    Location:
    Valencia, Spain
    sent it ;)
     
  6. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    Ewido guys: please add an ignore function to the program. This mscomctl.ocx, for instance, is an ActiveX component which I don't want or need to lose. But Ewido's guard is bugging me every time the PC starts up that it is there. And I can choose remove or none... the latter is my best option now, but it is no option at all because the next time I start up, Ewido sounds the alarm again... and again...
     
  7. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    An ignore list will be implemented in 3.6... As "mscomctl.ocx" is a real false positive and not a possible (un)wanted app, the best way to deal with it is to fix it :)
     
  8. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    And will that happen soon? The FPs deleted, I mean :)
     
  9. Labrie

    Labrie Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    135
    Location:
    Valencia, Spain
    it was a FP... thanks for the nice and quick reply, EWIDO TEAM :D
     
  10. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,749
    Location:
    EU
    Hi,

    I only got this FP left (Sygate). I will submit it.
    Cheers,

    Gerard
     

    Last edited by a moderator: Jun 1, 2005
  11. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    On my side I still see urUninstaller flagged as a false positive... and there is absolutely nothing wrong with this program.
     
  12. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Have you already submitted it?
     
  13. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Here are some FPs:


    C:\Documents and Settings\me\Desktop\OutpostProInstall.exe -> TrojanDownloader.TSUpdate

    C:\Program Files\Bluetack\Blocklist Manager\MSCOMCT2.OCX -> Backdoor.Ciadoor.13
    C:\Program Files\Bluetack\Blocklist Manager\MSCOMCTL.OCX -> Backdoor.Ciadoor.13

    It also quarantined over 2000 cookies
     
  14. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    I sent in the txt file after a scan where all the false positives were on... so I hope you guys saw it.

    Ewido flagged a lot of legitimate programs wrongly as nasties. That is now over, apart from some programs, alas. But maybe tomorrow the next good update? :)
     
  15. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    The mscom files are no longer seen as nasties in Ewido as far as I can tell. About Outpost you are right... Some more work to be done.
     
  16. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I ran this last night while in bed. So there's an update?
    It also quarantined over 2000 cookies
     
  17. Here are a few more false positives... there are a few FW leak tests, but the ones for NetVeda, XPlite and Visioneer are true FPs.
    I already sent them in... Sure is a lot less than the first scans.



    C:\Documents and Settings\WORK1\Desktop\Downloads\xplite_trial.zip/XPlite_TRIAL.exe -> Heuristic.Win32.Backdoor2
    C:\Documents and Settings\WORK1\Desktop\Tests\surfer.exe -> Heuristic.Win32.Downloader
    C:\Documents and Settings\WORK1\Desktop\Tests\tooleaky.exe -> Heuristic.Win32.Downloader
    C:\Documents and Settings\WORK1\Desktop\Tests\TrojDemo.exe -> Heuristic.Win32.Backdoor2
    C:\Program Files\AxBx\PC Security Test 2005\PCSecurityTest.exe -> Heuristic.Win32.Backdoor2
    C:\Program Files\NetVeda\Safety.Net\ipcsvc.exe -> Heuristic.Win32.Backdoor3
    C:\Program Files\Visioneer\PaperPort\Pplinks.exe -> Heuristic.Win32.Keylogger
     
  18. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    And a few from my scan of a few minutes ago (a full scan, by the way!):

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 21:27:35, 1-6-2005
    + Report-Checksum: 4C97F27B

    + Scan result:

    C:\Apps\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor2
    C:\Downloads\yu2005dev.zip/urUninstaller.exe -> Heuristic.Win32.Backdoor2
    E:\Warez\Audiograbber\agsetup.exe -> TrojanDownloader.Wiser
    E:\Warez\Look 'n'Stop firewall\LNSFW1-d1.zip/LNSFW1.sys -> Heuristic.Win32.Downloader
    E:\Warez\Look 'n'Stop firewall\LNSFW1-d2.zip/LNSFW1.sys -> Heuristic.Win32.Downloader
    E:\Warez\McAfee personal Firewall plus\McAfeePersonalFirewallPlus.exe -> TrojanDownloader.Wiser
    E:\Warez\Norton Internet Security 2005\Setup\symsetup.exe -> Heuristic.Win32.AVKiller
    E:\Warez\Outpost firewall\OutpostProInstall.exe -> TrojanDownloader.Wiser
    E:\Warez\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor2
    E:\Warez\ZoneAlarm Pro 5\zapSetup_51_011.exe -> TrojanDownloader.Wiser
    E:\Warez\ZoneAlarm Suite 5.1.033\zaSuiteSetup_51_033_000.exe -> TrojanDownloader.Wiser

    ::Report End

    I have sent in the files now, by the way.
     
    Last edited: Jun 1, 2005
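    Parsing and diffing the two scan listings in this thread (Edwin024's reports from 31-5-2005 in post 4 and 1-6-2005 in post 18), as an added example that is not part of the thread and not ewido's own code. It assumes only the report layout visible on this page: `+ key: value` header lines, one `path -> detection` line per hit, an archive entry written as `archive/member`, and a bracketed number such as `[3316]` before a path, which this example treats as the id of the process the module was loaded in (an assumption; the thread does not say). The two report texts below are constructed, abbreviated copies of the posted ones, including one line wrapped across a blank line as it appears on the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed samples: abbreviated copies of the two "ewido security suite - Scan report"
# listings posted in this thread. One hit is wrapped onto a following line, as on the page.
REPORT_A = r"""
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 13:19:18, 31-5-2005
+ Report-Checksum: 680D03C

+ Scan result:

[3316] C:\WINDOWS\system32\mscomctl.ocx -> Backdoor.Ciadoor.13
C:\Apps\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor
C:\Downloads\software\mwav.exe/mwavscan.com -> Heuristic.Win32.AVKiller
C:\WINDOWS\system32\MSCOMCT2.OCX -> Backdoor.Ciadoor.13
E:\Warez\Norton Internet Security 2005\Setup\support\navtools\repair\gaobot\fxgaobot.exe ->

Heuristic.Win32.HostFile
E:\Warez\Outpost firewall\OutpostProInstall.exe -> TrojanDownloader.TSUpdate.i

::Report End
"""

REPORT_B = r"""
+ Created on: 21:27:35, 1-6-2005
+ Report-Checksum: 4C97F27B

+ Scan result:

C:\Apps\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor2
E:\Warez\Look 'n'Stop firewall\LNSFW1-d1.zip/LNSFW1.sys -> Heuristic.Win32.Downloader
E:\Warez\Outpost firewall\OutpostProInstall.exe -> TrojanDownloader.Wiser

::Report End
"""

RESULT_RE = re.compile(r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<path>.+?)\s+->\s+(?P<name>\S+)$")
HEADER_RE = re.compile(r"^\+\s+(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass(frozen=True)
class Detection:
    path: str               # file on disk; the archive itself when member is set
    member: Optional[str]   # entry inside an archive ("zip/inner.exe" lines), else None
    name: str               # detection name exactly as the scanner printed it
    pid: Optional[int]      # "[3316]" prefix; assumed to be the process the module was loaded in

    @property
    def heuristic(self) -> bool:
        return self.name.startswith("Heuristic.")

    @property
    def location(self) -> str:
        return self.path if self.member is None else f"{self.path}/{self.member}"


def parse_report(text: str):
    """Return (header fields, list of Detection) for one scan report."""
    meta, hits, pending = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("::"):
            continue
        if pending is not None:          # detection name wrapped onto a following line
            line, pending = f"{pending} {line}", None
        m = HEADER_RE.match(line)
        if m:
            meta[m["key"].strip()] = m["value"].strip()
            continue
        if line.endswith("->"):
            pending = line
            continue
        m = RESULT_RE.match(line)
        if m is None:
            continue                     # banner text such as the product name
        path, slash, member = m["path"].partition("/")
        hits.append(Detection(path, member if slash else None, m["name"],
                              int(m["pid"]) if m["pid"] else None))
    return meta, hits


def summarize(hits):
    """Counts per detection name, split into heuristic and signature-based hits."""
    return {
        "total": len(hits),
        "heuristic": sum(h.heuristic for h in hits),
        "signature": sum(not h.heuristic for h in hits),
        "by_name": Counter(h.name for h in hits),
    }


def diff_reports(before, after):
    """Which flagged locations vanished after an update, which are new, and which
    persisted (with old/new names, since detection names changed between the scans)."""
    b = {h.location: h.name for h in before}
    a = {h.location: h.name for h in after}
    persisted = {loc: (b[loc], a[loc]) for loc in sorted(b.keys() & a.keys())}
    return {
        "gone": sorted(b.keys() - a.keys()),
        "new": sorted(a.keys() - b.keys()),
        "persisted": persisted,
        "renamed": {loc: n for loc, n in persisted.items() if n[0] != n[1]},
    }


if __name__ == "__main__":
    meta_a, hits_a = parse_report(REPORT_A)
    meta_b, hits_b = parse_report(REPORT_B)
    print(meta_a["Created on"], summarize(hits_a))
    print(meta_b["Created on"], summarize(hits_b))
    delta = diff_reports(hits_a, hits_b)
    for loc in delta["gone"]:
        print("no longer flagged:", loc)
    for loc, (old, new) in delta["renamed"].items():
        print(f"still flagged: {loc}  ({old} -> {new})")
```

    Running it prints which locations stopped being flagged between the two scans (the mscomctl/mscomct2 copies and the AVKiller hit) and which persisted under a renamed detection (TSUpdate.i became Wiser, Heuristic.Win32.Backdoor became Backdoor2), which is what the participants were tracking by eye across updates.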
  19. It sure likes to pick on FWs, doesn't it.
     
  20. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    lol - "Warez" - I'd be suspicious of those for sure.

    I have uruninstaller and it did not pick up on that.*edit - mine is 2004 version though.

    **edit - something funny about that. I checked and there is no such thing as Your Unistaller 2005
     
    Last edited: Jun 1, 2005
  21. he he he....I just noticed that myself after double reading his report.

    tsk tsk ....shame shame
     
  22. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    In fact it's even spelled wrong!

    I'd venture to say it may not be a FP
     
  23. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    It's about the files...not about the directory names.

    And I have a dir in my E drive with the name warez where I put all the files that I download from legitimate corporate websites. I beta test urUninstaller for instance for the company which produces it... Just as I test Ewido, for the matter :)

    That you guys have such funny ideas tells me something about you.
     
  24. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    It's not my idea, it's yours (to put legit downloads in a dir and label it "warez") :D It says something about you, not us.
     
  25. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    I am from Holland, maybe that is why I choose names that you can't understand. It could have been "software" too... I will rename the dir, ok? ;)

    NB: I renamed the urUninstaller dir and still the same result. Of course...
     