ewido false positive?

Discussion in 'other anti-trojan software' started by Labrie, May 31, 2005.

Thread Status:
Not open for further replies.
  1. Labrie

    Labrie Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    135
    Location:
    Valencia, Spain
    hi guys!

    Ewido has found a file named accwiz.exe in my Windows system folder as Worm.Finaldo... well, I ran a scan over at Jotti's place and no AV has found anything... I wonder if it's a false positive?

    tx.
     
  2. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Look at the other thread on Ewido's beta 3.5. I think it very well might be a fp.
     
  3. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
  4. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    I have sent in the following information. A lot of false positives after a full scan:

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 13:19:18, 31-5-2005
    + Report-Checksum: 680D03C

    + Scan result:

    [3316] C:\WINDOWS\system32\mscomctl.ocx -> Backdoor.Ciadoor.13
    C:\Apps\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor
    C:\Downloads\software\Karperskyremove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    C:\Downloads\software\Kasp_Reg_Remove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    C:\Downloads\software\mwav.exe/mwavscan.com -> Heuristic.Win32.AVKiller
    C:\Downloads\yu2005dev.zip/urUninstaller.exe -> Heuristic.Win32.Backdoor
    C:\Program Files\Advanced System Optimizer\BackupManager.exe -> Heuristic.Win32.Worm
    C:\Program Files\LeechGet 2004\LeechGet.exe -> Heuristic.Win32.Dialer
    C:\Program Files\LeechGet 2004\LGOptions.exe -> Heuristic.Win32.Dialer
    C:\Program Files\MSN Messenger\msnmsgr.exe -> Heuristic.Win32.Backdoor
    C:\WINDOWS\pchealth\helpctr\System\NetDiag\dglogs.htm -> Trojan.Io
    C:\WINDOWS\system32\MSCOMCT2.OCX -> Backdoor.Ciadoor.13
    C:\WINDOWS\system32\MSCOMCTL.OCX -> Backdoor.Ciadoor.13
    E:\Warez\Audiograbber\agsetup.exe -> TrojanDownloader.TSUpdate.i
    E:\Warez\Kaspersky Anti-Virus 5\KAV_Registry_Clean.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    E:\Warez\LeechGet\crack\LeechGet.exe -> Heuristic.Win32.Dialer
    E:\Warez\McAfee personal Firewall plus\McAfeePersonalFirewallPlus.exe -> TrojanDownloader.TSUpdate.i
    E:\Warez\Norton Internet Security 2005\Setup\support\navtools\repair\gaobot\fxgaobot.exe -> Heuristic.Win32.HostFile
    E:\Warez\Norton Internet Security 2005\Setup\support\redist\msredist\mscomctl.ocx -> Backdoor.Ciadoor.13
    E:\Warez\Outpost firewall\OutpostProInstall.exe -> TrojanDownloader.TSUpdate.i
    E:\Warez\Outpost firewall\OutpostProInstall.exe/OUTPOST.EXE -> Heuristic.Win32.AVKiller
    E:\Warez\PCMedik\crack\crack.rar/PcMedik.exe -> Heuristic.Win32.Backdoor
    E:\Warez\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor
    E:\Warez\ZoneAlarm Pro 5\zapSetup_51_011.exe -> TrojanDownloader.TSUpdate.i
    E:\Warez\ZoneAlarm Suite 5.1.033\zaSuiteSetup_51_033_000.exe -> TrojanDownloader.TSUpdate.i
    H:\backup13mei\Downloads\software\Karperskyremove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    H:\backup13mei\Downloads\software\Kasp_Reg_Remove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    H:\backup13mei\Downloads\software\mwav.exe/mwavscan.com -> Heuristic.Win32.AVKiller
    H:\backup22mei\Downloads\software\Karperskyremove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    H:\backup22mei\Downloads\software\Kasp_Reg_Remove.zip/KAV_Registry_Clean.exe -> Heuristic.Win32.AVKiller
    H:\backup22mei\Downloads\software\mwav.exe/mwavscan.com -> Heuristic.Win32.AVKiller


    ::Report End
     
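    Added example (not from the thread and not ewido's own code): a small parser for the scan-report format posted above, grouping the hits so that recurring detection names, heuristic hits and the same file name flagged at several locations stand out during false-positive triage. The sample report is constructed from the shape of the one above, and the meaning of the bracketed number on the first hit is an assumption.

```python
"""Parse an ewido 3.x scan report (the format posted in this thread) and summarise
the hits for false-positive triage: recurring names, heuristic hits, repeated files."""
from collections import defaultdict
import re

# Constructed sample, copied in shape from the report posted in the thread.
SAMPLE_REPORT = """\
ewido security suite - Scan report
+ Created on: 13:19:18, 31-5-2005
+ Report-Checksum: 680D03C

+ Scan result:

[3316] C:\\WINDOWS\\system32\\mscomctl.ocx -> Backdoor.Ciadoor.13
C:\\Downloads\\software\\mwav.exe/mwavscan.com -> Heuristic.Win32.AVKiller
C:\\WINDOWS\\system32\\MSCOMCT2.OCX -> Backdoor.Ciadoor.13
H:\\backup13mei\\Downloads\\software\\mwav.exe/mwavscan.com -> Heuristic.Win32.AVKiller

::Report End
"""

# "[n] path -> name"; the bracketed number is assumed here to be the process id of a
# hit found in a running process, as opposed to a plain on-disk file.
HIT_RE = re.compile(r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<path>.+?)\s+->\s+(?P<name>\S+)$")
ARCHIVE_RE = re.compile(r"\.(zip|rar|exe)/", re.IGNORECASE)  # entry nested in an archive

def parse_report(text):
    """Return one dict per hit: path, detection name, pid, heuristic flag, archive flag."""
    hits, in_results = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("+ Scan result:"):
            in_results = True
        elif line.startswith("::Report End"):
            break
        elif in_results and (m := HIT_RE.match(line)):
            hits.append({"path": m.group("path"), "name": m.group("name"),
                         "pid": int(m.group("pid")) if m.group("pid") else None,
                         "heuristic": m.group("name").startswith("Heuristic."),
                         "inside_archive": bool(ARCHIVE_RE.search(m.group("path")))})
    return hits

def summarise(hits):
    """Group paths by detection name, and detection names by file basename (case-folded)."""
    by_name, by_file = defaultdict(list), defaultdict(set)
    for h in hits:
        by_name[h["name"]].append(h["path"])
        base = h["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        by_file[base].add(h["name"])
    return dict(by_name), {f: sorted(n) for f, n in by_file.items()}
```

    A basename that is flagged under several backup or archive copies with the same name usually points at one signature or heuristic rule, which is the case to submit to the vendor as a single sample.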
  5. Labrie

    Labrie Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    135
    Location:
    Valencia, Spain
    sent it ;)
     
  6. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Ewido guys: please add an ignore function to the program. This mscomctl.ocx, for instance, is an ActiveX component which I don't want or need to lose. But Ewido's guard is bugging me every time the PC starts up that it is there. And I can do remove or none... the last is my best option now, but it is no option because the next time I start up Ewido sounds the alarm again... and again...
     
  7. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    An ignore list will be implemented in 3.6... As "mscomctl.ocx" is a real false positive and not a possible (un)wanted app, the best way to deal with it is to fix it :)
     
  8. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    And will that happen soon? The FPs removed, I mean :)
     
  9. Labrie

    Labrie Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    135
    Location:
    Valencia, Spain
    it was an FP... thanks for the nice and quick reply, EWIDO TEAM :D
     
  10. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Hi,

    I only got this FP left (Sygate). I will submit it.
    Cheers,

    Gerard
     

    Last edited by a moderator: Jun 1, 2005
  11. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    On my side I still see urUninstaller flagged as a false positive... and there is absolutely nothing wrong with this program.
     
  12. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Have you already submitted it?
     
  13. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Here's some FP:


    C:\Documents and Settings\me\Desktop\OutpostProInstall.exe -> TrojanDownloader.TSUpdate

    C:\Program Files\Bluetack\Blocklist Manager\MSCOMCT2.OCX -> Backdoor.Ciadoor.13
    C:\Program Files\Bluetack\Blocklist Manager\MSCOMCTL.OCX -> Backdoor.Ciadoor.13

    It also quarantined over 2000 cookies
     
  14. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    I sent in the txt file after a scan where all the false positives were on... so I hope you guys saw it.

    Ewido flagged a lot of legitimate programs wrongly as nasties. That is now over, apart from some programs, alas. But maybe tomorrow the next good update? :)
     
  15. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    The mscom files are no longer seen as nasties in Ewido as far as I can tell. About Outpost you are right... Some more work to be done.
     
  16. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I ran this last night while in bed. So there's an update?
    It also quarantined over 2000 cookies
     
  17. Here are a few more false positives...there are a few FW leak tests, but the
    ones for NetVeda, XPlite and visioneer are true FPs.
    I already sent them in......Sure is a lot less than first scans.



    C:\Documents and Settings\WORK1\Desktop\Downloads\xplite_trial.zip/XPlite_TRIAL.exe -> Heuristic.Win32.Backdoor2
    C:\Documents and Settings\WORK1\Desktop\Tests\surfer.exe -> Heuristic.Win32.Downloader
    C:\Documents and Settings\WORK1\Desktop\Tests\tooleaky.exe -> Heuristic.Win32.Downloader
    C:\Documents and Settings\WORK1\Desktop\Tests\TrojDemo.exe -> Heuristic.Win32.Backdoor2
    C:\Program Files\AxBx\PC Security Test 2005\PCSecurityTest.exe -> Heuristic.Win32.Backdoor2
    C:\Program Files\NetVeda\Safety.Net\ipcsvc.exe -> Heuristic.Win32.Backdoor3
    C:\Program Files\Visioneer\PaperPort\Pplinks.exe -> Heuristic.Win32.Keylogger
     
  18. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    And a few from my scan of a few minutes ago: ( a full scan by the way!)

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 21:27:35, 1-6-2005
    + Report-Checksum: 4C97F27B

    + Scan result:

    C:\Apps\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor2
    C:\Downloads\yu2005dev.zip/urUninstaller.exe -> Heuristic.Win32.Backdoor2
    E:\Warez\Audiograbber\agsetup.exe -> TrojanDownloader.Wiser
    E:\Warez\Look 'n'Stop firewall\LNSFW1-d1.zip/LNSFW1.sys -> Heuristic.Win32.Downloader
    E:\Warez\Look 'n'Stop firewall\LNSFW1-d2.zip/LNSFW1.sys -> Heuristic.Win32.Downloader
    E:\Warez\McAfee personal Firewall plus\McAfeePersonalFirewallPlus.exe -> TrojanDownloader.Wiser
    E:\Warez\Norton Internet Security 2005\Setup\symsetup.exe -> Heuristic.Win32.AVKiller
    E:\Warez\Outpost firewall\OutpostProInstall.exe -> TrojanDownloader.Wiser
    E:\Warez\Your Unistaller 2005\urUninstaller.exe -> Heuristic.Win32.Backdoor2
    E:\Warez\ZoneAlarm Pro 5\zapSetup_51_011.exe -> TrojanDownloader.Wiser
    E:\Warez\ZoneAlarm Suite 5.1.033\zaSuiteSetup_51_033_000.exe -> TrojanDownloader.Wiser

    ::Report End

    I have sent in the files now, by the way
     
    Last edited: Jun 1, 2005
  19. It sure likes to pick on FWs, doesn't it.
     
  20. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    lol - "Warez" - I'd be suspicious of those for sure.

    I have uruninstaller and it did not pick up on that.*edit - mine is 2004 version though.

    **edit - something funny about that. I checked and there is no such thing as Your Unistaller 2005
     
    Last edited: Jun 1, 2005
  21. he he he....I just noticed that myself after double reading his report.

    tsk tsk ....shame shame
     
  22. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    In fact it's even spelled wrong!

    I'd venture to say it may not be a FP
     
  23. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    It's about the files...not about the directory names.

    And I have a dir in my E drive with the name warez where I put all the files that I download from legitimate corporate websites. I beta test urUninstaller for instance for the company which produces it... Just as I test Ewido, for the matter :)

    That you guys have such funny ideas tells me something about you.
     
  24. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    It's not my idea, it's yours (to put legit downloads and label it "warez") :D It says something about you, not us.
     
  25. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    I am from Holland, maybe that makes it that I choose names that you can't understand. It could have been software too... will rename the dir, ok? ;)

    NB: I renamed the urUninstaller dir and still the same result. Of course...
     