F-Prot false positive

Discussion in 'other anti-virus software' started by ronjor, Nov 17, 2004.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,772
    Location:
    Texas
    F-Prot was detecting Java 1.4.2_06 as 228 suspicious objects on my machine.
    It was confirmed to be a false positive and corrected with the 11/17/04 update (today).
     
  2. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Ongoing discussion on this at dslr. A serious flaw has been detected in F-Prot by a couple of posters in that thread. One devised a test and the results are quite troubling.

    It appears that F-Prot, if set to disinfect, and if not possible to do that to use the "move file to" does not work! Even when the "move file to" location is set up manually by the user before scanning rather than depending on F-Prot to create the file and location itself when needed, F-Prot, if it cannot disinfect, then DELETES the file! It does NOT move it or copy it to the designated "move file to" location.

    This is a BIG flaw IMO. Default setting is delete. That is very bad. It should be "report only". When I tested F-Prot, I knew that a quarantine did not exist. But I thought that meant that there was no location where a suspect file could be isolated and encrypted. I thought "move file to" functioned in other respects (than the two I just mentioned) as a type of quarantine. I thought that if you chose "disinfect" and if this cannot be done "move file to" would do just that. Evidently, that is not the case. F-Prot attempts to disinfect and if it cannot it then DELETES without further permission! It "moves file to" ONLY if it cannot delete it!

    Whoa! Am I glad I did not choose disinfect because I completely misunderstood what would happen if I had chosen that as my action. I certainly would have been very upset had F-Prot proceeded to delete all files it could not disinfect without first asking me especially if I had run a scan after getting the definitions that had the false positive that was causing the deletion of Java files. Luckily, I had F-Prot set to "report only".

    I still don't have an AV on my computers and I was leaning strongly toward buying F-Prot until I read this thread. Now I am hesitant. I believe F-Prot intends to introduce a proper quarantine in the next version but we don't know when that will be or how the quarantine will be set up.

    http://www.dslreports.com/forum/remark,11881163~mode=flat#11886913
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,772
    Location:
    Texas
    They did come out with a revised version today. 3.16. Only problem is, I can't find what revisions they made.

    I found the problem doing an on demand scan. I DID have it set to disinfect. For some reason, it did nothing.

    Edit: The files would be considered in use during a scan so F-Prot couldn't do anything with them in that state.
     
    Last edited: Nov 17, 2004
  4. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Did you read the thread at dslr? What is your opinion of Netfixer's testing? I think it is damn good and I just asked him if he has sent his results to Frisk. I'm hesitant to buy F-Prot now. F-Prot has some serious problems it appears.
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,772
    Location:
    Texas
    Mele20

    That thread is interesting. If his testing is sent to F-Prot, I would like to see their reply.
    I'll keep it around as on demand only. I'm still waiting for the change log on 3.16.
     
  6. .....

    ..... Guest

  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,772
    Location:
    Texas
    Thanks. Useful changes I would say. They also fixed the splash screen so it doesn't hover over the gui. It flashes and is gone.
     
    Last edited: Nov 18, 2004
  8. karll

    karll Guest

    Same here, I got about 360 false positives yesterday, updated it and it went away.
     
  9. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii

    Ahhh...good changes. I see F-Prot fixed the problem I reported to them. I was beginning to think they would do nothing.
    "This version includes a more generic JPEG GDI+ exploit detection (Microsoft Security Bulletin MS04-028) than the previous version."

    The F-Prot scanner was one of very few that did not detect the variations on this exploit. I sent them the samples but it took them (at least the techs I was talking to by email) quite a while to even grasp why they needed to detect the variations. Other AV that did not detect updated rapidly to detect. I think F-Prot took too long to fix this but I'm glad to see it is finally fixed. The other changes all look good.
     
  10. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Netfixer got an automated reply to his submission. Nothing else yet. However, kpatz did more useful testing with real live viruses (Schouw pointed out flaws with using eicar for the testing) and his findings are very interesting. It appears that one needs to use either "report only" or "rename/move" as the options for the on demand scanner. "Disinfect" should not be chosen as the option.
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,772
    Location:
    Texas
    I changed my settings today to report only. That is the way I usually have my antivirus programs setup anyway.
    What was I thinking? :)
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Ohhhhhhh JOY! Yokata! Haku sama YO!

    Here are some highlights about version 3.16...
    I'm heading over there to buy a license right this minute. Kachunga!!!! :D
     
  13. Buzkashi player

    Buzkashi player Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    11
    Haven't tried 3.16 yet, but I hope it doesn't have a little issue I had with versions 3.14 and 3.15: when opening a compressed file and fstopw was running, CPU use suddenly rises to the top and everything slows down; after some seconds the slowdown disappears and the file is opened. This happens with Win98/Me; in XP it works smoothly. Anyone have this problem? Maybe it is because my PC is really old (K6-2 450), but I have tried in XP using the same machine and there is no problem.
     
  14. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I am trialling F-Prot 3.15b at the moment. I have noticed this 'quirk' as well. I was just about to download and install 3.16 and see if it does the same. Will let you know.

    muf
     
  15. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Just downloaded and installed version 3.16 and tested it. It still does it, at least on my system it does. I'm using Win ME. It's not something I'm bothered about as it's only there a couple of seconds. I will continue with my trial which still has 19 days left.

    muf
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I am running KAV 4.5.104 in real-time. Does F-Prot have the option to run in on-demand mode so that I can evaluate it as a backup for KAV? Thanks.
    Rich
     
  17. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Yes it has. During the installation process you can choose what to install.


    tECHNODROME
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,772
    Location:
    Texas
    Yes. And you can change at any time from the add/remove programs without a complete uninstall/reinstall.
     


  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi ronjor,

    Thanks a lot for the info.

    Rich
     
  20. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,772
    Location:
    Texas
    You're welcome Rich. :)
     
  21. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Using F-Prot 3.16 I noticed that every time I opened ACE Utilities, everything slows down to a crawl for about 10 seconds until ACE Utilities opens. Then everything runs fast again. I tried opening a few other applications like Excel and Word and it didn't do it with those. Any ACE Utilities users out there who use F-Prot 3.16? If there are, can you test it? I had the monitor set to 'all files'. I uninstalled and went back to version 3.15b and ACE Utilities opens as normal (as in fast).

    muf
     
  22. hbkh

    hbkh Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    128
    Location:
    Ohio, USA
    I'm having similar minor problems (although, nothing that I would stop using F-Prot about), only not with Ace Utilities. Do you think it might have something to do with F-Prot's newfound enhanced unpacking ability?

    hbkh
     
  23. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    As noted above, I just bought version 3.16. I had tried earlier F-Prot versions & liked them, but was wary of FP's inability to handle any runtime-packed stuff. Accordingly, I had decided to wait for version 4.0.

    When I saw that 3.16 was handling some packers, I decided to buy it now, strictly for use as an on-demand scanner (DrWeb is my realtime monitor).

    Even so, I ran 3.16 as the realtime monitor (RTM) for one full day -- just to get the feel of it. I discern that 3.16's RTM is significantly heavier & slower than the version I tried several weeks ago (3.15a, as I recall). Also, FP slowed Ace Utilities down for me horrendously, just as it did for muf.

    In threads elsewhere at Wilders, Blackcat has commented that FP's programmers are probably having a tough time in trying to keep the forthcoming version 4.0 as a *Light & Fast AV program*. In BC's opinion, that is a main reason why version 4.0 Beta has been slow in coming.

    Based on what people are reporting herein about 3.16, it looks pretty obvious that Blackcat is spot-on accurate in his prognostication.

    From what I have read in other Wilder's threads, FP 4.0 is slated to add even more unpackers, plus a better right-click scan, plus much more configurability to the RTM, plus other improvements. Can Frisk add all those bells & whistles, & still keep FP light & fast? I sure hope so!
     
  24. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    GOOD NEWS Y'ALL, F Prot has responded on the slowdown issue and has a virus update fix in. Go to the website and check the support section and they have posted information pointing to possible solutions/answers. I am trialing it now and so far so good.... :rolleyes:
     
  25. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Link.
    http://www.f-prot.com/support/windows/3_16.html
     