False Positive from F-Prot?

Discussion in 'General Returnil discussions' started by cyberdiva, Nov 30, 2009.

Thread Status:
Not open for further replies.
  1. cyberdiva

    cyberdiva Registered Member

    Joined:
    May 30, 2007
    Posts:
    71
    Shortly after installing Returnil, I received a message that claimed Returnil (or, rather, F-Prot) had found the following: Adware(W32/FakeInstall.A.gen!Eldorado, Identified by matching) detected: \DEVICE\HARDDISKVOLUME1\PROGRAMFILES\THE KMPLAYER\KMPLAYER.EXE

    I use KMPlayer a lot to play .AVI files, and I've never had a problem with it nor received any warning about it. After receiving the message from Returnil, I scanned the file with McAfee Anti-Virus, Malwarebytes Anti-Malware Pro, and Spybot, all with the most current definitions. None of them found any malware. I also came upon a message or two on the web from other people who had received this alert from F-Prot which they believed was a false positive. I am assuming that this is, indeed, a false positive. I couldn't find a button to press to tell Returnil to Ignore this file. Can I use the method ColdMoon recommended to fitzalon on Nov. 23 for dealing with a false positive? He suggested:

    1. Select to quarantine the detected file using the button in the alert message
    2. Open the quarantine list and then select the file just quarantined
    3. Select restore with the added option to add it to your VG exclusion list

    Also, I'm somewhat concerned about the presence of F-Prot in Returnil. I've always been told that I should not have more than one active anti-virus program on my computer. Since I already have McAfee Enterprise Edition AV (along with a firewall and Malwarebytes Anti-Malware Pro), shouldn't I turn off F-Prot?

    Thanks in advance for your help.
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi,
    You are correct if you are trying to run two stand-alone AV solutions AND implement their resident scanners at the same time. In practice, multiple AVs are possible as long as one is the "master" (resident scanner) and the other(s) are configured as demand-only scanners.

    From a design perspective, a traditional AV solution starts with the assumption that it will be the primary focus of the user's security strategy and as a result needs to include extensive system hooking and other features to monitor for malicious activity. When you then install another stand-alone AV, it attempts to control the same things as the first AV installed and as a result you have conflict.

    When you install an AV and an AS however, you will notice that their resident scanners do not conflict for the most part as they are designed to monitor and/or hook different areas of the OS and are less likely to conflict (there are exceptions of course).

    In RVS, we do not need to implement extensive system hooking for the Virus Guard as it is only targeted at specific things:

    1. Incoming content - Ex.: That file you are downloading
    2. New content saved to the real System Partition - Does the file contain malicious content?
    3. Content that is known to circumvent virtualization

    Further, with the Anti-Execute option enabled, RVS adds a check to see if the content already exists on the real system and then blocks or allows based on this.

    The RVS Virus Guard and System Safe (virtualization) features are designed from the assumption that the user will be using virtualization and thus anything not detected, or that falls outside of the focus, will be removed at restart. So the focus here is not in the detection of every potential malware; it is about reducing the time needed to realize the removal of that malware.

    No AV/AS/AM can detect everything and never will as there is too much incentive for the malware developers to overwhelm traditional detection technology. What we are trying to demonstrate with RVS is that detections are less important than removals...

    The procedure should work as described for adding this file to the exclusion list. I will follow up with the research and development teams for information regarding the investigation of this detection as it has been reported previously.

    Mike
     
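As an added illustration (example code written for this thread, not Returnil's own implementation), the decision flow Mike describes can be modelled in a few lines: a signature match sends the file to quarantine, the Anti-Execute check blocks content that is not already present on the real system partition, and restoring a quarantined file adds it to the exclusion list so the same detection does not fire again. The file contents, the "real system" inventory and the signature database below are all constructed; the detection name is the one quoted in the first post. One design choice worth noting: the exclusion list here is keyed by file hash rather than path, so a different binary dropped at the excluded path is still scanned.

```python
"""Toy model of an on-access Virus Guard with quarantine, restore-and-exclude,
and an Anti-Execute check. Constructed example, not Returnil's code."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a file in every list below."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class VirusGuard:
    # Hashes of files already present on the real (non-virtualised) system partition.
    real_system: set = field(default_factory=set)
    # Constructed signature database: hash -> detection name.
    signatures: dict = field(default_factory=dict)
    # Exclusions keyed by hash, not path: a replaced binary at the same path is re-checked.
    exclusions: set = field(default_factory=set)
    # Quarantine store: hash -> (original path, bytes).
    quarantine: dict = field(default_factory=dict)
    anti_execute: bool = True

    def scan(self, path: str, data: bytes) -> tuple:
        """Return (verdict, reason) for new content arriving in the virtual session."""
        h = sha256_hex(data)
        if h in self.exclusions:
            return ("allow", "on exclusion list")
        if h in self.signatures:
            self.quarantine[h] = (path, data)
            return ("quarantine", self.signatures[h])
        if self.anti_execute and h not in self.real_system:
            # Anti-Execute: content unknown to the real system is blocked.
            return ("block", "not present on real system")
        return ("allow", "clean")

    def restore_and_exclude(self, h: str) -> str:
        """Step 2-3 of the procedure: restore from quarantine and exclude by hash."""
        path, _data = self.quarantine.pop(h)
        self.exclusions.add(h)
        return path


# Constructed sample inputs (not real binaries).
PLAYER_PATH = r"C:\Program Files\The KMPlayer\KMPlayer.exe"
PLAYER_BYTES = b"constructed stand-in for kmplayer.exe"
KNOWN_BYTES = b"constructed stand-in for a file already on the real system"
UNKNOWN_BYTES = b"constructed stand-in for a fresh download"


def build_guard() -> VirusGuard:
    return VirusGuard(
        real_system={sha256_hex(KNOWN_BYTES)},
        signatures={sha256_hex(PLAYER_BYTES): "W32/FakeInstall.A.gen!Eldorado"},
    )


def run_demo() -> dict:
    """Walk through the thread's scenario and return each verdict."""
    guard = build_guard()
    results = {}
    results["first_scan"] = guard.scan(PLAYER_PATH, PLAYER_BYTES)          # quarantined
    restored = guard.restore_and_exclude(sha256_hex(PLAYER_BYTES))
    results["restored_path"] = restored
    results["rescan"] = guard.scan(PLAYER_PATH, PLAYER_BYTES)              # now allowed
    results["known_file"] = guard.scan(r"C:\Windows\known.exe", KNOWN_BYTES)
    results["unknown_download"] = guard.scan(r"C:\Downloads\new.exe", UNKNOWN_BYTES)
    # A different binary at the excluded path is still subject to the checks.
    results["swapped_binary"] = guard.scan(PLAYER_PATH, UNKNOWN_BYTES)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```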
  3. cyberdiva

    cyberdiva Registered Member

    Joined:
    May 30, 2007
    Posts:
    71
    Thanks very much, Mike, for your response. However, both McAfee and F-Prot are apparently set to look at files that I download (your item 1). Hence, I'm concerned about the possibility of conflict between the two programs. To be honest, given all the security software I already have in place and the fact that I almost never have real malware, I think I'd be more comfortable turning off F-Prot. Removing/disabling F-Prot would eliminate a potential source of conflicts and false positives. Moreover, as you point out, even if I were to download undetected malware, it would vanish as soon as I reboot.

    Great. Many thanks once again.
     
  4. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    What's an AS?:oops:
     
  5. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Len,

    AS: Antispyware
    AV: Antivirus
    AM: Antimalware

    Mike
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi cyberdiva,
    The detection is valid but is for a PUP (Potentially Unwanted Program). The flag is on ASK content within the player. If you wish to keep using the player and agree to using the ASK content, you should keep the player in your Virus Guard exclusion list so it is not detected in the future.

    Mike
     
  7. cyberdiva

    cyberdiva Registered Member

    Joined:
    May 30, 2007
    Posts:
    71
    OK, thanks very much, Mike. The one nasty thing about KMPlayer is that, like so many freeware programs these days, it tries to generate more income from questionable tie-ins like the one for the Ask toolbar. I said NO and unchecked the box, so the Ask toolbar was not installed. One does not have to agree to having the Ask toolbar in order to use KMPlayer.

    In any event, I'll add KM Player to the Virus Guard exclusion list.

    Again, many thanks.
     