False Positive from F-Prot?

Shortly after installing Returnil, I received a Message that claimed Returnil (or, rather, F-Prot) had found the following: Adware(W32/FakeInstall.A.gen!Eldorado, Identified by matching) detected: \DEVICE\HARDDISKVOLUME1\PROGRAMFILES\THE KMPLAYER\KMPLAYER.EXE

I use KMPlayer a lot to play .AVI files, and I've never had a problem with it nor received any warning about it. After receiving the message from Returnil, I scanned the file with McAfee Anti-Virus, Malwarebytes Anti-Malware Pro, and Spybot, all with the most current definitions. None of them found any malware. I also came upon a message or two on the web from other people who had received this alert from F-Prot which they believed was a false positive. I am assuming that this is, indeed, a false positive. I couldn't find a button to press to tell Returnil to Ignore this file. Can I use the method ColdMoon recommended to fitzalon on Nov. 23 for dealing with a false positive? He suggested:

1. Select to quarantine the detected file using the button in the alert message
2. Open the quarantine list and then select the file just quarantined
3. Select restore with the added option to add it to your VG exclusion list

Also, I'm somewhat concerned about the presence of F-Prot in Returnil. I've always been told that I should not have more than one active anti-virus program on my computer. Since I already have McAfee Enterprise Edition AV (along with a firewall and Malwarebytes Anti-Malware Pro), shouldn't I turn off F-Prot?

Thanks in advance for your help.

 

Hi,

You are correct if you are trying to run two stand-alone AV solutions AND implement their resident scanners at the same time. In practice, multiple AVs are possible as long as one is the "master" (resident scanner) and the other(s) are configured as demand-only scanners.

From a design perspective, a traditional AV solution starts with the assumption that it will be the primary focus of the user's security strategy and as a result needs to include extensive system hooking and other features to monitor for malicious activity. When you then install another stand-alone AV, it attempts to control the same things as the first AV installed and as a result you have conflict.

When you install an AV and an AS however, you will notice that their resident scanners do not conflict for the most part as they are designed to monitor and/or hook different areas of the OS and are less likely to conflict (there are exceptions of course).

In RVS, we do not need to implement extensive system hooking for the Virus Guard as it is only targeted at specific things:

1. Incoming content - Ex.: That file you are downloading
2. New content saved to the real System Partition - Does the file contain malicious content?
3. Content that is known to circumvent virtualization

Further, with the Anti-Execute option enabled, RVS monitors adds a check to see if the content already exists on the real system and then block or allow based on this.

The RVS Virus Guard and System Safe (virtualization) features are designed from the assumption that the user will be using virtualization and thus anything not detected or falls outside of the focus will be removed at restart. So the focus here is not in the detection of every potential malware; it is about reducing the time needed to realize the removal of that malware.

No AV/AS/AM can detect everything and never will as there is too much incentive for the malware developers to overwhelm traditional detection technology. What we are trying to demonstrate with RVS is that detections are less important than removals...

The procedure should work as described for adding this file to the exclusion list. I will follow up with the research and development teams for information regarding the investigation of this detection as it has been reported previously.

Mike

 

Thanks very much, Mike, for your response. However, both McAfee and F-Prot are apparently set to look at files that I download (your item 1). Hence, I'm concerned about the possibility of conflict between the two programs. To be honest, given all the security software I already have in place and the fact that I almost never have real malware, I think I'd be more comfortable turning off F-Prot. Removing/disabling F-Prot would eliminate a potential source of conflicts and false positives. Moreover, as you point out, even if I were to download undetected malware, it would vanish as soon as I reboot.

Great. Many thanks once again.

 

What's an AS?

 

Hi Len,

AS: Antispyware
AV: Antivirus
AM: Antimalware

Mike

 

Hi cyberdiva,
The detection is valid but is for a PUP (Potentially Unwanted Program). The flag is on ASK content within the player. If you wish to keep using the player and agree to using the ASK content, you should keep the player in your Virus Guard exclusion list so it is not detected in the future.

Mike

 

OK, thanks very much, Mike. The one nasty thing about KMPlayer is that, like so many freeware programs these days, it tries to generate more income from questionable tie-ins like the one for the Ask toolbar. I said NO and unchecked the box, so the Ask toolbar was not installed. One does not have to agree to having the Ask toolbar in order to use KMPlayer.

In any event, I'll add KM Player to the Virus Guard exclusion list.

Again, many thanks.