False positive?

Prevx detected two Rootkits on my PC. The .exe is xpsviewer.exe.

I think it is a false positive...

 

Any trust in Prevx that I started to acquire is now gone!

Prevx File Investigation Report:
http://www.prevx.com/filenames/X5512832529437851-X1/XPSVIEWER.EXE.html

Windows Hardware Developer Central - View and Generate XPS:
http://www.microsoft.com/whdc/xps/viewxps.mspx

Explore the features: XPS documents:
http://www.microsoft.com/windows/windows-vista/features/xps.aspx

NOTE: XPSViewer.exe is an hidden system file:
http://www.fileinspect.com/fileinfo/xpsviewer-exe/


HKEY1952

 

Why is it gone?

 

You seem to have completely missed the point. You can't assess if a file is malware only from its name! LOL
But you need more information like the size, location, the behaviour, unique hash code, etc...

The web page at Prevx is telling you that XPSVIEWER.EXE, doing XXXX, with yyyy size, located in zzzz and identified in qqqq countries is malware, not the one installed on your PC.

Cheers,
Fax

 

Any malware scanner will inevitably at some point generate an false positive or an false negative, this is expected and acceptable, however,
this particular false positive concerning the Microsoft XPSViewer.exe is totally out of context and unacceptable, especially the ludicrous Prevx File Investigation Report details.
This is one time Sir, that I will not argue my point, because I know that I am right.....and the road ends.....right here.


HKEY1952

 

I agree.


The file in Pain of Salvation's log is this one:
http://info.prevx.com/aboutprogramtext.asp?PX5=F4E38556001A95720E8D00D21C7C2200B79BCD14

It is not marked as malicious in the Prevx database. Guess a strange behavior of this file triggered the Rootkit.MFTHide detection.

 

Hello all,
This false positive is caused because of a mismatch between usermode data and kernel mode data and is detected within our rootkit scanner. I suspect most other antirootkit programs would detect this as well and it literally means that the file has a missing entry within the file system (which is a technique used by some advanced rootkits today).

However, the cause of it generating a false positive is very rare and usually would only happen either from harddisk corruption, another AV blocking that specific file (which I doubt in this case), or a file having just been written to the disk/created.

This FP in particular affected only one user (Pain of Salvation) and the file in his log has never been seen on any other PC, which leads me to believe that it had just been created on the system or possibly has been corrupted in some form.

Let me know if you have any questions!

 

Respectfully.....your entire Post is misleading and wrong.....

There are two files for the XPSViewer:

01)- XPSViewer.exe.mui
(a) Internal Name = XPSViewer.exe
(b) Original File Name = XPSViewer.exe.mui

02)- XPSViewer.exe
(a) Internal Name = XPSViewer.exe
(b) Original File Name = XPSViewer.exe




That's All Folks


HKEY1952

 

Sorry, but it isn't - you have misread his log:

[R<11000020>] c:\windows\winsxs\x86_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_6.0.6001.22221_es-es_b2545417a9a413f3\xpsviewer.exe.mui [PX5: F4E38556001A95720E8D00D21C7C2200B79BCD14] Malware Group: Rootkit.MFTHide
[R<11000020>] c:\windows\winsxs\x8a9e0~1.181\xpsviewer.exe.mui [PX5: F4E38556001A95720E8D00D21C7C2200B79BCD14] Malware Group: Rootkit.MFTHide

This is not referring to xpsviewer.exe. These files are identical - the issue came because one of them was not flushed all the way to disk so Prevx was seeing that it was hidden from the Master File Table.

 

Lol, sorry but, right or not, and as explain by Joe, you are still ... missing the point

Fax

 

You are out of your playpen again fax


HKEY1952

 

I am sorry but I for one do not understand the reason for overreaction. One false positive, which occurred in one system, due to some odd condition. Where's the problem?

There is no problem.

It's not like this is some system-crippling bug affecting thousands of systems a la unmentioned european company

 

Yeap

 

Directory Hard Links


HKEY1952

 

Pen which pen? The heuristics on your end seems to generate a lot of false positives
Sorry couldn't resist, peace...love and music forever

 

Hmm, I am not encountering this false positive. I'm using Windows 7 x64 RTM.

 

No one else encountered the FP - it was literally limited to Pain of Salvation and wasn't a signature detection, as pointed out by ctrlaltdelete, so no other user could ever have been affected by it.

 

Hi Joe can you confirm this as a FP.
I have marked them as such and just require confirmation from you or one of your team.
Thank you

 

Yes, it is We corrected this FP yesterday and the misdetection should be removed automatically on a re-scan

 

A note to all - we strongly encourage reporting FPs by using the methods in this thread: https://www.wilderssecurity.com/showthread.php?t=245129

To prevent this thread turning down unproductive routes, please follow the instructions in that post to submit false positives. I'm now closing this thread but feel free to send me a PM if you have any questions.

Thank you for your support!