False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Hello,

    if you have encountered a false positive or Prevx is not detecting a malicious file, please follow the instructions listed inside the thread HowTo: reporting false positives / missing detections.

    Moreover, if you want you can write in this thread what you're going to report by e-mail.

    Please use only this thread for false positive or missing detection reports, this will help us to get everything more organized.

    Thank you and enjoy Prevx :)

    Marco
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    I couldn't ask in the other thread so I'll ask here, anything in specific wrong with zip files? :p
     
  3. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    They are filtered by the mail service :)
     
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    You should add that to the post.
     
  5. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    That's why password protected RAR archive is underlined :D I'll add this note too :)

    Thank you! :)
     
  6. cet

    cet Registered Member

    Joined:
    Sep 3, 2006
    Posts:
    867
    Location:
    Turkey/İzmir
    Prevx detected portable spiderplayer.exe as medium risk malware. I think this is a false positive. I ran a VirusTotal scan and only Prevx marks it as malware. Also there is an oggenc.exe in spider player file, it is marked as malware too.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Can you send both of these files in a RAR archive with a password to report@prevxresearch.com ?

    We will analyze them and correct the determinations ASAP :)
     
  8. cet

    cet Registered Member

    Joined:
    Sep 3, 2006
    Posts:
    867
    Location:
    Turkey/İzmir
    I sent the log and immediately got a reply from Prevx. Yes, it is a false positive and will be corrected soon. Thanks for such a quick response.
     
  9. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
  11. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Thanks. :thumb:
     
  12. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Last edited by a moderator: Jun 25, 2009
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    I'm not sure why you attached the file, as stated all that's needed is the file's PX code from the log.
     
  14. sputnik451

    sputnik451 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    17
    Hi,
    Prevx detected operatorres.dll as medium risk malware.
    I have emailed the log as requested here
     
  15. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    Undetected file submitted last night re: fraudulent security program from errorfix.com.
     
  16. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Because of the missing reply to my post #12 I sent the win2log to the Avira research lab. They could not find a virus or virulent components in the file so it is a FP.

    So plz fix this:
    In the same log Prevx marked this:
    But I don't get an infection message showing up by Prevx.
    Why?

    greetz
     
  17. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Just checking your submissions :) Sorry for the delay, I've been a bit busy :doubt:
     
  18. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Yes, I was going to reply to your e-mail right now :)

    First one is a false positive, I've just fixed it. Try again a scan, the second has been automatically marked as good by the database. So, you should not receive any other notification now.

    Best regards,

    Marco
     
  19. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    =) Thank you very much.
     
  20. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    And no problem about that! ;)

    best regards.
     
  21. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    Has this been checked? The executable is still undetected.
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Sorry for the delayed response :) We added protection a few minutes after you sent in the email - often it takes longer to send the response back than add protection :D

    I'll make sure that we reply faster in the future :)
     
  23. sputnik451

    sputnik451 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    17
    thanks for fix :)
     
  24. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    We're simply not meant to be together... (for now? :D) :D First time that I run Prevx now, four entries in the results are all FPs as it seems. :D I'm sure you can clarify the middle-ones, cause the other two - bottom and top - I know about.

    See attached image.

    The one at top is a part of GameGuard. Now this thing is kinda tricky... I got it explained elsewhere that it uses something like rootkit-techniques, even if it indeed should be completely harmless. It's very, very common for free online-games, and even more for the "manga-type" ones.

    The one at bottom is, as can be seen on the directory, a part of Vista Codec Pack. I too think it's suspicious with something like settings32.exe for a prog. like that, but neither Avira (which, BTW, is running with heur. set to High) nor MSE is detecting it as malware. To be sure I also uploaded it to VirusTotal, which only showed some lame heuristical detections. ;) :p

    BTW, the same goes for gameguard.des, which would indeed trigger at any time as I run the game often (named Dragonica). :D


    Please see what you can find out what's up with the two with same name, different locations in the registry, and just tell me if you need a scan-log for the entries in your db.


    EDIT: Nah, WTH - I attach that too while I'm still on it. :D
     


  25. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    Thanks for adding protection for this fraudulent program.

    What I don't understand is since you added this to the database soon after I sent the email why wasn't it detected when I did an on-demand scan of the file a few times during the day, including at the time of post #21.
     