False positives

Discussion in 'other anti-trojan software' started by ErikAlbert, Nov 28, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Great Trojan Hunter 4.6

    I ran TrojanHunter v5.0 and my computer is infected with these 5 trojans.
    IZArc, Script Defender, File Defender and PortBlocker are all TROJANS or FALSE POSITIVES.
    What do you think?

    Found trojan file: C:\Program Files\IZArc\SFXS\IZArcRAR.dat (Generic.RarDrop.B)
    Found trojan file: D:\Software5 - To Keep\Script Defender\sdefendi.exe (Generic.Trojan.A)
    Found possible trojan file: D:\Software9 - To Try\File Defender\FileDefender\Activate.exe (SDBot)
    Found possible trojan file: D:\Software9 - To Try\File Defender\FileDefender.zip/Activate.exe (SDBot)
    Found trojan file: D:\Software9 - To Try\PortBlocker\pblocki.exe (Generic.Trojan.A)

    OMG all these poor users of IZArc, Script Defender, File Defender and PortBlocker are also infected, just like me. That's life. :'(
     
    Last edited: Nov 28, 2007
  2. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Re: Great Trojan Hunter 4.6

    Have you ruled out the possibility that you have a trojanized copy of these programs? Hackers have actually gained control of servers and put up subverted versions of well known "safe" programs for others to download.


    PS I'm sure it's a FP, but for someone as paranoid as you, you should check out the possibility that you actually have a trojanised copy of a "safe" program. I'm sure you know how to rule out that possibility right?
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Great Trojan Hunter 4.6

    Yes, I know they are FPs. I only wanted to show Wilders how good TrojanHunter is: too good IMO.
    My theory was: if a scanner ever finds a malware on my computer, it must be a false positive. Well, TrojanHunter confirmed that theory 5 times. :D
     
  4. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Re: Great Trojan Hunter 4.6

    How do you know? For the sake of our less knowledgeable users, could you tell them how you can tell if some program you downloaded is the actual real version and not a trojanised copy?

    Nice theory. Might even be right most of the time. But what's the evidence?

    I know you can wipe out malware anytime and go to your "safe" config. But how do you know your "safe" config is safe? Could your safe config actually be unsafe because you got fooled into thinking you are using a real copy of IZArc?

    And yes I know you got your backups offline. But if you keep thinking your safe config is safe (but it isn't), you could continue to be fooled... so you won't think to go back to your offlines....
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Great Trojan Hunter 4.6

    If you are trying to scare me, try someone else, and you call me paranoid? :D
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Re: Great Trojan Hunter 4.6

    Hi ErikAlbert,

    Please submit those files to the TH-company.
    See here for instructions:
    http://www.misec.net/forum/board/FAQ/1139308293

    PS:
    I suppose you were using the latest version of TH and the latest defs? ;)
     
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Great Trojan Hunter 4.6

    I've sent an email to the support with these 5 false positives. If they care about their product, they will care about these false positives too.

    Instead of creating such a complicated procedure for simple users, they better provide a function in TrojanHunter to report false positives via the program itself, just like SUPERAntiSpyware did.

    I'm not interested in TrojanHunter or any other kind of scanner and I'm not going to join that forum for ONE job.

    It works like this: occasionally, while I'm reading posts at Wilders, I see the name of a scanner.
    If I'm in the right mood, I search for the homepage, download and install the trial version of that scanner.
    Then I run it and they always report nothing.
    Then I boot-to-restore and everything is gone, including the scanner.
    My choice is always at random, I never keep the scanner, just one scan and that's it.
    I have been doing this since my reinstallation in September, just to see how good (or bad) my security works.

    TrojanHunter was the first one that detected something: 5 false positives. That is the same as nothing.

    Scanners are not supposed to find anything on my system partition, because there is nothing to find, not if my theory is right.
    I remove ANY malware during each reboot in less than 2 minutes and that's the way I like it, because I don't like to spend time on bad things or bad guys.
    I don't even know, if I was infected, I just want my clean system back, that's all.
    I do the same with my spam-emails, no opening, no reading, immediately removed.
     
  9. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Re: Great Trojan Hunter 4.6

    Trying to scare you?

    It's a simple, basic and fair question: how do you know what you really have is really a copy of IZArc or whatever application you think is safe?

    People have indeed been fooled into running software that isn't what they think it is, whether it is because they got it from the wrong source, or the site got hacked (there's a famous case involving an open source, security related piece of software but I forgot the name).... it happens.

    Of course other people at least have a chance of being warned by scanners because they aren't **** sure that they are 100% clean.

    There's an equally simple answer to the question I was looking for, but it seems you don't know the answer?

    Hint, it has nothing to do with FDISR or boot to restore or offline backups...
    Nor scanners for that matter.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Great Trojan Hunter 4.6

    I understand you very well and thank you for your concern.
    I'm convinced that my system, snapshots, archives and images are clean after my last installation, because they are full of legitimate software and they have hardly been on-line.
    If my actual system has been on-line for several months, I don't trust it anymore, no matter how strong my security is.
    I just replace it with clean archives or images.
    I like to keep my harddisk under control and nothing changes in my system partition, unless I want it myself.

    You are right regarding modified installation files and I always download them from the homepage, and if they are modified, then I have indeed bad luck. I regularly ran scanners on my clean images, KAV, NOD32, SAS, ... but they can't find anything and I only need to run them ONE time, because these clean images hardly go on-line.
    I have TWO system partitions: a clean one and a daily one, and the clean one keeps the daily one clean.

    You can do a simple test: install IZArc and run TrojanHunter. If you have the same false positives, the chance is very big that I don't have a modified installation file of IZArc.
     
    Last edited: Nov 29, 2007
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Great Trojan Hunter 4.6

    That's fast and good for the average users, who might delete them and damage their own system partition.

    BTW: I don't use Script Defender anymore, because it has a serious uninstalling bug and the bug report website of SD is dead. I assume the developer isn't interested anymore.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Re: Great Trojan Hunter 4.6

    Searching the hash/checksum in Google, looking at the digital certificate (?)
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Great Trojan Hunter 4.6

    Oh, that hash thingy. Wasn't there a poll about this recently, where I said "I don't know what it is"?
    Yes, I should learn this, but I can't learn everything at once. I was very lucky to have all the right installation files without hashes, and the most advanced scanners don't seem to find anything in these installation files. Isn't that weird?
     
  15. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Re: Great Trojan Hunter 4.6

    ErikAlbert,

    after reading this thread I've decided to let TH scan my system. I also must have a trojanised version of IZArc, it found exactly the same file, but only one, not five! As far as FPs (or maybe trojanised FPs) my system is definitely cleaner than yours!

    One thing for sure in 2 years that I've been running my system virtualized, this is the second time (first time was SuperAntiSpyware) that I get one FP (if it is a trojan it must be a very friendly one). It's also worth noting that Kaspersky, Eset, and Avira never reported anything.

    I think TH like BOClean and the others are fine for average users, but with a little bit of knowledge, a sandbox and a firewall are enough to keep you clean most of the time.
     
  16. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Re: Great Trojan Hunter 4.6

    Well, it isn't rocket science. Just spend less time here posting the same thing over and over again and boasting you know more than experts, and more time learning the basics, maybe?

    Just because you are lucky now doesn't mean you will be in the future...

    Besides, given your concerns about other, even more far-fetched possibilities, downloading trojanized versions of software isn't really such an impossibility, is it?

    I would say it is even more critical for you to cover this hole, because you are absolutely sure that you have a "safe" setup...

    Isn't it weird that you come here boasting to all and sundry that you have a near perfect defense, having all types of contingency plans, and fail to cover something as simple and basic as that?

    Makes you wonder what other obvious holes there are in your defenses that you don't know about, doesn't it? Nah, it's always Erikalbert 1, Security expert 0, right? :)
     
    Last edited: Nov 30, 2007
  17. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Re: Great Trojan Hunter 4.6

    That only works if there are clean copies of IZArc out there and you were just unlucky enough to get the wrong one.

    If the main server was subverted, all users of IZArc would have the same bad copy.... So yeah, maybe Osaban might indeed have the same trojan... :)

    Or another scenario: the author turns bad and starts installing keylogging functions in there....

    Everyone else trusts the scanner and terminates IZArc, everyone except the overconfident ones who are sure that by *definition* it HAS to be a FP....
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Great Trojan Hunter 4.6

    No, your system isn't cleaner than mine, because you don't have what I have.
    Regarding the trojans, it wasn't only IZArc; 3 other legitimate applications were involved, which caused 4 other false positives.
    Besides, TrojanHunter wasn't updated before the scan.
    You can't even update the trial version of TrojanHunter unless you buy it.
    No wonder this scanner has false positives. Also a very good trick to make you buy TrojanHunter.
     
    Last edited: Nov 30, 2007
  19. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Re: Great Trojan Hunter 4.6

    Wrong.

    How to Manually Update TH Rulesets?
    http://www.misec.net/forum/board/FAQ/1142067076
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Great Trojan Hunter 4.6

    Manually? Which scanner is still doing this in 2007? The Dark Ages are over.
    The more I learn from TrojanHunter, the more I don't like it.
     
  21. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Re: Great Trojan Hunter 4.6

    I'm sorry that you don't understand the difference between the trial version and the paid-for version.
     
  22. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Re: Great Trojan Hunter 4.6

    I hope you didn't think I was seriously boasting about how good my system is compared to yours. As for the FPs, they were really FPs (as far as my file is concerned, it was checked by VirusTotal, and only Prevx found 'suspicious behaviour'). The 3 other legitimate applications were on your computer, not mine; that's the reason I only found 1.

    Even though TH has been updated, I still think it was a bit too trigger-happy finding 5 FPs on one computer.
     
  23. Hard Rocker

    Hard Rocker Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    258
    Location:
    Quebec, CANADA
    :D I have the full version of TH .... In over two years now the program has only produced FPs. The latest ones were related to Dell's Musicmatch (now fixed) and another, tbhook.dll, related to Netscape 8.0.

    I have sent Misec Support two emails about the tbhook.dll with the file attached .... they never even responded. I am now using TH5.

    This tbhook.dll has been scanned with every other security program I could find access to .... including the Kaspersky online file scanner and McAfee online scan. They all say this file is clean. This detection goes back at least 6 weeks now. As new definitions come out I continue to check, and yet TH5 remains the only program to detect this file.

    HR :cool:
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Try VirusTotal and Jotti, your file will be scanned by more than 30 scanners.
    http://www.virustotal.com/
    http://virusscan.jotti.org/
    The maximum volume = 10 MB.
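
An added worked example (editor's addition; not code from the thread, from TrojanHunter, IZArc or any other product named in it) that ties together lucas1985's "hash/checksum" suggestion in post #13 and the VirusTotal/Jotti pointer in post #24. It assumes the vendor publishes a sha256sum-style list ("<64 hex digits>  <filename>" per line) and that you obtained that list from somewhere other than the server that served the download (a signed announcement, a second site, a project page on another host); a checksum read from the same compromised page proves nothing. The file name izarc_setup.exe, the checksum line and the bytes inside the files are constructed test data, not the real installer.

```python
"""Verify a downloaded installer against a published SHA-256 list.

Added example; not code from the thread or from any product named in it.
Assumes a sha256sum-style list ("<64 hex>  <filename>" per line) obtained
from somewhere other than the server that served the download.
"""
import hashlib
import hmac
import io
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so a large installer never sits in RAM
ALGOS = ("md5", "sha1", "sha256")  # md5/sha1 only for looking samples up


def digests_from_stream(fh):
    """Hex digests of everything readable from a binary stream."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashes.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digests_of_bytes(data):
    return digests_from_stream(io.BytesIO(data))


def file_digests(path):
    with open(path, "rb") as fh:
        return digests_from_stream(fh)


def parse_checksum_list(text):
    """Parse sha256sum output: "<hex>  <name>" or "<hex> *<name>" per line.

    Returns {filename: lowercase hex digest}; rejects malformed lines
    instead of silently skipping them.
    """
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        int(digest, 16)  # ValueError if not hexadecimal
        expected[name] = digest
    return expected


def verify_download(path, checksum_text):
    """Return (ok, reason); ok only when the file's SHA-256 equals the
    published entry for its basename. A missing entry is a failure, not
    a pass: an attacker can always add a file the list does not cover."""
    name = os.path.basename(path)
    expected = parse_checksum_list(checksum_text)
    if name not in expected:
        return False, f"no published checksum for {name}"
    actual = file_digests(path)["sha256"]
    if hmac.compare_digest(actual, expected[name]):  # constant-time compare
        return True, "sha256 matches published value"
    return False, f"sha256 mismatch: got {actual}, published {expected[name]}"


def demo():
    """Constructed data: a fake installer, its published checksum line, a
    copy with one flipped byte (what a trojanised download looks like to a
    hash), and a file the list never mentioned."""
    payload = b"MZ" + bytes(range(256)) * 4096  # constructed, not a real PE
    published = f"{digests_of_bytes(payload)['sha256']}  izarc_setup.exe\n"
    tampered = bytearray(payload)
    tampered[1000] ^= 0x01
    with tempfile.TemporaryDirectory() as tmp:
        vendor, mirror = Path(tmp, "vendor"), Path(tmp, "mirror")
        vendor.mkdir()
        mirror.mkdir()
        (vendor / "izarc_setup.exe").write_bytes(payload)
        (mirror / "izarc_setup.exe").write_bytes(bytes(tampered))
        (mirror / "unlisted.exe").write_bytes(payload)
        return {
            "good": verify_download(vendor / "izarc_setup.exe", published)[0],
            "tampered": verify_download(mirror / "izarc_setup.exe", published)[0],
            "unlisted": verify_download(mirror / "unlisted.exe", published)[0],
        }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'verified' if ok else 'REJECTED'}")
```

The MD5 and SHA-1 values are computed only because the multi-scanner sites let you search by hash, which answers Hard Rocker's question about tbhook.dll without uploading the file at all; trust decisions use SHA-256 alone. The "digital certificate" half of lucas1985's suggestion is a separate check: on Windows, PowerShell's Get-AuthenticodeSignature reports whether an executable carries a valid signature and from whom, and a valid signature from the publisher you expect does not depend on where you fetched a checksum from. Neither check answers LUSHER's last scenario: if the author's own server is subverted or the author turns bad, a matching hash or a valid signature only tells you that you have exactly what the author shipped.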
     
  25. Hard Rocker

    Hard Rocker Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    258
    Location:
    Quebec, CANADA
    :D Thanks for the response and the links Erik Albert. It's greatly appreciated !!

    BTW .... I know we have crossed paths before at Wilders .... but it was quite some time ago. :thumb:

    HR :cool:
     