False Positives??

Discussion in 'ESET Smart Security' started by DonVa, Nov 10, 2008.

Thread Status:
Not open for further replies.
  1. DonVa (Registered Member; joined May 11, 2008; 30 posts)

    I seem to have two files quarantined that I believe have been around for some time. They appear to have only recently been quarantined though.

    The first is:
    C:\Windows\System32\drivers\secdrv.sys

    Which I believe is a macrovision security driver but identified as win32\nulprot trojan.

    The second is:
    C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe -startup which is identified as win32\Bagle.QC worm


    Maybe they really are viral but I am fairly sure they have been around for a long time.

    Could they be false positives??
     
  2. funkydude (Registered Member; joined Apr 5, 2004; 6,855 posts)

    Possibly, you can zip them both up with the password "infected" and send them to samples("at")eset.com with "False Positive" - this thread's URL as the subject. You can also use VirusTotal, which may or may not give you more in-depth details as to whether it's a false positive or not. You will need to temporarily disable protection to restore the files from quarantine, which is accessible through the right-click menu of the eye.
     
  3. DonVa (Registered Member; joined May 11, 2008; 30 posts)
    Thanks for the tip about Virus Total - that's a really good tool.

    The secdrv.sys was identified by 14/35 as a threat.

    The second one got a clean bill of health.
    However, this file was replaced so I renamed it and restored the quarantined version and that came back with 25/36 saying it was a threat.

    So it looks like these files have been modified recently and are probably bad.

    I am going to hunt down what installed them now...
    (and do a full scan...)


    Thanks
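The triage DonVa describes above (compare the copy now on disk against the quarantined copy, then weigh the multi-engine detection ratio) as an added example, not code from the thread or from ESET; the verdict thresholds and the sample byte strings are assumptions made for illustration:

```python
import hashlib
from typing import Optional

# Constructed stand-ins for the two copies of a quarantined file (not real samples).
SAMPLE_ON_DISK = b"replacement binary written after quarantine"
SAMPLE_QUARANTINED = b"original binary that the scanner quarantined"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_ratio(ratio: str) -> float:
    """Turn a VirusTotal-style '14/35' string into the fraction of engines detecting."""
    hits, total = (int(x) for x in ratio.split("/"))
    if total <= 0 or hits < 0 or hits > total:
        raise ValueError(f"bad detection ratio: {ratio!r}")
    return hits / total


def triage(on_disk: Optional[bytes], quarantined: bytes, ratio: str) -> dict:
    """Decide how to treat a quarantined file.

    A differing hash means the on-disk file was replaced after quarantine (as with
    ISUSPM.exe in the thread), so a clean scan of the on-disk copy says nothing
    about the quarantined one. Thresholds are assumed, not from the thread:
    >= 0.5 of engines -> likely malicious, < 0.1 -> likely false positive.
    """
    q_hash = sha256_hex(quarantined)
    d_hash = sha256_hex(on_disk) if on_disk is not None else None
    fraction = parse_ratio(ratio)
    if fraction >= 0.5:
        verdict = "likely malicious"
    elif fraction < 0.1:
        verdict = "likely false positive, submit sample to vendor"
    else:
        verdict = "inconclusive, submit sample to vendor"
    return {
        "quarantined_sha256": q_hash,
        "on_disk_sha256": d_hash,
        "replaced_since_quarantine": d_hash is not None and d_hash != q_hash,
        "detection_fraction": round(fraction, 3),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ON_DISK, SAMPLE_QUARANTINED, "25/36"))
```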
     