False Positives

Discussion in 'Trojan Defence Suite' started by Whynot, Jan 24, 2005.

Thread Status:
Not open for further replies.
  1. Whynot (Registered Member; Joined: Feb 8, 2004; Posts: 50)

    Below is a copy of an e-mail I sent off to DCS, to which they promptly replied - thanks guys - and rather than bug them as to reasons for this I thought I'd throw it open to the knowledgeable people on these forums :D

    I'm running XP + SP2 with Office setup on RAID drives. Firefox 1.0 browser, TDS3, NOD32, ZAPro and Netgear Firewalls and a few anti-spyware proggies. XP is on F:\, Definitely NO C:\
    A week ago, I purchased a second-hand HP 2210 printer/fax/scan/copier from a friend. Recently some of the sites I regularly visited were redirected to sites I'd never visited, namely www1.dell.co.uk and www.yves-rocher.co.uk. As my PC sometimes seemed sluggish I re-installed from an image, all OK. Re-installed the printer and updated Office - asked to restart. Immediately TDS began alarming me to infections, all on C:\ - which I could see in both Computer Management and Explorer, however when I attempted to browse I was asked to insert a disk. I could eject this "removable" disk as an option using the USB icon. When I unplugged the printer USB cable, TDS stopped reporting traces - I even managed to delete a couple of them as it was running. Any ideas as to what is going on - surely a printer can't be the source of nasties?

    Any thoughts, people?
     
  2. tutankamon (Registered Member; Joined: Jul 10, 2003; Posts: 170; Location: Lancashire U.K.)

    Hi Whynot,
    seems to be on the install disc.
     
  3. Gavin - DiamondCS (Former DCS Moderator; Joined: Feb 10, 2002; Posts: 2,080; Location: Perth, Western Australia)

    Hi,

    The TRACE scanner looks for known file locations, and some of these are hard-coded to check C:\ and other fixed file locations. If this is not a hard drive, then what you have seen is the result, because the scanner has a problem accessing files on the disk (removable, flash drive, whatever).

    At the time we created these signatures I was unaware it was even possible to have C:\ as a non-hard drive. We have made many changes to the trace scanner to make it more powerful, and of course to fix these. We are converting everything over to the TDS4 scanner so until then you can ignore any trace scan results which say file trace C:\<anything>.
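
Added example, not part of the original thread and not DiamondCS code: one way a file-trace check over hard-coded paths can avoid this class of false positive, by reporting a hit only when the file is confirmed present and treating an unreadable volume as "no verdict". It assumes the false positives come from an access error being counted as a hit; the trace paths and the `no_media_stat` test double are constructed for illustration.

```python
import errno
import os
from enum import Enum


class Probe(Enum):
    PRESENT = "present"        # file exists: a genuine trace hit
    ABSENT = "absent"          # path not there: clean
    UNREADABLE = "unreadable"  # volume could not be read: no verdict


def probe_trace(path, stat=os.stat):
    """Classify one fixed trace location; an I/O failure is never a hit."""
    try:
        stat(path)
    except (FileNotFoundError, NotADirectoryError):
        return Probe.ABSENT
    except OSError:
        # Any other failure, e.g. a removable drive letter with no media.
        return Probe.UNREADABLE
    return Probe.PRESENT


def scan(trace_paths, stat=os.stat):
    """Return (hits, skipped): only PRESENT paths are reported as traces."""
    hits, skipped = [], []
    for path in trace_paths:
        result = probe_trace(path, stat)
        if result is Probe.PRESENT:
            hits.append(path)
        elif result is Probe.UNREADABLE:
            skipped.append(path)
    return hits, skipped


# Constructed sample data: hypothetical trace names, not real signatures.
SAMPLE_TRACES = [r"C:\example_trace_a.exe", r"C:\example_trace_b.dll"]


def no_media_stat(path):
    """Test double standing in for os.stat on a drive with no disk in it."""
    raise OSError(errno.EIO, "device not ready (simulated)", path)


if __name__ == "__main__":
    hits, skipped = scan(SAMPLE_TRACES, stat=no_media_stat)
    print("hits:", hits)
    print("skipped (unreadable volume):", skipped)
```
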
     
  4. Whynot (Registered Member; Joined: Feb 8, 2004; Posts: 50)

    Thanks Gavin. The C: is what the OS is calling the USB connection to the printer. Interestingly enough this "phenomenon" only occurs if the printer cable is attached at boot-up. I've tried it with a removable USB Flash drive and it is recognised properly. Once again thanks for the reply - hope this didn't impact on the release date of TDS4 :D
     