False Positive & TrueCrypt Possible issue

Discussion in 'Prevx Releases' started by Romagnolo1973, Jul 20, 2010.

Thread Status:
Not open for further replies.
  1. Romagnolo1973

    Romagnolo1973 Registered Member

    Joined:
    Feb 17, 2009
    Posts:
    518
    Location:
    Italy - Ravenna
    for Joe:
    one FP about new Foobar beta version http://www.foobar2000.org/


    Prevx Scan Log - Version v3.0.5.182
    Log Generated: 20/7/2010 22:51, Type: 0,1
    Windows 7 (Build 7600) 32bit|1033
    Hostname: Cris-PC
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 2, Pop: 2, Heu: 4 (Dir: 1)
    Last Scan: Tue 2010-07-20 22:51:04 W. Europe Daylight Time. Number of Scans: 228. Last Scan Duration: 6 minutes 13 seconds.
    (ACTIVE) c:\program files\foobar2000\components\foo_ui_std.dll [PX5: 2A1D01140002599632F9118CB35E8300AD80004F] Malware Group: Medium Risk Malware


    Just another thing: Prevx scans my drive Z, which is my encrypted partition using TrueCrypt.
    Prevx finds some files here that seem to be Windows system files, but to tell the truth, on the encrypted volume Z I only have my personal data (photos, documents, curriculum), and the Prevx scan is slower: it needs 5 minutes, which is unusual; before it was 2 or 3 maximum.
    Clicking here you can see the issue: Prevx checks Z and z as driver and finds here file does not exist
    [IMG=http://img822.imageshack.us/img822/4430/immaginecq.th.jpg][/IMG]

     
    Last edited: Jul 21, 2010
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
  3. guest

    guest Guest

    Re: Prevx 3.0 with SafeOnline build 3.0.5.182

    Sorry TH, but I disagree strongly with this 'let's keep fp's under the radar' strategy and that it is. People here should IMHO know if there is a problem with false positives. And as I reported already yesterday an absurd fp 'advpack.dll' via email and got no answer back from Prevx I prefer now to write here in public as another fp got on my nerves after a scan. - Both detections I checked with Virustotal and of course Prevx was again the only vendor that had found 'malware', with default settings btw. :rolleyes:

    http://img697.imageshack.us/img697/8194/prevxdetection.jpg

    This time it's Focus Photoeditor 6.2.3 that's the bad guy.

    JFYI, I'm not posting this to get 'help', the only reason is to tell Prevx I am not happy about the amount of fp's I experience when using Prevx but that's no news of course. And I just mark it via GUI as false positive as always but that doesn't solve the problem: too many fp's regardless of what PrevxHelp says to that. ;)
     
  4. jmc777

    jmc777 Registered Member

    Joined:
    Aug 6, 2004
    Posts:
    244
    Re: Prevx 3.0 with SafeOnline build 3.0.5.182

    Maybe the Prevx CEO would consider breathing some life into an idea he had in 2007?

    I don't think I was paying attention to Prevx back then — did that ever materialise?
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Re: Prevx 3.0 with SafeOnline build 3.0.5.182

    This is the only reason I suggest sending a scan log directly to Prevx and close possible FP reports!
    Also there is a Sticky on the subject: HowTo: reporting false positives / missing detections

    HTH,

    TH
     
    Last edited: Jul 21, 2010
  6. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Re: False Positives

    I have split this thread and moved it to the correct forum because it has nothing to do with the new RC build 3.0.5.182, but I will leave it open so the Prevx Mods can make their comments and feelings clear!

    TH
     
  7. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    Re: Prevx 3.0 with SafeOnline build 3.0.5.182

    You could PM PrevxHelp in this situation & he could look into why your email was not responded to. It's not about shielding things from the public; it's about getting things done quickly and quietly in the background. I have done this with other security vendors as well as Prevx.
     
  8. Romagnolo1973

    Romagnolo1973 Registered Member

    Joined:
    Feb 17, 2009
    Posts:
    518
    Location:
    Italy - Ravenna
    Re: Prevx 3.0 with SafeOnline build 3.0.5.182

    :thumb:
    I always post every FP I find directly to Joe's email, but the point is that while watching Prevx scanning the FP I saw the other issue, which affects the scan running time and could be a possible problem for every TrueCrypt user if there is an incompatibility.
    So posting the TrueCrypt issue here and the FP via email was losing time, this is why.
    For that reason, if you changed the title, give this thread the title TrueCrypt Possible issue, because it is more focused on the real issue (the FP is not a problem)
     
    Last edited: Jul 21, 2010
  9. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I understand completely; I was just referring to the possible FP only because I can't split your post into two parts! ;) Also send them a scan log and explain the TrueCrypt problem as stated in this post: https://www.wilderssecurity.com/showpost.php?p=1662381&postcount=1

    TH
     
    Last edited: Jul 21, 2010
  10. Romagnolo1973

    Romagnolo1973 Registered Member

    Joined:
    Feb 17, 2009
    Posts:
    518
    Location:
    Italy - Ravenna
    TH, I know how to make a log; I personally curate the Italian thread about Prevx :thumb:
    In the log there is no trace of any activity on Z (the encrypted volume), only C is in the log, so I think my log is not important for seeing the issue (possible issue)
    But if Joe thinks it is important I will send a log file to him, no problem; it is not the first and will not be the last


    My system is Seven Ultimate 32bit
    The TrueCrypt version is the new 7 (but same issue with the old v6), the encrypted volume is an entire partition called Z (not an encrypted folder) and without any other encrypted volume inside it (a possibility that is allowed but that I don't need, I am not a CIA agent :D ), the volume password is a code, not a file
    Z doesn't have any system files, as it seems looking at the Prevx scan
    Z is a partition on my secondary HD (not a partition of C Volume)
    If Joe can try an encrypted partition in a test system I think he will have the same strange issue

    BTW if someone here uses TC, they can try and see if it is the same or not
    Thanks
     
  11. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Like I said, I understand, as you have to install TrueCrypt v7 on your OS and those files will be in the log, so it could be a simple fix that Prevx can do at their end with regard to TrueCrypt v7! ;)

    TH
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Romagnolo1973 - because of TrueCrypt encrypting partitions, it would generally take Prevx longer to scan through there. You may want to uninstall/reinstall Prevx to try to clear down the file caches which should improve the scan speed.

    Regarding false positives - we've explained this several times: there is no benefit to publicly reporting every minor FP which occurs because most are fixed within minutes. guest - your FP was fixed and responded to in about two hours (I responded to it :p) so I'm not sure where the complaints come from.

    Prevx is at its all-time low of FP rates, about five times lower than where it was last year, even though our detections are at an all-time high. Unless the 40,000+ users who receive correct detections every day want to come into Wilders and post on every detected file (which I'd strongly recommend against doing :D), false positives get disproportionately emphasized.

    Being that we have the PM system here, the report@ email address, our customer support inbox, the product itself (via Report as a false positive and Detection Overrides), and the filenames pages on our website itself, starting a thread here would honestly be many degrees of overkill and therefore is unnecessary.

    If you have any FPs which aren't getting fixed fast enough, feel free to send me a PM but in the meantime, I'm closing this thread :)
     