Hitman Pro false positive

Discussion in 'other anti-malware software' started by cet, Oct 17, 2009.

Thread Status:
Not open for further replies.
  1. cet

    cet Registered Member

    Joined:
    Sep 3, 2006
    Posts:
    867
    Location:
    Turkey/İzmir
    Just scanned with Hitman Pro and it labeled the Look'n Stop firewall driver Insfw1.sys as malware. Where can I send this false positive to be corrected?
     
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Here is the link to email support; I will send one also!

    Code:
    support@caretaker.nl

    TH
     
  4. prairie dog

    prairie dog Registered Member

    Joined:
    Jun 9, 2009
    Posts:
    129
    You can also post in this thread. The developers frequent it as well.
     
  5. prairie dog

    prairie dog Registered Member

    Joined:
    Jun 9, 2009
    Posts:
    129
    I also had a false positive a while back and it got taken care of by sending an email to this address: info@surfright.nl

    Sorry, just remembered :D
     
  6. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I will just post this to show the vendor!
     


  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    You have Early Warning Scoring enabled. This means that Hitman Pro will report on files that are suspicious. It is for the expert users who have knowledge about their files. Files reported by Early Warning Scoring have a blue shield.

    The listed driver file is probably poorly written as the driver is not signed, has no uninstall information, has no publisher or version information, it starts automatically and has recently appeared on your computer.

    If you don't want Hitman Pro to report on these files then uncheck Early Warning Scoring under Settings (default unchecked).

    For more detailed information on Early Warning Scoring see this post.
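
Added example, not part of erikloman's post and not Hitman Pro's own logic: a PowerShell function that gathers, for one driver file, the attributes the post lists (signature, publisher and version information, start mode, how recently the file appeared) so a flagged driver can be checked by hand. The function name `Get-DriverTriage` and the 30-day "recent" window are assumptions; uninstall information is left out because the thread does not say how it is determined.

```powershell
# Added example: report the attributes named in the post for a single driver file.
# Get-DriverTriage and the $RecentDays default are hypothetical, chosen for illustration.
function Get-DriverTriage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$RecentDays = 30
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $ver  = $file.VersionInfo

    # Kernel driver service whose image path ends in this file name, if one is registered.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -like "*\$($file.Name)" } |
        Select-Object -First 1

    [pscustomobject]@{
        File        = $file.FullName
        Signature   = $sig.Status                     # NotSigned when the file carries no signature
        Signer      = $sig.SignerCertificate.Subject  # empty for an unsigned file
        Publisher   = $ver.CompanyName                # empty when no version resource is present
        FileVersion = $ver.FileVersion
        Service     = $svc.Name
        StartMode   = $svc.StartMode                  # Boot, System or Auto means it starts automatically
        Created     = $file.CreationTime
        Recent      = $file.CreationTime -gt (Get-Date).AddDays(-$RecentDays)
    }
}
```

Run it against the full path of the reported driver and compare the output with what the vendor publishes for that release.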
     
  8. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Thanks for the info erik! But the second I know for a fact that Prevx does not detect this file as I use Prevx 3.0 but Hitman Pro keeps flagging it!

    TH
     


    Last edited: Oct 18, 2009
  9. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes, I can confirm this driver is unfortunately not signed for the win32 release (lnsfw.sys, the other driver, is signed).
    For x64 release, both drivers are signed.

    Regards,

    Frederic
     
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Change the drop down?
     


  11. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I did weeks ago and still it detects it!

    TH
     
  12. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Hitman Pro uses a cache of the signatures, so it takes some time for the cache to be updated (hope I explained that right).
     
  13. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    But weeks have gone by and still not fixed?

    TH
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    Hitman Pro rescans all uploaded files for 2 months so that vendors can fix their false negatives/positives and the Hitman Pro database reflects those fixes. After that 2 month period, a file keeps its determination. As this file was first scanned in June, it is outside the rescan period. The Report file as safe function provides help though for files outside the rescan period.

    But ...
    You are the only one reporting the file as a false positive. At least 2 or 3 people need to flag the file as false positive in order for another rescan. We have reports where users flag a file (Virut virus) as false positive but all vendors (7 scanners) flag it as bad :blink: . People have no clue on when to use this report function...

    I just threw away the determination of your file in question so that it is re-uploaded, scanned and rescanned for another 2 months.

    Try it now.
     
  15. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    If I understand you correctly it will be still flagged and it is after a scan I just did. But like I said it's a flag by Prevx within Hitman Pro and I use Prevx 3.0 also and no flag!
     
    Last edited: Oct 22, 2009
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    It will still be flagged if one of the scanners in the Scan Cloud marks it as bad. You can expand the row (click on the arrow in front of the row) to see which vendor did.

    I was hoping that the vendor(s) that marked the file as bad in June fixed the false positive.

    If the file is still marked as bad then I will have to manually override the determination of the file as you are the only one having the FP.
     
  17. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I'm talking about the second one on the list with regards to Prevx within Hitman Pro!

    I also run Prevx 3.0 and it does not flag it at all!

    Prevx scan Log: c:\program files\soft4ever\looknstop\pluginappfilter.dll [PX5: DA6EFFE60016A729DCD70152BD285800B7AA562C]

    https://www.wilderssecurity.com/attachment.php?attachmentid=213114&stc=1&d=1256250559
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've checked in our database and the file was marked as "Unknown" (not determined as bad or good) and isn't detected by us as far as I can see.
     
  19. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Thanks Joe!

    TH
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    Doh, I totally focussed on the wrong file here. Try it now. If it is still flagged as bad then I have to contact Prevx about this.
     
  21. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Thanks Erik, that did it, no more detection!

    Cheers,

    TH
     