How to deal with a false positive?

Discussion in 'other anti-virus software' started by kinwolf, Oct 19, 2006.

Thread Status:
Not open for further replies.
  1. kinwolf

    kinwolf Registered Member

    Joined:
    Oct 19, 2006
    Posts:
    271
    Hi,

    I have a file on my computer, favtool2.exe, that keeps getting flagged as Trojan.Startpage.TC by Bitdefender (latest signatures used). That file is part of the tool files by HP that get installed on a new computer, so I am not big on removing it. I know it is not a virus, and I also think I know what it does (it changes the IE start page to the HP homepage as a starter). I sent the file to Bitdefender so they could check on it and see it's not a virus, but weeks later it's still reported as a virus. I am getting a bit tired of this.

    Should I re-contact Bitdefender support or switch to HP support? Or is that kind of file truly considered a trojan because it changes the default IE page? (As far as I know, it changes the default page only when it's installed, not afterward.)

    Thanks,
    Kin
     
  2. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    Well, the first thing I would do is use a multi-engine online scanner (see here) to see if in fact that file is clean. That way more than one product is being used. Also, you said it was only for changing the IE homepage. It sounds like BD could be saying it's malicious because of the very nature of the program; IE start page selection should be up to the user, not a third-party program. If that is the case then BD is correct. In any case, it sounds like it's trivial and not needed. Why not just delete it and be done with it?

    Also, this was not part of your question, at least not directly, but I feel it needs to be said. Any time you buy a preconfigured system from Dell, Gateway, HP, etc., it is important to do an HJT! scan or scan with autoruns to make sure that what is being launched at startup is only what you want and authorize. You would be amazed at the level of "crap" that is launched without your knowledge. You probably only need about 1/5 of what is being launched. Your system will be noticeably faster afterwards.
     
  3. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I agree with that advice, and I had to run Autoruns two days ago on my neighbor's new Dell laptop. It had, like, AOL, Tiscali, Google, 90-day trials, etc. So much crap, and after that it was really fast. It was powered by a Core Duo 1.8.
    That's why if I got a laptop I would either ask for the disc and reinstall from scratch or buy from a company that doesn't load crap on it.
     
  4. kinwolf

    kinwolf Registered Member

    Joined:
    Oct 19, 2006
    Posts:
    271
    Well, to follow up on the recommendation, I scanned with both the Kaspersky online scanner and McAfee online, and both came back negative for the file. So only Bitdefender has a problem with it. I'll send it again to the virus submission email with an FP comment and ask for a reply if possible and see what they say.

    thanks,
    Kin
     
  5. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    Well, if you do a scan of the file here as I suggested, the results will be analyzed and sent to the respective virus companies. If there is an FP in the results, it will then be corrected.

    Also, you can send the file here to be sure everyone has it.

    v3sos@ahnlab.com; virus@arcabit.com; virus@avast.com; virus@grisoft.cz; virus@avira.com; virus_submission@bitdefender.com; virus@ca.com; vms@drweb.com; submit@emsisoft.com; esafe.virus@eAladdin.com; samples@eset.com; submit@ewido.net; submitvirus@fortinet.com; viruslab@f-prot.com; samples@f-secure.com; hauri98@hauri.co.kr; analyse@ikarus.at; newvirus@kaspersky.com; vsample@avertlabs.com; avsubmit@submit.microsoft.com; analysis@norman.no; virussamples@pandasoftware.com; viruslab@quickheal.com; samples@sophos.com; avsubmit@symantec.com; virus_doctor@trendmicro.com; newvirus@unasoft.com.ua; newvirus@anti-virus.by; virus@virusbuster.hu
     
  6. kinwolf

    kinwolf Registered Member

    Joined:
    Oct 19, 2006
    Posts:
    271
    Sorry, somehow I had missed the link in your reply. So now I sent them and just got back the result from VirusTotal. Only Bitdefender and Fortinet found something wrong with the file.

    [ file data ]
    * name: favtool2.exe
    * size: 53248
    * md5.: 372c9916b1d99387c7a2c62d990283bc
    * sha1: 845a5cb3626199e2c0bdeaa7a26369b84298cdd2

    [ scan result ]
    AntiVir 7.2.0.31/20061019 found nothing
    Authentium 4.93.8/20061019 found nothing
    Avast 4.7.892.0/20061019 found nothing
    AVG 386/20061019 found nothing
    BitDefender 7.2/20061019 found [Trojan.Startpage.TC]
    CAT-QuickHeal 8.00/20061019 found nothing
    ClamAV devel-20060426/20061019 found nothing
    DrWeb 4.33/20061019 found nothing
    eTrust-InoculateIT 23.73.28/20061019 found nothing
    eTrust-Vet 30.3.3143/20061019 found nothing
    Ewido 4.0/20061019 found nothing
    F-Prot 3.16f/20061019 found nothing
    F-Prot4 4.2.1.29/20061019 found nothing
    Fortinet 2.82.0.0/20061019 found [W32/Startpage.TC!tr]
    Ikarus 0.2.65.0/20061019 found nothing
    Kaspersky 4.0.2.24/20061019 found nothing
    McAfee 4877/20061019 found nothing
    Microsoft 1.1603 /20061019 found nothing
    NOD32v2 1.1816/20061019 found nothing
    Norman 5.80.02/20061019 found nothing
    Sophos 4.10.0/20061015 found nothing
    TheHacker 6.0.1.101/20061019 found nothing
    UNA 1.83/20061019 found nothing
    VBA32 3.11.1/20061019 found nothing
    VirusBuster 4.3.7:9/20061019 found nothing
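
A triage summary for the multi-engine report posted above, as an added example that is not part of the original thread: it parses the report layout, groups detection names by a heuristic family token, and lists engines whose signature date lags the newest one. The sample lines are constructed in that layout, and `family_key` and its `TYPE_WORDS` list are assumptions, not any vendor's naming rules.

```python
import re
from collections import defaultdict

# Constructed sample in the posted layout: engine, version/signature-date, verdict.
SAMPLE_REPORT = """\
[ scan result ]
BitDefender 7.2/20061019 found [Trojan.Startpage.TC]
Fortinet 2.82.0.0/20061019 found [W32/Startpage.TC!tr]
Microsoft 1.1603 /20061019 found nothing
Sophos 4.10.0/20061015 found nothing
VirusBuster 4.3.7:9/20061019 found nothing
"""

# The version field may contain spaces or colons, so anchor on "/YYYYMMDD found".
LINE_RE = re.compile(
    r"^\s*(?P<engine>\S+)\s+(?P<version>.+?)\s*/(?P<sigdate>\d{8})\s+found\s+"
    r"(?:nothing|\[(?P<name>[^\]]+)\])\s*$"
)
TYPE_WORDS = {"trojan", "worm", "virus", "backdoor", "adware"}  # assumed list

def parse_report(text):
    """One dict per engine line; headers and file-data lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def family_key(name):
    """Heuristic: strip '!suffix', 'W32/'-style prefixes and a leading type word."""
    core = re.split(r"[/:]", name.split("!")[0])[-1]
    tokens = core.split(".")
    if len(tokens) > 1 and tokens[0].lower() in TYPE_WORDS:
        tokens = tokens[1:]
    return ".".join(tokens).lower()

def triage(text):
    """Summarise detections, shared family names and lagging signature dates."""
    rows = parse_report(text)
    if not rows:
        raise ValueError("no engine lines recognised")
    families = defaultdict(list)
    for r in rows:
        if r["name"]:
            families[family_key(r["name"])].append(r["engine"])
    newest = max(r["sigdate"] for r in rows)
    return {
        "engines": len(rows),
        "detections": sum(len(v) for v in families.values()),
        "families": dict(families),
        "stale_signatures": [r["engine"] for r in rows if r["sigdate"] < newest],
    }

print(triage(SAMPLE_REPORT))
```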
     
  7. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    Then you were right in assuming it was an FP. It should be dealt with now as every vendor listed is now aware of the file. You can now go ahead and delete it if you want. It is clearly not a required file.
     
  8. quding

    quding Registered Member

    Joined:
    Oct 20, 2006
    Posts:
    42
    Location:
    China
    excludability
     