is this a F-Prot F/P?

Discussion in 'other anti-virus software' started by iceni60, Feb 28, 2005.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi, i downloaded a program called GSpot and F-Prot thinks it's malware, i couldn't use Jotti's because F-Prot wouldn't let me near the file so i let it delete it. it's the GSpot221.exe download. there is a trojan called GSpot that i think F-Prot is getting muddled up with. can someone let me know if it's a F/P please? i'm certain it is a F/P, but i don't know
    this is the download page. don't download it, it could be a trojan
    http://www.headbands.com/gspot/download.html

    here's the home page in case you wondered what the program is...
    http://www.headbands.com/gspot/index.htm
     
  2. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,530
    Location:
    St. Louis, MO
    The only one that is flagging it on Jotti's is f-prot. TrojanHunter and TDS-3 don't flag it either... I would send the file to them.
     
  3. hbkh

    hbkh Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    129
    Location:
    Ohio, USA
    It gotta be a false positive. :rolleyes:
     

    Attached Files:

    Last edited by a moderator: Feb 28, 2005
  4. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi, thanks for your help, NAMOR and hbkh. i'll have a look for it and zip it to them. thanks again :)
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi iceni60,

    Looks like a false positive. F-Prot flags the install and uninstall executables, but not gspot.exe or anything else in its program folder. I installed and ran it and got no alerts from BOClean. TDS3 saw nothing in its scan.

    Nick
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,875
    Location:
    Texas
    F-Prot is calling it W32/Downloader.AGR
     
  7. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    I just downloaded it. Kav isn't detecting anything.
     
  8. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi Nick, Ron and Mr2cents :) must be a F/P then, probably because they decided to call it GSpot. you'd think they'd change the name :rolleyes: oh well, what can you do o_O
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,875
    Location:
    Texas
    F-Prot is good about getting back to you.
     
  10. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,875
    Location:
    Texas
    That's the page.

    Let us know.
     
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I believe it will take a maximum of five days...though I do not have proof.
     
  13. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    5 days, i don't think i can wait that long, sounds about right though. i can't install it just in case it is malware, can i? i'll let you know how it goes.
     
  14. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    here is the reply i got from F-Prot Support -

    Hello and thank you for your mail.

    I downloaded the program from the path you sent and installed it. I then
    scanned it with F-Prot and it was not detected as being infected.

    We would appreciate it if you could send us a zipped copy of the file that
    is being detected as infected on your computer for analysis.

    Best regards,
    Valtýr Jónasson
    F-Prot Antivirus Technical Support

    i tried again after i got this reply last night and i got no alert from F-Prot. i did make a mistake when i filled out the Contact Technical Support page. it asks for the date of the defs you are using. i had had an update by then and therefore didn't have the date for the defs that had flagged GSpot, so i just put in the date of the defs i had in at the time. as they were just one update different from the alerting defs i thought there would be the same F/P, obviously not. i have written and told them but i don't think they are too impressed with me, i don't blame them, they just sent me an automated reply saying they had got my last email.

    *note* i don't have the file any more to zip to them too :oops: does anyone have it? if so do you think i should send it to them if you send it to me?
     
  15. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Maybe hbkh could help you iceni...But F-Prot support seems nice enough.
     
  16. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    so is that quite common - you get a F/P from not one of the world's most well known programs and it gets fixed with the next update, before you get a chance to tell them? wouldn't that more likely happen with a sig. and not heuristics which i think is what flagged in my case? can you tell if it was a sig. or heuristics it was flagged as W32/Downloader.AGR, it's not important i'm just interested to learn something :D
     
  17. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    W32/Downloader.AGR seems to be a sort of 'generic' signature, where a malware type was identified as a certain type dubbed '.AGR'

    That's all I know...Heuristic engines are very very complex.

    Regards,
    Firecat
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,875
    Location:
    Texas
     
  19. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi, Firecat and Ron. i know what W32/Downloader means so is the AGR part the part that makes you think it is generic?
    i can't complain, not that i want to :D i'm going to go and check my email to see if they have emailed me again, i don't think they will have after i gave them the wrong info. :oops:
     
  20. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Well I think it's a generic signature because of the following:

    1) First of all it's a downloader, i.e. it is a file dropped by a Trojan which connects to malicious web sites to download more malware

    2) If it was simply identified as W32/Downloader, then it might be heuristic, but the .AGR says that the generic signatures classified it as a specific type of downloader.

    This is why I say it was detected by a generic signature.

    Loved the response time, but it does not apply to me because I always ask 'unusual' doubts which takes companies a longer time to answer...That's what happened with Trend Micro and MicroWorld. Trend took two days instead of the normal one day and MicroWorld took up to 5 days (normally it's less than a day). All of these were specific to my doubts of course...dunno why, guess it's my bad luck!

    Regards,
    Firecat
     
  21. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    W32/Downloader.AGR is a signature detection.
    W32/Downloader is a malware "name" while AGR is its revision.
    Similar to MyDoom-A, MyDoom-B, MyDoom-C etc, but there are so many Downloaders that they have reached 3 "digit" revision name/number.
    For example avast! detects Win32:SpyBot-1263.
    This is a signature detection, first part is the name, while numbers mean which one it is.
     
  22. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    hey iceni, do you want the gspot.exe file, or the installer? I can send you the gspot.exe but I don't have the installer for the stand alone program because it came as part of my codec pack, sorry. Great tool, I use it often.
     
  23. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi thanks for all your help, malware is a subject i want to learn about so it's nice to have your help with this.
    hi, erikguy. sorry for being a bit slow here :oops: i think i'll be OK now i have re-downloaded the file and, with the latest F-Prot updates, the download is no longer flagged by F-Prot. thank you for your offer though :)
     
  24. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i just want to say it makes sense now. i don't know why i wasn't sure in the first place. if there are letters identifying which version it is, it's not possible it could be heuristics :oops:
     
  25. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    You know, this happens a lot. Recently with AVG Anti-Virus certain files in EA Games folders were being detected as infected with W32/Mkar. Repeated emails to Grisoft had replies asking whether the game copy was pirated, etc...And guess what, it was fixed with next update without notification!
     