is this a F-Prot F/P?

Discussion in 'other anti-virus software' started by iceni60, Feb 28, 2005.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi, i downloaded a program called GSpot and F-Prot thinks it's malware, i couldn't use Jotti's because F-Prot wouldn't let me near the file so i let it delete it. it's the GSpot221.exe download. there is a trojan called GSpot that i think F-Prot is getting muddled up with. can someone let me know if it's a F/P please? i'm certain it is a F/P, but i don't know
    this is the download page don't download it it could be a trojan
    http://www.headbands.com/gspot/download.html

    here's the home page in case you wondered what the program is...
    http://www.headbands.com/gspot/index.htm
     
  2. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    The only one that is flagging it on Jotti's is f-prot. TrojanHunter and TDS-3 don't flag it either... I would send the file to them.
     
  3. hbkh

    hbkh Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    128
    Location:
    Ohio, USA
    It gotta be a false positive. :rolleyes:
     

    Last edited by a moderator: Feb 28, 2005
  4. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi, thanks for your help, NAMOR and hbkh. i'll have a look for it and zip it to them. thanks again :)
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi iceni60,

    Looks like a false positive. F-Prot flags the install and uninstall executables, but not gspot.exe or anything else in its program folder. I installed and ran it and got no alerts from BOClean. TDS3 saw nothing in its scan.

    Nick
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    F-Prot is calling it W32/Downloader.AGR
     
  7. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    I just downloaded it. Kav isn't detecting anything.
     
  8. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi Nick, Ron and Mr2cents :) must be a F/P then, probably because they decided to call it GSpot. you'd think they'd change the name :rolleyes: oh well, what can you do o_O
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    F-Prot is good about getting back to you.
     
  10. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    That's the page.

    Let us know.
     
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I believe it will take a maximum of five days...though I do not have proof.
     
  13. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    5 days, i don't think i can wait that long, sounds about right though. i can't install it just in case it is malware, can i? i'll let you know how it goes.
     
  14. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    here is the reply i got from F-Prot Support -

    Hello and thank you for your mail.

    I downloaded the program from the path you sent and installed it. I then
    scanned it with F-Prot and it was not detected as being infected.

    We would appreciate it if you could send us a zipped copy of the file that
    is being detected as infected on your computer for analysis.

    Best regards,
    Valtýr Jónasson
    F-Prot Antivirus Technical Support

    i tried again after i got this reply last night and i got no alert from F-Prot. i did make a mistake when i filled out the Contact Technical Support page. it asks for the date of the defs you are using. i had had an update by then and therefore didn't have the date for the defs that had flagged GSpot, so i just put in the date of the defs i had in at the time. as they were just one update different from the alerting defs i thought there would be the same F/P, obviously not. i have written and told them but i don't think they are too impressed with me, i don't blame them, they just sent me an automated reply saying they had got my last email.

    *note* i don't have the file any more to zip to them too :oops: does anyone have it? if so do you think i should send it to them if you send it to me?
     
  15. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Maybe hbkh could help you iceni...But F-Prot support seems nice enough.
     
  16. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    so is that quite common - you get a F/P from not one of the world's most well known programs and it gets fixed with the next update, before you get a chance to tell them? wouldn't that more likely happen with a sig. and not heuristics which i think is what flagged in my case? can you tell if it was a sig. or heuristics it was flagged as W32/Downloader.AGR, it's not important i'm just interested to learn something :D
     
  17. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    W32/Downloader.AGR seems to be a sort of 'generic' signature, where a malware type was identified as a certain type dubbed '.AGR'

    That's all I know...Heuristic engines are very very complex.

    Regards,
    Firecat
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
     
  19. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi, Firecat and Ron. i know what W32/Downloader means so is the AGR part the part that makes you think it is generic?
    i can't complain, not that i want to :D i'm going to go and check my email to see if they have emailed me again, i don't think they will have after i gave them the wrong info. :oops:
     
  20. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Well I think it's a generic signature because of the following:

    1) First of all it's a downloader, i.e. it is a file dropped by a Trojan which connects to malicious web sites to download more malware

    2) If it was simply identified as W32/Downloader, then it might be heuristic, but the .AGR says that the generic signatures classified it as a specific type of downloader.

    This is why I say it was detected by a generic signature.

    Loved the response time, but it does not apply to me because I always ask 'unusual' doubts which take companies a longer time to answer...That's what happened with Trend Micro and MicroWorld. Trend took two days instead of the normal one day and MicroWorld took up to 5 days (normally it's less than a day). All of these were specific to my doubts of course...dunno why, guess it's my bad luck!

    Regards,
    Firecat
     
  21. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    W32/Downloader.AGR is a signature detection.
    W32/Downloader is a malware "name" while AGR is its revision.
    Similar to MyDoom-A, MyDoom-B, MyDoom-C etc, but there are so many Downloaders that they have reached 3 "digit" revision name/number.
    For example avast! detects Win32:SpyBot-1263.
    This is a signature detection, first part is the name, while numbers mean which one it is.
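
Added example (not part of any post in this thread, and not vendor code): a small parser that splits the detection names quoted above into platform, family and variant, so reports from different scanners can be compared by family. The grammar and the idea that variant suffixes are assigned in order are assumptions fitted to the names in the thread; all function names are hypothetical.

```python
import re

# One pattern covering the three name shapes quoted in the thread:
#   W32/Downloader.AGR   Win32:SpyBot-1263   MyDoom-A
# Vendors name detections differently; this grammar is an assumption fitted
# to those examples, not any vendor's published scheme.
NAME_RE = re.compile(
    r"^(?:(?P<platform>[A-Za-z0-9]+)[/:])?"   # optional platform prefix
    r"(?P<family>[A-Za-z0-9_]+?)"             # family name
    r"(?:[.-](?P<variant>[A-Za-z0-9]+))?$"    # optional variant suffix
)

def variant_ordinal(variant):
    """Position of a variant IF suffixes are handed out in order (assumption).
    Letters count as A=1 ... Z=26, AA=27 ...; digits are taken as-is."""
    if variant is None:
        return None
    if variant.isdigit():
        return int(variant)
    if variant.isalpha():
        n = 0
        for ch in variant.upper():
            n = n * 26 + (ord(ch) - ord("A") + 1)
        return n
    return None  # mixed letters and digits: no ordering assumed

def parse_detection_name(name):
    """Return platform/family/variant/ordinal, or None if the name does not fit."""
    m = NAME_RE.match(name.strip())
    if not m:
        return None
    parts = m.groupdict()
    parts["ordinal"] = variant_ordinal(parts["variant"])
    return parts

def same_family(a, b):
    """True when two scanners' names agree on family, ignoring platform and variant."""
    pa, pb = parse_detection_name(a), parse_detection_name(b)
    return bool(pa and pb and pa["family"].lower() == pb["family"].lower())

if __name__ == "__main__":
    # Names taken from the thread.
    for n in ["W32/Downloader.AGR", "Win32:SpyBot-1263", "MyDoom-A", "W32/Mkar"]:
        print(n, "->", parse_detection_name(n))
```

A name that parses with a variant suffix says nothing by itself about whether the file is malicious; it only makes names from several scanners comparable.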
     
  22. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    hey iceni, do you want the gspot.exe file, or the installer? I can send you the gspot.exe but I don't have the installer for the stand alone program because it came as part of my codec pack, sorry. Great tool, I use it often.
     
  23. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi thanks for all your help, malware is a subject i want to learn about so it's nice to have your help with this.
    hi, erikguy. sorry for being a bit slow here :oops: i think i'll be OK now i have re-downloaded the file and, with the latest F-Prot updates, the download is no longer flagged by F-Prot. thank you for your offer though :)
     
  24. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i just want to say it makes sense now. i don't know why i wasn't sure in the first place. if there are letters identifying which version it is, it's not possible it could be heuristics :oops:
     
  25. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    You know, this happens a lot. Recently with AVG Anti-Virus certain files in EA Games folders were being detected as infected with W32/Mkar. Repeated emails to Grisoft had replies asking whether the game copy was pirated, etc...And guess what, it was fixed with next update without notification!
     