is this a F-Prot F/P?

Discussion in 'other anti-virus software' started by iceni60, Feb 28, 2005.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    hi, i downloaded a program called GSpot and F-Prot thinks it's malware, i couldn't use Jotti's because F-Prot wouldn't let me near the file so i let it delete it. it's the GSpot221.exe download. there is a trojan called GSpot that i think F-Prot is getting muddled up with. can someone let me know if it's a F/P please? i'm certain it is a F/P, but i don't know
    this is the download page, don't download it, it could be a trojan
    http://www.headbands.com/gspot/download.html

    here's the home page in case you wondered what the program is...
    http://www.headbands.com/gspot/index.htm
     
  2. NAMOR

    NAMOR Registered Member

    The only one that is flagging it on Jotti's is f-prot. TrojanHunter and TDS-3 don't flag it either... I would send the file to them.
     
  3. hbkh

    hbkh Registered Member

    It gotta be a false positive. :rolleyes:
     

    Last edited by a moderator: Feb 28, 2005
  4. iceni60

    iceni60 ( ^o^)

    hi, thanks for your help, NAMOR and hbkh. i'll have a look for it and zip it to them. thanks again :)
     
  5. nick s

    nick s Registered Member

    Hi iceni60,

    Looks like a false positive. F-Prot flags the install and uninstall executables, but not gspot.exe or anything else in its program folder. I installed and ran it and got no alerts from BOClean. TDS3 saw nothing in its scan.

    Nick
     
  6. ronjor

    ronjor Global Moderator

    F-Prot is calling it W32/Downloader.AGR
     
  7. Mr2cents

    Mr2cents Registered Member

    I just downloaded it. Kav isn't detecting anything.
     
  8. iceni60

    iceni60 ( ^o^)

    hi Nick, Ron and Mr2cents :) must be a F/P then, probably because they decided to call it GSpot. you'd think they'd change the name :rolleyes: oh well, what can you do o_O
     
  9. ronjor

    ronjor Global Moderator

    F-Prot is good about getting back to you.
     
  10. iceni60

    iceni60 ( ^o^)

  11. ronjor

    ronjor Global Moderator

    That's the page.

    Let us know.
     
  12. Firecat

    Firecat Registered Member

    I believe it will take a maximum of five days...though I do not have proof.
     
  13. iceni60

    iceni60 ( ^o^)

    5 days, i don't think i can wait that long, sounds about right though. i can't install it just in case it is malware can i? i'll let you know how it goes.
     
  14. iceni60

    iceni60 ( ^o^)

    here is the reply i got from F-Prot Support -

    Hello and thank you for your mail.

    I downloaded the program from the path you sent and installed it. I then
    scanned it with F-Prot and it was not detected as being infected.

    We would appreciate it if you could send us a zipped copy of the file that
    is being detected as infected on your computer for analysis.

    Best regards,
    Valtýr Jónasson
    F-Prot Antivirus Technical Support

    i tried again after i got this reply last night and i got no alert from F-Prot. i did make a mistake when i filled out the Contact Technical Support page. it asks for the date of the defs you are using. i had had an update by then and therefore didn't have the date for the defs that had flagged GSpot, so i just put in the date of the defs i had in at the time. as they were just one update different from the alerting defs i thought there would be the same F/P, obviously not. i have written and told them but i don't think they are too impressed with me, i don't blame them, they just sent me an automated reply saying they had got my last email.

    *note* i don't have the file any more to zip to them too :oops: does anyone have it? if so do you think i should send it to them if you send it to me?
     
  15. Firecat

    Firecat Registered Member

    Maybe hbkh could help you iceni...But F-Prot support seems nice enough.
     
  16. iceni60

    iceni60 ( ^o^)

    so is that quite common - you get a F/P from not one of the world's most well-known programs and it gets fixed with the next update, before you get a chance to tell them? wouldn't that more likely happen with a sig. and not heuristics which i think is what flagged in my case? can you tell if it was a sig. or heuristics? it was flagged as W32/Downloader.AGR, it's not important i'm just interested to learn something :D
     
  17. Firecat

    Firecat Registered Member

    W32/Downloader.AGR seems to be a sort of 'generic' signature, where a malware type was identified as a certain type dubbed '.AGR'

    That's all I know...Heuristic engines are very very complex.

    Regards,
    Firecat
     
  18. ronjor

    ronjor Global Moderator

     
  19. iceni60

    iceni60 ( ^o^)

    hi, Firecat and Ron. i know what W32/Downloader means so is the AGR part the part that makes you think it is generic?
    i can't complain, not that i want to :D i'm going to go and check my email to see if they have emailed me again, i don't think they will have after i gave them the wrong info. :oops:
     
  20. Firecat

    Firecat Registered Member

    Well I think it's a generic signature because of the following:

    1) First of all it's a downloader, i.e. it is a file dropped by a Trojan which connects to malicious web sites to download more malware

    2) If it was simply identified as W32/Downloader, then it might be heuristic, but the .AGR says that the generic signatures classified it as a specific type of downloader.

    This is why I say it was detected by a generic signature.

    Loved the response time, but it does not apply to me because I always ask 'unusual' doubts which take companies a longer time to answer...That's what happened with Trend Micro and MicroWorld. Trend took two days instead of the normal one day and MicroWorld took up to 5 days (normally it's less than a day). All of these were specific to my doubts of course...dunno why, guess it's my bad luck!

    Regards,
    Firecat
     
  21. RejZoR

    RejZoR Lurker

    W32/Downloader.AGR is a signature detection.
    W32/Downloader is a malware "name" while AGR is its revision.
    Similar to MyDoom-A, MyDoom-B, MyDoom-C etc, but there are so many Downloaders that they have reached 3 "digit" revision name/number.
    For example avast! detects Win32:SpyBot-1263.
    This is a signature detection, first part is the name, while numbers mean which one it is.
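
Added example, not part of the thread and not any vendor's code: the name/revision split described in the post above, applied to the detection names quoted in this thread. The patterns are constructed for these names only, and the ordinal conversion assumes letter tags are assigned in sequence (A..Z, AA..), which the thread does not confirm.

```python
import re

# Patterns constructed for the name styles quoted in this thread;
# they are not any vendor's official naming grammar.
PATTERNS = [
    re.compile(r"^(?P<platform>\w+)/(?P<family>[^.]+)(?:\.(?P<variant>\w+))?$"),  # W32/Downloader.AGR
    re.compile(r"^(?P<platform>\w+):(?P<family>[^-]+)(?:-(?P<variant>\w+))?$"),   # Win32:SpyBot-1263
    re.compile(r"^(?P<family>[^-/:.]+)(?:-(?P<variant>\w+))?$"),                  # MyDoom-A
]

def parse_detection(name):
    """Split a detection name into platform, family and variant tag."""
    for pattern in PATTERNS:
        m = pattern.match(name.strip())
        if m:
            g = m.groupdict()
            return {"platform": g.get("platform"),
                    "family": g["family"],
                    "variant": g.get("variant")}
    raise ValueError(f"unrecognised detection name: {name!r}")

def variant_ordinal(tag):
    """Position of a variant tag in its series, or None if it cannot be ranked.

    Assumption: letter tags run A..Z, AA..ZZ, AAA.. in order of assignment.
    """
    if not tag:
        return None
    if tag.isdigit():
        return int(tag)
    if not (tag.isascii() and tag.isalpha()):
        return None
    n = 0
    for ch in tag.upper():
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n

def describe(name):
    """Parsed fields plus the thread's reading of what a variant tag implies."""
    d = parse_detection(name)
    d["ordinal"] = variant_ordinal(d["variant"])
    # Reading given in the thread: a tag identifies one named variant of the family.
    d["named_variant"] = d["variant"] is not None
    return d

if __name__ == "__main__":
    for sample in ["W32/Downloader.AGR", "Win32:SpyBot-1263", "MyDoom-A", "W32/Mkar"]:
        print(sample, describe(sample))
```
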
     
  22. erikguy

    erikguy Registered Member

    hey iceni, do you want the gspot.exe file, or the installer? I can send you the gspot.exe but I don't have the installer for the stand alone program because it came as part of my codec pack, sorry. Great tool, I use it often.
     
  23. iceni60

    iceni60 ( ^o^)

    hi thanks for all your help, malware is a subject i want to learn about so it's nice to have your help with this.
    hi, erikguy. sorry for being a bit slow here :oops: i think i'll be OK now i have re-downloaded the file and, with the latest F-Prot updates, the download is no longer flagged by F-Prot. thank you for your offer though :)
     
  24. iceni60

    iceni60 ( ^o^)

    i just want to say it makes sense now. i don't know why i wasn't sure in the first place. if there are letters identifying which version it is, it's not possible it could be heuristics :oops:
     
  25. Firecat

    Firecat Registered Member

    You know, this happens a lot. Recently with AVG Anti-Virus certain files in EA Games folders were being detected as infected with W32/Mkar. Repeated emails to Grisoft had replies asking whether the game copy was pirated, etc...And guess what, it was fixed with next update without notification!
     