PassView False positive?

Discussion in 'NOD32 version 2 Forum' started by Paul2, Feb 10, 2006.

Thread Status:
Not open for further replies.
  1. Paul2

    Paul2 Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    16
    The utility program offered here:

    http://www.nirsoft.net/utils/pspv.html

    is reported by NOD32 as infected with Win32/PassDump.160. That web site says their utility generates false positives on some AV scanners.

    So is this a false or real positive? In the future, how can I answer such questions myself?
     
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Re: False positive?

    Send it to samples[at]eset.com and wait a few days. If nothing comes up, it's quite clean of any nasties.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: False positive?

    I'd say it's a potentially dangerous application and is detected intentionally.
     
  4. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Re: False positive?

    Well, perhaps it can be used by some hackers as an exploit or something, isn't it? :D
     
  5. Happy Bytes

    Happy Bytes Guest

    It's included in some worms and dropped to gain access to passwords.
    Dumaru Worm for example.
     
  6. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    So programs from there are actually nothing to worry about (that is, if you download it on purpose and not by some worm/trojan)?
     
  7. rws

    rws Guest

    Re: False positive?

    That would be OK, but again, there is no option to avoid denial of access, except excluding the filename or some folder.

    That is dangerous! If an evil person knows what filename you are potentially going to exclude, it is no problem to plant something on your computer.

    Or, are you saying that you have the authority to forbid usage of that program?
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: False positive?

    The only legal & legit reason to use that utility would be if you have forgotten your password.

    I don't recommend keeping it on your computer, so if you use it, delete it when you have finished with it.

    To stop NOD detecting it, just turn off NOD resident protection for the few minutes you are running it, BUT make sure you are disconnected from the net first.

    As others have said, it and similar applications are used by lots of malware to find your passwords, so it is very important for NOD & other AVs to detect it.
     
  9. MaxLaMenace

    MaxLaMenace Registered Member

    Joined:
    Aug 15, 2006
    Posts:
    1
    I have the same problem

    Sorry,
    but this is the most stupid discussion I've ever heard...!!!

    The fact that this program is potentially dangerous is not very important, and its (potential) use by other viruses has to be proved...

    This program is very useful, and I use it with all my customers (because people never forget their password).

    I will have to change NOD32 for another antivirus because of that!!!

    I have worked in computers since the "Sinclair ZX81", and that's the kind of thing I have been fighting against, without success, for years...

    Advice: try Sigmund Freud, obsessionals... and you will understand.
     
  10. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    As Happy Bytes, who is a virus analyst by the way, already said:
    "It's included in some worms and dropped to gain access to passwords.
    Dumaru Worm for example."

    I'm sure if you think about it you will understand that it fits under the "Potentially dangerous application" category? But if you have trouble with password revealers, keyloggers/monitoring applications, process killers/viewers etc. (which have also been used in worms and trojans) being detected by NOD32, feel free to disable the detection of such:
    AMON --> Setup --> Options, then untick "Potentially dangerous applications"
    IMON --> Setup --> Miscellaneous --> Setup, then untick "Potentially dangerous applications"
    (and do this for the rest of the modules and the on-demand scanner)

    There's no need to switch scanners if you are just willing to sacrifice a little time fine-tuning your settings. You can even exclude the file from AMON if you want (AMON --> Setup --> Exclusions).
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Indeed, the current version is correctly detected as 'Win32/PassView.163 application'.

    If I didn't intentionally install it on my PC then I would want to know it was there... and so would my customers...

    Nice utility.

    Cheers :)
     
  12. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    (attached screenshot: passview.JPG)

    If you look at a Virustotal result page with the .zip file, you will find that NOD32 isn't the only one that picks up this program as a potentially dangerous app. Also, since it is not listed, Symantec 10.1 picks up the app as a HackTool as well.

    So saying NOD32 is picking this up as a FP is decidedly an incorrect statement.

    -Cov
     
  13. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    What's interesting to me about that screenshot is that VirusTotal appears to have truncated what NOD32 calls this utility, as was posted above: 'Win32/PassView.163 application'.
    Still, that's only academic I guess...
     