Positive Identification?

Discussion in 'Trojan Defence Suite' started by frogfoot, Aug 19, 2004.

Thread Status:
Not open for further replies.
  1. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Hi,
    I have just downloaded Visual Studio .NET 2003 Professional from MSDN. When I tried to run the executable archive, TDS reported a Positive Identification. There was no entry in the Name column. I assumed that a 'Positive ID' meant the file definitely contains a trojan, and a 'Possible ID' may or may not be a trojan.
    I assume there is no trojan in the download as it comes from a trusted source (MSDN downloads).
    Surely if there is a positive ID there should be a reason in the 'Name' column?

    NOTE: A manual scan of the file shows it to be clean?

    Thanks
    Tom
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Can you locate the exact file which was alarmed on? Or is it the download as a whole, the many big MB large file?
    Which exactly was the alarm? It would say something like
    suspicious ..... <adv> or positive identification ..<adv>
    possible.... something.
     
  3. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    The file downloaded was a self-expanding archive called en_vs.net_2003_pro_full.exe; it is 560 MB (588,120,576 bytes).

    When I tried to run the file, TDS execution protection denied it; the error was as shown in the screen dump.

    When I manually scanned the file with TDS, the positive ID was not there!
     

    Last edited by a moderator: Aug 19, 2004
  4. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi frogfoot....

    There is no name for the positive ID in that shot, which is unusual, but looking at the file name, it could have alarmed because it looks like it has dual extensions [ . ] being read as an extension. Even then, it usually says so.

    A manual scan by TDS gives no alarms either, correct? Seems odd.

    How about you send the file to DCS... submit@dcs.com.au *I think*...

    Or give a link; someone may download and test.

    also.... go HERE FOR KASPERSKY SINGLE FILE SCAN

    Just browse to the file and it will upload and be scanned... just to be sure.

    TAS
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Frogfoot,

    I have removed your personal information from your attachment (the blanked out sections in turquoise). If you do post any other images, please blank out any personal information like emails, registration #'s, names, etc., for security reasons. ;)

    Regards,

    snap
     
  6. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Tassie,
    The file is 560 MB and would take several hours (6 or so) to upload (256k uplink), plus the fact that distribution is against the terms of the MSDN license. Maybe one of the DCS developers has an MSDN subscription and can download it?

    The 'unusual filename' option has been unchecked in my TDS config as I have many double-extension files, so I don't think it was that.
     
  7. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    LOL.. oh ok.. I shall just dl that on dial up.. :)

    OK mate, sorry, did not realise it was like that... but it does seem it would be fine if it came from the genuine site and you are the owner of it.

    I take it you did scan it with your AV also.

    If TDS is blocking it from execution, you may have to temporarily disable TDS and install it like that, provided of course you are confident it's clean.

    Cheers, TAS
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Normally TDS would have big problems scanning such a large file; you could not upload it to DCS nor to the KAV online scanner (which is limited to 1 MB).
    I think you can risk installing it and scan very deep and carefully after that before doing anything else.
    If you took it from the original site and nothing else shows up on your system... But it IS strange.

    I never configured anything to not show unusual file names etc.; I want to know everything, even double extensions :)

    It's always a risk with exe files instead of zipped ones, which you can at least scan inside file by file and give extra attention to suspicious ones.
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Frogfoot, most likely to do with the large file size; TDS3 sometimes hiccups on large files of this nature.
    If you are sure it is from a trusted source you can exclude it from the TDS scan using Scan Control - Scan exclusions.

    HTH Pilli
     
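    Pilli's suggestion to exclude a trusted file when TDS trips on its size, and Jooske's point that a self-extracting exe cannot be scanned inside file by file, both leave open how to establish that the 560 MB archive is the one the publisher shipped. The script below is an added example, not code from this thread or from DiamondCS. It streams a SHA-256 digest of a large file (so a 560 MB download never has to sit in memory), compares size and digest with values the publisher lists (the expected digest is an assumed input; no digest appears in this thread), and parses the PE header to report whether the installer carries an Authenticode signature blob at all. The PE header used to exercise it is constructed in the block, not taken from the real download. Note the caveat in the code: finding the security directory only shows a signature is present; validating it is a job for Windows itself (file Properties, Digital Signatures tab, or signtool verify).

```python
"""Independent checks on a large downloaded installer (constructed example)."""
import hashlib
import os
import struct
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so a multi-hundred-MB file is never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def pe_security_directory(header: bytes):
    """Return (file_offset, size) of the Authenticode data directory
    (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4), or None if the bytes are not a
    PE image or carry no signature blob. Presence only: this does NOT validate
    the signature chain; leave that to Windows (Properties > Digital Signatures,
    or signtool verify)."""
    if len(header) < 0x40 or header[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
    if e_lfanew + 24 > len(header) or header[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (opt_size,) = struct.unpack_from("<H", header, e_lfanew + 20)
    opt = e_lfanew + 24                       # start of the optional header
    if opt + 2 > len(header):
        return None
    (magic,) = struct.unpack_from("<H", header, opt)
    if magic == 0x10B:                        # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:                      # PE32+
        count_off, dirs_off = 108, 112
    else:
        return None
    if count_off + 4 > opt_size or dirs_off + 5 * 8 > opt_size:
        return None
    (count,) = struct.unpack_from("<I", header, opt + count_off)
    if count < 5:                             # security entry is the 5th directory
        return None
    entry = opt + dirs_off + 4 * 8
    if entry + 8 > len(header):
        return None
    offset, size = struct.unpack_from("<II", header, entry)
    return (offset, size) if offset and size else None


def verify_download(path: str, expected_size: int, expected_sha256: str) -> dict:
    """Checks a scanner cannot give you: exact size and digest against the
    publisher's values, plus whether the PE carries an Authenticode blob."""
    with open(path, "rb") as f:
        header = f.read(4096)
    return {
        "size_ok": os.path.getsize(path) == expected_size,
        "sha256_ok": sha256_of_file(path) == expected_sha256.lower(),
        "pe_signature_present": pe_security_directory(header) is not None,
    }


def make_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header (not a runnable binary, not the MSDN file):
    just enough structure for pe_security_directory() to walk."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: i386, 0 sections, timestamp, symtab ptr, nsyms, opt size, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)       # NumberOfRvaAndSizes
    if signed:                                # security dir: offset 0x200, size 0x100
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x200, 0x100)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt)).ljust(0x300, b"\0")


def demo() -> dict:
    """Write the constructed 'signed' sample to a temp file and verify it
    against its own size and digest, as a publisher's listing would be used."""
    sample = make_sample_pe(signed=True)
    expected = hashlib.sha256(sample).hexdigest()
    fd, path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(sample)
        return verify_download(path, len(sample), expected)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

    For the real file from this thread the call would be verify_download("en_vs.net_2003_pro_full.exe", 588_120_576, digest), with the size taken from frogfoot's post and the digest copied from the publisher's download page (a hypothetical input here; the thread gives none). A size or digest mismatch means the download is not what was published, regardless of what any scanner says about it; a match plus a signature that Windows validates is the basis on which excluding the file from the TDS scan is reasonable.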
  10. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Thanks for all your help.
    I assumed that it was to do with the file size; I just thought I would bring it to the developers' attention.
    Bye
    Tom
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    It is very good that you did; looking forward to scan results after installing it.
     