Sent EWIDO three FP's just now.

Discussion in 'other anti-trojan software' started by spy1, Mar 13, 2004.

Thread Status:
Not open for further replies.
  1. spy1 (Registered Member; joined Dec 29, 2002; 3,139 posts; Clover, SC)

    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on:         11:19:24 AM, 3/13/2004
    + Report-Checksum:      57934070

    + Date of database:      3/13/2004
    + Version of scan engine:   v1.1

    + Duration:            8 min
    + Scanned Files:         19465
    + Speed:            38.46 Files/Second
    + Infected files:         3
    + Removed files:         0
    + Files put in quarantine:      0
    + Files that could not be opened:   22
    + Files that could not be removed:   0

    + Ignore extension:   Yes
    + Binder:      Yes
    + Crypter:      Yes
    + Memory:      No
    + Archives:      No
    + Heuristic:      No

    + Scanned items:
       C:\

    + Scan result:
       C:\Compaq\CPQInet\LchApp.exe -> TrojanSpy.Algus.10 -> Ignored
       C:\Compaq\EAKDRV\STARTDRV.exe -> Backdoor.Enculator.01 -> Ignored
       C:\cpqdrv\misc\STARTDRV.exe -> Backdoor.Enculator.01 -> Ignored

    Nice little program!

    I set it to "Ignore All" just so I could get results only.

    Added "securitysuite.exe" to PG and gave it the "Read" access it was clamoring for (I'd already started the scan before I did that, so it may account for some of the 22 "Files that could not be opened", I'm not sure).

    No problems d/l'ing, installing or running it - and, it was certainly simple enough! Pete
     
  2. peter.ewido (former ewido team; joined Nov 10, 2003; 737 posts; Brno, Czech Republic)

    Fixed with the latest update :)
     
  3. spy1 (Registered Member; joined Dec 29, 2002; 3,139 posts; Clover, SC)

    Thank you, sir. At work at the moment, but I'll get the update when I get home. Pete
     
  4. spy1 (Registered Member; joined Dec 29, 2002; 3,139 posts; Clover, SC)

    And fixed it is:

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on:         10:12:30 AM, 3/14/2004
    + Report-Checksum:      FD03011D

    + Date of database:      3/14/2004
    + Version of scan engine:   v1.1

    + Duration:            7 min
    + Scanned Files:         19367
    + Speed:            44.37 Files/Second
    + Infected files:         0
    + Removed files:         0
    + Files put in quarantine:      0
    + Files that could not be opened:   22
    + Files that could not be removed:   0

    + Ignore extension:   Yes
    + Binder:      Yes
    + Crypter:      Yes
    + Memory:      No
    + Archives:      No
    + Heuristic:      No

    + Scanned items:
       C:\

    + Scan result:
       C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
       C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
       C:\Documents and Settings\LocalService\NTUSER.DAT -> File could not be opened
       C:\Documents and Settings\LocalService\ntuser.dat.LOG -> File could not be opened
       C:\Documents and Settings\spy1\Application Data\Phoenix\Profiles\default\x9eoecei.slt\parent.lock -> File could not be opened
       C:\Documents and Settings\spy1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
       C:\Documents and Settings\spy1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
       C:\Documents and Settings\spy1\NTUSER.DAT -> File could not be opened
       C:\Documents and Settings\spy1\NTUSER.DAT.LOG -> File could not be opened
       C:\hiberfil.sys -> File could not be opened
       C:\pagefile.sys -> File could not be opened
       C:\WINDOWS\system32\config\default -> File could not be opened
       C:\WINDOWS\system32\config\default.LOG -> File could not be opened
       C:\WINDOWS\system32\config\SAM -> File could not be opened
       C:\WINDOWS\system32\config\SAM.LOG -> File could not be opened
       C:\WINDOWS\system32\config\SECURITY -> File could not be opened
       C:\WINDOWS\system32\config\SECURITY.LOG -> File could not be opened
       C:\WINDOWS\system32\config\software -> File could not be opened
       C:\WINDOWS\system32\config\software.LOG -> File could not be opened
       C:\WINDOWS\system32\config\system -> File could not be opened
       C:\WINDOWS\system32\config\system.LOG -> File could not be opened
       C:\WINDOWS\system32\drivers\procguard.sys -> File could not be opened


    ::Report End
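    The reports quoted in this thread all share one plain-text layout, and the thread's workflow is always the same: scan, send the suspect file in, rescan after the signature update and confirm the detection is gone. The following is an added example, not ewido's own code, that parses that report format, counts detections, separates the "could not be opened" entries that are expected on a live system (registry hives, NTUSER.DAT/UsrClass.dat, pagefile.sys, hiberfil.sys; which files count as expected is my assumption) from ones worth a second look, and diffs a before/after pair of reports to list the detections a signature update resolved. The two sample reports inside it are constructed excerpts that reuse paths from the thread, not real scans.

```python
"""Parser and before/after comparison for the ewido scan report format.

Added example, not ewido's own code. The layout ('+ Key: value' header
lines, a '+ Scan result:' section, 'path -> verdict -> action' lines) is
taken from the reports quoted in the thread; the sample reports below are
constructed excerpts, not real scans.
"""
import re
from collections import Counter

HEADER_RE = re.compile(r"^\s*\+\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")
RESULT_RE = re.compile(r"^\s*(?P<path>[A-Za-z]:\\.+?)\s+->\s+(?P<rest>.+)$")

# Assumption: files a running Windows XP-era system keeps exclusively locked,
# so a scanner started from the logged-on session cannot open them. Seeing
# them under "could not be opened" is expected, not a sign of trouble.
EXPECTED_LOCKED = [
    re.compile(r"\\system32\\config\\(default|sam|security|software|system)(\.log)?$", re.I),
    re.compile(r"\\ntuser\.dat(\.log)?$", re.I),
    re.compile(r"\\usrclass\.dat(\.log)?$", re.I),
    re.compile(r"^[a-z]:\\(pagefile|hiberfil)\.sys$", re.I),
]


def parse_report(text):
    """Return (header dict, list of result dicts) for one scan report."""
    header, results, in_results = {}, [], False
    for line in text.splitlines():
        if not in_results:
            m = HEADER_RE.match(line)
            if m:
                key, value = m.group("key").strip(), m.group("value").strip()
                if key == "Scan result":
                    in_results = True
                else:
                    header[key] = value
            continue
        if line.strip().startswith("::Report End"):
            break
        m = RESULT_RE.match(line)
        if not m:
            continue  # e.g. "No infected files found!"
        parts = [p.strip() for p in m.group("rest").split("->")]
        rec = {"path": m.group("path"), "verdict": None, "packed": False, "action": ""}
        if parts[0] == "File could not be opened":
            rec["action"] = parts[0]
        else:
            # the report prefixes packed executables with |PACKED|
            rec["packed"] = parts[0].startswith("|PACKED|")
            rec["verdict"] = parts[0].replace("|PACKED|", "").strip()
            rec["action"] = parts[1] if len(parts) > 1 else ""
        results.append(rec)
    return header, results


def triage(results):
    """Count detections per verdict; split unopenable files into expected
    (locked system files) and unexpected (worth a closer look)."""
    detections, expected, unexpected = Counter(), [], []
    for r in results:
        if r["verdict"] is None:
            locked = any(p.search(r["path"]) for p in EXPECTED_LOCKED)
            (expected if locked else unexpected).append(r["path"])
        else:
            detections[r["verdict"]] += 1
    return detections, expected, unexpected


def resolved_between(before, after):
    """Paths flagged in `before` but not in `after`: what a signature
    update that fixes a false positive looks like across two scans."""
    flagged = lambda res: {r["path"] for r in res if r["verdict"]}
    return sorted(flagged(before) - flagged(after))


# Constructed excerpts modelled on the thread's reports (not real scans).
SAMPLE_BEFORE = r"""
ewido security suite - Scan report
+ Date of database:      3/13/2004
+ Version of scan engine:   v1.1
+ Infected files:         3
+ Files that could not be opened:   4
+ Scanned items:
   C:\
+ Scan result:
   C:\Compaq\CPQInet\LchApp.exe -> TrojanSpy.Algus.10 -> Ignored
   C:\Compaq\EAKDRV\STARTDRV.exe -> Backdoor.Enculator.01 -> Ignored
   C:\cpqdrv\misc\STARTDRV.exe -> Backdoor.Enculator.01 -> Ignored
   C:\WINDOWS\system32\config\SAM -> File could not be opened
   C:\pagefile.sys -> File could not be opened
   C:\Documents and Settings\spy1\NTUSER.DAT.LOG -> File could not be opened
   C:\WINDOWS\system32\drivers\procguard.sys -> File could not be opened
::Report End
"""

SAMPLE_AFTER = r"""
+ Date of database:      3/14/2004
+ Infected files:         1
+ Scan result:
   C:\Magnus Test\TSServ.exe -> |PACKED| Not-a-virus.Trojansimulator -> Ignored
   C:\WINDOWS\system32\config\SAM -> File could not be opened
::Report End
"""

if __name__ == "__main__":
    header, before = parse_report(SAMPLE_BEFORE)
    _, after = parse_report(SAMPLE_AFTER)
    detections, expected, unexpected = triage(before)
    print("engine", header["Version of scan engine"], "db", header["Date of database"])
    print("detections:", dict(detections))
    print("expected locked:", len(expected), "| check these:", unexpected)
    print("resolved by update:", resolved_between(before, after))
```

    Run against the two reports spy1 posted, the diff lists exactly the three Compaq files, and the only "could not be opened" entries left outside the expected set are the Phoenix profile lock file and procguard.sys, both of which have an obvious owner.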
     
  5. Sumire (Registered Member; joined Sep 26, 2002; 43 posts; Japan)

    Hi, I just downloaded ESS and finished my first scan; so far so good! :)
    This program has a really beautiful GUI, I love it.

    ESS reported that Advanced Process Manipulation (from DiamondCS) is infected by Backdoor.Netsend.
    http://www.diamondcs.com.au/index.php?page=apm
    I think this is another false positive; would you analyze this program?

    Best Regards.

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on:         0:00:37, 2004/03/16
    + Report-Checksum:      D47FA012

    + Date of database:      2004/03/15
    + Version of scan engine:   v1.1

    + Duration:            18 s
    + Scanned Files:         617
    + Speed:            33.65 Files/Second
    + Infected files:         1
    + Removed files:         0
    + Files put in quarantine:      0
    + Files that could not be opened:   0
    + Files that could not be removed:   0

    + Ignore extension:   Yes
    + Binder:      Yes
    + Crypter:      Yes
    + Memory:      No
    + Archives:      No
    + Heuristic:      No

    + Scanned items:
       C:\Documents and Settings\Sumire\My Documents\Application\Utility

    + Scan result:
       C:\Documents and Settings\Sumire\My Documents\Application\Utility\DiamondCS\APM\apm.exe -> |PACKED| Backdoor.Netsend -> Ignored


    ::Report End
     
  6. Paul Wilders (Administrator; joined Jul 1, 2001; 12,472 posts; The Netherlands)

    Sumire,

    False positive indeed. Please inform ESS.

    regards.

    paul
     
  7. peter.ewido (former ewido team; joined Nov 10, 2003; 737 posts; Brno, Czech Republic)

    Code:
    ---------------------------------------------------------
     ewido security suite - Scan report
    ---------------------------------------------------------
    
     + Created on:         16:38:44, 15.03.2004
     + Report-Checksum:      BF0608A6
    
     + Date of database:      15.03.2004
     + Version of scan engine:   v1.1
    
     + Duration:            201 ms
     + Scanned Files:         14
     + Speed:            69.65 Files/Second
     + Infected files:         0
     + Removed files:         0
     + Files put in quarantine:      0
     + Files that could not be opened:   0
     + Files that could not be removed:   0
    
     + Ignore extension:   Yes
     + Binder:      Yes
     + Crypter:      Yes
     + Memory:      Yes
     + Archives:      Yes
     + Heuristic:      Yes
    
     + Scanned items:
       M:\Whitelist\DiamondCS\APM\Links
       M:\Whitelist\DiamondCS\APM\TestDLL
       M:\Whitelist\DiamondCS\APM\apm.dll
       M:\Whitelist\DiamondCS\APM\apm.exe
       M:\Whitelist\DiamondCS\APM\apmhelp.chm
       M:\Whitelist\DiamondCS\APM\uninstal.exe
       M:\Whitelist\DiamondCS\APM\uninstal.ini
    
     + Scan result:
       No infected files found!
    
    
    ::Report End
    Could you please send your apm.exe to submit@ewido.net? It seems to be a different version. Thanks!
     
  8. Sumire (Registered Member; joined Sep 26, 2002; 43 posts; Japan)

    @Paul
    I'm sorry, I'll follow your instructions.

    @fish25
    Thank you for your quick response, I'll send you apt.exe.

    Many thanks
     
  9. peter.ewido (former ewido team; joined Nov 10, 2003; 737 posts; Brno, Czech Republic)

    apt.exe? ;)
     
  10. Sumire (Registered Member; joined Sep 26, 2002; 43 posts; Japan)

    I'm sorry, I sent the wrong sample :'( The next sample is the right one.

    best regards
     
  11. peter.ewido (former ewido team; joined Nov 10, 2003; 737 posts; Brno, Czech Republic)

    Fixed with the current update :)
     
  12. Sumire (Registered Member; joined Sep 26, 2002; 43 posts; Japan)

    I confirmed that the false positive was fixed :)
    Thank you very much. Please keep up the good work :)

    Best Regards
     
  13. spy1 (Registered Member; joined Dec 29, 2002; 3,139 posts; Clover, SC)

    fish - I see you also added TrojanSimulator to your detection sigs - and properly identified it as not being an actual trojan.

    C:\Magnus Test\TrojanSimulator.exe -> Not-a-virus.Trojansimulator -> Ignored
    C:\Magnus Test\TSServ.exe -> |PACKED| Not-a-virus.Trojansimulator -> Ignored
     