Sent EWIDO three FP's just now.

Discussion in 'other anti-trojan software' started by spy1, Mar 13, 2004.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on:         11:19:24 AM, 3/13/2004
    + Report-Checksum:      57934070

    + Date of database:      3/13/2004
    + Version of scan engine:   v1.1

    + Duration:            8 min
    + Scanned Files:         19465
    + Speed:            38.46 Files/Second
    + Infected files:         3
    + Removed files:         0
    + Files put in quarantine:      0
    + Files that could not be opened:   22
    + Files that could not be removed:   0

    + Ignore extension:   Yes
    + Binder:      Yes
    + Crypter:      Yes
    + Memory:      No
    + Archives:      No
    + Heuristic:      No

    + Scanned items:
       C:\

    + Scan result:
       C:\Compaq\CPQInet\LchApp.exe -> TrojanSpy.Algus.10 -> Ignored
       C:\Compaq\EAKDRV\STARTDRV.exe -> Backdoor.Enculator.01 -> Ignored
       C:\cpqdrv\misc\STARTDRV.exe -> Backdoor.Enculator.01 -> Ignored

    Nice little program!

    I set it to "Ignore All" just so I could get results only.

    Added "securitysuite.exe" to PG and gave it the "Read" access it was clamoring for (I'd already started the scan before I did that, so it may account for some of the 22 "Files that could not be opened", I'm not sure).

    No problems d/l'ing, installing or running it - and, it was certainly simple enough! Pete
     
  2. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Fixed with the latest update :)
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thank you, sir. At work at the moment, but I'll get the update when I get home. Pete
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    And fixed it is:

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on:         10:12:30 AM, 3/14/2004
    + Report-Checksum:      FD03011D

    + Date of database:      3/14/2004
    + Version of scan engine:   v1.1

    + Duration:            7 min
    + Scanned Files:         19367
    + Speed:            44.37 Files/Second
    + Infected files:         0
    + Removed files:         0
    + Files put in quarantine:      0
    + Files that could not be opened:   22
    + Files that could not be removed:   0

    + Ignore extension:   Yes
    + Binder:      Yes
    + Crypter:      Yes
    + Memory:      No
    + Archives:      No
    + Heuristic:      No

    + Scanned items:
       C:\

    + Scan result:
       C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
       C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
       C:\Documents and Settings\LocalService\NTUSER.DAT -> File could not be opened
       C:\Documents and Settings\LocalService\ntuser.dat.LOG -> File could not be opened
       C:\Documents and Settings\spy1\Application Data\Phoenix\Profiles\default\x9eoecei.slt\parent.lock -> File could not be opened
       C:\Documents and Settings\spy1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
       C:\Documents and Settings\spy1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
       C:\Documents and Settings\spy1\NTUSER.DAT -> File could not be opened
       C:\Documents and Settings\spy1\NTUSER.DAT.LOG -> File could not be opened
       C:\hiberfil.sys -> File could not be opened
       C:\pagefile.sys -> File could not be opened
       C:\WINDOWS\system32\config\default -> File could not be opened
       C:\WINDOWS\system32\config\default.LOG -> File could not be opened
       C:\WINDOWS\system32\config\SAM -> File could not be opened
       C:\WINDOWS\system32\config\SAM.LOG -> File could not be opened
       C:\WINDOWS\system32\config\SECURITY -> File could not be opened
       C:\WINDOWS\system32\config\SECURITY.LOG -> File could not be opened
       C:\WINDOWS\system32\config\software -> File could not be opened
       C:\WINDOWS\system32\config\software.LOG -> File could not be opened
       C:\WINDOWS\system32\config\system -> File could not be opened
       C:\WINDOWS\system32\config\system.LOG -> File could not be opened
       C:\WINDOWS\system32\drivers\procguard.sys -> File could not be opened


    ::Report End
     
  5. Sumire

    Sumire Registered Member

    Joined:
    Sep 26, 2002
    Posts:
    43
    Location:
    Japan
    Hi,I just downloaded ESS and finished first scan, so far so good! :)
    This program has really beautiful GUI, I love it.

    ESS reported that Advanced Process Manipulation(from DiamondCS) is infected by Backdoor.Netsend.
    http://www.diamondcs.com.au/index.php?page=apm
    I think this is another false positive, would you analyze this program.?

    Best Regards.

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on:         0:00:37, 2004/03/16
    + Report-Checksum:      D47FA012

    + Date of database:      2004/03/15
    + Version of scan engine:   v1.1

    + Duration:            18 s
    + Scanned Files:         617
    + Speed:            33.65 Files/Second
    + Infected files:         1
    + Removed files:         0
    translation error0
    translation error0
    + Files that could not be removed:   0

    + Ignore extension:   Yes
    + Binder:      Yes
    + Crypter:      Yes
    + Memory:      No
    + Archives:      No
    + Heuristic:      No

    + Scanned items:
       C:\Documents and Settings\Sumire\My Documents\Application\Utility

    + Scan result:
       C:\Documents and Settings\Sumire\My Documents\Application\Utility\DiamondCS\APM\apm.exe -> |PACKED| Backdoor.Netsend -> Ignored


    ::Report End
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Sumire,

    False positive indeed. Please inform ESS.

    regards.

    paul
     
  7. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Code:
    ---------------------------------------------------------
     ewido security suite - Scan report
    ---------------------------------------------------------
    
     + Created on:         16:38:44, 15.03.2004
     + Report-Checksum:      BF0608A6
    
     + Date of database:      15.03.2004
     + Version of scan engine:   v1.1
    
     + Duration:            201 ms
     + Scanned Files:         14
     + Speed:            69.65 Files/Second
     + Infected files:         0
     + Removed files:         0
     + Files put in quarantine:      0
     + Files that could not be opened:   0
     + Files that could not be removed:   0
    
     + Ignore extension:   Yes
     + Binder:      Yes
     + Crypter:      Yes
     + Memory:      Yes
     + Archives:      Yes
     + Heuristic:      Yes
    
     + Scanned items:
       M:\Whitelist\DiamondCS\APM\Links
       M:\Whitelist\DiamondCS\APM\TestDLL
       M:\Whitelist\DiamondCS\APM\apm.dll
       M:\Whitelist\DiamondCS\APM\apm.exe
       M:\Whitelist\DiamondCS\APM\apmhelp.chm
       M:\Whitelist\DiamondCS\APM\uninstal.exe
       M:\Whitelist\DiamondCS\APM\uninstal.ini
    
     + Scan result:
       No infected files found!
    
    
    ::Report End
    Could you please send your apm.exe to submit@ewido.net? It seems to be a different version. Thanks!
     
  8. Sumire

    Sumire Registered Member

    Joined:
    Sep 26, 2002
    Posts:
    43
    Location:
    Japan
    @Paul
    I'm sorry, I'll follow your instruction.

    @fish25
    Thank you for your quick response, I'll send you apt.exe.

    Many thanks
     
  9. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    apt.exe? ;)
     
  10. Sumire

    Sumire Registered Member

    Joined:
    Sep 26, 2002
    Posts:
    43
    Location:
    Japan
    I'm sorry , I sent wrong sample, :'( next sample is true.

    best regards
     
  11. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Fixed with the current update :)
     
  12. Sumire

    Sumire Registered Member

    Joined:
    Sep 26, 2002
    Posts:
    43
    Location:
    Japan
    I confirmed that false positive was fixed :)
    Thank you very much. Please keep on good work :)

    Best Regards
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    fish - I see you also added TrojanSimulator to your detection sigs - and properly identified it as not being an actual trojan.

    C:\Magnus Test\TrojanSimulator.exe -> Not-a-virus.Trojansimulator -> Ignored
    C:\Magnus Test\TSServ.exe -> |PACKED| Not-a-virus.Trojansimulator -> Ignored
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.