SpyReveal; about some other scanners giving warnings on it

Discussion in 'other anti-malware software' started by FanJ, May 9, 2012.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,800
    Hi,

    Before I start, I want to make clear that:
    1. this thread is only about some other scanners giving warnings on some SpyReveal files and/or its website;
    2. this thread is not about other anti-keylogger software;
    3. this thread is not about how good SpyReveal is;
    4. I am not affiliated with the SpyReveal company (but yes I post sometimes database updates of it as I did in the past for SpyCop).

    ===

    Several friends asked me recently questions in private about a warning from TrojanHunter on a file of SpyReveal. See https://www.wilderssecurity.com/showthread.php?t=323445
    It was quickly fixed by Gavin. Unfortunately Gavin is having at the moment a nasty flu, so it could well be that he just dropped the definition without looking at my submission. Folks, we are all human; health comes first!

    I am usually reluctant to tell which file of SpyReveal and in which location it is placed. The SpyReveal company changes that from time to time.

    The file on which TrojanHunter gave a warning, is called infozip.exe
    SHA-256 - 64E6477FD422E1544D2042DC9798C2DB0B92655F0E164CFFC227AC01341F4390

    A few scanners are giving warnings on some SpyReveal files. I scanned them at VirusTotal.

    Two other of these files:
    welcome.exe
    SHA-256 - DCADD8ED9BCA188DFD1B1C25CC72321E4C41BE5404A1BA852B793C2EFDFA22D1
    start.exe
    SHA-256 - 8C465C513D11465EA9C1A990392D3C86534877EC60E594C3662BC55859B151EB

    I think they are all FP's. Of course until an expert proves otherwise; but they have to prove it and tell why.
    So, if you have SpyReveal installed and another scanner (AV/AT/AS) is giving a warning about one of its files, submit it to that other company and ask them to take a serious look at it.

    The same goes for the site of SpyReveal: http://antikeyloggers.com/welcome

    Are those files, and is this site, really infected?
    If they are, it has to be proven. Only a cloud "proof" is not good enough. An expert has to look at it.
    So submit them to your AV/AT/AS company.

    If I'm wrong then I stand to be corrected.
     
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,789
    It's been over a week and I'm still waiting to hear back from SurfRight (HitManPro)
    on two files "welcome.exe" and "start.exe"
    I e-mailed them direct to Erik, guess I'll give it another day or two and send them again.
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,958
    Location:
    USA
    Here is what SpyReveal had to say 5 days ago when I sent them info regarding the VirusTotal, Jotti and TrafficLight warnings. They seem to be implying that the vendors whose scans found malware are not "well regarded".

    ~Private communication removed. See the TOS.~
     
    Last edited by a moderator: May 12, 2012
  4. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,800
    Hey guys,

    It wasn't my intention at all to start any "war" between company X and company Y, not at all! Please be assured of that.

    BTW, about "welcome.exe":
    1. sometimes its name changes.
    2. its checksum changes with every update (as everyone who uses some kind of file-integrity-checker will know).
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,958
    Location:
    USA
    Nor is it my intent to start a war.
    Posting the company's response to my inquiry seemed like a helpful thing to do.
    But since doing so is against TOS, I have asked for the sender's permission to post the response in a public forum.
    If granted, is that then sufficient?
     
  6. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,789
    Update..........
    Still have not heard back from SurfRight (HitManPro)
    Resent e-mail earlier,
    Rescanned with HitManPro results are as follows,
    "welcome.exe" is no longer being detected as malicious,
    "start.exe" is still being detected as malicious (another FP, I believe)

    2012-05-13_195523.png
     
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,800
    Hi LoneWolf,

    Thanks for the update.

    1.
    Good to see that "welcome.exe" is no longer flagged by HitManPro. Let's see what happens after the next SpyReveal update.
    2.
    The current version of "start.exe" is about three years old now, as far as I can tell at the moment.
    As far as I can see from your screenshot, that detection Gen:Trojan.Heur.bmLfbLT!OBgi is the one from BitDefender/F-Secure/GData.
    *edit to add* These three AV scanners share some engine cq. database as far as I know. I too think it is an FP (of course until proven otherwise).
     
    Last edited: May 13, 2012
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,800
    Hi Page42,

    Of course it is understood that you too didn't want to start a "war".

    About your question: If you get permission from the SpyReveal company, maybe it is still wise to ask the Wilders Security Forums staff for advice in private. What the SpyReveal company itself does, is their responsibility; for example: they have the possibility to say what they want to say in the SpyReveal "Latest News" window in the program itself.
     
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,800
    From the SpyReveal FAQ:
    http://antikeyloggers.com/faq.htm

     
  10. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,800
    Related postings/threads:

    https://www.wilderssecurity.com/showpost.php?p=2056908&postcount=4361

    https://www.wilderssecurity.com/showthread.php?t=324345

    The file start.exe has been submitted to virus_submission@bitdefender.com

    I strongly believe that it is a False Positive.
    Checksums of start.exe :
    MD5 - 4FDCA077CADE7F412497E7A7FB7B24C7
    SHA-256 - 8C465C513D11465EA9C1A990392D3C86534877EC60E594C3662BC55859B151EB

    If somebody else could post it at the BitDefender forum, please by all means:
    http://forum.bitdefender.com/
     
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,800
    As I posted in reply # 8, the SpyReveal company has the possibility to give info in the window "Latest News". They did so recently in a more general way. I give the screenshot of it; I left out the completely irrelevant part about what they recommend for AV (ough).

    SpyReveal_2012_05_20_2.gif
     
  12. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,800
  13. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,789
  14. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,800
    Erik just posted here that it should be fixed (white-listed) now in HitManPro :thumb:
     
  15. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,789
    Thank you :thumb:
     
  16. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,800
    You're welcome, LoneWolf, and thanks to you too !

    ===

    About that file start.exe :

    Although I didn't get a reply on my submission to BitDefender, and although there was only a probably automatic (?) reply in the FP thread at the BitDefender forum, I just noticed at VirusTotal that all three scanners BitDefender/F-Secure/GData are no longer giving a warning on it :)
     
  17. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,800
    There is now a reply at the FP thread at the BitDefender forum from Christian (BitDefender Technical Support) telling that the file is clean.
    Thanks much, Christian :thumb:
     