Threatfire false positives ?

Discussion in 'malware problems & news' started by damian666, Apr 9, 2008.

Thread Status:
Not open for further replies.
  1. damian666

    damian666 Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    63

    Attached Files:

  2. damian666

    Hi
    Bit more detail
     

    Attached Files:

  3. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Have to be honest, I only did a search for the System32 interop entry. Too hard to transcribe the other names, and I'm a bit tired. Plus I have no intimate knowledge of the files, nor Vista.
    Googling around indicated that C:\Windows\System32\Interop.Shell32.dll doesn't look malware-ish at all.
    A few options:
    Try contacting Threatfire support.
    For the entries on the file system list, try uploading them (in turn) to http://www.virustotal.com/ for an online scan and multiple second opinions.
    I'd be inclined to suspect FP's. What protection setting do you use?
     
  4. Tarq57

    PS: there were at least two other users who posted issues regarding that file, also. One of them had lost his System Restore (Vista). Don't know if any of them were using TF. Didn't see any instances of the files being reported "bad", yet they'd been quarantined or removed via other means for some reason.
    That's what led to my above musing.
     
  5. Tarq57

    PSS (sorry to womble on) Do you reckon "patch Tuesday" might have something to do with this? FWIW my TF is set to default, 3/5, no warnings triggered, 6 updates downloaded. XP.
    All yours appear to be valid MS system or update files.
     
  6. damian666

    Hi
    I've left a message with ThreatFire support. ThreatFire is set to 5; could this be too high, as the default was 3? I also have found that after the quarantine of the found items, Windows Media Player seems to reconfirm itself as though it was the first time I'd used it. The computer is a few months old now; I use PC Tools ThreatFire and Firewall with Avast.
    Thanks again for your time.
     
  7. Tarq57

    I think so. It's a behaviour blocker. Its own file says, "5. Alerts on any suspicious action. This level will display the most alerts."
    Basically means it will alert you to almost any system changes which could be due to malware, whether they are or not. Any alert popped at this level needs research before quarantining, and in my limited experience of behaviour blockers, most of the flagged items are likely to be harmless.
    Try setting it back to three.
    I'm also using Avast, keep everything up to date, and consider the protection pretty good. My demand scans never find a thing, except the occasional FP, which is as it should be.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    ThreatFire also reported a false positive: "C:\$ISR\0\ISRCOPYXP.EXE"
    I got this warning while I was creating my freeze storage.
    This is an object of FirstDefense-ISR, not a threat.
    I already reported this at Wilders yesterday, but everybody was praising ThreatFire so much into heaven, that they didn't even see my post or didn't want to see my post.
    Again, there is nothing to find on my system partition except f/p's and ThreatFire just made a mistake like several other scanners made a mistake.
     
    Last edited: Apr 9, 2008
  9. Tarq57

    Tell the truth, Erik, I saw that post, but didn't view it as requesting an acknowledgment; more an informative statement along the lines of "this is what it does- you should sometimes expect this sort of thing, etc", for the benefit of the OP and anyone else reading.
    Really, when it comes to behaviour blockers, even those with some kind of blacklist component, I'm thinking "false positive" is probably the wrong terminology. Perhaps "precautionary alert" or "harmless detection" would be more appropriate.
     
  10. ErikAlbert

    Why doesn't ThreatFire create a whitelist of all objects on my system partition, like Anti-Executable, in order to avoid these false positives?
    TF doesn't need to protect me against already installed objects, TF has to protect me against NEW objects, that try to install themselves.
     
  11. Tarq57

    What, you mean like Comodo Firewall 3.#, Defense + in training mode?
    I see from an earlier post that you've been looking for a firewall, that one might just suit.
     
  12. ErikAlbert

    No not in training mode. TF has to create this whitelist during its installation, like AE does.
     
  13. Tarq57

    Well, appears it doesn't. So your choices appear clear.
    Personally I'm real happy with what TF does, but I've had some limited experience of HIPS by using SpywareTerminator, so no stranger to alerts.
     
  14. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    I also saw that remark... I got the same when I used FDISR... Skipped it because I recognized it as a behaviour warning more than an FP... I also had the same with aston.exe... An FP differs from a dangerous-behaviour warning in my point of view. Inexperienced users can suffer from it, though, if they don't know what to do and make the wrong choice...
     
  15. ErikAlbert

    I know it doesn't, I've seen it with my own eyes. That doesn't mean it can change in the future.
    False positives regarding existing clean objects can be avoided if there is a whitelist.
     
    Last edited: Apr 9, 2008
  16. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    A bunch of senseless, off-topic and argumentative posts removed. Stop that.
     
  17. boonie

    boonie Registered Member

    Joined:
    Aug 5, 2007
    Posts:
    238
    Personally, I like the no auto whitelist approach. It allows me to judge for myself on each warning TF gives.
    wextract is a Windows program used to extract and create CAB files and clean up after temp CAB files are extracted.
    iexpress is used to create self-extracting files that run a setup program inside the file (like an .exe or .ini file) and then clean up after the setup is run. It is used by MS for updates.
    So it appears Tarq57's guess is a good one. It may have been MS Update that set TF off.
    I have TF set to 5 as well, and you will run into some FPs on that setting.
     
    Last edited: Apr 9, 2008
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Threatfire isn't a scanner, although it has a rootkit scanner.
    AE (or any other whitelisting software) assumes that every executable on your system is deemed clean by you. Other security software doesn't make this assumption.

    BTW, rootkit scanners don't produce FPs, because they report every hidden/cloaked item, although most "user-friendly" ARK have measures to reduce the number of alerts.
     
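The whitelist idea argued over in the posts above (ErikAlbert: snapshot everything on the system partition at install time and only alert on new objects; lucas1985: that snapshot simply trusts whatever is already there) can be shown in a few dozen lines. The code below is an added illustration written for this page, not ThreatFire's or Anti-Executable's own logic. It assumes a hash-based whitelist keyed on path plus SHA-256, a constructed set of file types, and a constructed temp directory standing in for the system partition; the file names in the demo are taken from this thread but their contents are made up. It also shows the caveat a hash baseline carries: a legitimately updated system file (the Patch Tuesday scenario Tarq57 raised) comes back as "modified", so the baseline removes alerts on untouched files but not on updated ones, and a file that was already malicious at baseline time is whitelisted without question.

```python
import hashlib
import os
import tempfile
from typing import Dict

# Assumption: the file types an install-time executable whitelist would cover.
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_to_baseline(baseline: Dict[str, str], path: str, data: bytes) -> None:
    """Record one executable as trusted. Nothing here checks whether it is clean:
    the baseline trusts whatever is present when it is taken (lucas1985's point)."""
    baseline[os.path.normcase(path)] = sha256_bytes(data)


def build_baseline(root: str) -> Dict[str, str]:
    """Walk root at 'install time' and snapshot every executable-type file."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXEC_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    add_to_baseline(baseline, path, fh.read())
    return baseline


def classify(baseline: Dict[str, str], path: str, data: bytes) -> str:
    """How a path-plus-hash whitelist would treat an executable.

    'whitelisted': same path and same content as at baseline time (no alert).
    'modified':    path known, content changed, e.g. a system file replaced by an update.
    'new':         not present when the baseline was taken (the only case Erik wants alerts on)."""
    key = os.path.normcase(path)
    if key not in baseline:
        return "new"
    if baseline[key] != sha256_bytes(data):
        return "modified"
    return "whitelisted"


def scan(baseline: Dict[str, str], root: str) -> Dict[str, str]:
    """Re-walk root and classify every executable-type file against the baseline."""
    results: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXEC_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[name] = classify(baseline, path, fh.read())
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: two files exist at 'install' time; later one of them is
    rewritten (as Windows Update would do) and a new executable appears."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "System32")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "wextract.exe"), "wb") as fh:
            fh.write(b"constructed pre-update content")
        with open(os.path.join(sysdir, "Interop.Shell32.dll"), "wb") as fh:
            fh.write(b"constructed library content")
        baseline = build_baseline(root)

        # After the baseline: an update replaces wextract.exe, a new file is dropped.
        with open(os.path.join(sysdir, "wextract.exe"), "wb") as fh:
            fh.write(b"constructed post-update content")
        with open(os.path.join(root, "newtool.exe"), "wb") as fh:
            fh.write(b"constructed content of a file not present at install")
        return scan(baseline, root)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:12s} {name}")
```

Run stand-alone it prints one verdict per file: Interop.Shell32.dll whitelisted, newtool.exe new, wextract.exe modified. The "modified" result is the practical limitation: to stay quiet across Patch Tuesday, a whitelist of this kind has to be refreshed after each update, or key on something like publisher signature rather than file hash, which is a different design from the install-time snapshot discussed in the thread.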
  19. ErikAlbert

    I know it's not a scanner. That's why I installed it. I don't use signature/blacklist security software. That doesn't mean it has no false positives; this thread is full of them.

    The full rootkit scanner didn't detect anything, which is normal, it's a clean and unused system partition, there is nothing to find.
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Crank the setting to 5 and see if that statement still applies.
     
  21. ErikAlbert

    Then you get even more f/p's.
     
  22. lucas1985

    So, how did you get the FP on FD-ISR? It was deemed suspicious at the default setting of 3? Which behaviour was reported?
     
  23. ErikAlbert

    I don't remember if it was 3 or 5. I never expected that TF would give a warning on a clean system partition.
    I tried to create my freeze storage again with level 3 and 5, but TF doesn't give that warning anymore, maybe it remembers my decision of the first time.
    I have to rollback to my clean archive to reproduce this situation.
    On level 5: opening Firefox is even a HIGH security threat. LOL.
     
  24. Tarq57

    I think that either you really don't understand much at all about behaviour blockers, (unlikely) or else that you're on some kind of (pardon the terminology) crusade. A crusade to garner support for getting TF to make available a feature which, let's face it - quite a few users, self included, neither want nor feel is needed.

    Why don't you ask the good folk at TF to include an auto-whitelist feature?
    It seems there is not so much support for that, here.

    (BTW, on "5", anything trying to make an internet connection is likely to be reported on, at least until it's allowed. And I for one am extremely happy it does this.)
     
  25. lucas1985

    Using level 5 means that Threatfire doesn't focus on reducing FPs anymore. It becomes a sort of classic HIPS.
     