Threatfire false positives ?

Hi
Can anyone tell me if Threatfire has got this right,as when i quarantined these my computer was taking so long to restart.I held power button in until pc (vista 32)turned off then turned it back on and everything seems ok for now
Thank you
https://www.wilderssecurity.com/attachment.php?attachmentid=199120&stc=1&d=1207725465
Threatfire.JPG

 

Hi
Bit more detail

 

Have to be honest, I only did a search for the system 32 interop entry. Too hard to transcribe the other names, and I'm a bit tired. Plus I have no intimate knowledge of the files, nor Vista.
The Google around indicated that C:\Windows\System32\Interop.Shell32.dll doesn't look malware-ish at all.
A few options:
Try contacting Threatfire support.
For the entires on the file system list, try uploading them (in turn) to http://www.virustotal.com/ for an online scan and multiple second opinions.
I'd be inclined to suspect FP's. What protection setting do you use?

 

PS there were at least two other users posted issues regarding that file, also. One of them had lost his system restore (vista). Don't know if any of them were using TF. Didn't see any instances of the files being reported "bad", yet they'd been quarantined or removed via other means for some reason.
That's what led to my above musing.

 

PSS (sorry to womble on) Do you reckon "patch Tuesday" might have something to do with this? FWIW my TF is set to default, 3/5, no warnings triggered, 6 updates downloaded. XP.
All yours appear to be valid MS system or update files.

 

Hi
Ive left message with threatfire support,threatfire is set to 5 could this be to high as default was 3.I also have found after the quarantine of the found items,windows media player seem to reconfirm its self as though it was the first time id used it.Computer is a few months old now,i use pc tools threatfire and firewall with avast
Thanks again for your time

 

I think so. It's a behaviour blocker. It's own file says, "5. Alerts on any suspicious action. This level will display the most alerts."
Basically means it will alert you to almost any system changes which could be due to malware, whether they are or not. Any alert popped at this level needs research before quarantining, and in my limited experience of behaviour blockers, most of the flagged items are likely to be harmless.
Try setting it back to three.
I'm also using Avast, keep everything up to date, and consider the protection pretty good. My demand scans never find a thing, except the occasional FP, which is as it should be.

 

ThreatFire reported also a false positive : "C:\$ISR\0\ISRCOPYXP.EXE"
I got this warning while I was creating my freeze storage.
This an object of FirstDefense-ISR, not a threat.
I already reported this at Wilders yesterday, but everybody was praising ThreatFire so much into heaven, that they didn't even see my post or didn't want to see my post.
Again, there is nothing to find on my system partition except f/p's and ThreatFire just made a mistake like several other scanners made a mistake.

 

Tell the truth, Erik, I saw that post, but didn't view it as requesting an acknowledgment; more an informative statement along the lines of "this is what it does- you should sometimes expect this sort of thing, etc", for the benefit of the OP and anyone else reading.
Really, when it comes to behaviour blockers, even those with some kind of blacklist component, I'm thinking "false positive" is probably the wrong terminology. Perhaps "precautionary alert" or "harmless detection" would be more appropriate.

 

Why doesn't ThreatFire create a whitelist of all objects on my system partition, like Anti-Executable in order to avoid these false positives.
TF doesn't need to protect me against already installed objects, TF has to protect me against NEW objects, that try to install themselves.

 

What, you mean like Comodo Firewall 3.#, Defense + in training mode?
I see from an earlier post that you've been looking for a firewall, that one might just suit.

 

No not in training mode. TF has to create this whitelist during its installation, like AE does.

 

Well, appears it doesn't. So your choices appear clear.
Personally I'm real happy with what TF does, but I've had some limited experience of HIPS by using SpywareTerminator, so no stranger to alerts.

 

I also saw that remark... I got the same when I used FDISR...Skipped it because I reckognized it as a behaviour warning more than FP...I also had the same with aston.exe...FP differs from dangerous behaviour warnings in my point of view. Unexperienced users can suffer from it though if they don´t know what to do and makes the wrong choice...

 

I know it doesn't, I've seen it with my own eyes. That doesn't mean it can change in the future.
False positives regarding existing clean objects can be avoided if there is a whitelist.

 

Personally, I like the no auto whitelist approach. It allows me to judge for myself on each warning TF gives.
wextract is a Windows program used to extract and create CAB files and clean up after temp CAB files are extracted.
iexpress is used to create self extracting files that run a set up program inside the file (like an exe. or ini. file) and then clean up after the set up is run. It is used by MS for updates.
So it appears Tarq57's guess is a good one. It may have been MS Update that set TF off.
I have TF set to 5 as well, and you will run in to some FPs on that setting

 

Threatfire isn't a scanner, although it has a rootkit scanner.

AE (or any other whitelisting software) assumes that every executable in your system are deemed clean by you. Other security software don't make this assumption.

BTW, rootkit scanners don't produce FPs, because they report every hidden/cloaked item, although most "user-friendly" ARK have measures to reduce the number of alerts.

 

I know it's not a scanner. That's why I installed it. I don't use signature/blacklist security softwares. That doesn't mean it has no false positives, this thread is full of them.

The full rootkit scanner didn't detect anything, which is normal, it's a clean and unused system partition, there is nothing to find.

 

Crank the setting to 5 and see if that statement still applies.

 

Than you get even more f/p's.

 

So, how did you get the FP on FD-ISR? It was deemed suspicious at the default setting of 3? Which behaviour was reported?

 

I don't remember, if it was 3 or 5. I never expected that TF would gave a warning on a clean system partition.
I tried to create my freeze storage again with level 3 and 5, but TF doesn't give that warning anymore, maybe it remembers my decision of the first time.
I have to rollback to my clean archive to reproduce this situation.
On level 5 : opening Firefox is even HIGH security threat. LOL.

 

I think that either you really don't understand much at all about behaviour blockers, (unlikely) or else that you're on some kind of (pardon the terminology) crusade. A crusade to garner support for getting TF to make available a feature which, let's face it - quite a few users, self included, neither want nor feel is needed.

Why don't you ask the good folk at TF to include an auto-whitelist feature?
It seems there is not so much support for that, here.

(BTW, on "5", anything trying to make an internet connection is likely to be reported on, at least until it's allowed. And I for one am extremely happy it does this.)

 

Using level 5 means that Threatfire doesn't focus on reducing FPs anymore. It becomes a sort of classic HIPS.