win32:ircbot-KL

Discussion in 'other anti-virus software' started by beethoven, Dec 19, 2005.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Avast came up with an alert to show that gss.exe has been infected by win32:ircbot_Kl Trojan. I have not yet been able to run the file via jotti or kaspersky online. As this file is more than 1mb, how could I get some independent confirmation?
    Could that be a false positive?
     
    Last edited: Dec 19, 2005
  2. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Not sure why this was moved - I still think it is likely that the alert is a false positive and as such would be interesting to the developer of Ghost security and the other users there.
     
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Given that your Avast AV program is giving you an alert and given that you would like an "independent confirmation"... to me personally it resides in an appropriate Forum whereby users of an AV program might frequent and give you that confirmation if they also use regdefend.

    Of course that would have been my reasoning for moving it if I had seen it first ;)
     
  4. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    Install KAV or Bitdefender's online scanner and see if it finds it.
     
  5. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Downloading KAV right now :)
     
  6. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Jotti works with samples up to 10MB.
    Also, is it so hard to verify source of the program? Google it maybe?
     
  7. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Kav is still scanning overall but looking at the individual files, nothing showed up.
    Jotti also did not show anything, including Avast. This brings me back to the original thought that Avast is showing gss.exe as a false positive and perhaps Jason might want to contact Avast?
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Almost all threads where a false positive has been mentioned... programmers request the user contact the guilty program.
     
  9. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    If I were the developer of a software program I would not want to rely on users to act on my behalf. Some of them may be lazy, don't know how to approach the correct people...
    Personally I would find it important to ensure that my software is not incorrectly shown as problematic and most likely I have existing contacts in the industry to get things sorted out quicker. But then again, I may be wrong. ;)
     
  10. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    If a company adds a false positive into its signature database, the onus is on them to fix it, not every developer they falsely claim is a virus/worm/spyware. Does it make you feel secure knowing your anti-virus company is having problems adding signatures to their database that it incorrectly flags other programs? :)
     
  11. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Jason, I fully agree that the mistake for FP is with the AV program and that they have to fix it. My point was just that not every user will take the steps to let the "faulty" program know that they should do something.
    While I did send an email to their address, I don't know when and if they will take any amendment. If I am right and it is a FP, the longer it takes the more people will be unnecessarily alarmed by the innocent software, in this case RD.

    As for FP in general, I had them a few times. Some progs seem to better at avoiding them than others, still I guess we have to live with them to a certain degree.
     
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I don't get it, what's the problem? It's a well known thing that FPs are fixed by the AV vendor only. So, usually you send the FP report to the AV vendor and they'll fix it. There were false positives by several AV vendors on my programs and users reported it to me FIRST. So I dealt with the FP by myself as developer.
    So basically there ARE two ways, depends how people react.
    Honestly, false positives aren't such a big deal imo. They happen to everyone, starting at Norton and going through NOD32, BitDefender, McAfee, Kaspersky, avast!, AVG, AntiVir blablabla etc etc...
     
  13. jbarr

    jbarr Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    20
    Hi Beethoven,

    I was experiencing the same problem as you. But it appears that Avast! has taken care of the issue with its latest virus definition update:
    VPS file version: 0551-1, Compilation date: 12-20-05

    The RegDefend program did not open at startup, however upon manually opening it, the program opened without a virus warning.

    Hoping Avast!'s technicians will acknowledge this assumption on my part. See my post on Avast! support forum:

    http://forum.avast.com/index.php?topic=18152.0
     
  14. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    Exclude the directory where the app is located or exclude the file itself from scans. I think at this point you can confirm it's a FP. If you still aren't comfy, scan with BitDefender's Online Scanner.
     
    Last edited: Dec 20, 2005
  15. jbarr

    jbarr Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    20
    Thanks tazdevl, an avast! support forum moderator has confirmed that this issue has been resolved with their virus database update earlier today.

    But, in the future, I'll certainly keep your suggestion in mind, to exclude the file from an AV scan, in an effort to determine if the warning is a false positive one. Your feedback is appreciated :)
     