ZoneAlarm A/S False positive Win32.Application.Adware.WinAntiVirus

Discussion in 'other anti-malware software' started by gorgelink, Nov 16, 2006.

Thread Status:
Not open for further replies.
  1. gorgelink

    gorgelink Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    49
    Hi,

    Have ZoneAlarm Pro Antispyware.

    Just downloaded antispyware definitions file 525.

    It found what I believe to be a false positive:

    Win32.Application.Adware.WinAntiVirus

    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories\{56FFCC30-D398-11d0-B2AE-00A0C908FA49}
    RegistryKey: HKEY_CURRENT_USER\Software\Opera Software
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VxD
    RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Administrative Tools

    WHY I BELIEVE IT IS A FALSE POSITIVE

    I don't have WinAntiVirus installed on my computer.

    1. I scanned the registry with Adaware, AVG Antispyware (ewido), and NAV. It's clean.

    2. No other security software heard of this malware Win32.Application.Adware.WinAntiVirus

    3. The first registry key is often misidentified as a false positive in other security products (Google for it):

    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories\{56FFCC30-D398-11d0-B2AE-00A0C908FA49}

    It is actually the key for the Microsoft Office Antivirus API.

    4. ZAP Antispyware found no appliaction installed on my computer - only registry keys.

    Many thanks.

    G.
     
    Last edited: Nov 16, 2006
  2. EsoxLucius

    EsoxLucius Registered Member

    Joined:
    Oct 27, 2006
    Posts:
    125
    Location:
    Bucharest, Romania
    Yes that's very odd, I had the same problem this morning with ZA at home, but I've choosen to remove that key because I don't like keys in my reg that doesn't match my installed software, even it is a false positive.

    If that was a fp what was he doing in my reg?? And I saw that in my case these keys weren't related to Opera... o_O
     
  3. gorgelink

    gorgelink Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    49
    Hi, EsoxLucius,

    I suppose that you removed this key:

    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories\{56FFCC30-D398-11d0-B2AE-00A0C908FA49}

    The key that you removed is actually the key for the Microsoft Office Antivirus API.

    Microsoft Office Antivirus API allows antivirus softwares (such as Norton Antivirus) to scan Microsoft Office products.

    Try to open a Word document and see if you are having any trouble with your antivirus applications.

    G.
     
  4. gorgelink

    gorgelink Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    49
    UPDATE

    Ran ZAP 6.1 Antispyware on an old laptop, Windows 98, not connected to the Internet since 2002 and nothing new installed on it since 2001.

    Got the same results.

    Now I am convinced it is a false positive. WinAntiVirus didn't even exist back in 2001-2.

    G.
     
  5. gorgelink

    gorgelink Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    49
    Just received this from Tech Support:

    Hello,

    Yes, we do believe that it is a false-positive. We are working on an
    update that will fix this issue as soon as possible.

    Regards,
    Zone Labs.
     
  6. EsoxLucius

    EsoxLucius Registered Member

    Joined:
    Oct 27, 2006
    Posts:
    125
    Location:
    Bucharest, Romania
    It certainly is a fp because I've detected it on other computers to and it is the same, even on fresh installed machines.

    I tried to run a document and my Bitdefender sanned the file succesfully, I also tried an infected document that I keep on a CD and was detected upon run, so the documents anti-virus scanning still works... for me :D
     
Loading...
Thread Status:
Not open for further replies.