Author Topic: false positive mishegas  (Read 1500 times)

Steven Avery

  • Supporting Member
  • Joined in 2006
  • Posts: 852
false positive mishegas
« on: April 04, 2009, 06:53:32 AM »
Hi Folks,

  I notice there is another recent thread about false positives, and it has really jumped to the forefront of difficulties. I recently ran the A-squared free scanner and Malwarebytes, and had with A2 a rather interesting false positive situation.

(My Malwarebytes and Avira are pretty happy with my system, this was my first attempt with Malwarebytes and A2 - Malwarebytes lived up to promise, Wilder's folks generally speak quite highly of the scan, and MB's findings were neatly confirmed by Avira, which popped up when MB hit its files .. I barely knew I had memory-resident scanning on from Avira.)

  All the information (which you might find boring or interesting) can be found through this thread on EMSI, which links to my earlier thread on Gladiator, which is simply 3 posts of mine.

http://forum.emsisof...p;m=28183&#28183
Trace.File.SpyPc 8.0 - Trace.Registry.SpyPc 8.0 (look like false positives)

  There seems to be a type of institutional ossification so that these companies - even the better ones like Emsi - do not know how to get false positives out of their system on the less-publicized cases. They look at each file in an atomistic analysis level, not caring about where it came from, how it is used, the history etc.  Not thinking it through.

   Incidentally I had to develop my technique for finding the source of the file, which some here might find interesting. Using file properties, you find when it was installed on your system, then searching (I searched folder creation dates in Total Commander) you can often find out when and where a file came on your system. It might be nice to have a program that helps with such issues more directly (if you use a snapshot installer it might be a start) but in the real world my method probably will work in many cases. I never did check if registry entries are similarly date-stamped.

   Oh, I had to puzzle around a little bit on how to search; it seems like the search programs often do not work with files based on placed-on-system date (whatever they call it, it is not the file creation date). That is why I switched to folder searching, then looked at individual files .. while I would have preferred a file search.

   Incidentally, all this does not mean that we are unaware about problems like .dll-injection - you can't always tell just by the name of a file, one reason the executable protector programs are an interesting realm of protection .. most of all,  know your own system reasonably well.

  Oh, another point of special interest.  After I traced down the file origin (totally legitimate) I found a McAfee (!) confirmation that this program installs this file.

http://www.siteadvis...m/downloads/8652414/
PC Inspector task manager 3.00.000 (pci_uk_taskmanager.exe)

  Which makes me want to look around at the McAfee logs of programs I am thinking of installing. In general, if they have done this for the program. Do others do similar logs? Dunno.
 
Shalom,
Steven Avery
« Last Edit: April 04, 2009, 07:20:23 AM by Steven Avery »
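As an added example, not part of Steven's post and not code from Total Commander, Emsisoft or any other tool mentioned, here is a small Python script that automates the technique he describes: take the "placed on system" (creation) timestamp of the flagged file, then list every file and folder under a chosen root that was created within a short window of it. Files dropped by one installer run cluster tightly in time, so the burst around the suspect file usually includes the installer or the download that brought it in. The function names, the sample paths and the sample timestamps are constructed for illustration.

```python
"""
Locate where a file came from by correlating creation timestamps.

Given a suspect file, collect the creation ("placed on system") timestamp of
every file and folder under a root, then list the entries created within a
window around the suspect file's own creation time.
"""
import os
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List


@dataclass(frozen=True)
class Entry:
    path: str
    created: float   # seconds since the epoch
    is_dir: bool


def creation_time(st: os.stat_result) -> float:
    """Best-effort 'placed on this system' timestamp.

    Windows: st_ctime is the NTFS creation time.
    macOS/BSD: st_birthtime is the creation time.
    Linux: st_ctime is the inode change time, not creation, so fall back
    to st_mtime and treat the result as weaker evidence.
    """
    if hasattr(st, "st_birthtime"):
        return st.st_birthtime
    if sys.platform.startswith("win"):
        return st.st_ctime
    return st.st_mtime


def collect(root: str) -> List[Entry]:
    """Walk root and record a creation timestamp for every folder and file."""
    entries: List[Entry] = []
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            p = os.path.join(dirpath, name)
            try:
                entries.append(Entry(p, creation_time(os.stat(p)), is_dir))
            except OSError:
                continue   # unreadable entry, e.g. a permissions error
    return entries


def created_near(entries: Iterable[Entry], anchor: float, window: float) -> List[Entry]:
    """Entries created within +/- window seconds of anchor, oldest first,
    so a single installer run shows up as one contiguous burst."""
    return sorted(
        (e for e in entries if abs(e.created - anchor) <= window),
        key=lambda e: (e.created, e.path),
    )


def siblings_of(entries: Iterable[Entry], suspect_path: str, window: float = 300.0) -> List[Entry]:
    """Files and folders that arrived around the same time as suspect_path."""
    entries = list(entries)
    suspect = next(e for e in entries if e.path == suspect_path)
    return [e for e in created_near(entries, suspect.created, window) if e.path != suspect_path]


def fmt(e: Entry) -> str:
    ts = datetime.fromtimestamp(e.created, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{ts}  {'DIR ' if e.is_dir else 'FILE'}  {e.path}"


# Constructed sample data (hypothetical paths and times), so the script runs offline.
SAMPLE_T = 1238800000.0
SUSPECT = r"C:\Windows\System32\suspect.dll"
SAMPLE = [
    Entry(r"C:\Users\me\Downloads\installer.exe", SAMPLE_T - 90, False),   # the download
    Entry(r"C:\Program Files\SomeTool", SAMPLE_T - 20, True),              # install folder
    Entry(r"C:\Program Files\SomeTool\tool.exe", SAMPLE_T - 15, False),
    Entry(SUSPECT, SAMPLE_T, False),                                       # the flagged file
    Entry(r"C:\Users\me\Documents\notes.txt", SAMPLE_T - 86400, False),    # a day earlier
    Entry(r"C:\Windows\Temp\unrelated.tmp", SAMPLE_T + 3600, False),       # an hour later
]


if __name__ == "__main__":
    # usage: python find_origin.py <root> <suspect_file> [window_seconds]
    if len(sys.argv) >= 3:
        window = float(sys.argv[3]) if len(sys.argv) > 3 else 300.0
        entries, suspect = collect(sys.argv[1]), os.path.abspath(sys.argv[2])
    else:
        entries, suspect, window = SAMPLE, SUSPECT, 300.0
    for e in siblings_of(entries, suspect, window):
        print(fmt(e))
```

Run it with no arguments to see the constructed sample, or point it at a drive root and the flagged file to search a real system. Two caveats for anyone using the result as evidence: creation timestamps are ordinary file metadata and can be altered, so corroborate the burst with the installer's own log or a vendor listing such as the one quoted in the post; and on the registry question at the end of the post, each key carries a last-write timestamp but individual values do not, so a key's timestamp only tells you when something under it last changed.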