avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Friday July 1, 2022, 12:22 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - BillR [ switch to compact view ]

Pages: [1]
First, a quick thanks to BGM, Mouser, and many other authors who have created useful, or at least interesting, tools for us.

Systemus is a handy dandy system admin tool that BGM created for N.A.N.Y. 2020.  Systemus had problems with false positives from antivirus products.  Just out of curiosity, I ran Systemus through three meta-scanners, Jotti, VirusTotal, and MetaDefender, two days ago just to see what had changed.  The results did improve (fewer presumably FPs), but are far from perfect.

At the end of 2020, I submitted Systemus to a half-dozen-ish vendors, plus a few more later on.  Over the intervening couple of weeks, VirusTotal varied from 23 FPs initially, to 15 minimum, to 17.  BGM reported 23/69 for VT in his response.  I'm not sure why we had different totals, but I can imagine several possibilities (e.g., maybe BGM ran his PE Studio analysis a couple of weeks before his reply in the thread; or maybe he used .exe and I noted .zip, primarily); etc.).  FPs also decreased on Jotti (no details) and MetaDefender (8 to 5) during those few weeks.  Some other person also may have submitted FP requests during that few weeks or the intervening months.  (See end of https://www.donation....msg442731#msg442731 for my comment and BGM's response.)

As several developers noted in that Systemus thread (and many other threads), this can be frustrating: each antivirus false positive is going to discourage users from experimenting with the software, but getting each AV vendor to evaluate each iteration (or even periodic stable releases) is like playing whack-a-mole at the bottom of the deep end of the pool using your nondominant foot with one eye closed and with some moles stuck in the up position. (I'm look at you, Webroot, who didn't actually evaluate/act on Systemus even after I submitted it twice; and you, McAfee in several guises, who has lots of fiddly restrictions; and a few others who make submitting arduous -- only webform with odd fields, only via forum, only via installed AV(!), only by author (not a user), etc. -- or even impossible as far as I can tell).  A couple of reputation-based products aren't (or weren't a couple of years ago) willing to whitelist little known software even after their lab had reversed a FP in the main AV.  Some authors recommend other authors just ignore FPs as too much trouble.

For comparison, these are April 2022 results for Systemus using the same files from my download folder.  The dates here identify the last update to the engine/signatures.

.zip (1/14):
Fortinet Apr 8, 2022 W32/PossibleThreat

.zip (6/59 -- 59 excludes incompatible or nonreporting AVs):
AhnLab-V3    Malware/Win32.Generic.C3986407
Fortinet         W32/PossibleThreat
MaxSecure     Trojan.Malware.300983.susgen
McAfee          Artemis!A5AC6681733F
McAfee-GW-Edition  Artemis!Trojan
Panda           Trj/CI.A
.exe (run today -- 8/68 -- excludes 4 incompatible and 1 nonreporting engine)
Same FPs as above except:
(different) McAfee-GW-Edition  BehavesLike.Win32.Dropper.dh
(added) Palo Alto Networks
(added) Webroot  W32.Malware.Gen

.zip (0/35 but infected components flagged -- 35 includes 2 incompatible file type and 1 no result)
.exe (2/35 -- includes 1 no result)
Malware/Win32.Generic   AhnLab   Apr 9, 2022
Malware   Webroot SMD   Apr 8, 202
.dll (1/35 -- includes 1 no result)
Malware   Webroot SMD   Apr 8, 2022

I have no idea how much of the difference from two years ago may be due to FPs being fixed (either proactively or because someone submitted a request), or due to improved engines, or due to pruning because the miniscule installed base is no longer considered relevant (perhaps partially due to user whitelisting).

Note that due to different settings or other differences, "AhnLab" and "McAfee" reported "No Threat Detected" on MetaDefender while alerting on VT.  This is not the first time I've noted a few differences between results for the same engine between these (and other) meta-scanning platforms. VT has a statement somewhere that mentions various reasons VT results may vary from the same vendor's installed product and/or web scanner.  Some of these reasons (plus others) also apply between meta-AV platforms.

My personal impression is that, for the same vendor, VT tends to have more hits (almost always FPs for me) than MetaDefender and Jotti, but I have seen the reverse.

A couple of tools I used to automatically submit likely FPs to selected multiple sites via email were discontinued many years ago.  I saw a few attempts to create something similar, but those weren't maintained (but I haven't looked recently).  TechSupportAlert had a great list but it is not as useful anymore -- especially for FPs.  MetaDefender's knowledge base has an updated list for its vendors (usually email, sometimes web or other) but doesn't explain the restrictions (i.e., address but not content or formatting restrictions).  If jotti or VT has a similar list, I've missed it.  VT really needs a list as some of their vendors/engines are obscure to this English speaker who only dabbles in security occasionally.

N.A.N.Y. 2020 / Re: Systemus
« on: December 14, 2020, 05:53 AM »
I submitted Systemus to roughly a half dozen vendors for evaluation (e.g., Microsoft, F-Secure, and G DATA) over two weeks ago.  Approximately -9 +1, then +2 (23 to 15 to 17) on VirusTotal.  -3 (8 to 5) on MetaDefender (BitDefender, Emsisoft, and Avira -- but not on VT despite a "clean" email response; perhaps because VT explicitly uses the no cloud Avira version versus unspecified versions elsewhere).  On MetaDefender only one AV flags the .zip itself however the automaticallys extracted .exe is also still flagged by four more.  Jotti's count decreased as well, although I don't remember the exact original count. 

Webroot never responded with an analysis (and still objects) despite two email responses. 
Microsoft's email says Systemus is clean but installed Windows Defender still objects (despite clearing the cache as requested; so maybe after a reboot), however the VT Defender now passes Systemus.

Announce Your Software/Service/Product / Re: SunsetScreen v1.0
« on: September 08, 2016, 12:28 PM »
Summary - v1.25 tested via 3 online meta-AV scanners.  Avira CHANGED from positive to negative, :Thmbsup:  a very positive sign
ClamAV  was split 1 positive, 2 not.  4 other AVs positive.  50+ others null/negative.

A quick update on presumed false positives on SunsetScreen v1.25 released in August 2016, an ever better SunsetScreen.
VirusScan by Jotti
1/19 positive (as of Tues., Sept 8 )
ClamAV     Sep 6, 2016      PUA.Win.Packer.SetupExeSection-1   [true of many utility downloads]
VirusTotal by Google
2/57 positive (as of Tues., Sept 8 )
Invincea          virus.win32.parite.c                20160830
Rising             Malware.Heuristic!ET (rdm+)   20160906
but note:
ClamAV             [null/negative]                     20160906
Avira (no cloud) [null/negative]                     20160906
Metadefender [formerly Metascan-Online] by OPSWAT
3/42 positive (but 5 updating/not available so really 3/37)
(as of Friday, Sept. 2 )
Avira           2219 ms      Sep 02 2016 (4 days ago)         ADWARE/InstallRex.Gen 
Filseclab      8282 ms      Sep 02 2016 (4 days ago)         W32.InstalleRex.L.crhx 
TotalDefense   16 ms      Sep 01 2016 (5 days ago)         Win32/Tnega.JOBKNaC 
but note:
ClamAV       2391 ms      Sep 02 2016 (4 days ago)         [null/negative]
2/42 (all engines reporting)
(as of Thursday, Sept. 8 )
Filseclab and TotalDefense remain positive but
Avira is now null/negative, as are the missing 5 engines from last week.
Slight differences in results for the same vendor between different online scanners and especially with installed AV products is to be expected (as all three sites say). 
My personal observation is that ClamAV packer warnings are almost pointless while Filseclab and TotalDefense are prone to false positives.  Rising was based on heuristic analysis.

UPDATE - Fixed "Sept. 8)" versus "Sept. 8 )"

Sorry I did not make that clear.  The only problem is with scrolling but I have not tested extensively.  @Ath, something along the lines of your guess sounds logical to me, but at a more subtle level as a few other simple snapshots have worked.

Anyone else with conflict between HitmanPro.Alert and Screenshot Captor Scrolling Window?
Suggestion for resolution?  Perhaps exclude a different/additional process in HMPA?

I posted the following excerpt yesterday.  (Issue 2 regards LastPass and HMPA encryption conflict.)


Has anyone else encountered conflicts between:
Screenshot Captor and HitmanPro.Alert?

Issue 1: Screenshot Captor (just snipping via scrolling window feature) by DonationCoder and HitmanPro.Alert conflict. I have to stop Screenshot Captor in order to cancel the .Alert warning (canceling many more times might work eventually). Excluding the main process via Exploit Mitigation was not sufficient. (Win7, multiple browsers, .Alert all features except encryption)

To reproduce, install SC trial and show Quick Capture Bar; with browser open to a page that scrolls, click on scrolling window button; loop the error message a few times; cancel snipping request via the tray icon.

Announce Your Software/Service/Product / Re: SunsetScreen v1.0
« on: November 30, 2015, 07:21 PM »
Mouser's ScreenshotCaptor just ran afoul of hitmanPro.Alert (paid version).
Just lost the long post with details. :'(

hitmanPro.Alert encryption also breaks LastPass intermittently. 
I think I tested current install version from your site.

If memory serves:
old v100 - old vt (7 months ago) yes
old v100 - today vt more (but completely different than above??)
old v100 - today jotti ClamAV
old v100 - today MO yes  (note, always check top and bottom of list at MO)
old v100 - today herdProtect 1 Reason Heuristic, but I suspect I will see 5 or 6 next time I run it.  hP has to upload new files and then analyze them.

Don't know if you are familiar with each one of these but VirusTotal, jotti, and Metascan-Online each has an easy to use web interface that supports drag-n-drop or select file name. 

For herdProtect, see the Reason Core Security site and go to Reason Labs menu item to check most recent results via hash to see the Reason Labs analysis (but not others??).  I don't know of a way to submit an individual file for analysis.  herdProtect is the predecessor to Reason Core Security.

Update -- Clarify wording; no substantive changes.
Update -- I would have lost the bet: hP results for v100 remain at 1: Reason Heuristic.

Announce Your Software/Service/Product / Re: SunsetScreen v1.0
« on: November 30, 2015, 07:40 AM »
:huh: Metascan-online: 
Filseclab Nov 25 2015  W32.InstalleRex.L.crhx  
TotalDefense Nov 29 2015 Win32/Tnega.JOBKNaC  
Zillya! Nov 29 2015 Backdoor.Poison.Win32.72429   

:-\ VirusTotal (a growing list): 
Panda  PUP/TSULoader  20151129 
Rising  PE:PUF.InstallRex!1.9E4C [F]  20151129 
TotalDefense  Win32/Tnega.JOBKNaC  20151130 
Zillya  Backdoor.Poison.Win32.72429  20151130 

;) Jotti: 
ClamAV PUA.Win32.Packer.SetupExeSection  [but then what isn't]

:o herdProtect [suspicious/Artemis/Tnega/...]: 
McAfee Web Gateway
Reason Heuristics
Total Defense
Trend Micro House Call
Reason Heuristics (2nd)
I may have missed a few as several engines weren't available.
  Presumed FP? (although anything "screensaver-ish" may be classified a PUP/PUA by definition -- albeit a sloppy one).

Two best lists I've found:
Those of you who actually author software and trip over this frequently may be able to suggest better resources.

So a quick summary:
  • WebSense corrected its rating. 
  • rgdot documented FP process:
    suggest that Websense researchers reevaluate a categorization by e-mailing [email protected]
  • N.A.N.Y. Challenge 2014 idea suggested: website oriented VT auto-submission tool.  (I originally wrote "2104".  I hope for a much better solution by then but don't expect to see it personally.)  Or maybe this already exists?
  • This challenge to Mouser's equanimity has passed.  :D

Has anyone found a way to report a false positive to these Websense jokers?  It never ceases to amaze me how these security services have no problem classifying things as malware for no reason and then make it almost impossible to contact them to have it corrected.

I've found reporting any reputation/blacklist false positives quite painful.   :(  In some cases I can't request a review unless I'm registered but registration requires a non-hotmail/gmail/... and non-mailinator/... account and a business phone and review/approval by the marketing(?) dept. OR purchasing the software.  In another, I had to resort to private correspondence with the contractor supporting the blacklist site (found his email from a different project years ago) because my email address was improperly treated as blacklisted on the registration page (a configuration/programming error triggered a review) and of course I couldn't use the website contact admin form to report a problem because I was under review.

Mouser and other authors, if you don't already, you might try submitting any published program version to the three AV meta-scan sites VirusTotal,, and Metascan-Online just to see if there is a problem and to get the (slow?!) review process started.  Between them they cover at least 25 *nix and MS Windows-based antimalware engines plus another three dozen Windows-based engines (although many primarily use signatures from one of the same few sources like BitDefender).  Most of these are primarily/just signature oriented.  Won't guarantee AV-conflict-free installations with actual installed antimalware products but I assume it should help.  

Mouser or others may disabuse me of the efficacy of this idea, of course. For example the new freeware-ish version of XYplorer (a great file manager) is still listed as malware by four engines a couple of weeks later.

The best summary of how to report file false positives that I know about is by Chiron on TechSupportAlert (please chime in if you know of other good ones, especially any that automate reporting!):


towards the top of the page -- under "Classification" there's a link "suggest different classification".
Yes, tried that.  Don't expect it to work since I think the real problem is the evaluation of the file.  Of Jotti (~25 engines), VirusTotal (48), and Metascan-Online (40) only Antiy flags FARR. (Antiy FP review already requested.)

BTW, URLvoid also passes DC site as a whole.

Random Idea - Maybe a simple way to submit every(?) page of a site to VirusTotal for evaluation?  Several tools will list all links and build a tree and VT has a simple API so I guess this would be primarily a script (with a 16 second delay between submits) and some parsing of the results to build a simple report.
I've also noticed that and will return different results in VT even when one redirects to the other.

Websense (Directly and via VirusTotal) - DonationCoder is Malicious   :o




Requested reclassification as productivity software because:

FARR - Program launcher for MS Windows.
Other software is also available on, much of it productivity related such as ScreenshotCaptor (enhanced print/capture screen) and JottiQ (MS Windows Explorer context menu extension to submit files to -- security productivity).

File detected:   FindAndRunRobotSetup.exe
File threat classification:   Malicious
The Websense ThreatSeeker Intelligence Cloud is now reclassifying this URL due to the malicious file it drops. If you suspect someone from your organization went to this URL, inspect their machines for possible malware infection. The assessment overview below does not include the results of this file analysis.
Scroll to the bottom to see FARR.exe analysis

Screenshot Captor / Re: Bug - Wrong Description
« on: November 17, 2013, 02:41 PM »
"I'm not sure I'm following exactly."  
Sorry, I wrote the comment in a hurry.  The problem is that the description sometimes includes (as best I can tell) inaccurate information.  Citrix may be significant but for the purposes of illustration just consider it "Site 1" and Ixquick "Site 2" and DuckDuckGo "Site 3".  Sometimes the description combines Window A / Site 1 with Window B / Site 2.

In the last example the captured window has one tab only.  The last line is accurate (logged out of Citrix) but the line above appears to refer to a different window (and IIRC probably a different session) with a tab that is displaying Ixquick.

Similarly, in the first example, that window has exactly two tabs (Ixquick displayed, DDG not) but the screen capture description references Citrix (the only tab in a different window).

In both cases I used the active window button from the Quick Capture Bar.  Setup is Vista and IE9.

Is it possible that I pressed a different button and that affected the description?
Yes, this absolutely might be 100% user error!
 I'm quite sure for one of the problem cases that I used the active window button: I consciously thought about the need to capture only the active window and that I wanted the window with one tab; I slowed down and double checked, even hovering over the (correct) button to read the tip.  I'm not nearly as sure about the other case.

Thanks for investigating this.  I will try to create a clean test case (but not until midweek) where I am very careful about which button I use, whether a new session or window, documenting order of actions, etc.  Now that I know how to capture SC itself (main window, anyway), I'll partially document it that way.

Screenshot Captor - New Screenshot

Button Labels:
Save image and sh...
Save image but hid...

Field Labels:
...Overide filename:

Screenshot Captor / Re: How to Capture Screenshot Capture Itself?
« on: November 15, 2013, 03:15 PM »
Thanks for quick response!  Found it under Capture menu in main window.  Should have known you would include it somewhere.  Not easy to search for in the forum, though.

QUESTION: How to use it to capture the new screenshot pop-up?  I can capture main window but not the one to illustrate the bug.  I'll poke around some more in a few minutes.  I'm documenting a bug in another program (hence installed SC again earlier).

Screenshot Captor / How to Capture Screenshot Capture Itself?
« on: November 15, 2013, 02:04 PM »
How does one use Screenshot Capture to capture screenshots of itself (e.g., those in documentation)?  Or does one just use a different tool?

Apologies if this has been answered before and my clumsy self-referential search in the SC forum failed to find it.

Screenshot Captor / Bug - Wrong Description
« on: November 15, 2013, 01:53 PM »
This is the description for the IE9 window and tab ("Start new topic ..."; other tab is "Screenshot Captor - Software - Donation Coder") that I am writing in now resulting from Grab Active Window:

11/15/2013 , 2:26:53 PM
https://citrixeast.a...auth/loggedout.aspx?           <=====  ?????
Start new topic - - Windows Internet Explorer

But the only citrix tab open refers to a different window (different session?) which is minimized to the taskbar.

I don't have this problem if I open a new session (from "Start new topic ...") with two tabs ( and
11/15/2013 , 2:40:43 PM
Ixquick Search Engine - Windows Internet Explorer

or new window (from ("Start ...") with two tabs:
11/15/2013 , 2:41:27 PM
Ixquick Search Engine - Windows Internet Explorer

or new window from the citix window:
11/15/2013 , 2:43:33 PM
Google - Windows Internet Explorer

But the citrix window/tab itself (only tab!):
11/15/2013 , 2:46:59 PM                                                      <===== ?????
Citrix XenApp - Logged Off - Windows Internet Explorer

For this laptop I set default DPI scaling to large in Vista.  I think this causes the text on the buttons to overflow.   Re-sizing the pop-up with some application implementations/settings sometimes allows more text to display but not here.

One possible quick solution might be to enable hover display.   

I only use SC a few times a year so I don't have the icons/button-positions memorized.

Pages: [1]