topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday December 12, 2024, 4:37 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Trojan with fSekrit filename -false positive  (Read 9765 times)

insertnamehere

  • Participant
  • Joined in 2009
  • *
  • default avatar
  • Posts: 5
    • View Profile
    • Donate to Member
Trojan with fSekrit filename -false positive
« on: October 28, 2009, 05:47 PM »
Hello, I stumbled across this forum from the donationcoder.com download page for fSekrit so this is my first post. I searched around for answers on my question but couldn't come up with much.

I've been using fSekrit 1.35 for a couple years now and have never had any issues other than one incident of corrupted files (hard drive crash unrelated to the software). It's been a great program to store information. Just today I updated my Spybot Search & Destroy definitions and ran a scan. I've done this many times in the past and come up with nothing but today I got a warning below about a trojan. I clicked to fix the problem and it did so but when I scanned again it picked up the same virus but the last 4 characters in the filename changed. AVG free didn't pick it up. After cleaning with Spybot, the file does not reappear until an instance of fSekrit is run.

http://img442.imageshack.us/img442/2779/fsekrit.jpg
Trojan with fSekrit filename -false positive


Any ides on this? I'm thinking that it's either a false positive (but I'd like to verify that that temp file is supposed to be created), an infection unrelated to fSekrit or something that has come in and is working off my current fSekrit files.

When I run the application under Sandboxie it shows that it creates that temp file. This leads me to think that it's a false positive but I want to make sure it's not a security issue.

http://img264.imageshack.us/img264/9145/sandboxiefsekrit.jpg
Trojan with fSekrit filename -false positive


Thanks,
Mike

edit by jgpaiva: added '-false positive' to thread name
« Last Edit: October 29, 2009, 12:09 PM by jgpaiva »

f0dder

  • Moderator
  • Joined in 2005
  • *****
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Trojan with fSekrit filename
« Reply #1 on: October 29, 2009, 03:47 AM »
Thanks for the report! - when I saw the topic title, I was afraid that some 3rd party was up to no good, but location and filename matches the expected behavior of fSekrit - so this is probably a case of false positive / oversensitive HIPS. You can try copying the temp file and comparing it byte-by-byte to fSekrit.exe from the distribution zip file, they should be identical.

Also, could I get you to try out the latest beta? The save routines have been improved reliability wise, which also happened to kill off warnings from Threathfire :)

- carpe noctem

insertnamehere

  • Participant
  • Joined in 2009
  • *
  • default avatar
  • Posts: 5
    • View Profile
    • Donate to Member
Re: Trojan with fSekrit filename
« Reply #2 on: October 29, 2009, 12:06 PM »
Great, thanks for the quick response f0dder! I hope the posts can help anyone else that may be in the same situation. I did a byte-by-byte comparison and it came out clean. The software I used ("Binary Comparison of Files 3.0" by AX Systems) is new to me and I'm not sure of it's reliability. I just searched around for something that would do a binary comparison and the 30 day trial version came up  :P .

I saw the beta and plan on trying it out. I'll let you know if I find any new bugs. I'm curious if Spybot will report the same behavior with the new version. Thanks again for the great software.  :Thmbsup:

Is it possible to add the text "-false positive" to the thread title?
   edit: thank you  ;D

Another edit -> This has since been corrected by the latest updates for Spybot.
« Last Edit: November 04, 2009, 02:50 PM by insertnamehere »