Trojan with fSekrit filename -false positive

insertnamehere:
Hello, I stumbled across this forum from the donationcoder.com download page for fSekrit so this is my first post. I searched around for answers on my question but couldn't come up with much.

I've been using fSekrit 1.35 for a couple years now and have never had any issues other than one incident of corrupted files (hard drive crash unrelated to the software). It's been a great program to store information. Just today I updated my Spybot Search & Destroy definitions and ran a scan. I've done this many times in the past and come up with nothing but today I got a warning below about a trojan. I clicked to fix the problem and it did so but when I scanned again it picked up the same virus but the last 4 characters in the filename changed. AVG free didn't pick it up. After cleaning with Spybot, the file does not reappear until an instance of fSekrit is run.

Any ideas on this? I'm thinking that it's either a false positive (but I'd like to verify that that temp file is supposed to be created), an infection unrelated to fSekrit or something that has come in and is working off my current fSekrit files.

When I run the application under Sandboxie it shows that it creates that temp file. This leads me to think that it's a false positive but I want to make sure it's not a security issue.

Thanks,
Mike

edit by jgpaiva: added '-false positive' to thread name

f0dder:
Thanks for the report! - when I saw the topic title, I was afraid that some 3rd party was up to no good, but location and filename matches the expected behavior of fSekrit - so this is probably a case of false positive / oversensitive HIPS. You can try copying the temp file and comparing it byte-by-byte to fSekrit.exe from the distribution zip file, they should be identical.

Also, could I get you to try out the latest beta? The save routines have been improved reliability-wise, which also happened to kill off warnings from ThreatFire :)

insertnamehere:
Great, thanks for the quick response f0dder! I hope the posts can help anyone else that may be in the same situation. I did a byte-by-byte comparison and it came out clean. The software I used ("Binary Comparison of Files 3.0" by AX Systems) is new to me and I'm not sure of its reliability. I just searched around for something that would do a binary comparison and the 30 day trial version came up :P.

I saw the beta and plan on trying it out. I'll let you know if I find any new bugs. I'm curious if Spybot will report the same behavior with the new version. Thanks again for the great software.  :Thmbsup:

Is it possible to add the text "-false positive" to the thread title?
   edit: thank you  ;D

Another edit -> This has since been corrected by the latest updates for Spybot.
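
The byte-by-byte check f0dder suggests in the thread can be done without a third-party comparison tool. The following is an added example, not part of the original posts and not fSekrit's own code: it compares a copy of the flagged temp file with `fSekrit.exe` read directly from the distribution zip. The archive layout, the file paths and the sample bytes in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def first_diff(a: bytes, b: bytes):
    """Offset of the first differing byte, or None when the inputs are equal."""
    if a == b:
        return None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))  # one input is a prefix of the other

def verify_against_zip(temp_copy, dist_zip, member="fSekrit.exe"):
    """Compare a copy of the flagged temp file with the exe stored in the zip."""
    flagged = Path(temp_copy).read_bytes()
    with zipfile.ZipFile(dist_zip) as zf:
        # Assumption: exactly one entry has this base name (any folder, any case).
        hits = [n for n in zf.namelist()
                if n.rsplit("/", 1)[-1].lower() == member.lower()]
        if len(hits) != 1:
            raise ValueError(f"expected one {member} in archive, found {len(hits)}")
        reference = zf.read(hits[0])  # reading also verifies the entry's CRC-32
    return {
        "identical": flagged == reference,
        "first_diff": first_diff(flagged, reference),
        "sizes": (len(flagged), len(reference)),
        "sha256_flagged": hashlib.sha256(flagged).hexdigest(),
        "sha256_reference": hashlib.sha256(reference).hexdigest(),
    }

def demo():
    """Run the check on constructed stand-in files (not real fSekrit binaries)."""
    exe = b"MZ" + bytes(range(256)) * 4  # constructed sample bytes
    with tempfile.TemporaryDirectory() as d:
        zpath = Path(d, "dist.zip")
        with zipfile.ZipFile(zpath, "w") as zf:
            zf.writestr("fSekrit/fSekrit.exe", exe)
        good = Path(d, "temp_copy.bin")
        good.write_bytes(exe)
        bad = Path(d, "temp_copy_modified.bin")
        bad.write_bytes(exe[:100] + b"\x00" + exe[101:] + b"extra")
        return verify_against_zip(good, zpath), verify_against_zip(bad, zpath)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A match only shows that the temp file equals the reference, so the zip used for comparison should be a fresh download from the official page rather than a copy already on the affected machine.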
