
False Positive in a-squared Free?


13 replies to this topic

#1 Mattchu (Member, 30 posts)

Posted 04 February 2010 - 02:47 PM

Just doing a scan of another computer with a-squared Free on USB, and it picks up Trojan.Win32.SPY.110080.7!A2 in C:\Windows\$hf_mig$\KB956572\SP3QFE\services.exe

Now I've uploaded the file to Jotti and VirusTotal and it comes back as clean and seen before, so I'm pretty sure it's a False Positive.
I just can't seem to find where you submit FPs.

File: C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
Size: 110592 bytes
File Version: 5.1.2600.5755 (xpsp_sp3_qfe.090206-1316)
Modified: 06 February 2009, 11:06:24
MD5: 020CEAAEDC8EB655B6506B8C70D53BB6
SHA1: 6DA7935A38DBC2A02E85B012CE39215E34F4576F
CRC32: 2A1B5551

If anyone could be so kind as to confirm the above is correct: Windows XP SP3.
Many thanks, Mattchu


Apologies, just found out how to submit as FP; if anyone could confirm the same hash that would be great...

#2 Lynx (Forum Veteran, 2546 posts, Location: Australia)

Posted 04 February 2010 - 03:21 PM

Hi Mattchu, welcome to the forum

Yes, I can confirm the same hash, and the file was submitted from here as well.

My regards

XP Pro, SP3 (32-bit); EAM Full Suite v8.1.0.19(beta) ; Firewall: Comodo 3.14 FW only! (Defense+ HIPS)
Win 7 Home Premium x64, SP1; Firewall: Comodo 3.14 FW only! (Defense+ HIPS); EAM Full Suite v8.1.0.19(beta)


#3 Mattchu (Member, 30 posts)

Posted 04 February 2010 - 06:35 PM

Cheers S....Lynx ;)

Mattchu (_R)

#4 XIII (Forum Regular, Tester, 248 posts; OS: Windows 7 x64; AV: Emsisoft Anti-Malware; HIPS: Online Armor Premium; Other: EMET, MBAM Pro, HitmanPro.Alert, HitmanPro, Zemana Antilogger Free)

Posted 04 February 2010 - 07:34 PM

Here as well with A2 Anti-Malware 4.5 (non-free) (still scanning, will submit later)

Nasty False Positive?!

But for me in C:\WINDOWS\System32

I guess I better not delete that?!

#5 Lynx (Forum Veteran, 2546 posts, Location: Australia)

Posted 05 February 2010 - 01:24 AM

... But for me in C:\WINDOWS\System32 I guess I better not delete that?!

Better not.

Good morning, Guys.

There are 6 instances of the said file here (attached).
The file in \system32\ is not flagged.
That's why it's always important to state the OS in use, since there could indeed be differences related to that.

In addition to submitting from the detection list I submitted by e-mail. Probably you can do the same.

My regards

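The two checks the thread relies on, hashing the flagged file and comparing with what Jotti/VirusTotal saw (post #1), and locating every copy of services.exe on the disk to see which one is really flagged (post #5), can be scripted. What follows is an added example, not code from the thread or from Emsisoft: it computes MD5/SHA1/CRC32 in the same upper-case format as the report above, compares them against expected values, walks a directory tree for every file with a given name, and sorts the copies by whether their MD5 is on a known-good list. The directory tree, file contents and `KNOWN_GOOD` list are constructed placeholders built by the script itself (no real Windows binaries, no Microsoft hashes); point it at a real drive and a real allow-list to use it for a report.

```python
import hashlib
import os
import sys
import tempfile
import zlib


def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and CRC32 of `data`, upper-case hex as in the forum report."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "CRC32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
    }


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Compare computed hashes with `expected` ({algo: hex}, case-insensitive).

    Returns {algo: (expected, actual)} for every mismatch; an empty dict means
    all supplied hashes matched, i.e. these bytes are the file the others saw.
    """
    actual = file_hashes(data)
    mismatches = {}
    for algo, want in expected.items():
        key = algo.upper()
        if key not in actual:
            raise ValueError(f"unsupported hash algorithm: {algo}")
        want = want.strip().upper()
        if actual[key] != want:
            mismatches[key] = (want, actual[key])
    return mismatches


def find_copies(root: str, name: str) -> list:
    """Every file under `root` named `name` (case-insensitive) as (path, size, hashes)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    data = fh.read()
                found.append((path, len(data), file_hashes(data)))
    return sorted(found)


def classify_copies(root: str, name: str, known_good: dict) -> dict:
    """Split copies into ones whose MD5 is in `known_good` ({md5: label}) and the rest.

    On XP the same binary name legitimately sits in system32, in $hf_mig$ (QFE
    branch) and in $NtUninstallKBnnnnnn$ (pre-update copy); each copy is judged
    by its own hash, never by the file name alone.
    """
    result = {"known": [], "unknown": []}
    for path, _size, hashes in find_copies(root, name):
        md5 = hashes["MD5"]
        if md5 in known_good:
            result["known"].append((path, known_good[md5]))
        else:
            result["unknown"].append((path, md5))
    return result


def build_sample_tree() -> str:
    """Constructed stand-in for a Windows tree; contents are placeholders, not binaries."""
    root = tempfile.mkdtemp(prefix="fp_demo_")
    layout = {
        r"WINDOWS\system32\services.exe": b"gdr-build-placeholder",
        r"WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe": b"qfe-build-placeholder",
        r"WINDOWS\$NtUninstallKB956572$\services.exe": b"pre-update-placeholder",
        r"WINDOWS\system32\svchost.exe": b"unrelated",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


# Assumed sample allow-list (md5 -> label). A real one comes from a known-clean
# reference install or vendor-published hashes, not from this script.
KNOWN_GOOD = {
    file_hashes(b"gdr-build-placeholder")["MD5"]: "xpsp_sp3_gdr (placeholder)",
    file_hashes(b"qfe-build-placeholder")["MD5"]: "xpsp_sp3_qfe (placeholder)",
}


def report(root: str, name: str, known_good: dict) -> str:
    """Text report in the layout of the thread's first post, one block per copy."""
    labels = dict(classify_copies(root, name, known_good)["known"])
    lines = []
    for path, size, hashes in find_copies(root, name):
        lines += [f"File: {path}", f"Size: {size} bytes"]
        lines += [f"{algo}: {val}" for algo, val in hashes.items()]
        lines.append(f"Status: {labels.get(path, 'not on known-good list, submit for analysis')}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python fp_check.py [root] [filename]; defaults to the constructed sample tree
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    name = sys.argv[2] if len(sys.argv) > 2 else "services.exe"
    print(report(root, name, KNOWN_GOOD))
```

Two caveats a practitioner would add. First, a clean VirusTotal verdict for one hash says nothing about a different copy: hash the exact path the scanner flagged, which is what `find_copies` makes explicit. Second, MD5 and CRC32 are kept only because that is the format scanners and this thread use for identification; for anything where an attacker could choose the bytes (MD5 collisions are practical), report SHA-256 alongside.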


#6 Lynx (Forum Veteran, 2546 posts, Location: Australia)

Posted 05 February 2010 - 06:11 AM

Hi Guys,

That was fixed ~3-4 hours after the e-mail submission.

Cheers!



#7 Mattchu (Member, 30 posts)

Posted 05 February 2010 - 12:38 PM

Hi Guys,

That was fixed ~3-4 hours after the e-mail submission.

Cheers!


Champion, Lynx, glad it's sorted :)

Was it just the one mentioned being reported on your system? (out of the 6)

KB956572 was a Microsoft update from April 2009. I'm wondering if your services.exe in the system32 folder hasn't been updated due to another KBxxxxxx fix, XIII; have you done recent XP updates?

Just a thought; can't see why it triggered on the system32 version on your comp. You wouldn't want to quarantine/delete that :P

Cheers...

#8 Lynx (Forum Veteran, 2546 posts, Location: Australia)

Posted 05 February 2010 - 01:04 PM

Was it just the one mentioned being reported on your system? (out of the 6)

Hi Mattchu,

Sure, only the one mentioned was flagged. I highlighted that one and mentioned that on XP (here) the file in \system32\ wasn't flagged.

KB956572 was a Microsoft update from April 2009. I'm wondering if your services.exe in the system32 folder hasn't been updated due to another KBxxxxxx fix, XIII; have you done recent XP updates?

There is no way I don't have recent MS updates.

Just a thought; can't see why it triggered on the system32 version on your comp. You wouldn't want to quarantine/delete that :P

It was triggered on a system I don't know about, since XIII hasn't stated the system.
If it was flagged by any security here... no way that "I would want to" do that... I would be thinking very hard :P

Cheers!



#9 XIII (Forum Regular, Tester, 248 posts; OS: Windows 7 x64; AV: Emsisoft Anti-Malware; HIPS: Online Armor Premium; Other: EMET, MBAM Pro, HitmanPro.Alert, HitmanPro, Zemana Antilogger Free)

Posted 05 February 2010 - 05:33 PM

It was triggered on a system I don't know about, since XIII hasn't stated the system.

Windows XP Professional 32-bit with SP3, completely up to date.

I might have fewer entries because somewhere in 2009 I did a clean install using the OnePiece update pack from Ryan VM's site with nLite... (so fewer KB folders/files on my system).

But do I understand you correctly: are you saying that my services.exe is not up to date?

That would be worth some additional investigation (by me)!

#10 Lynx (Forum Veteran, 2546 posts, Location: Australia)

Posted 05 February 2010 - 11:20 PM

Hi XIII,

Thanks for the reply and for clarifying.

The version here in \system32\ is 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234).

My regards



#11 davidecosta (New Member, 2 posts)

Posted 26 February 2011 - 12:19 PM

Is it possible to fix the false positive on SARDU?

In SARDU_1 I have a collection of tools; Emsisoft sees this file as
Exploit.Win32.IMG-WMF!IK. This is a false positive:

Emsisoft 5.1.0.2 2011.02.25 Exploit.Win32.IMG-WMF!IK


Can you fix this?
Thanks and kind regards

#12 Ray (Anti-Malware Geek, Tester, 147 posts)

Posted 26 February 2011 - 02:45 PM

Hi davidecosta,

Please read this post: http://support.emsis...s-for-analysis/

Windows 7 Ultimate X86
Intel Core Duo T6570
NVDIA GeForce 9300 GS
2G DDR2
320G HDD

Sandboxie+Comodo pure firewall

#13 davidecosta (New Member, 2 posts)

Posted 26 February 2011 - 08:57 PM

Hi davidecosta,

Please read this post: http://support.emsis...s-for-analysis/



Thanks, I sent an email; I found the false positive on virustotal.com

#14 Ray (Anti-Malware Geek, Tester, 147 posts)

Posted 01 March 2011 - 08:29 AM

@davidecosta

I noticed the false positive has been fixed with the latest signature update today.

Cheers!