
I recently ran a complete scan with A-squared free. It came up with over a hundred problems. Nearly all were in the downloads that were in my DL folder, and I know there is no malware in the download file.

There must be something in the exe type applications and the part of the download that does the downloading that A-Squared sees as a risk or trojan downloader.

It also does not like Weatherbug.

FWIW I have run complete scans with MBAM, SAS, Avira, F-Secure, and KIS 2010 without those warnings. It is obvious to me that they are FP, and I am not sure if a-squared is worth the trouble compared to the other applications mentioned.

Thanks.

Regards,

Jerry


Hi Jerry,

You did not provide any information.

That was just a statement and unfortunately nothing can be done and advised based on that.

If you are suspecting FPs, then submit items from the detection list to EMSI developers for analysis.

Otherwise please provide information about your System Environment as it was suggested in your previous request.

You can attach the report so developers can see the items flagged or you can visit "Malware Removal help" section. The procedure was given in the referred thread as well

My regards


That's the reason I had to abort using A-Squared, it's just way too paranoid.

I finally decided that it was enough when I visited www.unibet.com and a popup alert came up with a warning that the site is known for malware distribution or something (and that site is for sport bets, nothing even remotely close). I mean, how can I trust this software when there is an alert for something that I don't know is true or not, like in this case? Then I started to think, when I received those alerts, that it's probably an FP, and then an idea came to my mind... why then do I need this software?

I tried to avoid some of the problems by using exceptions but that is not possible either (by file path not malware name)

And I just can't understand why Ikarus engine is used, option to disable it would be great too.


WOT information about unibet.com:

http://www.mywot.com/en/scorecard/www.unibet.com

A2 surf protection is based on hphosts list so this is why unibet.com is blocked. Hphosts list blocks many harmless websites just because they contain links to potentially or really dangerous files (torrent search engines) or sites. But you can disable SP completely if you think it's useless.

There should be option to disable Ikarus.


That was just one of examples. It would take long time to give every example.

I started with disabling SP and ended up with disabling pretty much everything.

That's the problem.

But ok, I don't want to give this program a hard time, that is not my intention, I wish it could be better and it can, just need some basic options for start, like exclusions and disabling Ikarus.


Listen, when threat is found option to exclude that file from future scanning is not possible, ok ?

So, scanner finds something and all I want is to say "OK, I know this file is good, leave me alone with that one in the future" , I don't want to exclude it via malware-name.


You're right, it's not possible to add filename to whitelist from scan report directly. But you can manage whitelist before another scan - choose directory with file you want to exclude and then finish item by typing filename (or exclude the whole directory). This is the way how a single file can be added to whitelist. It's not very comfortable way.


Hi Guys,

pabrate,

The initial poster was talking about possible FPs as a result of the scan.

You posted in this thread speaking about Surf Protection (SP) feature.

It would be better to create new request and / or search for the answers first.

There are requests and explanations about SP and unblocking in our old and this new forum.

honore de prozac pointed to the hpHosts file management as a part of the Software.

It is possible to disable SP as he suggested but that is not necessary.

You can just change the rules.

... when threat is found option to exclude that file from future scanning is not possible...

It is not clear what you mean by that, especially in the context of the Surf Protection request.

It is absolutely possible to whitelist the item either from the detection list or any other folder any other time independently from the scan.

As for disabling Ikarus engine, that question was asked on the early stages of its introduction.

The developers stated that it was not in the initial design and they have no plans to change that.

My regards

P.S. {added} While I was typing honore de prozac actually answered about whitelisting procedure

In addition you know about that and the changes that are coming with the new version as it was pointed by Fabian Wosar here


I know he was talking about scan FP's.

I only mentioned SP as a moment for final decision to stop using this software until improved version comes out.

Too bad about Ikarus as that engine is responsible for lots of FP's.

Yes I know that thread but honore said that exclusion is easy and it's not.

That's all.

Thank You all and I wish you best of luck.

...Yes I know that thread but honore said that exclusion is easy and it's not...

Thanks for reply.

Well he's right in terms of – it is easy and serves the purpose currently.

You are right in terms of - the whitelisting procedure should be improved and be more comprehensible for the user.

I am right too :P since I do support the above thought and I pointed that long ago: at least two things should be enhanced:

- the ability to add a single file or the list of files. Problem is - that is not always necessary to include the whole folder. In many cases there is no need for that. Moreover the file belonging to the Software in question may not even be in that folder.

The hypothetical example: you need to whitelist lame_enc.dll (presume it was flagged). The file itself is coming with many Software(s) . In most of the cases the file (its current version) is residing in the program base directory. Sometimes the said file will be substituted in the ...\system32\ directory. Basically, one may keep only one (current and the latest version) instance in \system32\ and mainly all Software involved will use that one. Should I whitelist whole \system32\?

The answer will be – scan \system32\ and whitelist from the detection list. That is still inconvenient

- another area for improvement is the editing part when in the whitelist... That is a bit weirdly implemented and may cause more than confusion.

See attached – What is that supposed to mean?

Well I am sure there will be changes and many improvements and new features will be introduced

Cheers!

P.S. Oh boy! I forgot the most important thing: Happy New Year! to all of ya, Guys.

Currently every reply should be ended like this :D


Here are entries from the scan log. I have already sent them to Support. Not sure there is enough info to help here.

Regards,

Jerry

Riskware.PSWTool.Win32.Messen.bh!IK

C:\Documents and Settings\XXXXX\Desktop\DL PROGRAMS\passrec.zip/mailpv.exe detected: Riskware.PSWTool.Win32.Messen!IK

C:\Documents and Settings\XXXX\Desktop\DL PROGRAMS\passrec.zip/netpass.exe detected: Riskware.Hacktool.NetPass!IK

C:\Documents and Settings\XXXX\Desktop\DL PROGRAMS\passrec.zip/astlog.exe detected: Riskware.PSWTool.Win32.Asterisk!IK

C:\Documents and Settings\XXXX\Desktop\DL PROGRAMS\passrec.zip/pspv.exe detected: Riskware.PSWTool.PassView!IK

C:\Documents and Settings\XXXX\Desktop\DL PROGRAMS\passrec.zip/rdpv.exe detected: Riskware.PSWTool.RDPassView!IK

C:\Documents and Settings\XXXX\Desktop\DL PROGRAMS\passrec.zip/iepv.exe detected: Riskware.PSWTool.Win32.NetPass!IK

C:\Documents and Settings\XXXX\Desktop\DL PROGRAMS\passrec.zip/PstPassword.exe detected: Riskware.PSWTool.Win32.WinPassViewer!IK

C:\Documents and Settings\XXXX\Desktop\DL PROGRAMS\passrec.zip/PasswordFox.exe detected: Riskware.PSWTool.Win32.NetPass!IK

C:\Documents and Settings\XXXX\Desktop\DL PROGRAMS\passrec.zip/ChromePass.exe detected: Riskware.PSWTool.Win32.NetPass!IK

C:\Documents and Settings\XXXX\Desktop\DL PROGRAMS\passrec.zip/WirelessKeyView.exe detected: Riskware.PSWTool.Win32.Messen!IK

C:\Documents and Settings\XXXX\Desktop\DL PROGRAMS\passrec.zip/VNCPassView.exe detected: Riskware.PSWTool.Win32.NetPass!IK

C:\Program Files\Bible\Rapi.dll detected: Riskware.PSWTool.Win32.OpenPass.h!A2

C:\Program Files\Unlocker\eBay_shortcuts_1016.exe detected: Adware.Win32.ADON!A2


Hi Jerry,

1st I hope that you submitted the files but not only the report.

Then, if all of those are belonging to Password Manager Software or alike as you can see it is flagged as a Riskware.

Password / registration key readers and so on are considered by many (most) of security as a risk or even bluntly malware, since the same code they contain can be used either for malicious reasons or legitimately.

Usually the detections like this will stay and will not be “fixed”, and the user needs to whitelist them if he/she considers those safe and trusted depending on the purpose of using the programs.

I have many programs from NirSoft, for example. They are flagged not only by a-squared. They all are whitelisted.

Definitely you will rescan after several updates after submitting, but if you have done that already and files are flagged after many updates that's actually the confirmation.

You can use submission by e-mail method if you want.

If that is indeed the Software as pointed above – such detection cannot be called False Positives “in the negative sense and meaning” of the term. Moreover they even should not be called "FP"s strictly speaking.

My regards

P.S. 1) Search the entries you posted (file names) and request the particular Software you are using. You will find flagging as "Password Stealer"; "potentially unsafe to use"; "Hacktool [symantec]"; or as simple as "Malicious Software".

2) Please next time attach the report or the excerpt if it contains more than 4-5 lines as per "Forum Posting Rules"

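A triage sketch for a scan log in the format posted above, added here as an example and not part of any post or of a-squared itself: it splits each line into file, archive member, category and engine tag, then separates Riskware entries (which the reply above says stay flagged and need whitelisting if trusted) from everything else. Reading `!IK` as the Ikarus engine and `!A2` as a-squared's own engine, and `/` as the archive-member separator, are assumptions.

```python
import re
from collections import Counter

# Four lines copied from the scan log posted in this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\XXXX\Desktop\DL PROGRAMS\passrec.zip/netpass.exe detected: Riskware.Hacktool.NetPass!IK
C:\Documents and Settings\XXXX\Desktop\DL PROGRAMS\passrec.zip/pspv.exe detected: Riskware.PSWTool.PassView!IK
C:\Program Files\Bible\Rapi.dll detected: Riskware.PSWTool.Win32.OpenPass.h!A2
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe detected: Adware.Win32.ADON!A2
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?) detected: (?P<name>[^!\s]+)(?:!(?P<tag>\w+))?$")

# Assumption: the suffix after "!" names the engine that raised the detection.
ENGINES = {"IK": "Ikarus", "A2": "a-squared"}
# Per the reply above: Riskware detections are not fixed as FPs; the user
# whitelists them if the tool is trusted. Anything else goes to the vendor.
POLICY_CATEGORIES = {"Riskware"}

def parse_line(line):
    """Return a dict for one 'path detected: name!TAG' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Windows paths use backslashes, so "/" is taken as the archive-member mark.
    container, _, member = m.group("path").partition("/")
    category, _, family = m.group("name").partition(".")
    policy = category in POLICY_CATEGORIES
    return {
        "file": container,
        "member": member or None,
        "category": category,
        "family": family,
        "engine": ENGINES.get(m.group("tag"), "unknown"),
        "action": "whitelist-if-trusted" if policy else "submit-sample",
    }

def triage(log_text):
    """Summarise a log: counts per engine/category and files per action."""
    hits = [h for h in map(parse_line, log_text.splitlines()) if h]
    files = lambda action: sorted({h["file"] for h in hits if h["action"] == action})
    return {
        "by_engine": Counter(h["engine"] for h in hits),
        "by_category": Counter(h["category"] for h in hits),
        "whitelist_candidates": files("whitelist-if-trusted"),
        "submit": files("submit-sample"),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Detections inside one archive collapse to a single whitelist candidate, so `passrec.zip` appears once however many members were flagged.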

Thanks for reply, Jerry

I edited your last post... "a bit" (the "Posting Rules" were mentioned) ;)

Cheers! and Happy New Year!


Thanks, Lynx.. I did not read the Posting Rules until I had made the post. Then I could not see how to edit and remove the quote.

I'm in the slow group. Maybe the very slow group. :)

Have a Happy New Year, and thanks again for the help.

Regards,

Jerry

... I could not see how to edit and remove the quote...

Jerry,

There is a big <<Add Reply>> button as the image in the Rules is showing.

Just scroll further down

What you are using is the <<Reply>> button as a part of controls belonging to the Input Box. But anyway even if you used that one you can either delete whole quote that is placed automatically into the Input Box

or

you can Edit the existing quote in case you want to reply to a certain part of it.

You can divide (cut it to pieces :) ), just don't forget heading and ending quote Tags

[quote name='Name']

and

[/quote]

respectively

Cheers!


@Lynx,

Thanks for your reply.

OK, I'm gonna give it another chance and I hope new version is coming soon :)

I just installed it and this time Action Center is not picking up A-Squared for virus and spyware protection (last time it was OK) . I'm using Windows 7 Ultimate 32bit

What are my options here ? Reinstall ?

tnx


I can't edit previous post so ... I solved that Action Center problem.

Had to reinstall few times, everything was fine and options were default, every guard turned on.

But the problem was there were no alerts and then I got confused :blink:

It seems that if there are leftovers in installation directory (Quarantine dir and two more files in root, can't remember names, one was dll, I think a2mor.dll ) then this above happens.

Or maybe not, I'm not sure, anyhow when I deleted whole A-Squared directory and then install it again , everything is fine now.

Or not...now I have no alerts , None !

And everything is turned ON.

I don't understand, this is weird :unsure:
