False Positives in antivirus-programs


98 replies to this topic

#16 Tech Blogger

Members

Posted 30 July 2010 - 09:37 AM

Anti-Adware Programs false detection of malicious websites:

I am using a freeware version of Ad-Aware. Some may not like it, some may use it. Generally, now most anti-virus programs also detect malware and adware when the software is running, however, I always liked the idea that Spybot would run a process that would reject changes to my registry if something tried to alter it without my knowledge. Ad-Aware does the same thing, but at the time did not.

I have Ad-Aware detecting sites it says are malicious. If I drop the page, not allowing access to it, I can come in the next day, and when I shut down my browser, I dump all cookies, not retaining much but bookmarks and history. I'm currently running Firefox 3.6.8, which doesn't work with many addons despite the idea that it has been reviewed by Mozilla.

I don't generally like beta software. I've had it install and not be removable without a lot of pain in the butt work, including messing with registry keys which I don't like to mess with unless I know which key I'm looking for via instructions somewhere, then I have no problem connecting to the exact same webpage. I have even had an addon that would detect when I was being redirected, and I could choose whether or not to allow it, and NoScript which works to a degree but often prevents sites from working even when you allow "all" the scripts. This is easily explainable in that a site could try to access a planted cookie, run a redirect, or trigger some javascript program it can use the programming in the cookie to get info it needs. Awful extreme mess to go through, but some people have nothing better to do.

Despite all that, Ad-Aware will reject a site one day, and I only update the thing maybe once every 2 or 3 days, so on occasion, nothing has changed, but it doesn't identify the site as malicious. I see no redirect, nor any script blocked unless it's Google, Google Analytics, etc... where corporate busy bodies annoy me.

I've ended up dumping NoScript and the redirect detector, between the two I couldn't get most sites to work despite allowing this and allowing that, so now it could refer me to a site that is malicious and Ad-Aware could detect such a risk, but so far nothing. However, sites I distinctly go to twice even if it's before my cookies are dumped will hit once and not hit again (ie - in the same browsing session). AVG is supposed to reject access to malicious sites and often when I access forums to get simple info, such as this one, it does not say they are malicious but Ad-Aware does. I get so annoyed I shut down Ad-Aware Live. I like the idea that Ad-Aware can detect sites, deny changes to the registry, and after updates, scan the machine, but I'm not convinced that it can always decipher between a page that is malicious and one that is not. Usually these detections go off of a list which is loaded during an update, but there must be the ability to decipher via attempts to access the computer via what would normally be considered malicious that can be detected by Ad-Aware - javascript alterations for example, but I have yet to see anything try to install a virus or adware that would make an attempt at changing any registry keys. Often times too, Ad-Aware only blocks a section of a page, such as something coming from a site on its list, but the rest of the page works, however, most of the time it blocks entire access to the forum. On more than one occasion, links have been deceptive and you never quite know where you'll end up, generally redirected to an ad, and amazingly, Ad-Aware has no idea what happened nor detect anything. Perhaps much of what Ad-Aware is picking up would only mess with IE. I don't know, but I don't use IE; because, it leaves the whole computer open. It is deeply integrated with Windows.

Spybot used to always lock up the computer with its registry change detector called tea something, but I could still get it to work most of the time, and it didn't break down enough to bother me. Since then, Ad-Aware surged ahead in popularity. Now most people no doubt consider the software unnecessary since anti-virus software normally will do the same thing. Ad-Aware is even sold in the same version as you can download for around $20 in Walmart without any extras. I wonder, is Spybot as good since it doesn't seem to be as popular, and does it continually annoy you by blocking simple forums without blocking their ads by referral? Ad-Aware (and Firefox and AVG) seem to allow any pop-up or pop-under to show up without triggering anything. I could find an addon to stop that I suppose. Are Spybot or Ad-Aware even necessary? Generally, if something is going to install where it shouldn't, AVG stops it. Then I scan and make sure it couldn't. I believe that what I am seeing is exactly what this forum here suggests. False positives. I've already seen a couple of registry entries left behind that my registry cleaner clearly identified; while they are not directing to any particular location, they are generally always left there after you uninstall a program and don't hurt anything. Thus, the registry cleaner at least admits it has identified something normal, but why identify it at all? It's normal, so why annoy me with it? Another false positive.

I get false positives from not just anti-virus software as you have claimed even McAfee does, but also anti-spyware/adware software, malicious viral (etc) sites, and even from registry cleaning software. Maybe this particular forum title should be: False Positives. Without specifying that you are only interested in anti-virus software. It would open up a whole new wing of discussion. A new forum topic might be in order, but in my opinion, this one will do just fine. Another new one could be: Windows Security Holes. Most of the time it's people like us that end up reporting them to Microsoft who doesn't do much until the next fix release. Might help to know how the attack is carried out in order to avoid it until they fix it.
Tech Blogger
This Is What Happens When You Spend Too Much Time On Your Computer =)

#17 Grinler (Lawrence Abrams)

Topic Starter, Admin

Posted 30 July 2010 - 09:53 AM

Have you reported this to mbam?

#18 Judicandus

Malware Response Team

Posted 30 July 2010 - 10:15 AM

Woot! I was looking for this thread :thumbsup:

AVG 8.5 and AVG 9.0 had a false positive problem with the DB release this afternoon, 30/07/2010 at 14h00 (Central European Time). The update was taken offline after 15 minutes, but some users did the update.

Condition: having AVG 8.5 or AVG 9.0 with a non-updated build (latest builds are 8.5.441 and 9.0.851) and having done the virus DB update between 14h00 and 14h15 (GMT+1) this afternoon.

The symptom: all executables on the computer are detected as Virus Corrupted.

Solution: update AVG to the latest build with the "Update now" button in AVG's user interface.

If the user restarted the computer and Windows doesn't start (the screen remains black), it's necessary to boot with the AVG Rescue CD and recover the Windows system files using the Vault function.

#19 Tech Blogger

Members

Posted 30 July 2010 - 11:15 AM

Grinler,

I must not be as competent as I wish I was, but after some research (and it didn't take much), I found Malwarebytes Anti-Malware software, which found a registry key entry that was not noted by Ad-Aware, yet Ad-Aware has obviously annoyed me at least some. I could not, however, locate in a simplified manner a place to report any of my concerns, unless perhaps you were responding to someone else. I can only guess and make conjecture. If you could, send me the email address, forum link, or link to the form, and I'll copy my post and stick it in where they can read it; because I'm generally a nice guy, even when I'm irritated by computers, which is quite often even though I used to make my living writing Oracle programs including admin, and I like to help people whenever I can despite my minimal knowledge, which I don't mind confessing. I honestly don't know how the average user without understanding computers, such as the senior citizens I used to teach at a center in Indiana, always seems to have no problem keeping their computers running while I am always having to fix something.

Judicandus,

I found your warning extremely helpful and truly appreciate it; however, when I run AVG, updates are done automatically, and I don't have to do anything. It updated about 8:30 this morning when I logged on; it tells me. I wonder why your software was not updating. I suppose you could have had a virus that prevented it from doing so, there is some way to disable auto-update that I've never bothered to look for nor care about, or you simply haven't been on the Internet for a while. Whatever the case, there must have been some reason that it wasn't updating automatically; that being the case, if you have moved something to the vault, see what it was. I do think AVG keeps logs of its scans, so you could look through those to find if there was an infection. I don't know where it keeps them, but I did look at the logs directory of the AVG program files folder and discovered it was empty. Then I checked the Computer Scanner link on the left-hand bar of the program and found a Scan History button at the bottom of the page, and it dawned on me. If you use CCleaner to clean your system once in a while, it is automatically set to wipe out anything that AVG would like to remember, so either move the files out of logs and then copy them back in, or don't use CCleaner, period.

#20 Grinler (Lawrence Abrams)

Topic Starter, Admin

Posted 30 July 2010 - 03:10 PM

Tech Blogger, if you register an account at their forums and post in this forum you should be all set. It's their false positive forum:

http://forums.malwarebytes.org/index.php?showforum=42

#21 Tech Blogger

Members

Posted 01 August 2010 - 07:55 AM

Grinler (or do you prefer your first name which you put in your signature),

Here's the post on the MBAM forum. Thanks for showing me where it was. It probably doesn't take a whizbang to find it, but sometimes I get tired of looking if it takes more than a second or two, and I can't think of the right query. Some days I'm just not on the ball:

http://forums.malwarebytes.org/index.php?showtopic=59135

I hope it helps you, but I doubt it; because, it really doesn't have much to do specifically with the software the forum is all about, but if I can help, I'm more than happy to comply.

Take Care :thumbsup:

#22 Grinler (Lawrence Abrams)

Topic Starter, Admin

Posted 01 August 2010 - 07:15 PM

Tech Blogger, I apologize. Been running around like a madman this week. When I asked if they reported it in the mbam forum, I meant it for chromebuster, who reported the mbam false positive. I didn't realize it was a different person responding to my question, and I should have directed the question at chromebuster.

I didn't mean for you to post your post at MBAM.

Sorry about that.

#23 Tech Blogger

Members

Posted 03 August 2010 - 10:26 AM

I kinda figured you might be talking to someone else, but I wasn't sure. Regardless, possibly MBAM can use the info for marketing or something. I would think it could be partially quoted or at least used to formulate a good marketing statement. Regardless, no harm done. It's a forum, so it is sometimes difficult to know who is talking to who. Thanks. Sorry if I put the post in the wrong place. If I did, could you move it where it is supposed to go and let me know where you would normally put it?

Thanks,

Tech Blogger (aka Mike)

#24 boopme

Global Moderator

Posted 24 August 2010 - 10:16 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/22/2010 at 03:46 PM

Application Version : 4.41.1000

Core Rules Database Version : 5391
Trace Rules Database Version: 3203

This is a False Positive

Security.HiJack[ImageFileExecutionOptions]
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE#Debugger

#25 Grinler (Lawrence Abrams)

Topic Starter, Admin

Posted 25 August 2010 - 02:28 PM

May not be. The value of the debugger may be a malware and they are just not showing it properly.
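What settles the question is the data stored in that Debugger value, which a scanner's one-line verdict hides. The following is an added example, not code from this thread, from SUPERAntiSpyware or from Malwarebytes: it parses a .reg export of the Image File Execution Options key and lists every Debugger value, flagging any that point outside the Windows directory. The export command in the docstring, the sample export and every path in it are constructed for illustration. The reason to read the value before deleting the key is that a Debugger entry under an image name makes Windows start the named program instead of that image (with the original command line appended), so on TASKMGR.EXE the path it names is the actual finding.

```python
r"""Audit Image File Execution Options (IFEO) "Debugger" values from a .reg export.

Added example for this thread; not a scanner's code. A Debugger value under the
IFEO subkey named after an image makes Windows launch that Debugger program (with
the original command line appended) instead of the image, every time it is started.

Assumed export step (elevated prompt); `reg export` normally writes UTF-16 with a BOM:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
"""
import re
from pathlib import PureWindowsPath

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# Constructed sample export, not taken from a real machine. The TASKMGR.EXE Debugger
# path is made up to look like a hijack; the notepad.exe entry mimics a legitimate
# just-in-time debugger registration, quoted with an argument.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE]
"Debugger"="C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"\s*$', re.IGNORECASE)


def _unescape(reg_string):
    """Undo .reg string escaping: a backslash escapes the character after it."""
    return re.sub(r"\\(.)", r"\1", reg_string)


def parse_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_command} for each direct IFEO subkey with a Debugger value."""
    result = {}
    image = None  # image name of the subkey we are currently inside, or None
    prefix = IFEO_KEY.lower() + "\\"
    for line in reg_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            rest = key[len(prefix):] if key.lower().startswith(prefix) else None
            # Only direct children (no further backslash) carry the Debugger value.
            image = rest if rest and "\\" not in rest else None
            continue
        m = _DEBUGGER_RE.match(line)
        if m and image is not None:
            result[image] = _unescape(m.group(1))
    return result


def debugger_executable(command):
    """Extract the program path from a Debugger command line (quoted, or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify_debugger(command, trusted_dirs=(r"C:\Windows",)):
    """Heuristic only: a Debugger outside the Windows directory is 'suspicious'.

    A Debugger inside C:\\Windows is not proof of legitimacy (malware drops files
    there too); it only means the entry deserves a look rather than an alarm.
    """
    exe = PureWindowsPath(debugger_executable(command))
    for trusted in trusted_dirs:
        if PureWindowsPath(trusted) in exe.parents:  # PureWindowsPath compares case-insensitively
            return "windows-dir"
    return "suspicious"


def audit_ifeo(reg_text):
    """Return [(image, debugger_command, verdict), ...] with suspicious entries first."""
    rows = [(img, cmd, classify_debugger(cmd))
            for img, cmd in parse_ifeo_debuggers(reg_text).items()]
    return sorted(rows, key=lambda r: (r[2] != "suspicious", r[0].lower()))


if __name__ == "__main__":
    for image, cmd, verdict in audit_ifeo(SAMPLE_REG):
        print(f"{verdict:12} {image:14} -> {cmd}")
```

To run it against a real export, pass `open("ifeo.reg", encoding="utf-16").read()` to `audit_ifeo` (the encoding is the usual one for `reg export` output; check the file if it fails to decode). The "windows-dir" verdict is deliberately weak: the point is to surface the path so it can be checked, not to declare the entry clean.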

#26 cosmic_sniper05

Members

Posted 19 May 2011 - 03:24 AM

I had an issue with regards to the detection of Avira on explorer.exe. I did some research on it and it seems that it's a FP. Well, actually, after taking Avira's recommended action for that, it caused instability on my system, which led me to a re-installation of my OS.

Kindly give further clarification regarding this. Thanks!



Edited by cosmic_sniper05, 19 May 2011 - 03:24 AM.

Let's have a mental fusion!
Let us do our part to make this world a truly symbiotic place.

For other computer problems, this blog might be helpful:
http://cosmicsniper.blogspot.com

#27 easyrider2

Members

Posted 24 June 2011 - 04:56 PM

Thank you for this post - it's always good to check false positives. I recently found them using Advanced System Protector.

#28 chromebuster

Members

Posted 24 June 2011 - 06:05 PM

Of course you'll find them using that! I think that's a rogue!

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#29 Gramps33

Members

Posted 03 August 2011 - 12:00 AM



False Positive MBAM Message IP-BLOCK 93.190.143.52 (Type: outgoing)

On July 27, 2011 I converted from Malwarebytes free version to its full trial period version. For almost a year I’ve been running AT&T’s Full Mcafee Security Suite with automatic updates, Panda Cloud’s free Antivirus program concurrently with Malwarebytes free antivirus program without any problems or conflicts.

Early Tuesday morning after Malwarebytes updated its database I began to continuously receive about 130 IP-BLOCK messages from MBAM, according to its 8/02/11 protection log. Below is an excerpt from the log. As far as I can tell everything is working as usual except for these IP-BLOCK messages.

(Pop Message says - Successfully Blocked Access to a potentially malicious website: 93.190.143.52)

Who does IP 93.190.143.50 belong to, and what, if anything, can I do to stop these IP-BLOCK messages.

04:54:03 xxxxxx x xxxxxxx MESSAGE Scheduled update executed successfully
04:54:26 xxxxxx x xxxxxxx MESSAGE IP Protection stopped
05:02:59 xxxxxx x xxxxxxx MESSAGE Database updated successfully
05:03:28 xxxxxx x xxxxxxx MESSAGE IP Protection started successfully
06:50:44 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.50 (Type: outgoing)
. . . . . . . “ - - -
. . . . . . . “ - - -
. . . . . . . “ - - -
21:27:39 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.52 (Type: outgoing)
21:27:45 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.52 (Type: outgoing)
21:30:47 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.52 (Type: outgoing)
21:30:50 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.52 (Type: outgoing)
21:30:56 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.52 (Type: outgoing)

Note: as of this post I'm still getting these IP-BLOCK MBAM messages, as of 11:55 PM DST.
Thanks for your assistance.

Gramps33 08/02/11

PS: Wednesday morning 08/03/11 8:56am DST. As far as I can tell no site that I'm attempting to access is being blocked. Does the message mean that MBAM is preventing info from my computer being sent to this UNKNOWN IP 93.190.143.52?

This morning I restarted my computer and as soon as I used IExplorer to access the internet the IP-BLOCK messages started up again. I'm currently running a full MBAM scan to see if there is some sort of virus or malware still lurking somewhere on my computer. I posted this note on the MBAM forum site last night, and so far I've not received any reply from them either. Is it possible that this is some sort of "gimmick" to get me to purchase the MBAM program after the trial period expires?

Edited by Gramps33, 03 August 2011 - 09:09 AM.
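Before asking whose address this is, it helps to reduce a log like the one above to a few numbers: how many blocks, how many distinct addresses, how tightly clustered they are, and whether they began right after a database update. The following is an added example, not Malwarebytes' tooling. It parses lines in the layout shown in the post (time, redacted computer and user fields, then IP-BLOCK or MESSAGE) over a constructed sample that mimics the excerpt, and groups addresses by /24 so the two addresses in the post fall into the same block. In this log "Type: outgoing" means a program on the local machine initiated the connection; the log does not name that program.

```python
r"""Summarise IP-BLOCK entries from a Malwarebytes 1.x protection log.

Added example for this thread, not Malwarebytes' code. Line layout is assumed from
the excerpt in the post:
    HH:MM:SS <computer/user fields> IP-BLOCK <ip> (Type: outgoing|incoming)
    HH:MM:SS <computer/user fields> MESSAGE <text>
"Type: outgoing" means a program on the local machine initiated the connection. The
log does not say which program, so what can be extracted is the pattern: how many
blocks, how many distinct addresses, how tightly clustered, and whether they started
right after a database update. That pattern is what to take to the vendor's
false-positive forum.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the posted layout; computer/user fields redacted as in the post.
SAMPLE_LOG = """\
04:54:03 xxxxxx x xxxxxxx MESSAGE Scheduled update executed successfully
04:54:26 xxxxxx x xxxxxxx MESSAGE IP Protection stopped
05:02:59 xxxxxx x xxxxxxx MESSAGE Database updated successfully
05:03:28 xxxxxx x xxxxxxx MESSAGE IP Protection started successfully
06:50:44 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.50 (Type: outgoing)
06:51:02 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.50 (Type: outgoing)
21:27:39 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.52 (Type: outgoing)
21:27:45 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.52 (Type: outgoing)
21:30:47 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.52 (Type: outgoing)
21:30:50 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.52 (Type: outgoing)
21:30:56 xxxxxx x xxxxxxx IP-BLOCK 93.190.143.52 (Type: outgoing)
21:31:10 xxxxxx x xxxxxxx IP-BLOCK 198.51.100.7 (Type: incoming)
garbage line that is not in the expected layout and must be ignored
"""

_BLOCK_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s.*?\bIP-BLOCK\s+(\S+)\s+\(Type:\s*(\w+)\)")
_MSG_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s.*?\bMESSAGE\s+(.*\S)")


def _t(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")


def parse_protection_log(text):
    """Return (blocks, messages): blocks are dicts {time, ip, direction}; messages are (time, text)."""
    blocks, messages = [], []
    for line in text.splitlines():
        m = _BLOCK_RE.match(line)
        if m:
            when, ip, direction = m.groups()
            try:
                blocks.append({"time": _t(when), "ip": ipaddress.ip_address(ip),
                               "direction": direction.lower()})
            except ValueError:
                pass  # unparseable address (e.g. a redacted one): skip, do not crash
            continue
        m = _MSG_RE.match(line)
        if m:
            messages.append((_t(m.group(1)), m.group(2)))
    return blocks, messages


def max_in_window(times, window=timedelta(seconds=60)):
    """Largest number of events inside any span of length `window` (sliding window)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def first_block_after_last_update(blocks, messages):
    """Time of the first block after the last 'Database updated' message, or None."""
    updates = [t for t, text in messages if text.startswith("Database updated")]
    if not updates:
        return None
    later = [b["time"] for b in blocks if b["time"] > max(updates)]
    return min(later) if later else None


def summarize_ip_blocks(blocks, messages):
    """Counts per address and per /24, direction mix, burst rate, timing vs the last DB update."""
    per_ip = Counter(str(b["ip"]) for b in blocks)
    per_24 = Counter(str(ipaddress.ip_network(f"{b['ip']}/24", strict=False))
                     for b in blocks if b["ip"].version == 4)
    outgoing = [b["time"] for b in blocks if b["direction"] == "outgoing"]
    return {
        "total": len(blocks),
        "outgoing": len(outgoing),
        "incoming": sum(b["direction"] == "incoming" for b in blocks),
        "per_ip": dict(per_ip),
        "per_24": dict(per_24),
        "peak_outgoing_per_minute": max_in_window(outgoing),
        "first_block_after_update": first_block_after_last_update(blocks, messages),
    }


if __name__ == "__main__":
    blocks, messages = parse_protection_log(SAMPLE_LOG)
    for key, value in summarize_ip_blocks(blocks, messages).items():
        print(f"{key:26} {value}")
```

A burst of several outgoing blocks within seconds of each other, all to one /24, is the shape of a single program retrying a connection rather than of web browsing; a first block that follows a database update closely is the figure to quote when asking the vendor whether the new definition is the cause.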


#30 boopme

Global Moderator

Posted 03 August 2011 - 02:34 PM

Gramps33 has the paid version of MBAM and it is being addressed here, as it should be:
http://forums.malwarebytes.org/index.php?showtopic=91456



