False Positives in antivirus-programs


98 replies to this topic

#46 Winterland

Posted 15 February 2013 - 06:23 AM

Only MBAM can tell you when the FP will be fixed.

Good morning Elise, that's what I meant.

That I would report that MWB has issued a fix...not that I created one.

 

I think the only thing I'll be fixing this morning are some eggs and toast.

 

Always good to see you in the Forums. The funny thing was that once I got that FP, I checked here and then I checked your blog even before I went over to the MWB Forums!

 

I think I need some more coffee.

 

onward,

 

Winterland


Photobucket removed my cool flag - idiots!

 

Every calculation based on experience elsewhere fails in New Mexico.



#47 Winterland

Posted 15 February 2013 - 07:47 AM

UPDATE
 
Received a couple of updates from MWB since my last post.
 
Restored the items that had been Quarantined, did a Full Scan and everything is back to being ok with no infections.
 
enjoy the day,
 
Winterland



#48 tdo577


Posted 20 September 2013 - 02:48 PM

Hoping I'm posting this in the right area...but HitmanPro 3.7.7 has tweaking.com_registry_backup_setup.exe as Trojan and asked that it be quarantined.



#49 quietman7 (Global Moderator)

Posted 20 September 2013 - 03:35 PM

The detection(s) could possibly be false positives so you should get a second opinion. Go to one of the following online services that analyze suspicious files:--In the "File to Scan" (Upload or Submit) box, browse to the location of the file(s) in question and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#50 Darktune


Posted 28 October 2013 - 09:11 AM

Hey everyone

 

Business Kaspersky TCPIP.exe false positive.

 

Post found here - http://www.bleepingcomputer.com/forums/t/512094/business-kaspersky-tcpipexe-false-positive/


It's very hard to imagine all the crazy things that things really are like. 

Electrons act like waves.. no they don't exactly, they act like particles.. no they don't exactly.

Words and ideas can change the world.


#51 Darktune


Posted 29 October 2013 - 07:52 AM

Hey everyone

 

Business Kaspersky TCPIP.exe false positive.

 

Post found here - http://www.bleepingcomputer.com/forums/t/512094/business-kaspersky-tcpipexe-false-positive/

 

Just to let you guys know the symptoms of this false positive are different on each machine I've treated.

 

So far we had one machine which had no access to any network shared drive, no E-mail and no internet connection. This also disrupted connecting to the domain.

Another machine had full internet access but no E-mail and no network drives and it also had a disruption while trying to connect to the domain.

The last machine had everything working except it had no internet access.

 

Kaspersky offer this great advice on fixing the problem here - http://support.kaspersky.com/tcpip

 

However we noticed when following the steps we could no longer log into the domain on the PC, so we had to log on as the local computer's user, disconnect from the domain, then create and connect to a work group. We then restarted the computers, disconnected from the work group and re-connected to the domain.

 

It was quite fiddly but it was successful and has worked great.

 

Darktune




#52 quietman7 (Global Moderator)

Posted 20 December 2013 - 09:36 PM

Using AdwCleaner's Uninstall creates Quarantine.exe in a %temp% folder.

Norton anti-virus was detecting it. I asked an OP to submit the file to Symantec's lab and this was their reply.
 

Upon further analysis and investigation we have verified your submission and as such this detection will be removed from our products.

The updated detection will be distributed in the next set of virus definitions, available via LiveUpdate or from our website...
Symantec Security Response

 

 



#53 White_Zombie


Posted 07 March 2014 - 01:05 AM

Avira Antivirus detects the following as viruses but I'm pretty sure they are false positives

 

MBRInst.exe (recovery partition D: inside .cab file)

MBR.exe (C: drive and recovery partition D: inside .cab file)

MBR.dll (recovery partition D: inside .cab file)

 

Emachines 3616 - Vista Home Premium

 

Size, attributes, description and builder are exactly as listed on the link below:

http://binarydb.com/file/MBR.EXE-v511642.html



#54 StevenGerrard


Posted 07 March 2014 - 01:39 PM

False positives occur when a pattern of code in the file matches the same pattern contained in a virus signature. 
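Added example (an editor's illustration, not code posted by anyone in this thread and not any antivirus vendor's engine) of StevenGerrard's point above and of quietman7's second-opinion advice in #49: a signature scanner matches a byte pattern, so a benign file that happens to contain the same bytes is flagged; hashing the flagged file and checking it against a known-good manifest, or looking it up by hash, separates a false positive from a real detection before anything is quarantined. The signature names, byte patterns, sample "files" and manifest are all constructed for the example, and the VirusTotal hash-lookup URL format is an assumption, since the post does not name a particular service.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed signature database. Each entry is a byte pattern a scanner might
# have extracted from a malware sample. Names are hypothetical, not real
# detections from any vendor.
SIGNATURES = {
    # NOP sled followed by a call/pop stub: common in shellcode, but also in
    # ordinary position-independent code, which is exactly how FPs arise.
    "Trojan.Generic.Example": rb"\x90\x90\xe8\x00\x00\x00\x00\x5b",
    # URL fragment typical of a bundled-adware installer.
    "Adware.Example": rb"/install\?affid=\d+",
}


@dataclass
class Verdict:
    name: str
    sha256: str
    size: int
    detections: list = field(default_factory=list)


def scan(name: str, data: bytes) -> Verdict:
    """Pattern-match every signature against the file. A hit only means the
    bytes occur somewhere in the file; it does not prove the file is malicious."""
    hits = [sig for sig, pat in SIGNATURES.items() if re.search(pat, data, re.DOTALL)]
    return Verdict(name, hashlib.sha256(data).hexdigest(), len(data), hits)


# Constructed sample files (not real binaries; "MZ" is just the PE magic).
MALWARE = b"MZ" + b"\x00" * 30 + b"\x90\x90\xe8\x00\x00\x00\x00\x5b" + b"\xcc" * 16
# A legitimate installer that happens to contain the same call/pop stub.
BENIGN_INSTALLER = (b"MZ" + b"\x00" * 30 + b"setup v1.2 "
                    + b"\x90\x90\xe8\x00\x00\x00\x00\x5b" + b" Inno Setup")
CLEAN = b"MZ" + b"\x00" * 30 + b"hello world"

# Known-good manifest: SHA-256 values obtained from a trusted source (the
# vendor's download page, a clean install). Constructed here from the benign
# sample so the example runs stand-alone.
KNOWN_GOOD = {
    hashlib.sha256(BENIGN_INSTALLER).hexdigest(): "vendor_setup.exe (constructed)",
}


def triage(v: Verdict) -> str:
    """Decide what to do with a detection before quarantining or deleting."""
    if not v.detections:
        return "clean"
    if v.sha256 in KNOWN_GOOD:
        return (f"likely false positive: matches known-good "
                f"{KNOWN_GOOD[v.sha256]}; report to vendor")
    return "unverified: submit the hash or file for a second opinion"


def lookup_url(sha256: str) -> str:
    """A hash lookup gives a second opinion without uploading the file.
    VirusTotal's per-file URL format is assumed here; the post names no service."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


if __name__ == "__main__":
    for fname, data in [("malware.bin", MALWARE),
                        ("vendor_setup.exe", BENIGN_INSTALLER),
                        ("notepad.exe", CLEAN)]:
        v = scan(fname, data)
        print(f"{v.name} ({v.size} bytes): {v.detections or 'no hits'} -> {triage(v)}")
        if v.detections:
            print("   ", lookup_url(v.sha256))
```

Both the malware sample and the benign installer trigger the same signature; only the hash check tells them apart, which is why a vendor's fix for a false positive is usually a definition update that excludes the known-good file rather than a change to the pattern itself.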



#55 Animal (Site Admin)

Posted 07 March 2014 - 02:01 PM

Thank you for the explanation StevenGerrard however this thread is for reporting False Positives. It is not for assisting how to explain them or why they happen. Just a repository for reported false positives.

As Grinler stated in post #1

This topic will be used to post false positives in Anti-virus/Anti-malware programs so that end-users know not to fix the particular entries that may be shown


The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#56 Drakonas


Posted 13 April 2014 - 08:13 PM

There seems to be a false positive that is being found with ADWCleaner, every time I run it on my computer.

 

The only file inside the folder found ("C:\ProgramData\boost_interprocess") is this:

"C:\ProgramData\boost_interprocess\20140413190314.125599\plex_frame_mutex"

 

 

Plex is a popular media streaming program that I use. This file has to be a cache file for the program.

 

 

You can find details from this Malwarebytes.org Forum post, showing that they added this false positive to their list.



#57 quietman7 (Global Moderator)

Posted 13 April 2014 - 08:31 PM

Drakonas, I have posted a note for the developer.

#58 Drakonas


Posted 14 April 2014 - 02:51 AM

Drakonas, I have posted a note for the developer.

Not sure if this is a problem, but the "boost_interprocess" folder may also be (in some cases) a trojan, from what I've seen on the internet, but I am unsure. Not sure if this needs to be noted. I expect the developer might have notes about this somewhere.



#59 quietman7 (Global Moderator)

Posted 14 April 2014 - 04:30 AM

Xplode will look into it and make a decision based on what he finds.

#60 cat1092 (BC Advisor)

Posted 07 May 2014 - 11:46 PM

Just about every security software that I've run has thrown out a few false positives. It's when it happens often that there's a problem & the software is buggy or may be misconfigured. For example, there's a "Paranoid" option in Emsisoft Anti Malware settings (all in one AV/AM app) & "Aggressive" on Bitdefender Total Security 2014; there are warnings with both that more false positives should be expected if these modes are activated. So it's not the software all of the time. However never reduce settings to the minimum possible to avoid false positives, real threats may slide in.

 

Though I've run ESET NOD32 for years & really like & recommend the choice of security, it always throws a false positive when the NoScript home page (Firefox security extension) opens after being updated. I've reported this issue several times, with no solutions, to the point that I've just learned to live with it. All it is, is a popup & a block on a portion of the page. None of my other security choices, nor MBAM Premium, which is excellent for this, blocks the page from opening. Of course I could whitelist the page, but I don't like to do that, as content on a page can change at any time. And it's not like NoScript updates daily, maybe once a week or two.

 

There is a delicate balance in detecting real threats while at the same time keeping false positives to a minimum. To be honest, I can live with one every now & then. At least I know that the software is acting in real time. Also, there's many times when downloading otherwise honest software, that all of one's active protection will throw the red flag. CoreTemp being a great example. Only one site that I grabbed it from & I forget 100% which one, may have been Major Geeks, that finally allowed it. The reason it's flagged is the 3-4 options of bundled adware that comes along for the ride. That's not a false positive, the security is doing its job, protecting against PUPs.

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 




