Legitimate Software listed as Malware on Your forum



#1 lbelkind

Posted 27 July 2014 - 05:21 AM

Dear All,

I am new to BleepingComputer.com, and the reason for me being here is the following:

I am a software vendor. My software has been falsely identified as malware by one of the leading anti-malware vendors, citing a mention on this forum as a reason.

The mention is: HERE

The software is signed with a valid digital software signature and is definitely a valid IT product, and not malware.

While I proceed working with the anti-malware vendor to whitelist the software, I would like to understand what the correct procedure is to rectify the record on your forum. Again, all proof of the software's legitimacy can be provided.

Whom should I contact?

Regards,

Leonid


Edited by hamluis, 27 July 2014 - 07:33 AM.
Moved from Malware Removal Logs to Announcements, Comments - Hamluis.




#2 Orange Blossom


Posted 27 July 2014 - 01:22 PM

What is the name of the software in question?  You don't identify it.  Please note that there are malware files with the same names as legitimate files.  The file paths, however, can vary.

 

Orange Blossom :cherry:


Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 myrti


Posted 27 July 2014 - 05:25 PM

The record on our forum is not wrong, but Sophos has changed their links and therefore it doesn't lead to its goal anymore. It makes a reference to this trojan: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ghudl-C/detailed-analysis.aspx which creates cpds.exe under C:\windows and launches it with a runkey named cpds.
regards
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#4 lbelkind


Posted 28 July 2014 - 01:41 AM

The software name is Check Point Document Security (cpds), and it can be legitimately downloaded from http://documentsecurity.checkpoint.com

 

Indeed, the path of our software is not C:\Windows, but it still doesn't prevent some Anti-malware engines from flagging our executable (which is completely unrelated to the Trojan) as malware.



#5 Orange Blossom


Posted 28 July 2014 - 02:06 AM

You'll need to contact the AV companies in question and state that they are falsely flagging your file.  Point out to them that the file path of the file listed here is different than the file path of your program.  Incidentally, I haven't seen that file path.  In addition, the file listed here is a startup file.  Thus far, I don't see an indication that the file in your software is a startup file.

 

You will need to submit to them the software file in question so they can analyze it for themselves.

 

Orange Blossom :cherry:



#6 cat1092


Posted 28 July 2014 - 03:06 AM

I just downloaded the file & here are the results. 

 

https://www.virustotal.com/en/file/828e765172cfb90099d4bb2bffce00eaa77e70547f222f97d6aa16a17b5f3863/analysis/

 

Though am on a Linux Mint computer at the moment, do run Emsisoft Anti Malware on three of my computers & they have a 100% detection rate, as shown on the AV-Comparatives site. 

 

You'll need to submit your software to these companies for further analysis. 

 

Sorry, I will not install software that cannot pass this test, nor do I recommend others to do so. 8 positives out of 54 different scans doesn't look promising. 

 

Here is a link to the Virus Total site for members to check out files, up to 64MB in size.

 

https://www.virustotal.com/en/

 

Thank you for your interest in getting this cleaned up.  :)

 

Cat


Edited by cat1092, 29 July 2014 - 09:49 PM.

Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#7 myrti


Posted 28 July 2014 - 04:07 AM

Hi,

it's not really 8/54. The first 5 AVs all use Bitdefender's database and therefore unsurprisingly all detect the same thing. Contacting Bitdefender to fix this would rectify the error also for Adaware and the others. So there's only 3 engines involved.

I don't believe the detection is due to our list though, to be honest. The info we have listed here is for a specific and admittedly old infection, but you're getting hit by a quite generic detection routine. In addition your file is in a different location and seems to create no startup point. Anyone familiar with the lists would know instantly that it is no match. In addition generic detections do not, normally, even look at file names as those can be changed easily. They look at the executable content and the behaviour of the file.
I would suspect that your program has some other functionality that triggers the detection and this is something you need to work out with them. Us removing the entry here would have no effect.

I have forwarded the FP to BitDefender and they will be taking a look at it again. So hopefully this will be resolved soon.

regards
myrti
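
The point made in post #7, that engines sharing one signature database amount to a single independent detection, can be applied when triaging any multi-scanner report. The following Python is an added example, not part of the original thread: the engine names, vendor name and labels are constructed placeholders (not the linked VirusTotal report), and grouping unmapped engines by normalized label is a heuristic assumption.

```python
import re
from collections import defaultdict

# Constructed sample: placeholder engines and labels; None means "clean".
SAMPLE_RESULTS = {
    "EngineA": "Gen:Variant.Sample.1234",
    "EngineB": "Gen:Variant.Sample.1234 (B)",
    "EngineC": "Gen:Variant.Sample.1234",
    "EngineD": "Heur.Packed.Generic",
    "EngineE": "HEUR.Packed.Generic ",
    "EngineF": "Trojan.Agent.Placeholder",
    "EngineG": None,
    "EngineH": None,
}
# Assumption: the analyst knows these engines use one vendor's database.
SAMPLE_DATABASE_OF = {"EngineA": "VendorX", "EngineB": "VendorX"}


def normalize_label(label):
    """Lowercase, trim, and drop a trailing '(tag)' some engines append."""
    label = re.sub(r"\s*\([^)]*\)\s*$", "", label.strip())
    return re.sub(r"\s+", " ", label).lower()


def group_detections(results, database_of=None):
    """Map each independent detection source to the engines reporting it."""
    database_of = database_of or {}
    hits = {e: normalize_label(l) for e, l in results.items() if l}
    groups, label_key = defaultdict(list), {}
    # Engines with a known database go first so their labels seed the
    # lookup; unmapped engines with the same label then join that group.
    for engine in sorted(hits, key=lambda e: e not in database_of):
        label = hits[engine]
        if engine in database_of:
            key = "db:" + database_of[engine]
        else:
            key = label_key.get(label, "label:" + label)
        label_key.setdefault(label, key)
        groups[key].append(engine)
    return {k: sorted(v) for k, v in groups.items()}


def summarize(results, database_of=None):
    groups = group_detections(results, database_of)
    raw = sum(len(v) for v in groups.values())
    return {"engines": len(results), "raw_hits": raw,
            "independent": len(groups), "groups": groups}


if __name__ == "__main__":
    print(summarize(SAMPLE_RESULTS, SAMPLE_DATABASE_OF))
```

Each remaining group corresponds to one vendor to contact with a false-positive submission.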
