UBCD4Win Forums: Read First: False Positives List


Read First: False Positives List (false positives that still appear AFTER 3.5)

#1 Gedrean (Advanced Member, Group: BETA Tester, Posts: 274, Joined: 02-February 07)
Posted 07 July 2009 - 12:42 PM

    Hi! I've been noticing a lot of false positive reports coming in where users are still using version 3.20 or even 3.0 of UBCD4Win.

    When we made 3.50, we started a new strategy for eliminating false positives and avoiding "undesirable program detected" messages within UBCD4Win.
    As a trial for 3.50, about 6 or 7 programs were enclosed in a special 7z wrapper to "cloak" them from antivirus programs.
    Best part was, we discovered that these applications take up very little space in the RAMDrive, and can be easily removed afterwards, so this decreased overall default install and build size as well!
    Now, the reason we don't do this for the larger and more complex plugins is actually pretty simple: RAMDrive size. We can't assume the user has 200+ MB of extra RAM to shove into a RAMDrive so we can have the antivirus plugins extract out like this, but we'd like to put more and more of the small plugins into this format, as well as catch ANY and ALL false positives with this.

    Now, of course, this means for official plugins we have to make sure they are truly virus-free and do what they say, but since this strategy will only be employed for official (read:included) plugins, we feel this is a decent approach to take.
    But, this post isn't for me to self-aggrandize about how awesome this approach is.

    Now, on to the meat and potatoes:

    WE NEED YOUR HELP!

    What I'd like to request is that if you have a false positive WITH 3.50, NOT EARLIER VERSIONS, please post them to this thread!
    That way, the thread can be noted indicating which false positives have or will be fixed in future versions, and we don't have to sift through a million posts about how 3.0 has a false positive with McAfee that we fixed a long time ago.

    This is also a great thread you can check to see if the virus report you got was a false positive. If it exists in this list, it's a false positive!

    Posts don't need to be big, or long, or convoluted.
    All we need is which application did it (So if it says, for example, ipscan.exe, the program itself is IP Scan) or the path to the application, and which anti-malware program caught the false positive (McAfee, Avast, MalwareBytes, AdAware, Spybot, etc.)

    We'll do the rest, and hopefully make version 3.6 have an even better default install, with more tools, less size, and NO FALSE POSITIVES! (we hope.)

    Thank you for your assistance in this matter!
    Here since February 2007, and just now got 7 demerits. I love me some Troll thread.

#2 pcuser (Project Programmer, Group: Moderator & Development, Posts: 3,822, Joined: 20-November 04, Location: Kneebrasskee)
Posted 07 July 2009 - 01:25 PM

      pinned...
      If you're afraid of taking any chances then the chances are great that you will never learn anything

      Multiboot Plugins - UBUSB (Ultimate Boot USB) - EzPcFix - RootKitty - Network Configuration Utility - UnIsoFS - A Small Linux Distro - SELogger - HashME - WSock - My Paypal

#3 teobromina (Member, Group: Members, Posts: 56, Joined: 05-April 08, Location: Spain, Interests: Portable freeware)
Posted 08 July 2009 - 01:41 PM

        I like the idea!

Now, I would have to update from 3.22 to 3.50 in order to run trials and report back.

        Thank you.

*JT.
What you do, do quickly (Jn 13:27)

#4 teobromina (Member, Group: Members, Posts: 56, Joined: 05-April 08, Location: Spain)
Posted 09 July 2009 - 11:35 AM

I just downloaded, installed and tried UBCD4Win version 3.50.
I have performed a scan with McAfee Antivirus on the UBCD4Win installation folder, including the /BartPE directory, and the result is summarized in the image below (DSFix.exe is identified as "potentially unwanted").

          Regards.

          *JT.

[Image: McAfee scan result (attachment not preserved)]


#5 rdsok (Group: Admin, Posts: 6,013, Joined: 02-October 05, Location: Norman, Ok. USA)
Posted 09 July 2009 - 12:10 PM

            It seems McAfee may be a bit paranoid or just doesn't like competition... :rolleyes:

McAfee is detecting PrcViewer.exe, which is contained within SDFix, a tool used to aid removal of trojans and worms. PrcViewer is being used in this case to close active processes so the malware can be removed.

            Quoted from McAfee's website...

            Quote

This is a generic detection that covers multiple variants of PRCViewer. PRCViewer is a small command line utility that can alter a process's characteristics (Affinity and Priority) and also View, Close, Kill, Suspend and Resume running processes, even when Task Manager access is disabled.


It is interesting how hypocritical, or at the least prejudiced, they are in what they choose to detect and what they do not choose to detect... examples of similar command line utils that they choose not to detect:

            TASKKILL.EXE - Included in Windows itself
            PSKILL.EXE - A SysInternals utility ( now owned by Microsoft )



            Thanks for the report...
            Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....

#6 phwarg (Newbie, Group: Members, Posts: 1, Joined: 18-July 09)
Posted 18 July 2009 - 12:44 PM

Avira AntiVir Personal reports the following for version 3.50:

              SDFix.exe* = APPL/PrcView.E
              NirCmd.exe = APPL/NirCmd.D.2
              PluginRefresh.exe = TR/Dropper.Gen
              ComboFix.exe = APPL/PsExec.E
              MbrFix.exe = SPR/Tool.MBRFix.A

              *2 locations

AVG didn't flag anything in UBCD4Win a couple of days ago.

#7 Kester (Newbie, Group: Members, Posts: 9, Joined: 05-August 09)
Posted 05 August 2009 - 04:05 AM

My Avira AntiVir Personal Free antivirus software has picked up the following file as potentially malicious during installation of UBCD4WIN v350: C:\UBCD4Win\plugin\Disk\Partition\Mbrfix\Mbrfix.exe. I reported this as a likely false positive to Avira but their check still reports the file as malicious. I downloaded the UBCD4WIN installation file from the http://download.softpedia.com mirror. I await an email from Avira which should give me a fuller report on their findings.

I also had a probable false positive from my Clam Antivirus Portable software, which I used to cross-check Avira. The details are as follows: C:\UBCD4Win\plugin\Cleanup Tools\ComboFix\ComboFix.exe: Pua.Hideexec FOUND. Clam did not find a problem with Mbrfix.exe, however, and Avira did not find a problem with ComboFix.exe.

                The Avira web address is: www.Avira.com - they also give the following contacts:
                ------------------------------------------------------------------------------------------------
                Contact Avira

                Postal address
                Avira GmbH
                21, Lindauer Str.
                D-88069 Tettnang
                Germany

                Communication
                Fax: +49 (0) 7542-525 10
                Email: [email protected] (No technical support)

                Managing Director
                Tjark Auerbach

                Webmaster
                Email: [email protected] (No technical support)

                Commercial Register
                Local court Ulm: HRB 630992

                VAT-ID
                DE 145 372 389

                Viruses & suspicious files
                Please send to [email protected]
                --------------------------------------------------------------------------------------
                Clam's web address is www.clamwin.com

                Thanks.

#8 Kester (Newbie, Group: Members, Posts: 9, Joined: 05-August 09)
Posted 05 August 2009 - 04:19 AM

                  Update re: my previous report.

                  I have since received the email report from Avira which is as follows:
                  ----------------------------------------------------------------------------------------------------------------------
                  Dear Sir or Madam,

                  Thank you for your email to Avira's virus lab.
                  Tracking number: INC00350365.

A listing of files alongside their results can be found below:

    File ID    Filename     Size (Byte)   Result
    25387945   MbrFix.exe   116.5 KB      MALWARE

Please find a detailed report concerning each individual sample below:

    Filename     Result
    MbrFix.exe   MALWARE

The file 'MbrFix.exe' has been determined to be 'MALWARE'. Our analysts named the threat SPR/Tool.MBRFix.A. The term "SPR/" ("Security or Privacy Risk") denotes a program that might possibly be able to affect the security of your system, might trigger activities you might not want or might violate your privacy. Detection is added to our virus definition file (VDF) starting with version 7.01.04.166.

                  Alternatively you can see the analysis result here:
                  http://analysis.avir...cidentid=350365

                  An overview of all your submissions can be found here:
                  http://analysis.avir...xt1qqA2bgFrDvSg

                  Please note: If you have specific questions please address them to [email protected]

                  Kind regards
                  Avira Virus Lab

                  ---------------------------------------------
                  Avira GmbH
                  Lindauer Str. 21, D-88069 Tettnang, Germany
                  Phone: +49 (0) 77542-500 0
                  Fax: +49 (0) 7542-525 10
                  Internet: http://www.avira.com

                  CEO: Tjark Auerbach
                  Headquarter: Tettnang
                  Commercial register: AG Ulm HRB 630992
                  ---------------------------------------------
                  ------------------------------------------------------------------------------------------------------

                  I hope this information is useful.

#9 rdsok (Group: Admin, Posts: 6,013, Joined: 02-October 05, Location: Norman, Ok. USA)
Posted 05 August 2009 - 10:18 AM

                    Kester,

                    Thanks for your post and the information it has... The following "rant" is not directed at you for reporting what you found... that is exactly what this thread is for. It is however directed at Avira in this instance for how poorly they are handling this type of situation. The way they have worded their response and show this detection is deplorable. In essence they are fear mongering...


Riskware is not malware no matter what a company claims. Utility software, such as mbrfix in this case, which can fix/repair/save/restore an MBR, should never be called malware, especially by companies that should understand what these tools really are for.

I am not against a company that flags riskware... what I'm against is them also associating, or even implying, that utils such as this are malware, which it certainly is not. A knife, for instance, is potentially dangerous and should be used with caution, but that doesn't mean that it is an imminent threat just by its presence.

                    By Avira's definition they are using on this util, the following Microsoft utils are dangerous...

                    DEL - or delete... can result in loss of data or critical system files.
                    FDISK - can alter partition table information, again risk of loss of data
                    FORMAT - can lead to complete loss of any and all data on a drive
FTP - can be used to transfer private data

In other words, just about any and all utils in some manner bring with them the potential to be used incorrectly or as a means to cause damage to a system. We may as well also classify the USER themselves in this category... LOL

Let's now have some fun, let's use their classifications against their product... Avira Antivirus, a potentially dangerous utility that can lead to misdirection of its users, which may result in the loss of important utilities due to their improperly labeling them as malware. In addition, it has a tendency (as all antivirus/antispyware utils do) to also falsely detect known safe files as malicious.

#10 Kester (Newbie, Group: Members, Posts: 9, Joined: 05-August 09)
Posted 05 August 2009 - 01:51 PM

                      Hi rdsok,

Thanks for your reply. What happens now? Avira will keep flagging the file as potentially malicious unless I quarantine it until I am ready to create the ISO file and the bootable CD. Will Avira be persuaded that the file is not a real threat, or will I have to put up with the nagging interruptions from the Avira software during the process? Of course I could disable my broadband connection and the Avira antivirus software until the job is done, but why should that be necessary?

#11 rdsok (Group: Admin, Posts: 6,013, Joined: 02-October 05, Location: Norman, Ok. USA)
Posted 05 August 2009 - 03:59 PM

                        I doubt that Avira will be persuaded to change their opinion...

Check if AntiVir has the option to create an exception or whitelist the item (whatever they call it). Ask their support if you are uncertain how, or even if, that can be done, since we don't provide support for their product in that sense.

On any detection you get, even if it's just riskware, double-check the detection by using an online test such as those provided by http://www.virustotal.com or http://virusscan.jotti.org/ to see what all of the antivirus/antispyware utils say about the file...

ALWAYS play it safe and test; never let someone telling you that it is OK (including us) keep you from testing the file yourself. Malware authors are known to always claim their product is clean even when they know it isn't... And a file can also be infected by other malware as well, so you also have to make sure it didn't get infected at some point.

In general, a true false positive will only be listed by one util, but at times more can (and have) flagged a false, depending on what is getting detected. Remember, a false is one where a valid program is detected as malware because of the similarity of its code... What tested safe today could change tomorrow when a new malware detection is added.

Riskware, on the other hand, will usually be detected by several utils all of the time. Using the example of mbrfix... my test on VirusTotal showed that 9 out of 40 detected it as riskware.

When there is a false... report it to the company itself (yes, we'd like to know also, but we can't do anything to change the detection)... I also recommend reporting riskware as falses in order to change that company's opinion, but that can only happen if a lot of users report it. There is certain riskware that I agree should always be flagged... take a password recovery utility as the example... but in this instance they are taking it too far in my opinion. LOL... of course they apparently didn't ask me, damn it... LOL
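Worked example (added for this thread, not UBCD4Win project code): rdsok's advice above boils down to three checks: is the file byte-for-byte the copy that was vetted, is the hit one that is already known for that copy, and does the label say "risk tool" rather than "malware". The script below pins each vetted tool to a SHA-256 hash instead of a path, so an exception stops applying the moment the file is replaced or infected, and it parses the `tool = detection` lines in the shape phwarg posted. The tool names and detection labels come from the thread; the file bytes, hashes and per-engine verdicts are constructed stand-ins, and the riskware prefix list is an assumption, not a vendor-published one.

```python
"""Hash-pinned triage of antivirus hits on a toolkit's bundled utilities.

Added example for this thread; it is not UBCD4Win project code. Tool names and
detection labels are taken from the posts above. The file bytes, hashes and
per-engine verdicts are CONSTRUCTED stand-ins so the script runs offline.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Label prefixes that vendors use for riskware / potentially unwanted tools,
# as opposed to malware proper (SPR/ and APPL/ appear in Avira's labels above,
# Pua. in ClamAV's). Assumption: representative, not exhaustive.
RISKWARE_PREFIXES = ("SPR/", "APPL/", "PUA", "Pua", "RiskTool", "not-a-virus", "PUP")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_riskware_label(label: str) -> bool:
    """True when the detection name says 'risk tool', not 'malware'."""
    return label.startswith(RISKWARE_PREFIXES)


@dataclass(frozen=True)
class VettedTool:
    name: str
    sha256: str                              # hash of the bytes that were actually vetted
    known_hits: FrozenSet[Tuple[str, str]]   # (engine, label) pairs known to fire on them


# CONSTRUCTED bytes standing in for the real binaries.
SAMPLE_FILES: Dict[str, bytes] = {
    "sdfix.exe": b"MZ constructed SDFix sample",
    "mbrfix.exe": b"MZ constructed MbrFix sample",
    "combofix.exe": b"MZ constructed ComboFix sample",
}

# The registry pins each vetted tool to a hash; an exception by path alone
# would keep silencing the scanner even after the file had been replaced.
REGISTRY: Dict[str, VettedTool] = {
    "sdfix.exe": VettedTool("SDFix", sha256_hex(SAMPLE_FILES["sdfix.exe"]),
                            frozenset({("Avira", "APPL/PrcView.E")})),
    "mbrfix.exe": VettedTool("MbrFix", sha256_hex(SAMPLE_FILES["mbrfix.exe"]),
                             frozenset({("Avira", "SPR/Tool.MBRFix.A")})),
    "combofix.exe": VettedTool("ComboFix", sha256_hex(SAMPLE_FILES["combofix.exe"]),
                               frozenset({("Avira", "APPL/PsExec.E"),
                                          ("ClamAV", "Pua.Hideexec")})),
}

# Lines in the 'SDFix.exe* = APPL/PrcView.E' shape used in this thread; the
# optional '*' is the poster's footnote marker and is dropped.
REPORT_LINE = re.compile(r"^\s*(?P<file>[^\s=*]+)\*?\s*=\s*(?P<label>\S+)")


def parse_report_line(line: str) -> Optional[Tuple[str, str]]:
    m = REPORT_LINE.match(line)
    return (m.group("file"), m.group("label")) if m else None


def classify_hit(engine: str, filename: str, label: str, file_bytes: bytes,
                 registry: Dict[str, VettedTool] = REGISTRY) -> str:
    """Decide what a scanner hit on one file means.

    known-false-positive : vetted bytes, and this engine/label pair is already on record
    riskware-unlisted    : vetted bytes, riskware-style label from an engine not yet on record
    needs-review         : vetted bytes, but a malware-style label nobody has looked at
    modified-file        : bytes differ from the vetted copy (re-packed, updated or infected)
    unvetted             : nobody has examined this file at all
    """
    entry = registry.get(filename.lower())
    if entry is None:
        return "unvetted"
    if entry.sha256 != sha256_hex(file_bytes):
        return "modified-file"
    if (engine, label) in entry.known_hits:
        return "known-false-positive"
    if is_riskware_label(label):
        return "riskware-unlisted"
    return "needs-review"


def summarize_verdicts(verdicts: Dict[str, Optional[str]]) -> Tuple[int, int, int]:
    """(engines that flagged, engines total, flags that were riskware labels)."""
    flagged = [v for v in verdicts.values() if v]
    return len(flagged), len(verdicts), sum(1 for v in flagged if is_riskware_label(v))


if __name__ == "__main__":
    for line in ["SDFix.exe* = APPL/PrcView.E", "MbrFix.exe = SPR/Tool.MBRFix.A"]:
        fname, label = parse_report_line(line)
        print(line, "->", classify_hit("Avira", fname, label, SAMPLE_FILES[fname.lower()]))
```

The point of `modified-file` is the case rdsok raises: a tool that was clean when vetted can be infected later, and a whitelist keyed on the path would hide exactly that. `summarize_verdicts` gives the "9 out of 40, how many of them riskware" figure from a multi-engine report without anyone eyeballing forty rows.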

#12 Gedrean (Advanced Member, Group: BETA Tester, Posts: 274, Joined: 02-February 07)
Posted 05 August 2009 - 08:41 PM

rdsok, on 05 August 2009 - 03:59 PM, said:

When there is a false... report it to the company itself (yes, we'd like to know also, but we can't do anything to change the detection)... I also recommend reporting riskware as falses in order to change that company's opinion, but that can only happen if a lot of users report it. There is certain riskware that I agree should always be flagged... take a password recovery utility as the example... but in this instance they are taking it too far in my opinion. LOL... of course they apparently didn't ask me, damn it... LOL


                          We would like to know simply so we can repack it in our 7z trick to get around those detections.

I, in the meantime, would suggest that once you are ready to get started with building UBCD4Win, you disable your antivirus for a short time, accessing and running no other programs, while letting the software extract. Afterwards, once you have made your ISO to your satisfaction (only AFTER the ISO is built), turn the AV back on.

                          It's a pooty option, but in the mean time that's what we have until a new plugin is released to make those troublesome tools no longer be detected...

                          God help us all if they figure out how to break 7z encryption. ;)

#13 Kester (Newbie, Group: Members, Posts: 9, Joined: 05-August 09)
Posted 06 August 2009 - 04:19 AM

                            Hi rdsok and Gedrean,

Thanks for your advice. I visited the VirusTotal and virusscan.jotti.org sites and have created a PDF file of the VirusTotal results (which were identical to the Jotti results). I shall send this file to Avira. The results concur with what you have told me: most antivirus programs ignore the mbrfix.exe file, a number describe it not as a virus but as a risk tool, and only a few imply that it could be malicious.

#14 Kester (Newbie, Group: Members, Posts: 9, Joined: 05-August 09)
Posted 06 August 2009 - 02:34 PM

                              Hi rdsok and Gedrean,

                              Update: I have been in touch with Avira who state that although MbrFix.exe is not a virus, it is a type of file that is a risk which could compromise privacy etc. and they will continue to warn when such a file is detected. Their email reply to me contains the following:
                              -------------------------------------------------------------------------------------------------------------------------------------------
                              Thank you for your recent inquiry.

                              The file you have sent us is detected as 'SPR/Tool.MBRFix.A'. This is not a false positive.
Please note that SecurityPrivacyRisk (SPR) labels possibly malicious software. That means that the file need not be a virus, but has the possibility to perform malicious actions.

                              The detection of SPR (SecurityPrivacyRisk) can be excluded from a virus scan.

                              Attachment(s) you sent:
                              - MbrFix.exe
                              --------------------------------------------------------------------------------------------------------------------------------------------
The Avira Support Forum proved more useful to me: after members' and moderator checks and advice, it was explained to me how I could create exceptions in Avira AntiVir by entering an experts' area of the program that I had not tried before. This has solved the immediate problem, and MbrFix.exe is now not flagged when scanned. It does not explain, however, why Avira normally gives a warning about the file but reputable software such as that produced by AVG, Avast, Comodo and McAfee etc. does not.

I have now successfully created the ISO file and burnt it to a CD-RW (I do this first, before committing it to CD-R, so I can test the result before making a permanent CD) and all is fine.

#15 Gedrean (Advanced Member, Group: BETA Tester, Posts: 274, Joined: 02-February 07)
Posted 06 August 2009 - 04:22 PM

Kester, on 06 August 2009 - 02:34 PM, said:

                                Hi rdsok and Gedrean,

                                Update: I have been in touch with Avira who state that although MbrFix.exe is not a virus, it is a type of file that is a risk which could compromise privacy etc. and they will continue to warn when such a file is detected. Their email reply to me contains the following:
                                -------------------------------------------------------------------------------------------------------------------------------------------
                                Thank you for your recent inquiry.

                                The file you have sent us is detected as 'SPR/Tool.MBRFix.A'. This is not a false positive.
Please note that SecurityPrivacyRisk (SPR) labels possibly malicious software. That means that the file need not be a virus, but has the possibility to perform malicious actions.

                                The detection of SPR (SecurityPrivacyRisk) can be excluded from a virus scan.

                                Attachment(s) you sent:
                                - MbrFix.exe
                                --------------------------------------------------------------------------------------------------------------------------------------------
The Avira Support Forum proved more useful to me: after members' and moderator checks and advice, it was explained to me how I could create exceptions in Avira AntiVir by entering an experts' area of the program that I had not tried before. This has solved the immediate problem, and MbrFix.exe is now not flagged when scanned. It does not explain, however, why Avira normally gives a warning about the file but reputable software such as that produced by AVG, Avast, Comodo and McAfee etc. does not.

I have now successfully created the ISO file and burnt it to a CD-RW (I do this first, before committing it to CD-R, so I can test the result before making a permanent CD) and all is fine.


                                That's good. As to why Avira detects it and others do not:

McAfee flags about a dozen of our tools, SOMETIMES, that other scanners do not. It is simply a difference in the detection process: which heuristics (behaviors) are considered risky by one vendor and not another, etc.

                                Some vendors' heuristics models are held very secret by those vendors, and so they will flag apps nothing else will.

                                No major concern of it though. Glad you found how to turn it off. :)