Hi! I've been noticing a lot of false positive reports coming in where users are still using version 3.20 or even 3.0 of UBCD4Win.
When we made 3.50, we started a new strategy for eliminating false positives and avoiding "undesirable program detected" messages within UBCD4Win.
As a trial for 3.50, about 6 or 7 programs were enclosed in a special 7z wrapper to "cloak" them from antivirus programs.
Best part was, we discovered that these applications take up very little space in the RAMDrive, and can be easily removed afterwards, so this decreased overall default install and build size as well!
Now, the reason we don't do this for the larger and more complex plugins is actually pretty simple: RAMDrive size. We can't assume the user has 200+ MB of extra RAM to shove into a RAMDrive so we can have the antivirus plugins extract out like this, but we'd like to put more and more of the small plugins into this format, as well as catch ANY and ALL false positives with this.
Now, of course, this means for official plugins we have to make sure they are truly virus-free and do what they say, but since this strategy will only be employed for official (read:included) plugins, we feel this is a decent approach to take.
But, this post isn't for me to self-aggrandize about how awesome this approach is.
Now, on to the meat and potatoes:
WE NEED YOUR HELP!
What I'd like to request is that if you have a false positive WITH 3.50, NOT EARLIER VERSIONS, please post them to this thread!
That way, the thread can be noted indicating which false positives have or will be fixed in future versions, and we don't have to sift through a million posts about how 3.0 has a false positive with McAfee that we fixed a long time ago.
This is also a great thread you can check to see if the virus report you got was a false positive. If it exists in this list, it's a false positive!
Posts don't need to be big, or long, or convoluted.
All we need is which application did it (So if it says, for example, ipscan.exe, the program itself is IP Scan) or the path to the application, and which anti-malware program caught the false positive (McAfee, Avast, MalwareBytes, AdAware, Spybot, etc.)
We'll do the rest, and hopefully make version 3.6 have an even better default install, with more tools, less size, and NO FALSE POSITIVES! (we hope.)
Thank you for your assistance in this matter!
Read First: False Positives List False positives that still appear AFTER 3.5
#2
Posted 07 July 2009 - 01:25 PM
pinned...
If you're afraid of taking any chances then the chances are great that you will never learn anything
Multiboot Plugins - UBUSB (Ultimate Boot USB) - EzPcFix - RootKitty - Network Configuration Utility - UnIsoFS - A Small Linux Distro - SELogger - HashME - WSock - My Paypal
#4
Posted 09 July 2009 - 11:35 AM
I just downloaded, installed and tried UBCD4Win version 3.50.
I have performed a scan with McAfee Antivirus to the UBCD4Win installation folder, including the /BartPE directory, and the result is summarized in the image below (DSFix.exe is identified as a "potentially unwanted").
Regards.
*JT.
This post has been edited by teobromina: 09 July 2009 - 11:38 AM
What you do, do quickly (Jn 13:27)
#5
Posted 09 July 2009 - 12:10 PM
It seems McAfee may be a bit paranoid or just doesn't like competition... 
McAfee is detecting PrcViewer.exe that is contained within the SDFix which is used to aid removal of trojans and worms. PrcViewer is being used in this case to close active processes so the malware can be removed.
Quoted from McAfee's website...
Quote
This is a generic detection that covers multiple variants of PRCViewer. PRCViewer is a small command line utility that can alter a processes characteristics (Affinity and Priority) and also View, Close, Kill, Suspend and Resume running processes, even when Task Manager access is disabled.
It is interesting how hypocritical or at the least prejudiced they are in what they choose to detect and what they do not choose to detect... examples of similar command line utils that they choose to not detect...
TASKKILL.EXE - Included in Windows itself
PSKILL.EXE - A SysInternals utility ( now owned by Microsoft )
Thanks for the report...
Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....
#6
Posted 18 July 2009 - 12:44 PM
Avira AntiVir Personal reports that for Ver 3.50:
SDFix.exe* = APPL/PrcView.E
NirCmd.exe = APPL/NirCmd.D.2
PluginRefresh.exe = TR/Dropper.Gen
ComboFix.exe = APPL/PsExec.E
MbrFix.exe = SPR/Tool.MBRFix.A
*2 locations
AVG didn't flag anything in the UBCD4Win a couple of days ago.
#7
Posted 05 August 2009 - 04:05 AM
My Avira AntiVir Personal Free anti virus software has picked up the following file as potentially malicious during installation of UBCD4WIN v350. C:\UBCD4Win\plugin\Disk\Partition\Mbrfix\Mbrfix.exe. I reported this as a likely false positive to Avira but their check still reports the file as malicious. I downloaded the UBCD4WIN installation file from the http//download.softpedia.com mirror. I await an email from Avira which should give me a fuller report on their findings.
I also had a probable false positive from my Clam Antivirus Portable software which I used to cross check Avira. The details are as follows: C:\UBCD4Win\plugin\Cleanup Tools\ComboFix\ComboFix.exe: Pua.Hideexec FOUND. Clam did not find a problem with Mbrfix.exe however and Avira did not find a problem with ComboFix.exe.
The Avira web address is: www.Avira.com - they also give the following contacts:
------------------------------------------------------------------------------------------------
Contact Avira
Postal address
Avira GmbH
21, Lindauer Str.
D-88069 Tettnang
Germany
Communication
Fax: +49 (0) 7542-525 10
Email: [email protected] (No technical support)
Managing Director
Tjark Auerbach
Webmaster
Email: [email protected] (No technical support)
Commercial Register
Local court Ulm: HRB 630992
VAT-ID
DE 145 372 389
Viruses & suspicious files
Please send to [email protected]
--------------------------------------------------------------------------------------
Clam's web address is www.clamwin.com
Thanks.
#8
Posted 05 August 2009 - 04:19 AM
Update re: my previous report.
I have since received the email report from Avira which is as follows:
----------------------------------------------------------------------------------------------------------------------
Dear Sir or Madam,
Thank you for your email to Avira's virus lab.
Tracking number: INC00350365.
A listing of files alongside their results can be found below:
File ID Filename Size (Byte) Result
25387945 MbrFix.exe 116.5 KB MALWARE
Please find a detailed report concerning each individual sample below:
Filename Result
MbrFix.exe MALWARE
The file 'MbrFix.exe' has been determined to be 'MALWARE'. Our analysts named the threat SPR/Tool.MBRFix.A. The term "SPR/" ("Security or Privacy Risk") denotes a program that might possibly be able to affect the security of your system, might trigger activities you might not want or might violate your privacy. Detection is added to our virus definition file (VDF) starting with version 7.01.04.166.
Alternatively you can see the analysis result here:
http://analysis.avir...cidentid=350365
An overview of all your submissions can be found here:
http://analysis.avir...xt1qqA2bgFrDvSg
Please note: If you have specific questions please address them to [email protected]
Kind regards
Avira Virus Lab
---------------------------------------------
Avira GmbH
Lindauer Str. 21, D-88069 Tettnang, Germany
Phone: +49 (0) 77542-500 0
Fax: +49 (0) 7542-525 10
Internet: http://www.avira.com
CEO: Tjark Auerbach
Headquarter: Tettnang
Commercial register: AG Ulm HRB 630992
---------------------------------------------
------------------------------------------------------------------------------------------------------
I hope this information is useful.
#9
Posted 05 August 2009 - 10:18 AM
Kester,
Thanks for your post and the information it has... The following "rant" is not directed at you for reporting what you found... that is exactly what this thread is for. It is however directed at Avira in this instance for how poorly they are handling this type of situation. The way they have worded their response and show this detection is deplorable. In essence they are fear mongering...
Riskware is not malware no matter what a company claims. Utility software, such as mbrfix in this case which can fix/repair/save/restore a MBR, should never be called malware especially by companies that should understand what they really are for.
I am not against a company that flags a riskware... what I'm against is them also associating or even implying utils such as this as malware which it certainly is not. A knife for instance is potentially dangerous and should be used with caution but that doesn't mean that it is an imminent threat just by its presence.
By Avira's definition they are using on this util, the following Microsoft utils are dangerous...
DEL - or delete... can result in loss of data or critical system files.
FDISK - can alter partition table information, again risk of loss of data
FORMAT - can lead to complete loss of any and all data on a drive
FTP - can be used to transfer private data
In other words, just about any and all utils in some manner bring with them the potential to be used incorrectly or as a means to cause damage to a system. We may as well also classify the USER themselves in this category... LOL
Let's now have some fun, let's use their classifications against their product... Avira Antivirus, a potentially dangerous utility that can lead to misdirection of its users which may result in the loss of important utilities due to their improperly labeling them as malware. In addition, has a tendency ( as all antivirus/antispyware utils ) to also falsely detect known safe files as malicious.
Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....
#10
Posted 05 August 2009 - 01:51 PM
Hi rdsok,
Thanks for your reply. What happens now? - Avira will keep flagging the file as potentially malicious unless I quarantine it until I am ready to create the ISO file and the bootable CD. Will Avira be persuaded that the file is not a real threat or will I have to put up with the nagging interruptions from the Avira software during the process? Of course I could disable my broadband connection and the Avira anti virus software until the job is done but why should that be necessary?
#11
Posted 05 August 2009 - 03:59 PM
I doubt that Avira will be persuaded to change their opinion...
Check if AntiVir has the option to create an exception or whitelist the item ( whatever they call it ). Ask their support if you are uncertain on how or even if that can be done since we don't provide support for their product in that sense.
On any detection you get, even if it's just a riskware, double check the detection by using an online test such as those provided by http://www.virustotal.com or http://virusscan.jotti.org/ to see what all of the antivirus/antispyware utils say about the file...
ALWAYS play it safe and test; never let someone telling you that it is ok ( including us ) keep you from testing the file yourself. Malware authors are known to always claim their product is clean even when they know it isn't... And a file can also be infected by other malware as well so you also have to make sure it didn't get infected at some point.
In general, a true false positive will only be listed by one util but at times more can ( and have ) have a false depending on what is getting detected. Remember a false is one where a valid program is detected as malware because of the similarity of its code... What is tested safe today could change tomorrow when a new malware detection is added.
Riskware on the other hand will usually be detected by several utils all of the time. Using the example of the mbrfix... my test on VirusTotal showed that 9 out of 40 detected it as riskware.
When there is a false... report it to the company itself ( yes we'd like to know also but we can't do anything to change the detection )... I also recommend reporting riskware as falses in order to change that company's opinion but that only can happen if a lot of users report it. There is certain riskware that I agree should always be flagged.. take a password recovery utility as the example... but in this instance they are taking it too far in my opinion. LOL... of course they apparently didn't ask me damn it... LOL
Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....
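The rule of thumb from the post above (a true false positive usually comes from a single scanner, riskware is flagged by several), worked through as an added example that is not part of the original thread. The scanner names, the constructed labels, the majority threshold and every label fragment other than the `SPR/`, `APPL/` and `Pua.` prefixes quoted in this thread are assumptions.

```python
import re
from collections import Counter

# Label fragments treated as "riskware / potentially unwanted" verdicts.
# SPR/ and APPL/ (Avira) and Pua. (ClamAV) are quoted in this thread; the
# remaining fragments are assumptions about common vendor naming.
RISKWARE = [r"^spr/", r"^appl/", r"^pua[.:/]", r"riskware", r"risktool",
            r"not-a-virus", r"unwanted"]
# Fragments that mark a heuristic or generic signature (e.g. TR/Dropper.Gen).
GENERIC = [r"\.gen\b", r"heur", r"generic"]


def classify_label(label):
    """Return 'riskware', 'generic' or 'specific' for one detection name."""
    low = label.lower()
    if any(re.search(p, low) for p in RISKWARE):
        return "riskware"
    if any(re.search(p, low) for p in GENERIC):
        return "generic"
    return "specific"


def triage(results):
    """Summarise a multi-scanner report.

    results maps scanner name -> detection label, or None when that scanner
    reported nothing. The verdict is a hint for deciding what to do next,
    not proof that a file is clean.
    """
    labels = [label for label in results.values() if label]
    kinds = Counter(classify_label(label) for label in labels)
    flagged, total = len(labels), len(results)
    if flagged == 0:
        verdict = "clean"
    elif kinds["riskware"] * 2 > flagged:
        # Most scanners that flag it call it a risk tool: a policy decision
        # (keep and exclude, or remove), not an infection report.
        verdict = "riskware"
    elif flagged == 1:
        # A lone hit, typical of a signature or heuristic collision:
        # report it to that vendor and re-test after the next update.
        verdict = "possible-false-positive"
    else:
        # Several scanners name it as malware: treat the copy as suspect
        # and fetch a fresh one from the original source.
        verdict = "investigate"
    return {"total": total, "flagged": flagged,
            "kinds": dict(kinds), "verdict": verdict}


def build_sample(total, flagged_labels):
    """Build a constructed report: `total` scanners, the first few flagging."""
    results = {f"engine_{i:02d}": None for i in range(total)}
    for i, label in enumerate(flagged_labels):
        results[f"engine_{i:02d}"] = label
    return results


# Constructed reports. Only SPR/Tool.MBRFix.A and TR/Dropper.Gen are labels
# quoted in the thread; every other label and all scanner names are made up.
MBRFIX_LIKE = build_sample(
    40, ["SPR/Tool.MBRFix.A"] + ["RiskTool.Constructed"] * 6
        + ["Suspicious.Constructed.Gen"] * 2)
SINGLE_HIT = build_sample(40, ["TR/Dropper.Gen"])
BROAD = build_sample(40, ["Trojan.Constructed.A"] * 25)

if __name__ == "__main__":
    for name, report in [("mbrfix-like", MBRFIX_LIKE),
                         ("single hit", SINGLE_HIT),
                         ("broad", BROAD)]:
        print(name, triage(report))
```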
#12
Posted 05 August 2009 - 08:41 PM
rdsok, on 05 August 2009 - 03:59 PM, said:
When there is a false... report it to the company itself ( yes we'd like to know also but we can't do anything to change the detection )... I also recommend reporting riskware as falses in order to change that company's opinion but that only can happen if a lot of users report it. There is certain riskware that I agree should always be flagged.. take a password recovery utility as the example... but in this instance they are taking it too far in my opinion. LOL... of course they apparently didn't ask me damn it... LOL
We would like to know simply so we can repack it in our 7z trick to get around those detections.
I, in the meantime, would suggest that you, once you are ready to get started with building UBCD4Win, disable your antivirus for a short time, accessing and running no other programs, while letting the software extract. Afterwards once you are ready to go and have made your ISO to your satisfaction (only AFTER the ISO is built) then turn the AV back on.
It's a pooty option, but in the mean time that's what we have until a new plugin is released to make those troublesome tools no longer be detected...
God help us all if they figure out how to break 7z encryption.

Here since February 2007, and just now got 7 demerits. I love me some Troll thread.
#13
Posted 06 August 2009 - 04:19 AM
Hi rdsok and Gedrean,
Thanks for your advice. I visited the virustotal and virus scan.Jotti sites and have created a PDF file of the virustotal results (which were identical to the Jotti results). I shall send this file to Avira. The results concur with what you have told me - most anti-virus software programs ignore the mbrfix.exe file, a number describe it as not a virus but as a risk tool and only a few imply that it could be malicious.
#14
Posted 06 August 2009 - 02:34 PM
Hi rdsok and Gedrean,
Update: I have been in touch with Avira who state that although MbrFix.exe is not a virus, it is a type of file that is a risk which could compromise privacy etc. and they will continue to warn when such a file is detected. Their email reply to me contains the following:
-------------------------------------------------------------------------------------------------------------------------------------------
Thank you for your recent inquiry.
The file you have sent us is detected as 'SPR/Tool.MBRFix.A'. This is not a false positive.
Please note, that SecurityPrivacyRisk (SPR) labels possible malicious software. That means, that the file doesn't need to be a virus, but has the possibility to perform malicious actions.
The detection of SPR (SecurityPrivacyRisk) can be excluded from a virus scan.
Attachment(s) you sent:
- MbrFix.exe
--------------------------------------------------------------------------------------------------------------------------------------------
The Avira Support Forum proved more useful to me - after members' and moderator checks and advice, it was explained to me how I could create exceptions in Avira AntiVir by entering an experts' area of the program that I had not tried before. This has solved the immediate problem and MbrFix.exe is now not flagged when scanned. It does not explain, however, why Avira normally gives a warning about the file but reputable software such as that produced by AVG, Avast, Comodo and McAfee etc. do not.
I have now successfully created the ISO file and burnt it to a CD-RW (I do this first before committing it to CD-R so I can test the result before making a permanent CD) and all is fine.
#15
Posted 06 August 2009 - 04:22 PM
Kester, on 06 August 2009 - 02:34 PM, said:
Hi rdsok and Gedrean,
Update: I have been in touch with Avira who state that although MbrFix.exe is not a virus, it is a type of file that is a risk which could compromise privacy etc. and they will continue to warn when such a file is detected. Their email reply to me contains the following:
-------------------------------------------------------------------------------------------------------------------------------------------
Thank you for your recent inquiry.
The file you have sent us is detected as 'SPR/Tool.MBRFix.A'. This is not a false positive.
Please note, that SecurityPrivacyRisk (SPR) labels possible malicious software. That means, that the file doesn't need to be a virus, but has the possibility to perform malicious actions.
The detection of SPR (SecurityPrivacyRisk) can be excluded from a virus scan.
Attachment(s) you sent:
- MbrFix.exe
--------------------------------------------------------------------------------------------------------------------------------------------
The Avira Support Forum proved more useful to me - after members' and moderator checks and advice, it was explained to me how I could create exceptions in Avira AntiVir by entering an experts' area of the program that I had not tried before. This has solved the immediate problem and MbrFix.exe is now not flagged when scanned. It does not explain, however, why Avira normally gives a warning about the file but reputable software such as that produced by AVG, Avast, Comodo and McAfee etc. do not.
I have now successfully created the ISO file and burnt it to a CD-RW (I do this first before committing it to CD-R so I can test the result before making a permanent CD) and all is fine.
That's good. As to why Avira detects it and others do not:
McAfee flags about a dozen of our tools, SOMETIMES, and other tools do not. It is simply a difference in the detection process, which heuristics (behaviors) are considered risky by one vendor and not another, etc.
Some vendors' heuristics models are held very secret by those vendors, and so they will flag apps nothing else will.
No major concern of it though. Glad you found how to turn it off.

Here since February 2007, and just now got 7 demerits. I love me some Troll thread.