UBCD4Win Forums: Read First: False Positives List

Read First: False Positives List - False positives that still appear AFTER 3.5

#16 rdsok (Admin) - Posted 06 August 2009 - 06:10 PM

    Actually... heuristics only comes into the picture on a real false positive... if they are classifying the file as riskware on purpose it isn't a false... we may not agree with their classification but it still detected on purpose at that point.

    When it comes to riskware, spyware and adware there is no ISO ( or other standards organization ) standard/definition that states specifically what these are. So the detections are very subjective to say the least and each company decides what they will classify as a threat or not.

    In a way, it is very much like the laws of different countries, what is legal in one is illegal in another. All of the countries may agree on a major law such as murder as being bad, but on minor issues each will have different opinions. Take alcohol and marijuana as a good analogy, alcohol is typically legal in most places where marijuana is not, yet both have similar effects on the body and mind. So it is as much a perception issue as a logic issue.
    Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....

#17 Kester (Members) - Posted 07 August 2009 - 12:49 AM

      Hi,

      Thanks for your patience, help and advice. This is my final post on this thread but it is to let you know everything worked out. I used the live CD today, there were no problems and I accessed the Forum and produced this post via the live CD.

      You may be interested to know that my version of XP is an OEM version (on a Packard Bell Imedia MC 2469 PC) and despite one warning re: there may be problems with OEM operating systems, there were no errors and the process of creating the ISO file and then the live CD ran smoothly.

#18 Gedrean (BETA Tester) - Posted 07 August 2009 - 01:06 PM

        Kester, on 07 August 2009 - 12:49 AM, said:

        Hi,

        Thanks for your patience, help and advice. This is my final post on this thread but it is to let you know everything worked out. I used the live CD today, there were no problems and I accessed the Forum and produced this post via the live CD.

        You may be interested to know that my version of XP is an OEM version (on a Packard Bell Imedia MC 2469 PC) and despite one warning re: there may be problems with OEM operating systems, there were no errors and the process of creating the ISO file and then the live CD ran smoothly.

        I am actually kind of surprised that PB still exists. I knew it had been withdrawn from the US markets, and that it had remained in the EU area, but I had assumed its massive losses for 4 years would have made it a fait accompli that the company would eventually quit and not try to cope with recovering from staggering quality deficiency claims.

        I guess I was wrong. I owe somebody a coke.
        Here since February 2007, and just now got 7 demerits. I love me some Troll thread.

#19 Kester (Members) - Posted 09 August 2009 - 08:46 AM

          Hi Gedrean,

          I ran my regular Windows Defender full system scan today. I grabbed an image of the report which had given an alert for files within the download file of UBCD4Win v3.50 and in the installation folder on my C drive. Defender flagged the alert as 'RemoteAccess Win32/TightVNC' with a 'Medium' alert level. I scanned the image with my OCR software and have pasted the text in this post as follows:
          ------------------------------------------------------------------------------------------------------------------------------------------------------------
          Category:
          Remote Control Software
          Description:
          This program has potentially unwanted behavior.
          Advice:
          Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.
          Resources:
          file:
          D:\Documents and Settings\Chris Nother\Internet Downloads\New Downloads\UBCD4WinV350.exe->(inno# 006035)
          file:
          D:\Documents and Settings\Chris Nother\Internet Downloads\New Downloads\UBCD4WinV350.exe->(inno# 006031)
          file: Q\UBCD4Win\plugin\Network\CrossLoop\files\winvnc.exe
          file: Q\UBCD4Win\plugin\Network\CrossLoop\files\VNCHooks.dll
          containerfile:
          D:\Documents and Settings\Chris Nother\Internet Downloads\New Downloads\UBCD4WinV350.exe

          View more information about this item online
          -----------------------------------------------------------------------------------------------------------------------------------------------------------
          My action taken was to 'always allow' for these files.

          Although I have already successfully created a live CD, I am now exploring customization possibilities after browsing your 'how to' pages etc. on the website. This means, of course, that I need to keep the files that were flagged by Defender for the time being.

#20 Gedrean (BETA Tester) - Posted 09 August 2009 - 11:18 AM

            Kester, on 09 August 2009 - 08:46 AM, said:

            Hi Gedrean,

            I ran my regular Windows Defender full system scan today. I grabbed an image of the report which had given an alert for files within the download file of UBCD4Win v3.50 and in the installation folder on my C drive. Defender flagged the alert as 'RemoteAccess Win32/TightVNC' with a 'Medium' alert level. I scanned the image with my OCR software and have pasted the text in this post as follows:


            VNC is ALWAYS targeted, unfortunately, but we'll see what we can do with that one as well.

            Geez, here I jokingly said we should just compress everything and let god sort it out, and it looks like we're getting there.

#21 krroga54 (Members) - Posted 20 September 2009 - 04:02 PM

              Hi,

              Can you help? I built a UBCD4WIN v 3.50 iso on my laptop, burnt the iso; and all went well.

              Then I booted my laptop off the UBCD4WIN boot disk and ran the Avira to check out my laptop's c drive. Unfortunately, this AV gave some false positives and automatically moved and quarantined the following files from my c drive:-

              c:\ubcd4win\bartpe\i386\system32\nircmd.exe
              c:\ubcd4win\bartpe\programs\combofix\combofix.exe
              c:\ubcd4win\bartpe\programs\sdfix\sdfix.exe
              c:\ubcd4win\oem1\peutils\nircmd.exe
              c:\ubcd4win\plugin\cleanup tools\combofix\combofix.exe
              c:\ubcd4win\plugin\cleanup tools\sdfix\sdfix.exe

              My question is: do I now have to reinstall these 3 exe files back into their various c:\ubcd4win locations on my laptop's c drive?

              Will future UBCD4WIN builds require these files?

              Any help would be appreciated; and by the way; UBCD4win is such a good idea; well done.

              Keith

              Gedrean, on 07 July 2009 - 05:42 PM, said:

              Hi! I've been noticing a lot of false positive reports coming in where users are still using version 3.20 or even 3.0 of UBCD4Win.

              When we made 3.50, we started a new strategy for eliminating false positives and avoiding "undesirable program detected" messages within UBCD4Win.
              As a trial for 3.50, about 6 or 7 programs were enclosed in a special 7z wrapper to "cloak" them from antivirus programs.
              Best part was, we discovered that these applications take up very little space in the RAMDrive, and can be easily removed afterwards, so this decreased over-all default install and build size as well!
              Now, the reason we don't do this for the larger and more complex plugins is actually pretty simple: RAMDrive size. We can't assume the user has 200+ MB of extra RAM to shove into a RAMDrive so we can have the antivirus plugins extract out like this, but we'd like to put more and more of the small plugins into this format, as well as catch ANY and ALL false positives with this.

              Now, of course, this means for official plugins we have to make sure they are truly virus-free and do what they say, but since this strategy will only be employed for official (read:included) plugins, we feel this is a decent approach to take.
              But, this post isn't for me to self-aggrandize about how awesome this approach is.

              Now, on to the meat and potatoes:

              WE NEED YOUR HELP!

              What I'd like to request is that if you have a false positive WITH 3.50, NOT EARLIER VERSIONS, please post them to this thread!
              That way, the thread can be noted indicating which false positives have or will be fixed in future versions, and we don't have to sift through a million posts about how 3.0 has a false positive with McAfee that we fixed a long time ago.

              This is also a great thread you can check to see if the virus report you got was a false positive. If it exists in this list, it's a false positive!

              Posts don't need to be big, or long, or convoluted.
              All we need is which application did it (So if it says, for example, ipscan.exe, the program itself is IP Scan) or the path to the application, and which anti-malware program caught the false positive (McAfee, Avast, MalwareBytes, AdAware, Spybot, etc.)

              We'll do the rest, and hopefully make version 3.6 have an even better default install, with more tools, less size, and NO FALSE POSITIVES! (we hope.)

              Thank you for your assistance in this matter!

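Kester's post above shows how Windows Defender lists the hits (`file:` and `containerfile:` resources, with installer members written as `->(inno# NNNNNN)`), and Gedrean's quoted request asks reporters to name the flagged application, its path and the scanner. The script below is an added example, not code from UBCD4Win or from anyone in this thread: it parses a Defender alert in that format and checks each flagged path against the UBCD4Win file names and plugin folders this thread identifies as false positives. The report text is a constructed sample; the allowlist is only as wide as the posts above, so anything it does not match is left for manual review rather than waved through.

```python
"""Added example: triage a Windows Defender alert against the UBCD4Win files this thread calls false positives."""
import re
from pathlib import PureWindowsPath
# File names reported as false positives in this thread, with the UBCD4Win
# folder fragments they legitimately live under (all lower-case).
KNOWN_UBCD4WIN_FILES = {
    "winvnc.exe": ("crossloop",),
    "vnchooks.dll": ("crossloop",),
    "nircmd.exe": ("i386\\system32", "peutils"),
    "combofix.exe": ("combofix",),
    "sdfix.exe": ("sdfix",),
}
# Defender names a member of an Inno Setup installer as "<installer>->(inno# NNNNNN)".
_MEMBER_SUFFIX = re.compile(r"->\((?P<archive>\w+)#\s*(?P<idx>\d+)\)$")
# Constructed sample modelled on the report quoted in this thread (download path shortened).
SAMPLE_REPORT = """Resources:
file:
D:\\Downloads\\UBCD4WinV350.exe->(inno# 006035)
file:
D:\\Downloads\\UBCD4WinV350.exe->(inno# 006031)
file: Q\\UBCD4Win\\plugin\\Network\\CrossLoop\\files\\winvnc.exe
file: Q\\UBCD4Win\\plugin\\Network\\CrossLoop\\files\\VNCHooks.dll
containerfile:
D:\\Downloads\\UBCD4WinV350.exe
"""

def parse_report(text):
    """Return (kind, path, member) per file:/containerfile: resource; the path may sit on the next line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for i, ln in enumerate(lines):
        m = re.match(r"^(file|containerfile):\s*(.*)$", ln, re.I)
        if not m:
            continue
        kind, rest = m.group(1).lower(), m.group(2).strip()
        if not rest and i + 1 < len(lines):
            rest = lines[i + 1]
        member, suffix = None, _MEMBER_SUFFIX.search(rest)
        if suffix:  # an entry inside the installer, identified only by its index
            member = (suffix.group("archive"), int(suffix.group("idx")))
            rest = rest[:suffix.start()]
        entries.append((kind, rest, member))
    return entries

def classify_path(path):
    """'known-fp' only when both the file name and its UBCD4Win location match."""
    p = PureWindowsPath(path)
    parent, name = str(p.parent).lower(), p.name.lower()
    if "ubcd4win" not in parent:
        return "review"  # the same name outside the build tree is not covered here
    frags = KNOWN_UBCD4WIN_FILES.get(name, ())
    return "known-fp" if any(f in parent for f in frags) else "review"

def triage(text):
    """Verdict per flagged path; installer members carry only an index and are judged via the extracted copies."""
    verdicts = {}
    for kind, path, member in parse_report(text):
        if kind == "containerfile":
            verdicts[path] = "container"
        elif member is not None:
            verdicts[f"{path}#{member[1]}"] = "archive-member"
        else:
            verdicts[path] = classify_path(path)
    return verdicts
```

The same `classify_path` check applies to a plain list of quarantined paths such as the Avira output in the post above; a matching name outside the UBCD4Win tree deliberately stays "review".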

#22 rdsok (Admin) - Posted 20 September 2009 - 04:43 PM

                The items listed are not malware... please follow the instructions already given in the FAQ and this thread as well as found in other areas of the forum.

#23 krroga54 (Members) - Posted 20 September 2009 - 05:13 PM

                  rdsok, on 20 September 2009 - 09:43 PM, said:

                  The items listed are not malware... please follow the instructions already given in the FAQ and this thread as well as found in other areas of the forum.

                  Hi,

                  As a new member, I guess I need some help. Can you possibly point me towards

                  'the instructions already given in the FAQ'

                  I put FAQ into the Search box and got no results.

                  Thanks,

                  Keith

#24 rdsok (Admin) - Posted 20 September 2009 - 06:59 PM

                    On the main website click the link to the FAQ in the navigation links on the left side

#25 krroga54 (Members) - Posted 21 September 2009 - 05:49 AM

                      rdsok, on 20 September 2009 - 11:59 PM, said:

                      On the main website click the link to the FAQ in the navigation links on the left side


                      Thanks for your patience and pointing me towards FAQ.

                      From that and other answers I'm starting to understand that nircmd.exe, combofix.exe and sdfix.exe are cleaning tools; and that they only work in a windows environment anyway.

                      Do I need to reinstall them back into their various c:\UBCD4WIN folders, after Avira removed them when I was in the UBCD4WIN PE environment?

                      Thanks again,
                      Keith

#26 rdsok (Admin) - Posted 21 September 2009 - 10:03 AM

                        combofix.exe and sdfix.exe are cleaning tools and you can disable those if you wish...

                        nircmd.exe is not a cleaning tool and is required by several different plugins

                        I'd replace all... and exclude the UBCD4Win folder from your protection software

#27 SteelTrepid (Admin) - Posted 21 September 2009 - 10:29 PM

                          I need to quit trying to think?
                          Seems the last few ideas I've implemented into our last few releases are causing more problems.......we've already had enough, not more!!

                          There are big plans for 3.6!!! Hopefully we can get our Alpha testing done soon. :)
                          "I play Russian roulette everyday, a man's sport, with a bullet called life"

#28 jr2 (Members) - Posted 10 October 2009 - 12:30 PM

                            Hi,

                            I informed an acquaintance of your site, and Windows Defender came up with the following:

                            Windows Defender for Windows 7 32-bit Release Candidate

                            RemoteAccess:Win32/TightVNC
                            alert level: Medium

                            "Category:
                            Remote Control Software

                            Description:
                            This program has potentially unwanted behavior

                            Advice:
                            Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

                            Resources:
                            file:
                            C:\UBCD4Win\BartPE\PROGRAMS\Crossloop\VNCHooks.dll

                            file:
                            C:\UBCD4WIN\BartPE\PROGRAMS\Crossloop\winvnc.exe"

                            Signature: view here on Hard Light Productions Forums. FS2 lives on!

#29 rdsok (Admin) - Posted 10 October 2009 - 12:45 PM

                              Thanks for the report...

                              The items mentioned are simply Remote control software just like Remote Desktop is that MS includes... either exclude them from detection or disable the plugins... THEY ARE NOT MALWARE

                              I am surprised that MS is choosing to detect these since they have the same type of software included with Windows itself... I do expect this behaviour from Symantec ( Norton ) and McAfee but not MS... perhaps they are getting jealous since VNC's are more popular than their MS counterparts :lol:

#30 MarktheC (Members) - Posted 23 October 2009 - 11:32 PM

                                AVG false positive (I hope!) on LanguageID Finder.exe

                                http://www.virustota...555f-1256278137

                                AVG found 'LanguageID Finder.exe', with various names, in the BartPE folder, in the UBCD4WIN folder, and ALSO in the:
                                C:\System Volume Information\_restore{779A5...}\RP244\A0033096.exe
                                .. file and three other files in that same RP244 folder.
                                Why is it in the system restore I wonder?

                                AVG 8.5.0.423 2009.10.22 Generic15.JXH
                                CAT-QuickHeal 10.00 2009.10.23 Trojan.Agent.ATV
                                Rising 21.52.40.00 2009.10.23 Packer.Win32.Agent.bk