[rdsok]

Actually... hueristics only comes into the picture on a real false positive... if they are classifying the file as riskware on purpose it isn't a false... we may not agree with their classification but it still detected on purpose at that point.

When it comes to riskware, spyware and adware there is no ISO ( or other standards organization ) standard/definition that states specifically what these are. So the detections are very subjective to say the least and each company decides what they will classify as a threat or not.

In a way, it is very much like the laws of different countries, what is legal in one is illegal in another. All of the countries may agree on a major law such as murder as being bad, but on minor issues each will have different opinions. Take alcohol and marijuana as a good analogy, alcohol is typically legal in most places where marijuana is not, yet both have similar effects on the body and mind. So it is as much a perception issue as a logic issue.

[Kester]

Hi,

Thanks for your patience, help and advice. This is my final post on this thread but it is to let you know everything worked out. I used the live CD today, there were no problems and I accessed the Forum and produced this post via the live CD.

You may be interested to know that my version of XP is an OEM version (on a Packard Bell Imedia MC 2469 PC) and despite one warning re: there may be problems with OEM operating systems, there were no errors and the process of creating the ISO file and then the live CD ran smoothly.

[Gedrean]

Kester, on 07 August 2009 - 12:49 AM, said:

<br />Hi,<br /><br />Thanks for your patience, help and advice.  This is my final post on this thread but it is to let you know everything worked out. I used the live CD today, there were no problems and I accessed the Forum and produced this post via the live CD.<br /><br />You may be interested to know that my version of XP is an OEM version (on a Packard Bell Imedia MC 2469 PC) and despite one warning re: there may be problems with OEM operating systems, there were no errors and the process of creating the ISO file and then the live CD ran smoothly.<br />

<br /><br /><br />

I am actually kind of surprised that PB still exists. I knew it had been withdrawn from the US markets, and that it had remained in the EU area, but I had assumed its massive losses for 4 years would have made it a fait accompli that the company would eventually quit and not try to cope with recovering from staggering quality deficiency claims.

I guess I was wrong. I owe somebody a coke.

[Kester]

Hi Gedrean,

I ran my regular Windows Defender full system scan today. I grabbed an image of the report which had given an alert for files within the download file of UBCD4Win v3.50 and in the installation folder on my C drive. Defender flagged the alert as 'RemoteAccess Win32/TightVNC' with a 'Medium' alert level. I scanned the image with my OCR software and have pasted the text in this post as follows:
------------------------------------------------------------------------------------------------------------------------------------------------------------
Category:
Remote Control Software
Description:
This program has potentially unwanted behavior.
Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.
Resources:
file:
D:\Documents and Settings\Chris Nother\lnternet Downloads\New Downloads\UBCD4WinV350.exe->(inno# 006035)
file:
D:\Documents and Settings\Chris Nother\lnternet Downloads\New Downloads\UBCD4WinV350.exe->(inno# 006031)
file: Q\UBCD4Win\plugin\Network\CrossLoop\files\winvnc.exe
file: Q\UBCD4Win\plugin\Network\CrossLoop\files\VNCHooks.dll
containerfile:
D:\Documents and Settings\Chris Nother\lnternet Downloads\New Downloads\UBCD4WinV350.exe

View more information about this item online
-----------------------------------------------------------------------------------------------------------------------------------------------------------
My action taken was to 'always allow' for these files.

Although I have already successfully created a live CD, I am now exploring customization possibilities after browsing your 'how to' pages etc. on the website. This means, of course, that I need to keep the files that were flagged by Defender for the time being.

[Gedrean]

Kester, on 09 August 2009 - 08:46 AM, said:

Hi Gedrean,

I ran my regular Windows Defender full system scan today. I grabbed an image of the report which had given an alert for files within the download file of UBCD4Win v3.50 and in the installation folder on my C drive. Defender flagged the alert as 'RemoteAccess Win32/TightVNC' with a 'Medium' alert level. I scanned the image with my OCR software and have pasted the text in this post as follows:

VNC is ALWAYS targeted, unfortunately, but we'll see what we can do with that one as well.

Geez, here I jokingly said we should just compress everything and let god sort it out, and it looks like we're getting there.

[krroga54]

Hi,

Can you help? I built a UBCD4WIN v 3.50 iso on my laptop, burnt the iso; and all went well.

Then I booted my laptop off the UBCD4WIN boot disk and ran the Avira to checkout my laptop's c drive. Unfortunately, this AV gave some false positives and automatically moved and quarantined the following files from my c drive:-

c:\ubcd4win\bartpe\i386\system32\nircmd.exe
c:\ubcd4win\bartpe\programs\combofix\combofix.exe
c:\ubcd4win\bartpe\programs\sdfix\sdfix.exe
c:\ubcd4win\oem1\peutils\nircmd.exe
c:\ubcd4win\plugin\cleanup tools\combofix\combofix.exe
c:\ubcd4win\plugin\cleanup tools\sdfix\sdfix.exe

My question is: do I now have to reinstall these 3 exe files back into their various c:\ubcd4win locations on my laptop's c drive?

Will future UBCD4WIN builds require these files?

Any help would be appreciated; and by the way; UBCD4win is such a good idea; well done.

Keith

Gedrean, on 07 July 2009 - 05:42 PM, said:

Hi! I've been noticing a lot of false positive reports coming in where users are still using version 3.20 or even 3.0 of UBCD4Win.

When we made 3.50, we started a new strategy for eliminating false positives and avoiding "undesirable program detected" messages within UBCD4Win.
As a trial for 3.50, about 6 or 7 programs were enclosed in a special 7z wrapper to "cloak" them from antivirus programs.
Best part was, we discovered that these applications take up very little space in the RAMDrive, and can be easily removed afterwards, so this decreased over-all default install and build size as well!
Now, the reason we don't do this for the larger and more complex plugins is actually pretty simple: RAMDrive size. We can't assume the user has 200+ MB of extra RAM to shove into a RAMDrive so we can have the antivirus plugins extract out like this, but we'd like to put more and more of the small plugins into this format, as well as catch ANY and ALL false positives with this.

Now, of course, this means for official plugins we have to make sure they are truly virus-free and do what they say, but since this strategy will only be employed for official (read:included) plugins, we feel this is a decent approach to take.
But, this post isn't for me to self-aggrandize about how awesome this approach is

Now, on to the meat and potatoes:

WE NEED YOUR HELP!

What I'd like to request is that if you have a false positive WITH 3.50, NOT EARLIER VERSIONS, please post them to this thread!
That way, the thread can be noted indicating which false positives have or will be fixed in future versions, and we don't have to sift through a million posts about how 3.0 has a false positive with McAfee that we fixed a long time ago.

This is also a great thread you can check to see if the virus report you got was a false positive. If it exists in this list, it's a false positive!

Posts don't need to be big, or long, or convoluted.
All we need is which application did it (So if it says, for example, ipscan.exe, the program itself is IP Scan) or the path to the application, and which anti-malware program caught the false positive (McAfee, Avast, MalwareBytes, AdAware, Spybot, etc.)

We'll do the rest, and hopefully make version 3.6 have an even better default install, with more tools, less size, and NO FALSE POSITIVES! (we hope.)

Thank you for your assistance in this matter!

[rdsok]

The items listed are not malware... please follow the instructions already given in the FAQ and this thread as well as found in other areas of the forum.

[krroga54]

rdsok, on 20 September 2009 - 09:43 PM, said:

The items listed are not malware... please follow the instructions already given in the FAQ and this thread as well as found in other areas of the forum.

Hi,

As a new member, I guess I need some help. Can you possibly point me towards

'the instructions already given in the FAQ'

I put FAQ into the Search box and got no results.

Thanks,

Keith

[rdsok]

On the main website click the link to the FAQ in the navigation links on the left side

[krroga54]

rdsok, on 20 September 2009 - 11:59 PM, said:

On the main website click the link to the FAQ in the navigation links on the left side

Thanks for your patience and pointing me towards FAQ.

From that and other answers I'm starting to understand that nircmd.exe, combofix.exe and sdfix.exe are cleaning tools; and that they only work in a windows environment anyway.

Do I need to reinstall them back into their various c:\UBCD4WIN folders, after Avira removed them when I was in the UBCD4WIN PE environment?

Thanks again,
Keith

[rdsok]

combofix.exe and sdfix.exe are cleaning tools and you can disable those if you wish...

nircmd.exe is not a cleaning tool and is required by several different plugins

I'd replace all... and exclude the UBCD4Win folder from your protection software

[SteelTrepid]

I need to quit trying to think?
Seems the last few ideas I've implemented into our last few releases are causing more problems.......we've already had enough, not more!!

There are big plans for 3.6!!! Hopefully we can get our Alpha testing done soon.

[jr2]

Hi,

I informed an acquaintance of your site, and Windows Defender came up with the following:

Windows Defender for Windows 7 32-bit Release Candidate

RemoteAccess:Win32/TightVNC
alert level: Medium

"Category:
Remote Control Software

Description:
This program has potentially unwanted behavior

Advice:
Review the alert details to see why the sofware was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Resources:
file:
C:\UBCD4Win\BartPE\PROGRAMS\Crossloop\VNCHooks.dll

file:
C:\UBCD4WIN\BartPE\PROGRAMS\Crossloop\winvnc.exe"

Attached File(s)

•  Capture-1.jpg (84.26K)
  Number of downloads: 5
•  Capture-2.jpg (86.12K)
  Number of downloads: 5

[rdsok]

Thanks for the report...

The items mentioned are simply Remote control software just like Remote Desktop is that MS includes... either exclude them from detection or disable the plugins... THEY ARE NOT MALWARE

I am suprised that MS is choosing to detect these since they have the same type of software included with Windows itself... I do expect this behaviour from Symantec ( Norton ) and McAfee but not MS... perhaps they are getting jealous since VNC's are more popular than their MS counterparts

[MarktheC]

AVG false positive (I hope!) on LanguageID Finder.exe

http://www.virustota...555f-1256278137

AVG found 'LanguageID Finder.exe', with various names, in the BartPE folder, in the UBCD4WIN folder, and ALSO in the:
C:\System Volume Information\_restore{779A5...}\RP244\A0033096.exe
.. file and three other files in that same RP244 folder.
Why is it in the system restore I wonder?

AVG 8.5.0.423 2009.10.22 Generic15.JXH
CAT-QuickHeal 10.00 2009.10.23 Trojan.Agent.ATV
Rising 21.52.40.00 2009.10.23 Packer.Win32.Agent.bk