Mischel Internet Security Forum » TrojanHunter » TrojanHunter Scanner
(Moderators: Helena, Gavin_Coe, Magnus)
Topic: possible fp?  (Read 394 times)

Gandalf (Junior Member, Posts: 67)
possible fp?
« on: May 31st, 2008, 3:57am »

Just ran my weekly scan with TH5 and the latest definition file; it flags the following (now in quarantine) as a trojan file:
Quarantined file C:\Documents and Settings\Administrator\downloads\symantec liveupdate\lusetup.exe
 
I think this may be a false positive.
 
G.

siliconman01 (Global Moderator, Posts: 5668)
Re: possible fp?
« Reply #1 on: May 31st, 2008, 4:40am »

Hmmm... I have lusetup.exe on both my Vista SP1 and XP-SP3 systems and TH is not flagging it.
 
Are you sure you have the latest TH rulesets?  
 
Quote:
+-- General ---------------------------------
Ruleset datestamp         : 2008-05-30
Scan kernel               : 5.0 (Aurelius)
Ruleset entries           : 174080
Trojan definitions        : 66668
Detection rules           : 174080

 
The lusetup.exe that I downloaded from the Symantec site just yesterday is for V3.4.1.234
 
The file <D:\ProgramUpdatesVista\NIS 2008\lusetup.exe> has the following Checksum(s)
 
MD5      - AF1EB9429A59C7907FFD92831F906128
 
I downloaded lusetup.exe from this link:
 
http://www.symantec.com/techsupp/home_homeoffice/products/lu/lu/files.html
« Last Edit: May 31st, 2008, 5:12am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

Gandalf (Junior Member, Posts: 67)
Re: possible fp?
« Reply #2 on: May 31st, 2008, 5:20am »

Hi siliconman01: Yes, I'm running the latest definition file update, same as you. The file in question is an old version of LU. I only have Norton Ghost 10 on my machine, so LU is not used. TH is flagging it as Fake AV.100.
I uploaded a copy of it to VirusTotal and it came back with no detections:

Antivirus          Version         Last Update  Result
AhnLab-V3          2008.5.30.1     2008.05.30   -
AntiVir            7.8.0.25        2008.05.30   -
Authentium         5.1.0.4         2008.05.31   -
Avast              4.8.1195.0      2008.05.31   -
AVG                7.5.0.516       2008.05.30   -
BitDefender        7.2             2008.05.31   -
CAT-QuickHeal      9.50            2008.05.30   -
ClamAV             0.92.1          2008.05.31   -
DrWeb              4.44.0.09170    2008.05.31   -
eSafe              7.0.15.0        2008.05.29   -
eTrust-Vet         31.4.5837       2008.05.30   -
Ewido              4.0             2008.05.31   -
F-Prot             4.4.4.56        2008.05.31   -
F-Secure           6.70.13260.0    2008.05.31   -
Fortinet           3.14.0.0        2008.05.30   -
GData              2.0.7306.1023   2008.05.31   -
Ikarus             T3.1.1.26.0     2008.05.31   -
Kaspersky          7.0.0.125       2008.05.31   -
McAfee             5307            2008.05.30   -
Microsoft          None            2008.05.31   -
NOD32v2            3148            2008.05.30   -
Norman             5.80.02         2008.05.30   -
Panda              9.0.0.4         2008.05.31   -
Prevx1             V2              2008.05.31   -
Rising             20.46.50.00     2008.05.31   -
Sophos             4.29.0          2008.05.31   -
Sunbelt            3.0.1139.1      2008.05.29   -
Symantec           10              2008.05.31   -
VBA32              3.12.6.6        2008.05.31   -
VirusBuster        4.3.26:9        2008.05.30   -
Webwasher-Gateway  6.6.2           2008.05.30   -

Additional information
File size: 3448440 bytes
MD5...: 19df6b0452ae1b20d3d3597d4431d44c
SHA1..: 4b5b1b0b56c03d135f929c9a9a6c177e5be86852
SHA256: b1f605e89357c4bb1c105076196b077764b8fa44980df2a0b255a1b05abd6fb6
SHA512: 9a1e706b167c1beb4736ad1e63b2aced622afc2a8c6d2b8805bb5b902138c8aa3e6b04bd57cd33ca8f7304f0949f4ff2abff757cecf6b98b97b0bef94e82396a
What do you think?
Xp-Pro SP3 fully patched and updated.
Also ran scans with Avast, SS&D, SAS - all found nothing.
 
G.
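The two posts above compare a quarantined file against a fresh vendor download by hash: siliconman01 reports an MD5 of AF1EB9429A59C7907FFD92831F906128 for the 3.4.1.234 build, while VirusTotal reports 19df6b0452ae1b20d3d3597d4431d44c for Gandalf's copy. The digests differ, which is exactly what two different LiveUpdate builds would give, so hashing shows the files are not the same build and says nothing by itself about whether either is malicious; the engine table is what carries that signal. The script below is an added example, not code from the thread or from TrojanHunter: it fingerprints a sample under the four algorithms VirusTotal listed, checks it against a reference that may list only MD5 (as the forum post does), and counts detections in a report laid out like the one quoted. Every input is a constructed stand-in; no real installer bytes are used.

```python
"""Triage helpers for a suspected antivirus false positive (added example, not TrojanHunter code)."""
import hashlib

# The four algorithms the quoted VirusTotal report lists.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def fingerprint(data: bytes) -> dict:
    """Hex digests of the sample under every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def compare_with_reference(data: bytes, reference: dict) -> dict:
    """Compare a sample against reference digests, e.g. the MD5 of a fresh vendor download.

    reference maps algorithm name -> hex digest (either case).  Algorithms the reference does
    not list come back as 'unknown'; a mismatch on any listed algorithm means the two files are
    different builds, which is a reason to look closer, not a verdict of malicious.
    """
    ours = fingerprint(data)
    verdicts = {}
    for name in ALGORITHMS:
        if name not in reference:
            verdicts[name] = "unknown"
        elif ours[name] == reference[name].lower():
            verdicts[name] = "match"
        else:
            verdicts[name] = "mismatch"
    return verdicts


def same_build(verdicts: dict) -> bool:
    """True only when the reference listed at least one algorithm and every listed one matched."""
    listed = [v for v in verdicts.values() if v != "unknown"]
    return bool(listed) and all(v == "match" for v in listed)


def count_vt_detections(report: str) -> tuple:
    """Parse the engine table of a VirusTotal text report in the 2008 layout quoted above.

    Each row is 'Engine Version LastUpdate Result'; a Result of '-' means no detection.
    Parsing stops at the 'Additional information' block.  Returns (engines, detections).
    """
    engines = detections = 0
    for line in report.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):
            continue  # blank line or the column header
        if line.startswith("Additional information"):
            break
        fields = line.split()
        if len(fields) < 4:
            continue  # not an engine row
        engines += 1
        if fields[-1] != "-":
            detections += 1
    return engines, detections


# Constructed stand-ins for two builds of the same installer (not real Symantec bytes).
REFERENCE_BUILD = b"MZ\x90\x00 constructed installer build 3.4.1.234"
OLD_BUILD = b"MZ\x90\x00 constructed installer build 3.2"
# A reference that lists only MD5, as the forum post does; upper-case as vendors often print it.
VENDOR_REFERENCE = {"md5": fingerprint(REFERENCE_BUILD)["md5"].upper()}

# Constructed VirusTotal-style text in the quoted layout; engine names are made up, one flags the file.
VT_REPORT = """Antivirus Version Last Update Result
EngineA 1.0 2008.05.31 -
EngineB 2.3.4 2008.05.30 -
EngineC None 2008.05.31 Suspicious.Generic
Additional information
File size: 48 bytes
"""

if __name__ == "__main__":
    print("old build vs vendor MD5:", compare_with_reference(OLD_BUILD, VENDOR_REFERENCE))
    print("fresh build is the reference build:",
          same_build(compare_with_reference(REFERENCE_BUILD, VENDOR_REFERENCE)))
    print("engines, detections:", count_vt_detections(VT_REPORT))
```

When only one algorithm is available the comparison is as strong as that algorithm; MD5 is fine for telling two vendor builds apart, which is all this thread needs, but a modern submission should carry SHA-256 as well so the analyst can match the sample against other reports.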

siliconman01 (Global Moderator, Posts: 5668)
Re: possible fp?
« Reply #3 on: May 31st, 2008, 6:41am »

ahh...okay,
 
Would you please submit the quarantined file which is in folder  
C:\Program Files\TrojanHunter 5.0\Quarantine to submit@misec.net so that Gavin can analyze and correct the ruleset.
 
Please reference this forum link in your e-mail and put "False Positive" in the subject line of your e-mail.  I will e-mail Gavin too.

Gandalf (Junior Member, Posts: 67)
Re: possible fp?
« Reply #4 on: May 31st, 2008, 7:50am »

siliconman01: Unfortunately I cannot. I downloaded a fresh copy of LU v3.4.1.234, installed it and then deleted the file from quarantine. Ran a new scan and nothing was flagged. So, I presume it was because the previous LU file v3.2 was old.
 
G.

Gavin_Coe (Trojan Analyst, Posts: 2043)
Re: possible fp?
« Reply #5 on: May 31st, 2008, 8:55am »

What trojan was detected? Is there a log in your ScanReports folder, please? :)

Gandalf (Junior Member, Posts: 67)
Re: possible fp?
« Reply #6 on: May 31st, 2008, 9:46am »

Gavin: My apologies for deleting the file from quarantine. The trojan that was flagged: Fake AV.100.
 
TrojanHunter Scan Report - Saved 2008-05-31 09:45
 
Found trojan file: C:\Documents and Settings\Administrator\downloads\symantec liveupdate\lusetup.exe (FakeAV.100)
 
Quarantined file C:\Documents and Settings\Administrator\downloads\symantec liveupdate\lusetup.exe
 
G.

Hawkeyelom (Full Member, Posts: 190)
Re: possible fp?
« Reply #7 on: May 31st, 2008, 1:14pm »

In my scan last night TH also flagged an old Symantec LiveUpdate file with a similar name as FakeAV.100.

I believe it is a false positive as it has been on my system since 2007 and never flagged before. TH could not quarantine it as it is a zipped file.
« Last Edit: May 31st, 2008, 1:18pm by Hawkeyelom »
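Gavin asked for the detection name and the ScanReports log, and the replies above show the two situations a false-positive submission runs into: a detection with a quarantined copy that can be forwarded from the Quarantine folder, and a flagged archive that TrojanHunter could not quarantine, which has to be zipped from its original location before anyone deletes it. The parser below is an added example, not TrojanHunter's own code; it reads a report in the layout quoted in Reply #6 (the sample is constructed, and its second path is made up) and says, per detection, where the sample for an e-mail to submit@misec.net would have to come from.

```python
"""Parse a TrojanHunter scan report and decide where each flagged sample can be obtained
for a false-positive submission (added example, not TrojanHunter code)."""
import re
from dataclasses import dataclass, field

# Line shapes taken from the scan report quoted in the thread.
SAVED_RE = re.compile(r"^TrojanHunter Scan Report - Saved (?P<when>.+)$")
FOUND_RE = re.compile(r"^Found trojan file: (?P<path>.+) \((?P<name>[^()]+)\)$")
QUARANTINED_RE = re.compile(r"^Quarantined file (?P<path>.+)$")


@dataclass
class ScanReport:
    saved: str = ""
    detections: list = field(default_factory=list)  # (path, detection name) in report order
    quarantined: set = field(default_factory=set)   # lower-cased paths that have a quarantine line


def parse_scan_report(text: str) -> ScanReport:
    """Extract the saved timestamp, every detection and every quarantine action."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SAVED_RE.match(line)):
            report.saved = m.group("when").strip()
        elif (m := FOUND_RE.match(line)):
            report.detections.append((m.group("path"), m.group("name")))
        elif (m := QUARANTINED_RE.match(line)):
            # Windows paths are case-insensitive, so normalise before matching.
            report.quarantined.add(m.group("path").lower())
    return report


def detections_by_name(report: ScanReport) -> dict:
    """Group flagged paths by detection name, the first thing the analyst asked for."""
    grouped = {}
    for path, name in report.detections:
        grouped.setdefault(name, []).append(path)
    return grouped


def submission_status(report: ScanReport) -> dict:
    """Map each flagged path to where a copy for the vendor can come from.

    'quarantined'     -> a copy sits in the Quarantine folder and can be sent from there.
    'not quarantined' -> nothing was moved (e.g. an archive the scanner could not quarantine);
                         the original must be zipped and sent before it is deleted.
    """
    status = {}
    for path, _name in report.detections:
        status[path] = "quarantined" if path.lower() in report.quarantined else "not quarantined"
    return status


# Constructed report in the quoted layout: the first detection is the one from the thread,
# the second (an archive flagged but not quarantined) uses a made-up path.
SAMPLE_REPORT = r"""
TrojanHunter Scan Report - Saved 2008-05-31 09:45

Found trojan file: C:\Documents and Settings\Administrator\downloads\symantec liveupdate\lusetup.exe (FakeAV.100)

Quarantined file C:\Documents and Settings\Administrator\downloads\symantec liveupdate\lusetup.exe

Found trojan file: C:\constructed\old-liveupdate\LUSETUP_archive.zip (FakeAV.100)
"""

if __name__ == "__main__":
    rep = parse_scan_report(SAMPLE_REPORT)
    print("saved:", rep.saved)
    for name, paths in detections_by_name(rep).items():
        print(name, "->", len(paths), "file(s)")
    for path, where in submission_status(rep).items():
        print(where, ":", path)
```

Run over a real report from the ScanReports folder, the "not quarantined" entries are the ones to copy out before cleaning up, since once the file is gone the analyst has nothing to correct the ruleset against.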

Hawkeyelom (Full Member, Posts: 190)
Still not fixed with June 3 definitions
« Reply #8 on: Jun 4th, 2008, 3:54am »

I downloaded the latest ruleset from June 3 and ran a TH scan and still get a Trojan on the same file as before.

siliconman01 (Global Moderator, Posts: 5668)
Re: possible fp?
« Reply #9 on: Jun 4th, 2008, 4:02am »

Hawkeyelom,
 
Would you please ZIP the file lusetup.exe and submit it.  The link below describes how to submit.  
 
http://www.misec.net/forum/board/FAQ/1139308293
« Last Edit: Jun 4th, 2008, 4:02am by siliconman01 »

Hawkeyelom (Full Member, Posts: 190)
It was only one old file so ...
« Reply #10 on: Jun 4th, 2008, 1:23pm »

I just deleted it.

siliconman01 (Global Moderator, Posts: 5668)
Re: possible fp?
« Reply #11 on: Jun 4th, 2008, 3:32pm »

oh..okay... :D
 
Guess we'll have to wait for the next user who has an old version of LuSetup.exe and try to get a copy of it for Gavin.