Heur.Agent/Gen-Whitebox - Does anyone know what this is or was this a false positive?


9 replies to this topic

#1 david7

    Newbie

Posted 26 January 2012 - 03:16 AM

I just ran a full SAS scan on my XP laptop and one file was infected - it was labeled: Heur.Agent/Gen-WhiteBox and it was in my download folder for my duplicate cleaner program.

I found this odd because I downloaded the duplicate cleaner program from Filehippo and have used it before with no problems and was wondering if it was a false positive. Or is this a serious virus that hid itself in that folder?

The reason I thought it might be a false positive is that I ran a full Malwarebytes scan and it found nothing. And my computer has been running fine as far as I can tell.

If anyone can help I'd appreciate it,

Thanks

david7

#2 Cyberchief

    Advanced Member

Posted 26 January 2012 - 02:46 PM

Had the same problem with a file that has been on my slave drive for a week and was scanned by the same update of definition and core trace. It had been scanned all the previous week with no infection found. I checked it with MSE 4.0 Beta and nothing found. I did an individual scan with SAS Pro and it detected the same threat as yours did. I went back to the Document Foundation and downloaded the Help File for the new release of LibreOffice Productivity Suite, and the same threat was detected again. Scanned with MSE 4.0 Beta, nothing found. SAS needs to get better with their updates and upgrades or this program will become a thing of the past. Just by chance I downloaded and installed Malwarebytes and scanned the same file after redownload, nothing found?? SAS said it was infected. A lot of things need to get better real fast or this program will be scrapped on my computer. I use Windows 7 Pro x64. The program has found safe files one day and with the next definition update they are infected????? :twisted:

#3 Cyberchief

    Advanced Member

Posted 26 January 2012 - 06:34 PM

Just scanned with the new definition update Core 8169 and Trace 5981 and 5.0.1142; now the same file is clean. You people at SAS really need to get your crap (this is the nice word and not the one of choice) together. This is really pitiful. First very few updates, and now ones that create a false positive and the next update fixes the problem; this program has really gone to the dogs. I also purchased Malwarebytes Pro because your new team of malware definition programmers, or whatever they are called, need to be fired. Haven't owned the company but a few months and now the program is full of fleas. You need to get better real fast or you will be out of the business real fast. :evil:

#4 wabenzer

    Newbie

Posted 26 January 2012 - 06:45 PM

Same problem. Heur.Agent/Gen-WhiteBox.Process threw an alert even though BlackBerry Simulator_7.0.0.236_9900.exe has been on my Win7 box for at least six months and my system has been scanned religiously. I dl'd the BlackBerry Simulator install app from the BB Developer site because I need it to develop apps for the BB.

#5 GuiltySpark

    Volunteer Mod

Posted 26 January 2012 - 09:33 PM

Do any of you use UTORRENT?

#6 SASJoe

    Member

Posted 26 January 2012 - 11:28 PM

Unfortunately, over the course of creating definitions for the over 25,000 new malware samples we receive every day there are times when false positives happen. This is not unique to SUPERAntiSpyware, all security companies create false positives and many much more severe than the false positive being reported in this thread.

The Whitebox rule is a heuristic rule which means it is more likely to create a false positive than a traditional rule, but this also makes the heuristic rule able to catch a potentially much larger number of malware samples because it is based on heuristic factors.

For this reason the Whitebox rule is what we call a 'notify' rule, which means after a scan it does not automatically check the detected items of that rule for deletion -- instead it notifies the user and gives them that last choice and moment of discretion in order to determine whether or not it is likely the file is a threat or not.

Thanks to everyone's efforts the small number of false positives caused by the latest renovation to the Whitebox rule were all fixed by the next update. This is not a sign of poor quality -- rather a sign of the high level of responsiveness and attention we pay to false positives.

False positives are just a part of creating detection rules for malicious programs, no matter what security software you use - you are going to have experiences with false positives. That being said, we try very hard at SUPERAntiSpyware to avoid false positives altogether -- but when they do happen we try to be very responsive and to correct the detection rule for any FPs that come out as soon as we can.

Have a good day everyone! Thanks for your help spotting these False Positives - they should be cleared up right now. We appreciate your ongoing support!
Malware Researcher
SUPERAntiSpyware
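
The trade-off described in the post above, as an added example that is not part of the original post and is not SUPERAntiSpyware's code or the actual Whitebox rule. It assumes a toy heuristic (executable header plus high byte entropy), a hypothetical threshold, and constructed sample files:

```python
import hashlib
import math
from collections import Counter

def fake_bytes(seed, blocks=128):
    """Constructed stand-in for compressed/packed content (deterministic, 4 KiB)."""
    return b"".join(hashlib.sha256(f"{seed}-{i}".encode()).digest() for i in range(blocks))

# All sample files are constructed for this example; none is real software or malware.
KNOWN_BAD = b"MZ" + b"constructed known-bad sample " * 40
SAMPLES = {
    "known_bad.exe": KNOWN_BAD,                                # already in the definitions
    "packed_new_threat.exe": b"MZ" + fake_bytes("threat"),    # never seen before
    "benign_installer.exe": b"MZ" + fake_bytes("installer"),  # compressed setup program
    "readme.txt": b"Plain text documentation.\n" * 100,
}
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}  # traditional rule: exact match
ENTROPY_LIMIT = 7.0  # hypothetical heuristic threshold, bits per byte

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(data):
    """Return (rule_type, default_action), or None when no rule fires."""
    if hashlib.sha256(data).hexdigest() in SIGNATURES:
        return ("signature", "preselected for removal")
    # Toy heuristic: executable header plus near-random content.
    if data[:2] == b"MZ" and entropy(data) > ENTROPY_LIMIT:
        return ("heuristic", "notify only, user decides")
    return None

def report(samples):
    """Scan every sample and map file name to its result."""
    return {name: scan(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, result in report(SAMPLES).items():
        print(f"{name:24} {result}")
```

The toy heuristic gives the unseen threat and the benign installer the same verdict, so the only thing keeping the installer from being removed by default is that heuristic hits are notify-only.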

#7 david7

    Newbie

Posted 27 January 2012 - 10:23 PM

Thanks SASJoe and others for clarifying the problem. I understand the dilemma in regards to false positives now, and I still think SuperAntiSpyware does a great job and it has found and removed malware that other security software couldn't find or deal with.

Keep up the good work,

david7

#8 Cyberchief

    Advanced Member

Posted 08 February 2012 - 01:05 PM

This is getting old real fast. This is the second time that your program has said that a file that has been checked over the past few weeks is safe and now it is infected with Heur.Agent/Gen-Whitebox with Core: 8214 Trace: 6026. I thought that this was fixed with an earlier definition update? I submitted a False Positive Report after the scan finished. This program, instead of getting better, is really sucking big wind. I cannot trust the program with real time scanning anymore or scheduled scans. I just use it on demand. This needs to be fixed once and for all. I scanned the file with MalwareBytes 1.60 Pro and with MSE 4.0 Beta and the results were negative for a threat or infection. What's the excuse this time?

#9 mattisdada

    Newbie

Posted 09 February 2012 - 02:59 AM

1. The developers are human (shock, gasp, I know right?)
2. It's Heuristic based. (https://secure.wikim...ristic_analysis)

What does that mean? It means the scanner picked up that as a possible malicious item as it contains certain aspects of a Heuristic that the scanner picks up. That doesn't mean it IS a virus. No security solution in the world, doesn't matter how much money they get. Heuristics will always get false positives! 80% of the time it might be accurate, maybe even 95% of the time. But never 100%. And I'm sure you're wondering, why not just disable Heuristics? Although it may be the cause of most false positives, it's also one of the best defenses against zero day / in the wild threats.

#10 Cyberchief

    Advanced Member

Posted 09 February 2012 - 12:52 PM

I see that the Newbie and SASJoe are at about the same level of computer knowledge. My point being once it's detected and a definition is supplied to fix it and a week or so later the same problem appears. I thought the point of fixing would keep it from reappearing again and again? I understand the human factor but once it's so called fixed it should be that way from then on and not reoccur. I understand Heuristic based detection and with other programs that use this it's fixed once and for all. It doesn't matter and it's not worth the aggravation of beating a dead horse; it still won't get up. I understand about developers being human, I can empathize with that; maybe there should be some quality control to check for errors in definition signatures before they are released to ensure they address current and future detection issues of a problem. Since the weekend seems to be a time when no definitions are released, maybe this time would or could be used as a brainstorming period to resolve issues of this nature? BTW I use other programs that use Heuristic detection and as of yet they have not had a problem with the file your program keeps detecting. I use Comodo on one computer and Cloud on another with the same file on each, no problem detected. Have a great day.....



