Chet

Possible false positive?


Hello group,

I'm relatively new here. Using Superantispyware free edition. After scanning, I got a window saying a trojan had been detected in a screensaver executable file, of all things. I have had this file on my computer for several years and it never gave a problem before, even after many scannings with Superantispyware. To be safe, I let Superantispyware isolate the file, since I can live without the screensaver. Could this be a false positive? Or could a trojan actually infect such a file?

Thank you,

Chet


Well, it is possible in theory, but as with most *suspect* detections there are steps that can assist in deciding whether it is a F/P :wink:

First, restore the file using the quarantine feature of SAS.

Next, upload it to the VirusTotal service for 36 second opinions 8)

http://www.virustotal.com/

If no one else is flagging the file, then there is a much higher probability that it is a false positive.

If an F/P is suspected at this point, then rescan with SAS and, at the end when it flags the file, select *report FalsePositive* on that file.

HTH :)


Thanks, fatdcuk. I got two "hits" in the VirusTotal service. Don't know if that's a significant number or not, but I went ahead and quarantined the file anyway. I'm curious, though: How could a file that's been on my computer for years, apparently clean all that time, suddenly become infected with a trojan? Is that unusual?

Thanks,

Chet


OK, what were the flags, and by whom, at VirusTotal?

Back to your question: it is possible that a new malware has a target string in common with an old file, and hence why, out of the blue, it becomes flagged by file-sniffing software. Although another possibility is that the file has become infected/patched by a malware process/code.

Either way, it can be determined with a little extra digging :)


The flag by eSafe said it was a "suspicious trojan/worm." The flag by Prevx1 said "Heuristic -- suspicious file with persistence." Also given was this information, whatever it means:

MD5: cfb148ff1d6b6b9b1e8c6499b671fc2e

SHA1: b06dafa5e5433cfd6f8ee3c17fa87671b72100a9

SHA256: a51d323c9a07ef6da7c74aa9cc9abae8af1fb88d09aae058ac513f67f1b717f1

SHA512: c3e20b85181acd5adcfa851f64e9c87573818f96db2fc823992c7c3c7e9a10b594c4ecb3317008410917ed9319edadfe4d0125b683d01727722a832ed4cb172c

thanks,

Chet

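The four digests posted above are how VirusTotal identifies a sample, and they let you check an existing report by hash without uploading the file at all. The script below is an added example (not code from the thread or from SUPERAntiSpyware) of the procedure fatdcuk described: compute the digests of the quarantined file, build the VirusTotal hash-lookup URL, and reduce a report to "how many engines out of how many flagged it, and with what names" so you can apply the same two-hits-out-of-36 judgement. The sample bytes and the sample report are constructed for the example (the report mirrors the eSafe and Prevx1 results quoted in the thread); `fetch_report` uses the VirusTotal API v3 file endpoint and needs a real API key and network access, so it is not exercised offline. The `likely_false_positive` threshold is a rule of thumb, not ground truth.

```python
"""Hash a suspect file, look it up on VirusTotal by digest, and summarise the verdict.

Added example, not part of the original thread. Sample data is constructed.
"""
import hashlib
import json
import urllib.request

# Constructed stand-in for the quarantined screensaver file (NOT the real file).
SAMPLE_BYTES = b"abc"

# Constructed VirusTotal API v3 file report shaped like a real one; the two
# "suspicious" entries mirror the eSafe / Prevx1 verdicts quoted in the thread.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {
                "malicious": 0, "suspicious": 2, "undetected": 34, "harmless": 0,
            },
            "last_analysis_results": {
                "eSafe": {"category": "suspicious", "result": "Suspicious Trojan/Worm"},
                "Prevx1": {"category": "suspicious",
                           "result": "Heuristic: Suspicious File With Persistence"},
                "ClamAV": {"category": "undetected", "result": None},
            },
        }
    }
}


def file_digests(data: bytes) -> dict:
    """Return MD5/SHA1/SHA256/SHA512 hex digests, keyed as VirusTotal lists them."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def vt_lookup_url(sha256: str) -> str:
    """Web-UI lookup by hash: no upload needed if VirusTotal already has the file."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def fetch_report(sha256: str, api_key: str) -> dict:
    """Fetch an existing report via API v3 (network call; requires a real API key)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file report to engines run, engines flagging, and their verdict names."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    results = attrs.get("last_analysis_results", {})
    flagged = {
        engine: r.get("result")
        for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    }
    total = sum(stats.get(k, 0)
                for k in ("malicious", "suspicious", "undetected", "harmless"))
    return {"total": total, "flagged": len(flagged), "engines": flagged}


def likely_false_positive(summary: dict, max_hits: int = 2) -> bool:
    """Rule of thumb from the thread: a couple of heuristic/generic hits out of
    dozens of engines, and no engine naming a specific family, leans false positive."""
    if summary["flagged"] > max_hits:
        return False
    generic = ("heuristic", "suspicious", "generic")
    return all(any(g in (name or "").lower() for g in generic)
               for name in summary["engines"].values())


if __name__ == "__main__":
    digests = file_digests(SAMPLE_BYTES)
    for algo, hexdigest in digests.items():
        print(f"{algo}: {hexdigest}")
    print("Lookup:", vt_lookup_url(digests["SHA256"]))
    summary = summarize_report(SAMPLE_REPORT)
    print(f"{summary['flagged']} of {summary['total']} engines flagged it:",
          summary["engines"])
    print("Likely false positive:", likely_false_positive(summary))
```

To use it on the real file, replace `SAMPLE_BYTES` with the bytes read from the restored screensaver executable and paste the SHA256 into the lookup URL; if VirusTotal has no report for that hash, that is the point at which an upload is needed. A hit from an engine that names a specific family (rather than "heuristic" or "suspicious") is the case where the rule of thumb should not be trusted.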

Ok Chet,

In the balance of things it's probably an F/P, so if you could restore it and use the in-software report false positive function, then hopefully SAS HQ will load it into IDA (or whatever they're using) and sort it out from there :)
