Chet Report post Posted September 3, 2008 Hello group, I'm relatively new here. Using Superantispyware free edition. After scanning, I got a window saying a trojan had been detected in a screensaver executable file, of all things. I have had this file on my computer for several years and it never gave a problem before, even after many scannings with Superantispyware. To be safe, I let Superantispyware isolate the file, since I can live without the screensaver. Could this be a false positive? Or could a trojan actually infect such a file? Thank you, Chet Share this post Link to post Share on other sites
fatdcuk Report post Posted September 3, 2008 Well it is possible in all theories but as most *suspect* detctions then there are steps that can assist is deciding whether it is a f/p First restore the file from quarantine feature of SAS. Next up upload it to VirusTotal service for 36 second opinions http://www.virustotal.com/ If no one else is flagging the file then there is a much higher probability that it is a FalsePositive. If F/p is suspected at this point then rescan with SAS and at the end when it flags the file....select *report FalsePositive* on that file. HTH Share this post Link to post Share on other sites
Chet Report post Posted September 4, 2008 Thanks, fatdcuk. I got two "hits" in the VirusTotal service. Don't know if that's a significant number or not, but I went ahead and quarantined the file anyway. I'm curious, though: How could a file that's been on my computer for years, apparently clean all that time, suddenly become infected with a trojan? Is that unusual? Thanks, Chet Share this post Link to post Share on other sites
fatdcuk Report post Posted September 4, 2008 ok what were the flags and by whom at VirusTotal ? Back to your question it is possible that a new malware has a target string in common with an old file and hence why out of the blue it becomes flagged by a file sniffing software.Although another possibility is that the file has become infected/patched by malware process/code. Eitherway it can be determined with little extra digging Share this post Link to post Share on other sites
Chet Report post Posted September 4, 2008 The flag by eSafe said it was a "suspicious trojan/worm." The flag by Prevx1 said "Heuristic -- suspicious file with persistence. Also given was this information, whatever it means: MD5: cfb148ff1d6b6b9b1e8c6499b671fc2e SHA1: b06dafa5e5433cfd6f8ee3c17fa87671b72100a9 SHA256: a51d323c9a07ef6da7c74aa9cc9abae8af1fb88d09aae058ac513f67f1b717f1 SHA512: c3e20b85181acd5adcfa851f64e9c87573818f96db2fc823992c7c3c7e9a10b594c4ecb3317008410917ed9319edadfe4d0125b683d01727722a832ed4cb172c thanks, Chet Share this post Link to post Share on other sites
fatdcuk Report post Posted September 4, 2008 Ok Chet, In the balance of things it probaly a F/p so if you could restore it and use in software report false Positive function then hopefully SAS HQ will load it into IDA(or whatever their using) and sort it out from there Share this post Link to post Share on other sites
Chet Report post Posted September 4, 2008 Done. I'll post back if I get a reply. Thanks for your help. Chet Share this post Link to post Share on other sites
