BitDefender Uninstall and WinZIP FPs


chaslang

Recommended Posts

Noticed the below false positives today:

Malwarebytes' Anti-Malware 1.37

Database version: 2259

Windows 5.1.2600 Service Pack 2

6/10/2009 7:56:51 PM

mbam-log-2009-06-10 (19-56-39).txt

Scan type: Quick Scan

Objects scanned: 124712

Time elapsed: 1 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/uninst.bat (Trojan.Agent) -> No action taken. [3857535134303627615642473748565261378088797780666970690149838072836678013974777084615447421115113232]

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\downloaded program files\uninst.bat (Trojan.Agent) -> No action taken. [3857535134303627615642473748565261378088797780666970690149838072836678013974777084615447421115113232]

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\downloaded program files\uninst.bat (Trojan.Agent) -> No action taken. [3857535134303627615642473748565261378088797780666970690149838072836678013974777084615447421115113232]

c:\winzip120.exe (Trojan.Agent) -> No action taken. [3857535134303627618874791115708970]

The uninst.bat file and associated registry keys are just for BitDefender V8 Online Scanner. The batch file contains:

echo off
regsvr32 /u /s bitdefender.ocx
del fxfileop.dll
del bitdefender.ocx
del bitdefender.inf
del uninst.bat

The winzip120.exe file is a corporate installer version of WinZip and even has a Digital Signature stating it is from WinZip Computing.

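The log quoted above mixes registry and file detections, and the staff reply below explains the winzip120.exe hit as a root-of-drive location heuristic. The following triage helper is an added example, not Malwarebytes code or the poster's, that parses MBAM log detection lines in the format shown in this thread and separates file detections sitting directly in a drive root (the ones worth verifying by hand, for instance against the publisher's digital signature) from the rest. The sample log embedded below is constructed from the lines quoted in the post; the section-header convention it relies on is what that log shows.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) text logs.

Added example (not vendor or poster code). Parses detection lines of the
form "<item> (<detection name>) -> <action>. [digits]" under section headers
such as "Files Infected:" and flags file detections located directly in a
drive root, as that location is the heuristic discussed in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: an abbreviated MBAM log in the format quoted in the thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.37
Database version: 2259

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ModuleUsage\\c:/windows/downloaded program files/uninst.bat (Trojan.Agent) -> No action taken.

Files Infected:
c:\\WINDOWS\\downloaded program files\\uninst.bat (Trojan.Agent) -> No action taken.
c:\\winzip120.exe (Trojan.Agent) -> No action taken. [3857535134303627618874791115708970]
"""

# One detection line; the trailing bracketed digits are optional.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>[^.\[]+)\.?(?: \[[^\]]*\])?\s*$"
)


@dataclass
class Detection:
    section: str
    item: str
    name: str
    action: str

    @property
    def is_file(self) -> bool:
        return self.section == "Files Infected"

    @property
    def in_drive_root(self) -> bool:
        """True for a file detection sitting directly under a drive root such as c:\\."""
        if not self.is_file:
            return False
        p = PureWindowsPath(self.item)
        return p.drive != "" and p.parent == PureWindowsPath(p.anchor)


def parse_mbam_log(text: str) -> list[Detection]:
    """Walk the log, tracking the current "... Infected:" section header."""
    detections: list[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and "Infected" in line:
            section = line[:-1]
            continue
        # Skip anything before the first section and the "(No malicious items detected)" lines.
        if section is None or line.startswith("("):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["name"], m["action"].strip()))
    return detections


def triage(text: str) -> tuple[list[Detection], list[Detection]]:
    """Split detections into root-of-drive file hits (location-heuristic candidates
    that merit manual verification) and everything else."""
    root_hits: list[Detection] = []
    other: list[Detection] = []
    for d in parse_mbam_log(text):
        (root_hits if d.in_drive_root else other).append(d)
    return root_hits, other


if __name__ == "__main__":
    root_hits, other = triage(SAMPLE_LOG)
    for d in root_hits:
        print(f"VERIFY (drive root): {d.item} [{d.name}]")
    for d in other:
        print(f"{d.section}: {d.item} [{d.name}] -> {d.action}")
```

Run it on a saved MBAM log by reading the file into `triage()`; on the constructed sample, only winzip120.exe lands in the verify bucket while the uninst.bat file and its registry key are listed as ordinary detections.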

Being stored in root is why we hit that installer. MBAM won't let you get away with a lot in that location. If you want to use root for storage, please use our ignore function.

The other detection will be fixed in the update.


Being stored in root is why we hit that installer. MBAM won't let you get away with a lot in that location. If you want to use root for storage, please use our ignore function.

I normally would not have a problem with this answer since I don't like seeing things stored in the root folder either. However, there are quite a few other EXE, RAR, and ZIP files also stored right now in the root folder of this system that Malwarebytes is not complaining about. In fact, one of them is explorer-BAD.exe, which is infected with Virut. What is the basis for the exception?

If you wish to question files in the root folder, then point them out as a potential issue so as to call it to the user's attention to investigate further. Do not point them out as being infected unless they are actually infected.


No anti-malware program will detect everything.

Yes, I know. I'm an expert in malware removal and run the Malware Removal Forums at Major Geeks! What I'm saying is you cannot declare one thing to be infected when it is not, and then ignore all the others. What is your ignore list based on?

Have you really experienced a Virut infection?

No, I do not have an infection. It was a file I collected from a user while removing malware, where I had determined some of their Windows OS file sizes were wrong. This PC is a PC used for experimenting/debugging.

There is no one-to-one ratio of detection in root, only a substantially higher rate of detection. There are so many ways that this detection can happen that there is just no reliable way to mention a "% chance this is a FP because you chose a poor storage location" factor.

The uninst.bat FP has been fixed.


Again, yes, I understand what you are saying, but you are ignoring the fact that you are not declaring other files (EXE, ZIP, RAR) to be problems just because they are located in the root folder. Your logic, or the logic of your coding, is inconsistent. There is no reason to call winzip120.exe infected because it is in the root folder. If I put a copy of winzip120.exe into the root of C:\Program Files, it is not detected, and I also believe that, like the C:\ root folder, anything saved in the root of C:\Program Files should also be questioned.

If I put a valid copy of explorer.exe in the root folder, you will call it worm.autorun since explorer.exe is not expected in the root folder, which is fine. But if I simply rename the valid explorer.exe file to exp1orer.exe and leave it in the root folder, you do not detect it at all, and this file name is well known to be a trojan and should be considered a problem no matter what folder it is in. Why detect winzip120.exe, which is not a system file and has no fixed place that it must be saved or downloaded to? It is a valid WinZIP installer filename.

I don't wish to continue debating this as I understand you have your reasons. I just don't agree with all of the logic and perhaps you should consider additional test methodologies.

Thank you for fixing the other false positive so quickly.

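The post above contrasts two detection ideas: a genuine system binary name (explorer.exe) is suspicious only when found outside its expected directory, while a lookalike name (exp1orer.exe) deserves attention wherever it sits. The check below is an added example, not Malwarebytes code or the poster's, showing how a defender can implement both rules side by side. The table of system binaries with their expected directories and the character-substitution map are this example's own assumptions, not a vendor list; the sample paths are constructed.

```python
"""Lookalike-filename and out-of-place system binary check.

Added example (not vendor or poster code). Two rules:
  1. A file whose name exactly matches a well-known Windows binary but that
     lives outside that binary's expected directory is "out of place".
  2. A file whose name, after undoing common character substitutions
     (1->l, 0->o, ...) or with one character edited, matches such a binary
     is a "lookalike", regardless of where it lives.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Assumed expected home directories of a few well-known Windows binaries.
SYSTEM_BINARIES = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

# Characters commonly swapped in to mimic a legitimate name (assumed map).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l", "!": "i"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path_str: str) -> str:
    """Return "ok", "system-binary-out-of-place" or "lookalike-name" for a path."""
    p = PureWindowsPath(path_str)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name in SYSTEM_BINARIES:
        # Rule 1: the real name is fine only in its expected directory.
        return "ok" if parent == SYSTEM_BINARIES[name] else "system-binary-out-of-place"
    # Rule 2: undo digit-for-letter swaps, then allow one edit, in any directory.
    normalized = name.translate(HOMOGLYPHS)
    for legit in SYSTEM_BINARIES:
        if normalized == legit or levenshtein(name, legit) <= 1:
            return "lookalike-name"
    return "ok"


def scan(paths: list[str]) -> dict[str, str]:
    """Classify every path and return only the ones that need attention."""
    return {p: verdict for p in paths if (verdict := classify(p)) != "ok"}


if __name__ == "__main__":
    # Constructed sample paths mirroring the cases discussed in the thread.
    sample = [
        r"c:\windows\explorer.exe",
        r"c:\explorer.exe",
        r"c:\exp1orer.exe",
        r"c:\winzip120.exe",
        r"c:\users\bob\svch0st.exe",
    ]
    for path, verdict in scan(sample).items():
        print(f"{verdict}: {path}")
```

Note that winzip120.exe passes both rules: it is neither a system binary name nor close to one, which is the distinction the post argues for. In production the table would be generated from a known-good inventory rather than typed in, and the edit-distance rule should be paired with a signature check to keep the false-positive rate down.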
