
Who should I believe? MBAM says file is safe



Recently, I put AVAST on my old IBM Thinkpad T-40 laptop running WinXP Pro. In AVAST's first scan, it claimed that it had found a trojan--Win32:Trojan-gen {Other}--in a file I have had on my computer for a long time. It's the setup file for an old version of my favorite screen-capture program, HyperSnap, a program I have used in various versions for many years. No anti-virus or anti-malware scan (including MBAM) had ever flagged this file as problematic. I have subsequently scanned the file with MBAM, SpyBot, SuperAntiSpyware, and (on a different computer) McAfee, all with the most current definitions. None of them found the file problematic. I then uploaded the file to VirusTotal. The first time, it produced only four results, mostly "suspicious file." I asked it to analyze it again, and this time 20 of 41 AV programs flagged it, mostly as a trojan.

I'm now quite confused. In the past, I have tended to find MBAM more reliable than any other program. It never flagged this file, neither in scans of the individual file nor in quick or full scans. Today, I made sure AVAST still found the file a trojan; I then ran both another MBAM individual scan of the file and an MBAM full scan, again with the most current defs, and MBAM did not flag the file. I don't know whom to believe. If it were just AVAST vs. MBAM, my money would be on MBAM as the more trustworthy, but the Virus Total results make me wonder. What should my next step be?

Thanks in advance for your help.


Some software authors use an anti-reverse-engineering technology called runtime unpacking. More or less this prevents anyone from simply opening the file and seeing its inner workings, as the unpacked code only exists in memory. There are very aggressive forms of this technology and some forms that are almost exclusively used by malware authors to obscure their code. This is where the vast majority of AV FPs come from: reading runtime packing as malicious.

I think that might be what is going on here, but I need the file itself to know for sure. If it fits, please zip and attach it here and I will have a look at it. If not, I will PM you my personal email so you can send it directly to me.

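As an added illustration of why a runtime-packed installer trips so many heuristic engines (this is not code from the thread or from Malwarebytes): a minimal PE section-table parser plus the two cheap indicators most packer heuristics start from, per-section byte entropy and telltale section names. The sample executable and the short packer-name list are constructed here for the demo; on a real file a hit is a reason to look closer, not a verdict.

```python
import hashlib, math, struct

# Section names packers commonly leave behind (illustrative list for this demo, not a signature database).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".text1", ".adata"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted payloads, roughly 5-6.5 for plain x86 code."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)] if n else []
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes):
    """Walk the PE section table; return (name, raw bytes) pairs."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)  # COFF header
    table = e_lfanew + 24 + opt_size  # section headers (40 bytes each) follow the optional header
    sections = []
    for off in range(table, table + 40 * nsec, 40):
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections

def classify(pe: bytes, threshold: float = 7.0):
    """Per-section report: suspicious when entropy is near 8 bits or the name matches a known packer."""
    report = []
    for name, data in parse_sections(pe):
        ent = shannon_entropy(data)
        reasons = ["high entropy"] * (ent >= threshold) + ["packer section name"] * (name in PACKER_SECTION_NAMES)
        report.append({"name": name, "entropy": round(ent, 2), "reasons": reasons})
    return report

def build_sample_pe(sections):
    """Constructed minimal PE (MZ stub, empty optional header, section table, raw data) for the demo."""
    e_lfanew, n = 0x40, len(sections)
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)
    body, data_start = bytearray(), e_lfanew + 24 + 40 * n
    for name, data in sections:  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
        hdr += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), data_start + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return bytes(hdr + body)

# Constructed sample: an ordinary code-like section next to a "packed" one filled with SHA-256 output.
SAMPLE_PE = build_sample_pe([(".text", bytes(range(64)) * 64),
                             ("UPX1", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))])
```

Running `classify(SAMPLE_PE)` reports `.text` at 6.0 bits with no findings and `UPX1` near 8 bits with both indicators, which is roughly the signal a generic "Trojan-gen"-style heuristic reacts to whether the packed payload is malicious or a legitimately protected installer.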

I think that might be what is going on here, but I need the file itself to know for sure. If it fits, please zip and attach it here and I will have a look at it. If not, I will PM you my personal email so you can send it directly to me.

Thanks VERY much, nosirrah, for your quick and helpful response. I tried to attach a zipped copy of the file with this message, but it was too large (3.15 MB). If you PM me your email address, I'll send it that way.


This looks like an FP. I believe it is being detected by AV because it is packed with Armadillo (runtime unpacker) and possibly also used by some malware to steal screen shots.

Thanks so much, Bruce, for responding so quickly. I'm very pleased with what you've said. I've used various versions of HyperSnap for many years, and I found it hard to believe that one of its set-up files would carry a trojan. I found it even harder to believe because the file in question has been on my computer for quite a while, and no scan by any anti-virus or anti-malware program ever flagged it until the AVAST scan. I would blame AVAST, but I'd then also have to blame all the other AV programs that similarly flagged the file when I uploaded it to VirusTotal. These include a-squared, AntiVir, AVG, BitDefender, eSafe, Fortinet, GData, Ikarus, K7AntiVirus, 2 of the 3 versions of McAfee (but apparently not the one I use on my desktop), NOD32, Panda, Prevx, Sophos, Symantec, VBA32, ViRobot, and VirusBuster. In short, 20 of the 41 programs, including many highly regarded ones.

It does make one wonder about AV programs :) .

I've tried reporting this as a FP to AVAST, but subsequent definitions continue to regard the file as a trojan. I'm not sure there's anything I can do except shrug it off and find something else to worry about ;) . I realize that all of the other AV programs I was going to switch to if I didn't like AVAST were just as mistaken on this call.

Again, many many thanks!!

