Warning FP in mbam downloader


Heads up warning

There has been a FP in the regnow downloader for MBAM & most probably all regnow sold products via affiliate links

I have been in touch with the AV companies to get it fixed & expect a speedy resolution, but watch out for a few complaints for the next couple of hours

It isn't the actual MBAM file but in the system that regnow use where they download a download manager first and it is the download manager that is the problem

---[ www.virustotal.com ]---------------------------

File Download_mbam-setup.exe received on 03.14.2008 09:15:31 (CET)

Antivirus Version Last Update Result

AhnLab-V3 2008.3.14.0 2008.03.14 no virus found

AntiVir 7.6.0.73 2008.03.13 no virus found

Authentium 4.93.8 2008.03.13 no virus found

Avast 4.7.1098.0 2008.03.13 no virus found

AVG 7.5.0.516 2008.03.13 no virus found

BitDefender 7.2 2008.03.14 no virus found

CAT-QuickHeal 9.50 2008.03.13 Downloader.Keylogger.a (Not a Virus)

ClamAV 0.92.1 2008.03.14 no virus found

DrWeb 4.44.0.09170 2008.03.14 no virus found

eSafe 7.0.15.0 2008.03.09 no virus found

eTrust-Vet 31.3.5614 2008.03.14 no virus found

Ewido 4.0 2008.03.13 no virus found

FileAdvisor 1 2008.03.14 no virus found

Fortinet 3.14.0.0 2008.03.14 Download/Keylogger

F-Prot 4.4.2.54 2008.03.13 no virus found

F-Secure 6.70.13260.0 2008.03.14 no virus found

Ikarus T3.1.1.20 2008.03.14 no virus found

Kaspersky 7.0.0.125 2008.03.14 not-a-virus:Downloader.Win32.Keylogger.a

McAfee 5251 2008.03.13 no virus found

Microsoft 1.3301 2008.03.13 no virus found

NOD32v2 2946 2008.03.14 no virus found

Norman 5.80.02 2008.03.13 no virus found

Panda 9.0.0.4 2008.03.13 no virus found

Prevx1 V2 2008.03.14 no virus found

Rising 20.35.40.00 2008.03.14 no virus found

Sophos 4.27.0 2008.03.14 no virus found

Sunbelt 3.0.963.0 2008.03.14 no virus found

Symantec 10 2008.03.14 no virus found

TheHacker 6.2.92.245 2008.03.14 no virus found

VBA32 3.12.6.2 2008.03.13 Downloader.Win32.Keylogger.a

VirusBuster 4.3.26:9 2008.03.13 no virus found

Webwasher-Gateway 6.6.2 2008.03.13 no virus found

Additional information

File size: 128368 bytes

MD5: 4971a5730dc3fb83d66935578f0cd388

SHA1: 69c1143c716a2261dbb6fe5411d6f1b03ae61fee

PEiD: Armadillo v1.71

Link to post

it isn't the packer they are detecting or worried about this time but the actual downloader

Regnow don't put an actual download on the site BUT when you follow an affiliate link you get a small downloader which acts as a download manager and the downloader downloads the actual file

I can see why they do it as it makes it easier for them to track and for the developer to upload new versions more easily

The downloader contains the affiliate code which on contacting the main file injects the affiliate code into the actual program that is downloaded

I can see why the antivirus companies consider it a risk as it would not be difficult to alter the downloader to inject malicious code

Link to post
  • 3 weeks later...
fixed in Kaspersky now

I haven't heard from the others who did detect it but as they all seem to follow or use KAV detections in some way they should hopefully soon fix it

Well someone fixed something alright ^^

This time it's NOT a keylogger detection from Kaspersky, but a Winfixer :P

http://www.virustotal.com/analisis/1a94c96...3a72756fe3fb6c1

I'm sure you can appreciate my surprise when, while doing some maintenance on my brother's laptop, I decided to check it with MBAM. Lo and behold, KAV jumps into action when I downloaded via MajorGeeks - 'Authors site' link.

Link to post

I have emailed Kaspersky again today as it is still detecting it

detected: riskware not-a-virus:Downloader.Win32.WinFixer.fs File: C:\Documents and Settings\Derek Knight\Desktop\mbam\Download_mbam-setup.exe

If no response I will speak direct to someone high up who has the power to deal with

the problem seems to be with regnow using a stupid download system & not downloading the file itself but the detection is for the regnow downloader for the download

Link to post
  • Root Admin

This is becoming RIDICULOUS. I am personally contacting each of these companies right now. Let's see who is worthy enough to call themselves an Anti-Virus.

CAT-QuickHeal 9.50 2008.04.16 Downloader.Keylogger.a (Not a Virus)

DrWeb 4.44.0.09170 2008.04.16 Adware.Winfixer

Kaspersky 7.0.0.125 2008.04.16 not-a-virus:Downloader.Win32.WinFixer.fs

Norman 5.80.02 2008.04.16 W32/DLoader.GBVM

TheHacker 6.2.92.280 2008.04.16 Aplicacion/Keylogger.a

VirusBuster 4.3.26:9 2008.04.16 Adware.WinFixer.AH

Wish me luck.

Link to post
All companies have been contacted. The e-mail to Kaspersky bounced back as undeliverable, great! :P. Now I contact RegNow and yell at them.

Hi Marcin,

I tried to send e-mail to Kaspersky Technical Support with no response, I think the only way to get in touch with them consists in subscribing to their forum.

Link to post
I think the only way to get in touch with them consists in subscribing to their forum.

And from the little information I've managed to gather while lurking in their forums, I'd say you are wrong. Approaching support via email is the right path to take, it's just that they may be swamped under work load, and they probably, not surprisingly, prioritize their customers. The few times I've been in contact with them, I have no complaints.

Link to post

I am speaking to Kaspersky about it but my contact is away at the moment but he will deal when he comes back

he fixed it last time but another submission must have been done & a more junior one must have not seen it properly

I will see if he can do a permanent whitelisting for it

Link to post

I have spoken to my kaspersky contact and he is working on it

he is travelling at the moment & giving talks & lectures but has promised to pass it on & keep an eye on it to make sure it will get done

for dr web I have also asked one of my contacts there to see if he can sort it out

Link to post
And from the little information I've managed to gather while lurking in their forums, I'd say you are wrong. Approaching support via email is the right path to take, it's just that they may be swamped under work load, and they probably, not surprisingly, prioritize their customers. The few times I've been in contact with them, I have no complaints.

Yes, you're right, even though this is the very funny thing.. I've been a Kaspersky Antivirus customer for 2 years.

They answered me back only two times by e-mail and many weeks later.

So when I need Help or ask them for questions I know there is their forum: they are very kind, patient and quick in answering :angry:

My best regards

Link to post
  • Root Admin

Here is an update.

CAT-QuickHeal 9.50 2008.04.16 Downloader.Keylogger.a (Not a Virus)

DrWeb 4.44.0.09170 2008.04.20 Adware.Winfixer

Kaspersky 7.0.0.125 2008.04.20 not-a-virus:Downloader.Win32.WinFixer.fs

Norman 5.80.02 2008.04.16 W32/DLoader.GBVM

TheHacker 6.2.92.285 2008.04.19 Aplicacion/Keylogger.a

VirusBuster 4.3.26:9 2008.04.20 Adware.WinFixer.AH

VirusBuster informed me they would delist us if Kaspersky did, which makes no sense at all! I can't even find an e-mail address to TheHacker. DrWeb does not understand English apparently or they do not read their e-mails?

Link to post
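A triage sketch for the pattern visible in the scan lists in this thread (an added example, not code from any poster or from VirusTotal): it groups engines by the family word in their detection name and reports engines that relabelled the same file between the March and April scans. The rows are copied from the posts above; the stop-word list and the function names are assumptions made for this example.

```python
import re
# Rows copied from the scan lists posted in this thread.
SCAN_MARCH = """\
CAT-QuickHeal 9.50 2008.03.13 Downloader.Keylogger.a (Not a Virus)
Fortinet 3.14.0.0 2008.03.14 Download/Keylogger
Kaspersky 7.0.0.125 2008.03.14 not-a-virus:Downloader.Win32.Keylogger.a
VBA32 3.12.6.2 2008.03.13 Downloader.Win32.Keylogger.a
Symantec 10 2008.03.14 no virus found
"""
SCAN_APRIL = """\
CAT-QuickHeal 9.50 2008.04.16 Downloader.Keylogger.a (Not a Virus)
DrWeb 4.44.0.09170 2008.04.20 Adware.Winfixer
Kaspersky 7.0.0.125 2008.04.20 not-a-virus:Downloader.Win32.WinFixer.fs
Norman 5.80.02 2008.04.16 W32/DLoader.GBVM
TheHacker 6.2.92.285 2008.04.19 Aplicacion/Keylogger.a
VirusBuster 4.3.26:9 2008.04.20 Adware.WinFixer.AH
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
# Assumed stop list: platform/category words that do not name a family.
GENERIC = {"not", "virus", "downloader", "download", "win32", "w32",
           "adware", "aplicacion"}

def family(name):
    """First family-like token; 1-2 char tokens are variant suffixes (.a, .fs)."""
    tokens = re.split(r"[^a-z0-9]+", name.lower())
    keep = [t for t in tokens if len(t) > 2 and t not in GENERIC]
    return keep[0] if keep else "generic"

def detections(report):
    """Map engine -> family for every row that is not 'no virus found'."""
    out = {}
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(4) != "no virus found":
            out[m.group(1)] = family(m.group(4))
    return out

def cluster(report):
    """Group engines (sorted by name) under the family name they share."""
    groups = {}
    for engine, fam in sorted(detections(report).items()):
        groups.setdefault(fam, []).append(engine)
    return groups

def relabelled(old, new):
    """Engines flagging the file in both scans under a different family."""
    a, b = detections(old), detections(new)
    return {e: (a[e], b[e]) for e in a.keys() & b.keys() if a[e] != b[e]}
```

Several unrelated engines reporting the same family word for a vendor's own stub installer, or one engine switching family between scans, is a cue to report the file to each vendor as a false positive rather than treat the labels as independent confirmation.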
This topic is now closed to further replies.