
Suspected false positive


Kob


The attached file is reported as fairly benign by VirusTotal (clean bill of health from the major AV vendors) and clean by ThreatExperts. However, it is reported as containing Trojan.Agent.CK by MWB. I suspect a false positive.

Note: the Project1.exe reported in the log is also a false positive, but I will defer it to a future date.

Keygen_CleanBy_VT_TE_But_MWB_ReportsATrojan.rar

mbam_log_2010_04_30__22_38_03_.zip


  • Staff

Hi,

The attached file is reported as fairly benign by VirusTotal
Yet loads of other scanners detect it as well. Cracks and keygens are illegal and unwanted and are a major source of today's malware, and that's why we detect them, because 1) it's illegal and 2) 90% of the users who use cracks and keygens frequently get infected anyway, since most of them are bundled with malware or are malware.

The fact that we detect them has already saved/protected A LOT of users from a major malware infection.

Don't use cracks & keygens, as it is ALWAYS a risk. After all, there are so many free alternatives.


Hi,

Yet loads of other scanners detect it as well. Cracks and keygens are illegal and unwanted and are a major source of today's malware, and that's why we detect them

1. I am very technical, and my "false positive" claim is that you report "Trojan.Agent.CK" while it is NOT a trojan. If MWB wants to warn a user about code that is benign to the system but belongs to a class of software that is dangerous, then it should report it as a "Suspicious file", as some other AV programs do.

2. The major AV programs declare the file as "clean". Some 2nd-tier scanners report the file not as a trojan carrier but as "suspicious". None claim the file is carrying an active load of trojan code, and indeed the file, tested in a controlled environment, did not modify the registry, did not fork any extra process, did not set up a server, did not try to connect to the internet and did not inject itself into any system file, environment or process.

3. I occasionally serve as a computer "fixer" and "adviser" to family and friends, and try to analyze their system problems.

I get to analyze suspicious emails, documents and files they suspect. I am certainly aware of the illegal and dangerous load that can be carried by cracks, and I do advise them about the risk involved. But just as I would notify an airport scanner vendor that his machine reported a box loaded with crack (no pun intended) as explosives, and would expect him to fix his analysis, I would do the same in our case.

4. If MWB's file analysis philosophy stays as stated, meaning reporting false positives solely due to association with "bad company", then this will happen: if an MWB scan reports "all clean", then I am OK; if it reports "trojans found", then the verdict would be "maybe - let's scan the files with another scanner".


  • Staff

Hi,

The detection won't be removed, but will be replaced with RiskWare.Tool.CK.

Unfortunately, the above keygen is in many cases bundled with the Bifrose agent, so I hope this will still prevent people from using cracks and keygens if it's called riskware, because in this case they will think it's OK to launch it anyway, as the name "suspicious" or "riskware" is not alarming enough for them.
