Normandie

False Positives?

I have just updated to the last defs file Adaware DEFs of SE1R129 26.10.2006 and got some things that were found. I scanned with other products and they all found nothing. Are these false positives? I am sure the one for PowerArchiver is a false positive since PowerArchiver has been on this computer for a long time and has never been found as a problem. The registry key I don't know. Here is the log. Could you please let me know what to do?

 

Thank you,

Normandie

 

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

ErrorSafe Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Misc

Comment :

Rootkey : HKEY_USERS

Object : S-1-5-21-3111597347-2737576788-3210619613-1007\software\microsoft\windows\currentversion\ext\stats\{6bf52a52-394a-11d3-b153-00c04f79faa6}

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 1

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 1

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 1

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

AntispywareSoldier Object Recognized!

Type : File

Data : LIBBZ2.DLL

TAC Rating : 3

Category : Malware

Comment :

Object : C:\Program Files\PowerArchiver\


I also got the ErrorSafe Object on two machines: here's one (personal laptop):

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

ErrorSafe Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Misc

Comment :

Rootkey : HKEY_USERS

Object : S-1-5-21-1305444632-1339119547-2015688112-1005\software\microsoft\windows\currentversion\ext\stats\{6bf52a52-394a-11d3-b153-00c04f79faa6}

 

here's the other (work desktop):

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

ErrorSafe Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Misc

Comment :

Rootkey : HKEY_USERS

Object : S-1-5-21-1671070149-3917440862-2804098082-500\software\microsoft\windows\currentversion\ext\stats\{6bf52a52-394a-11d3-b153-00c04f79faa6}

Edited by ky331


I looked that class ID up on Google (I also got it in today's scan); it is for Windows Media Player >= 7... I would suggest not quarantining until we hear back from the Lavasoft team.

 

Also, as ErrorSafe is a whole suite, with many registry changes, files, etc. I think the probability of a false positive is high here.

 

Good luck...

Wermie

Edited by wermie


I am having the same experience.

 

Revert to previous defs (18.10.2006) and rescan. The ErrorSafe entries are NOT found.

 

On the other hand, the latest updates were accompanied by an explanation that ErrorSafe was being updated in this set of defs (+16 !!), so I guess we need to find out whether there was an error created in the course of updating the TAC rating or in the detection.

 

Lavasoft?


Thanks for reporting these. They are likely False detections. Please put those items on ignore for now until our Research Team has a chance to look at this topic. :)


Name:ErrorSafe

Category:Misc

Object Type:Regkey

Size:0 Bytes

Location:...\ext\stats\{6bf52a52-394a-11d3-b153-00c04f79faa6}\

Last Activity:10-26-2006

Relevance:Low

TAC index:10

Comment:

Description:Errorsafe, similar in nature to Winfixer and Winantispyware, claims to be a genuine error fixing program. It is similar in appearance and function to Winfixer and furthermore, comes from the same IP address; this software has been reported to be force installed and/or use aggressive and misleading advertising to persuade the user into installing it.

 

The class ID is from Windows Media Player 7 or later.

The contents of the registry folder only include an iexplore item with type, time, and count so it is not an executable nor does it invoke an executable. It must be a false positive.

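The reasoning in the post above (resolve the CLSID, then confirm the flagged key holds only IE usage statistics and no executable reference) can be checked directly before anything is quarantined. The following PowerShell triage script is an added example, not code from the thread or from Lavasoft; it assumes the key lives in the current user's hive (the HKEY_USERS\S-1-5-21-... path in the logs is that user's HKCU) and uses the CLSID quoted in the scan logs.

```powershell
# Added triage example (not from the thread or from Lavasoft).
# Assumption: run as the user whose hive was flagged; CLSID taken from the logs.
$clsid = '{6bf52a52-394a-11d3-b153-00c04f79faa6}'

function Resolve-Clsid {
    # Look the CLSID up under HKCR\CLSID: the default value names the component
    # and InprocServer32 names the DLL that would actually be loaded for it.
    param([string]$Id)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Id"
    if (-not (Test-Path $key)) {
        return "CLSID $Id is not registered on this machine."
    }
    $name   = (Get-ItemProperty -Path $key).'(default)'
    $server = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    return "CLSID $Id is registered as '$name', implemented by '$server'"
}

function Test-ExtStatsKey {
    # Dump the flagged Ext\Stats subkey. It is Internet Explorer's add-on usage
    # record: expect an 'iexplore' subkey holding Type, Time and Count, and no
    # value that points at an executable. Returns $true if anything looks like one.
    param([string]$Id)
    $stats = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$Id"
    if (-not (Test-Path $stats)) {
        Write-Output "No Ext\Stats entry for $Id in the current user's hive."
        return $false
    }
    $suspicious = $false
    Get-ChildItem -Path $stats | ForEach-Object {
        $sub = $_
        Write-Output "Subkey: $($sub.PSChildName)"
        foreach ($v in $sub.GetValueNames()) {
            $val = $sub.GetValue($v)
            Write-Output "  $v = $val"
            # A string value ending in an executable extension would be the
            # thing worth investigating; Type/Time/Count are plain numbers.
            if ($val -is [string] -and $val -match '\.(exe|dll|scr|com)$') {
                $suspicious = $true
            }
        }
    }
    return $suspicious
}

Resolve-Clsid -Id $clsid
if (Test-ExtStatsKey -Id $clsid) {
    Write-Output "Flagged key references an executable; keep it quarantined and report the file."
} else {
    Write-Output "Flagged key holds only usage statistics; consistent with a false positive."
}
```

Run it on the affected machine and paste the output into a report for the vendor along with the detection name and definition version, so the research team can reproduce the finding.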
Thanks, CalamityJane. I am hoping you will take no offense when I ask if you can give us some sort of time frame for the determination. I ask because:

1) The embedding of MediaPlayer (that is, the loss of the embedding of it!) would be a pretty serious matter for a lot of folks

2) In my case, I have recommended Ad-Aware to a WHOLE LOT OF FOLKS. I have sent out an email about this, but you know that someone will run a scan and delete all the critical objects. (That's what Lavasoft gets for being so reliable in the past!)

3) It seems to me that the response time from the support team there has been increasing lately. That is not a very "comforting" feeling for me to have. It's not just the research team, either -- it is "all over the place" there at Lavasoft / Ad-Aware. Website problems don't get fixed, emailed requests for support (because the website isn't functioning properly so email is the only method to send certain requests) are answered ELEVEN DAYS after they are submitted (which is hardly acceptable), etc.

 

At any rate, can you give us some idea about when a determination will be made and when we can expect a new set of defs?


A new definition file is now available for download.

 

SE1R129 26.10.2006

 

This fixes the false positive in Errorsafe

 

MD5 checksum is 213555c0ab7f6166be064ac037f5d80a

 

Please accept our sincerest apologies.


Thank you for this fix, but it only fixed 1 of the 2 for me. Here is the other one that is listed in my 1st Post:

 

AntispywareSoldier Object Recognized!

Type : File

Data : LIBBZ2.DLL

TAC Rating : 3

Category : Malware

Comment :

Object : C:\Program Files\PowerArchiver\

I have scanned this file with 3 other programs and none find what Ad-Aware has found. This file and program have been on my computer for at least a year and never found with a problem until this update of Ad-Aware. Could you please advise.

 

Thank you,

Normandie


VicMax

 

No offence taken

 

I have forwarded your questions to the appropriate people here at Lavasoft.

 

I hope you will accept our sincere apologies for the inconvenience you and others have experienced.

 

We look forward to serving you more efficiently in the future.

Again, our sincere apologies.

Normandie

 

Please update to the latest definition file.

 

Thanks

 

 

Thanks, this last of the updates finally got the other false positive.

 

Have a good day,

Normandie


Which MD5 checksum is correct for the most current update?

 

12c759ff0a981f30822bce0e6e4a1e7e

213555c0ab7f6166be064ac037f5d80a

 

There is a difference between your post and http://www.lavasoftsupport.com/index.php?showtopic=4351


Normandie -

 

Thanks for your continued coordination as we've been working through the definition file update items. I just wanted to provide you with some feedback as to why this happened to you today.

 

Our Lavasoft Security Center (previously known as Lavasoft Research Center) is upgrading functionality and hardware in order to create a well-defined and highly functional global network of computer users, like yourself, that are interested in creating a secure environment for people the world over. More logic and efficiency is required for the ideas that the Security Center is preparing to implement. Their strategy includes the creation of a Security Center that directly engages the user network - anyone that is interested in being directly involved with testing definition file betas as well as new tool applications will have access to improved functions and the ability to truly engage in the process. Those functions that existed in the past served us well at that time. But now we are pressing forward. We are committed to improving processes because we believe that it is our duty to each and every one of our software users.

 

Lavasoft is taking new steps forward as we prepare for the new Ad-Aware updated version release. Changes are taking place now in order to best facilitate the needs and services that will be required in the near future. Sometimes those changes result in short-term inconveniences - and that is what you have experienced today.

 

Next week we plan to have a new system in place that will allow our dedicated beta testers to once again participate in definition file updates before their final release - just one way that we will avoid false positives in the future.

 

Yes, we admit that there are some short-term growing pains. But, rest assured that in the near future you can choose to be a part of that global network of engaged and dedicated security watchdogs and you will be served through a highly sophisticated and functional program at the Lavasoft Security Center.

 

Your continued loyalty is appreciated. And we will most definitely continue our loyalty to you!

Regards,

LS Michael


Lavasoft staff:

 

Thanks for the quick updates! It is really, REALLY great to see that you guys come through when it counts.

 

And sorry for the delay in getting this note out to you! It took a while to finish (the first round of) contacting those I support, but at least I was able to offer them good news thanks to you guys!

but you know that someone will run a scan and delete all the critical objects.

Yes, I do :( I support a great many users myself, as well. Just a reminder that anything "fixed" by Adaware, by default, is sent to Quarantine. Should anyone have removed something they wish to restore have them look in the quarantine items. And I always recommend not to clear out quarantined items for at least 2 or 3 weeks until they are sure that removal of items has not caused any problems.


Thank you, LS Michael.

 

However, I am sorry to say that this is nothing new. More rhetoric; merely a repeat of what's happened over & over with extra flowery words thrown in. The beta testing was working but stopped. Too bad. Beta testing is beta testing. Saying that a new system of beta testing will be in place merely means that it was a mistake to stop it in the first place. Maybe more people wouldn't have uninstalled the software in the interim. More importantly, maybe more innocent, trusting people's computers wouldn't have been hurt removing false positives. Just because some people know to question, there are many times more who would not think twice about removing something found by a supposedly reputable company. (Yes, a quarantine file can be restored IF the user has the proper settings rather than the default "Delete quarantined objects after restoring" but how many users know that?)

 

Research is working on the new version instead of Development? Interesting. Oh, and loyalty is one thing but trust is something else entirely.

 

Yes, I have SeenItAllBefore.


LS Michael,

 

Thank you for your encouraging words, but my problem is a trust problem. Like the little boy who cried wolf, with so many false positives, when will we know whether it is real or a false positive? If we leave it we can do damage to our computer, and if we delete it then we risk problems because it was a FP, just like there are always the people who trust programs "totally" and delete the finds, empty the quarantine and then are stuck. There is an example in this thread a few posts up. Until the last several months this has not been my experience with Ad-Aware; now I am beginning to be a little gun shy.

 

Hope you understand,

Normandie

Edited by Normandie

Hello Winchester73

 

That would be 12c759ff0a981f30822bce0e6e4a1e7e

 

Thanks mate. I see now that you have updated the definitions announcement post ...

 

Cheers.

Edited by winchester73


I see someone has already beaten me to this possible FP: http://www.lavasoftsupport.com/index.php?s...ic=4353&hl=

 

To the ^^ two posters ... as a good mate of mine is fond of saying:

 

Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

 

Perhaps useful advice to always keep in mind?

Edited by winchester73
