JanusB

False Positive On Transfz 1.06

Got the following report from a user of my program, re-ran a scan with the newest edition of AdAware SE and got the same result. I am convinced that my system is clean and was clean at the time I compiled the 1.06 edition (can be downloaded at http://www.transfz.com/download.php), so it must be a false positive. This is also compounded by the fact that the EXE files produced by the programming language I used to develop Transfz, AutoIt, are unfortunately often wrongly recognized to contain 'bad' code (see: http://www.autoitscript.com/forum/index.php?showtopic=34658).

Hope this can be resolved quickly.

 

Janus

 

> #:24 [transfz.exe]
> FilePath : D:\Program Files\Transfz\
> ProcessID : 1108
> ThreadCreationTime : 30-4-2007 8:12:48
> BasePriority : Normal
> FileVersion : 1.6.0.0
> FileDescription : Transfz - Systemwide Search Utility
> LegalCopyright : Janus Olsen
> Comments : http://www.transfz.com/
>
> Win32.TrojanDropper Object Recognized!
> Type : Process
> Data : transfz.exe
> TAC Rating : 10
> Category : Malware
> Comment : Windows_Update.exe.dmp
> Object : D:\Program Files\Transfz\
> FileVersion : 1.6.0.0
> FileDescription : Transfz - Systemwide Search Utility
> LegalCopyright : Janus Olsen
> Comments : http://www.transfz.com/
>
> Warning! Win32.TrojanDropper Object found in memory(D:\Program Files\Transfz\transfz.exe)


Hi JanusB!

 

Thanks for the report. I will investigate further and if found to be a false positive, transfz.exe will be removed from detection as of the next release.

 

Regards,

 

Andy

Lavasoft Research


Hi Andy,

 

Sounds good - I'll be watching this posting & hope that your investigation goes smoothly.

 

Best,

Janus

 


Small but important update: I tested a number of executables that have been compiled using AutoIt v3.2.2.0 and AdAware reports them ALL to contain a "Win32.TrojanDropper Object"; this is, as far as I can reckon, obviously not the case. The problem is most likely that the exe signatures of all AutoIt-generated exes are rather alike, and thus if someone makes a virus/worm/malware or the like with AutoIt and this gets picked up by, say, AdAware, it'll wrongly detect all AutoIt exes as if they contain that particular piece of evil code. Hmm. Anyway, I hope to see the problem alleviated soon.

 

Janus
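
Added example, not part of the original thread and not Ad-Aware's or AutoIt's code: a simplified model of the reasoning in the post above, where every compiled script shares one runtime stub, so a byte signature cut from the stub matches every such program, while one taken past the shared region and checked against a clean corpus does not. The stub bytes, file names and layout are constructed assumptions.

```python
# Constructed stand-ins: a shared runtime stub followed by the program's own bytes.
# Real compiled-script layouts differ; only the "common stub" idea is modelled.
STUB = bytes(range(256))

def build_exe(script: bytes) -> bytes:
    """Model a compiled script: identical stub, then per-program content."""
    return STUB + script

CORPUS = {  # constructed sample files
    "search_tool.exe": build_exe(b"benign: index files and show results" * 3),
    "backup_tool.exe": build_exe(b"benign: copy documents to archive" * 3),
    "flagged_sample.exe": build_exe(b"constructed unwanted behaviour marker" * 3),
}

def hits(signature: bytes, corpus: dict) -> list:
    """Names of every file that contains the byte signature."""
    return sorted(name for name, data in corpus.items() if signature in data)

def shared_prefix_len(samples) -> int:
    """Length of the leading region that is byte-identical in all samples."""
    n = 0
    for column in zip(*samples):
        if len(set(column)) != 1:
            break
        n += 1
    return n

def pick_signature(sample: bytes, clean: list, start: int = 0, length: int = 16):
    """First window at or after `start` that occurs in no clean file, else None."""
    for off in range(start, len(sample) - length + 1):
        window = sample[off:off + length]
        if not any(window in c for c in clean):
            return off, window
    return None

if __name__ == "__main__":
    flagged = CORPUS["flagged_sample.exe"]
    clean = [d for n, d in CORPUS.items() if n != "flagged_sample.exe"]
    shared = shared_prefix_len(CORPUS.values())
    print("shared stub region:", shared, "bytes")
    # Signature cut from the stub: flags every program built on that stub.
    print("stub signature hits:", hits(flagged[:16], CORPUS))
    # Signature taken past the stub and validated against the clean corpus.
    off, sig = pick_signature(flagged, clean, start=shared)
    print("validated signature at offset", off, "hits:", hits(sig, CORPUS))
```
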


Hi JanusB,

 

Thanks for the extra information - would it be possible for you to upload a log file of one of the scans from your test? Thanks in advance!

 

Regards,

 

Andy

Lavasoft Research


Hi JanusB,

 

We have carried out analysis of the transfz.exe process detection: it will not be detected as of today's update.

 

Thanks for taking the time to report this, and again, thanks for the detailed report and links. This makes for much more accurate analysis of false positive reports!

 

Regards,

 

Andy

Lavasoft Research


Hi Andy,

 

Great news - thanks for the fast response, glad I could help the process along.

 

Regards,

Janus

 


Since all seems to be ok now, I'll go ahead and archive this topic in the "Resolved" section (read only) to keep others with similar problems from posting in it.

 

If you should have any further issues, please feel free to start a new topic.
