AVAST users, possible false positive?

mrk

mrk

mrk

Man of Honour
Joined
18 Oct 2002
Posts
105,032
Location
South Coast
I have a tool called RockXP which allows you to manage your windows passwords etc and locate them if you lose them among other cool things.

The Update to AVAST dated 15/6/2006 adds a definition update for Win32:PSWSpy-B Malware virus and Detects this malware in rockxp.

I extracted the RockXP .exe to my desktop and scanned each of the 4 extracted files. RockXP is made up of these 4 files that work under the RockXP environment you see.

3 of the files were clean and according to AVAST the file keyms.exe contains the above malware. I understand that this may be false because keyms.exe gets the windows key etc and it's easy to understand why an AV may mistake this as malware or a key stealing virus.

Can anyone else who has AVAST do a scan or run one of the key viewing tools they have? IIRC they all use keyms.exe too or most of them do to get the windows key displayed in the tool for you to view as well.

Here is a screenshot of what AVAST tells me for keyms.exe

Untitled.png
 
I can't answer for AVAST itself, but it's a statistical certainty that at some point some genuine piece of software is going to contain the same sequence of bytes as a piece of malware. Virus definitions are always a balance between maximising detection of genuine stuff and minimising detection of the rest. I guess this time they may have goofed. Assuming it really is a false positive, it's not the first time I've seen one (I've had Norton report them), and it'll not be the last.

If you can be absolutely sure the alert is false, then ignore it. Symantec always alerts on a piece of software called RAdmin.exe that can be used either genuinely or as malware. In my case, it's genuine, so it just stick it on the exclusions list.
 
I've had rockxp for ages though and it was downloaded form the makers homepage http://www.korben.tk/(rockxp @ top) and looking at AVAST homepage on the virus update changelog page the first mention of the above malware "detection" is on the 15th of this months update only and since I have not used rock xp for a few months this all leads me to believe this is a false positive!

Perhaps someone else could download rockXP thene xtract the contents and scan mskey.exe too with a dff AV to verify that it is in fact a falsey on AVASTs side?
 
Then, as I said above (although you may have missed it as I edited a few times), if you're happy it's genuine and you need it, click Continue and get on with life. :)

You'd better be sure it's genuine though. Read all you can about what has been detected and see if it matches the software as you know it. If it doesn't, it's a false positive. If it does, then you have to decide if it's an acceptable risk.
 
I've printed labels for my cd cases now aas double backup for my ms product keys so i wont be needing it anymore either i guess, just wanted to be sure!
 
Though your snanner thought it found a specific virus in RockXP, I can say at least that with a previous scanner (I think it was an online scan) my copy of RockXP was flagged as suspicious or "possibly unwanted" I think it called it. The heuristic engine I guess must have flagged it... considering what RockXP does I wasn't surprised by that.

Have you compared the checksum of RockXP to one's indicated on the website (if any)?
 
Yup, they are all *** same from each of the mirrors but tbh I guess it's a case of heuristics being a bit too accurate :p

I feel safer with AVAST :)
 
I've had a couple of false-positives with Avast! :p

If you're in any doubt about the file, just move it to the chest and scan it again when there's a new virus update :)
 
You could submit the file to avast, a lot of anti virus programs will let you do this. If not then there should be a link on the homepage to submit files for analysis. If not try one of the free online scans and see if they let you do this
 
You must log in or register to reply here.
Back
Top Bottom