Author Topic: False positive? Win32:PSWSpy-B  (Read 4994 times)


mrk

  • Guest
False positive? Win32:PSWSpy-B
« on: June 25, 2006, 01:55:39 AM »
I have a tool called RockXP which allows you to manage your Windows passwords etc. and locate them if you lose them, among other cool things.

The avast update dated 15/6/2006 adds a definition for the Win32:PSWSpy-B malware and detects this malware in RockXP.

I extracted the RockXP .exe to my desktop and scanned each of the 4 extracted files. RockXP is made up of these 4 files that work under the RockXP environment you see.

3 of the files were clean and, according to avast, the file keyms.exe contains the above malware. I understand that this may be false because keyms.exe gets the Windows key etc., and it's easy to understand why an AV may mistake this for malware or a key-stealing virus.

Can anyone else who has avast do a scan or run one of the key viewing tools they have? IIRC they all use keyms.exe too, or most of them do, to get the Windows key displayed in the tool for you to view as well.

Here is a screenshot of what AVAST tells me for keyms.exe


DavidR

  • Avast Überevangelist
Re: False positive? Win32:PSWSpy-B
« Reply #1 on: June 25, 2006, 01:15:14 PM »
You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and scan it periodically using the ashQuick scan (right-click scan); when it is no longer detected, remove it from the exclusions.
Also see (Mini Sticky) False Positives and send the sample to avast.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mrk

  • Guest
Re: False positive? Win32:PSWSpy-B
« Reply #2 on: June 25, 2006, 02:19:48 PM »
Thanks for those links. Looks like it is a false positive, as some of the other scanners on those links state it as paranoid heuristics, not-a-virus, etc.

Take a look!

 :D

DavidR

  • Avast Überevangelist
Re: False positive? Win32:PSWSpy-B
« Reply #3 on: June 25, 2006, 02:29:55 PM »
I think that the problem is that a tool like this could be used for malicious purposes as well as good, so it is hard to determine its use, but there are enough hits to say that if you didn't know you had installed this password tool, the detection wouldn't be false. So I think it would be unlikely that avast remove it from detection.

Nothing to stop you sending it to avast (as in the mini sticky thread) and reference this thread.

polonus

  • Avast Überevangelist
  • malware fighter
Re: False positive? Win32:PSWSpy-B
« Reply #4 on: June 25, 2006, 02:39:30 PM »
Hello mrk,

This is not a FP but it is riskware. And the only one to decide that riskware is possible malware is you. If you installed it on your machine yourself it could be doing a good job for you; if it was installed without your knowledge in combination with malware, it is riskware you can do without, and means an added danger. Some scanners give you the possibility to exclude riskware from scanning (e.g. a-squared); avast as yet does not, but flags it as a potentially dangerous program, which says enough. If you are computer savvy, you say OK, calculated risk, let's go on, and ignore it or put it on the exclusion list.
What could be entitled riskware?
Programs detected in the Riskware category are not directly malicious, but are often used in conjunction with Malware. This is why the a-squared scanner detects them too.

Programs which are classified as Riskware can be:

    * IRC chat clients
    * SMTP clients
    * Commercial downloaders
    * Commercial monitoring tools
    * Proxy servers
    * Password recovery tools
    * Commercial remote control tools
    * FTP servers
    * Telnet servers
    * Webservers
    * Other tools which are built to kill processes, hide windows or read system internals automatically.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
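The two points made above, checking the sample against several engines (DavidR's reply) and then deciding whether the "riskware" verdict matters in your context (polonus's reply), can be written down as a small triage routine. The following Python is an added example and not code from the thread or from avast; the engine names and detection strings are constructed for the example, and the rule that separates "riskware/PUA naming" from "plain malware naming" is this example's own heuristic, not any vendor's standard.

```python
"""Triage multi-engine scan results for a suspected riskware false positive.

Added example with constructed data; not real scanner output.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Naming conventions several vendors use for "potentially unwanted" rather
# than outright malicious detections. This list is the example's own
# assumption; extend it for the engines you actually use.
RISKWARE_MARKERS = re.compile(
    r"not-a-virus|riskware|pswtool|\bpua\b|\bpup\b|hacktool|"
    r"potentially unwanted|heuristic|suspicious",
    re.IGNORECASE,
)


def sha256_hex(data: bytes) -> str:
    """Hash the file bytes so the sample can be looked up or reported by hash
    instead of being re-uploaded every time."""
    return hashlib.sha256(data).hexdigest()


def classify_detection(name: Optional[str]) -> str:
    """Map one engine's detection string to 'clean', 'riskware' or 'malware'."""
    if not name:
        return "clean"
    if RISKWARE_MARKERS.search(name):
        return "riskware"
    return "malware"


@dataclass(frozen=True)
class Verdict:
    engines: int
    detections: int
    riskware: int
    malware: int
    label: str


def triage(results: Dict[str, Optional[str]], installed_knowingly: bool) -> Verdict:
    """Combine per-engine names into one verdict.

    Decision rule (this example's own heuristic):
      * no detections                                   -> 'clean'
      * >= 2 engines with plain malware names, and those
        outnumber the riskware/PUA names                -> 'likely malicious'
      * otherwise the detecting engines mostly say
        riskware/PUA, so context decides, as the thread
        says: did you install the tool yourself?        -> 'riskware: keep' / 'riskware: remove'
    """
    classes = [classify_detection(n) for n in results.values()]
    riskware = classes.count("riskware")
    malware = classes.count("malware")
    detections = riskware + malware
    if detections == 0:
        label = "clean"
    elif malware >= 2 and malware > riskware:
        label = "likely malicious"
    elif installed_knowingly:
        label = "riskware: keep (calculated risk, add to exclusions)"
    else:
        label = "riskware: remove (not installed by you, treat as malware)"
    return Verdict(len(results), detections, riskware, malware, label)


# Constructed sample resembling a multi-engine result for a password
# recovery tool: one engine uses a plain password-stealer family name,
# three use riskware/heuristic naming, three report nothing.
KEYFINDER_RESULTS = {
    "EngineA": "Win32:PSWSpy-B",
    "EngineB": "not-a-virus:PSWTool.Win32.KeyFinder",
    "EngineC": "Riskware.PasswordRecovery",
    "EngineD": "Suspicious file (paranoid heuristics)",
    "EngineE": None,
    "EngineF": None,
    "EngineG": None,
}

# Constructed counter-example: five engines agree on a trojan family name.
TROJAN_RESULTS = {
    "EngineA": "Trojan.Win32.Agent",
    "EngineB": "Trojan-PSW.Win32.Generic",
    "EngineC": "Win32:Trojan-gen",
    "EngineD": "Trojan.Generic",
    "EngineE": "Win32/Trojan.Agent",
    "EngineF": None,
    "EngineG": None,
}

if __name__ == "__main__":
    print(triage(KEYFINDER_RESULTS, installed_knowingly=True))
    print(triage(TROJAN_RESULTS, installed_knowingly=False))
```

The point of the `installed_knowingly` flag is the one polonus makes: the same scan result is a false positive on a machine where the user deliberately ran a key-recovery tool and a real finding on one where keyms.exe appeared on its own.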

mrk

  • Guest
Re: False positive? Win32:PSWSpy-B
« Reply #5 on: June 25, 2006, 03:09:38 PM »
Thanks, I understand now how it all works!

I did download the utility myself to back up my product keys, and since the detection was only in keyms.exe I see how it could be detected as a risk since, as said above, it can be used for good or bad, but in this case I am using it to get the key so it's good.

Lisandro

  • Avast team
Re: False positive? Win32:PSWSpy-B
« Reply #6 on: June 25, 2006, 03:21:12 PM »
Quote from mrk: It can be used for good or bad but in this case I am using it to get the key so it's good.
So, you can add it to the Exclusion lists:

For the Standard Shield provider (on-access scanning):
Left click the 'a' blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button...

For the other providers (on-demand scanning):
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button...
The best things in life are free.

mrk

  • Guest
Re: False positive? Win32:PSWSpy-B
« Reply #7 on: June 25, 2006, 04:12:26 PM »
Cheers!