Topic: False Positive - Trend Micro's Sysclean

DaveD

  • Guest
False Positive - Trend Micro's Sysclean
« on: June 21, 2006, 07:19:28 PM »
From Event Viewer:

Sign of "VBS:Redlof" has been found in "D:\Backup Files\Programs\Trend Micro Sysclean\sysclean.exe" file.

----------------------------------------------------------------------------------------------------

Trend Micro Sysclean:
http://www.trendmicro.com/download/dcs.asp
sysclean.com

When you execute sysclean.com it extracts several files for scanning (temporarily) and sysclean.exe is one of the files that gets extracted and is tagged by avast! as a virus, when in fact it is just a false positive. This has nothing to do with Trend Micro's signatures either because at this point they have not yet been loaded.

Can this please be corrected?

----------------------------------------------------------------------------------------------------

From Jotti's:

Scanner results:
AntiVir                Found nothing
ArcaVir                Found nothing
Avast                  Found VBS:Redlof
AVG Antivirus          Found nothing
BitDefender            Found nothing
ClamAV                 Found nothing
Dr.Web                 Found nothing
F-Prot Antivirus       Found nothing
Fortinet               Found nothing
Kaspersky Anti-Virus   Found nothing
NOD32                  Found nothing
Norman Virus Control   Found nothing
UNA                    Found nothing
VirusBuster            Found nothing
VBA32                  Found nothing
« Last Edit: June 21, 2006, 08:37:03 PM by DaveD »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: False Positive - Trend Micro's Sysclean
« Reply #1 on: June 21, 2006, 11:52:53 PM »
The tool uses unencrypted virus signatures... so no, the detection won't be changed, sorry.

DaveD

  • Guest
Re: False Positive - Trend Micro's Sysclean
« Reply #2 on: June 22, 2006, 12:21:32 AM »
> The tool uses unencrypted virus signatures... so no, the detection won't be changed, sorry.

You are incorrect. The tool does not use unencrypted signatures. The signatures are encrypted. I ran a scan with avast! on the signature file lpt$vpn.521 and it came up clean. I ran a scan with McAfee Command Line scanner on that same file with the /analyze /mime /unzip options and it came up clean.

It is the 84kb sysclean.exe file that avast! is claiming to be a virus. I ran a scan with avast! on that file and it shows as a virus. That is the same file I uploaded to Jotti's.

If I am wrong, I apologize. But I am 99.9% sure that I am right on this one.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: False Positive - Trend Micro's Sysclean
« Reply #3 on: June 22, 2006, 12:24:50 AM »
The signatures are clearly visible in the executable (if you know what to look for) - so no, they are not encrypted.

The fact that McAfee, or other antiviruses, don't report anything means only that the signatures don't collide with theirs for this particular malware, while they do collide with avast!'s.

DaveD

  • Guest
Re: False Positive - Trend Micro's Sysclean
« Reply #4 on: June 22, 2006, 12:59:30 AM »
igor,

All signatures aside here, it is the executable file of 84kb that is being detected as a virus. This is prior to the loading of any signatures. This has absolutely nothing to do with Trend Micro's signatures in this case.

If I were to send you just this one simple executable file (84kb) without any of the Trend Micro signatures, you would then understand what I mean. It has nothing to do with the signatures.

I am only pursuing this for the benefit of avast! removing this false positive. I only intend on helping avast! get better and better.

May I send you this one file (84kb) so that you can see?

Thanks,
Dave

DaveD

  • Guest
Re: False Positive - Trend Micro's Sysclean
« Reply #5 on: June 22, 2006, 02:33:56 AM »
I have attached a screenshot from VIRUSTOTAL showing only avast! detecting this. As I already said, this executable does not contain any signatures. Please view the attached image.

And you say this is not a false positive?
And you try to pass the blame onto Trend Micro?

I certainly hope you change your mind and admit that it is a false positive.

Cheers,
Dave

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False Positive - Trend Micro's Sysclean
« Reply #6 on: June 22, 2006, 02:36:11 AM »
> I have attached a screenshot from VIRUSTOTAL showing only avast! detecting this. As I already said, this executable does not contain any signatures. Please view the attached image.
>
> And you say this is not a false positive?
> And you try to pass the blame onto Trend Micro?
>
> I certainly hope you change your mind and admit that it is a false positive.
>
> Cheers,
> Dave

No need to blame...  8)

Edited because Igor explained what happens  :-[
« Last Edit: June 22, 2006, 02:10:10 PM by Tech »
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: False Positive - Trend Micro's Sysclean
« Reply #7 on: June 22, 2006, 10:00:57 AM »
> I have attached a screenshot from VIRUSTOTAL showing only avast! detecting this. As I already said, this executable does not contain any signatures. Please view the attached image.
>
> And you say this is not a false positive?
> And you try to pass the blame onto Trend Micro?
>
> I certainly hope you change your mind and admit that it is a false positive.

Yes, that's exactly what I'm saying, and no, I won't change my mind.

Sorry, but I know what I'm talking about - the mentioned executable does contain pieces of VLS_Redlof worm. There's also the name for this worm there - which should be rather easy to find. Don't know why exactly this one is compiled directly into the executable (and the others are probably in some of the additional files), but that's how it is.
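The mechanism igor describes in Reply #3 and Reply #7 (a cleaning tool whose own detection patterns sit in plain bytes inside its executable, so any other scanner whose pattern for the same malware overlaps those bytes will flag the tool) can be shown with a small simulation. The following is an added example written for this thread, not code from avast!, Trend Micro or the forum. Everything in it is constructed: the byte pattern, the "infected" sample, the two toy vendor databases and the XOR key are stand-ins, and XOR encoding is used only as a simple stand-in for whatever real signature encryption a vendor would use.

```python
"""Toy model of a signature collision between a cleaning tool and another scanner.

Constructed example: the pattern, sample, vendor databases and key below are
made up for illustration and are not real malware signatures.
"""

# Constructed stand-in for a worm's byte pattern (NOT a real signature).
WORM_PATTERN = b"EXAMPLE.Worm.Pattern:X9Q"

# Constructed "infected" sample: the pattern followed by a specific tail.
INFECTED_SAMPLE = b"<script>" + WORM_PATTERN + b"\x00\x01payload-stub</script>"
CLEAN_SAMPLE = b"<script>hello world</script>"

# Two toy vendor databases for the same malware family. Vendor A's pattern is a
# substring of what the tool embeds; vendor B's extends past it, so B only
# matches the real sample and not the tool's embedded copy.
VENDOR_A_SIGS = {"Toy:ExampleWorm": WORM_PATTERN[8:]}               # b"Worm.Pattern:X9Q"
VENDOR_B_SIGS = {"Toy:ExampleWorm": WORM_PATTERN[8:] + b"\x00\x01"}

# Constructed key for the tool's own signature table (a stand-in for real encryption).
TOOL_KEY = b"k3y"


def scan(data: bytes, sigs: dict) -> list:
    """Naive substring scanner: returns the names of every signature found in data."""
    return sorted(name for name, pat in sigs.items() if pat in data)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_tool_image(encode_signatures: bool) -> bytes:
    """Construct a fake 'cleaning tool' executable that carries its own detection pattern.

    With encode_signatures=False the pattern is stored as plain bytes (the
    situation described in the thread); with True it is XOR-encoded first.
    """
    stored = xor_bytes(WORM_PATTERN, TOOL_KEY) if encode_signatures else WORM_PATTERN
    return b"MZ-TOY-CLEANER\x00SIGTABLE:" + stored + b"\x00END"


def tool_scan(tool_image: bytes, sample: bytes, encoded: bool) -> bool:
    """The tool recovers its pattern from its own image at runtime and scans a sample."""
    marker = b"SIGTABLE:"
    start = tool_image.index(marker) + len(marker)
    end = tool_image.index(b"\x00END", start)
    stored = tool_image[start:end]
    pattern = xor_bytes(stored, TOOL_KEY) if encoded else stored
    return pattern in sample


def collision_report() -> dict:
    """Run both vendor scanners over the plaintext and the encoded tool image."""
    report = {}
    for label, encoded in (("plaintext_tool", False), ("encoded_tool", True)):
        image = build_tool_image(encoded)
        report[label] = {
            "vendor_a": scan(image, VENDOR_A_SIGS),
            "vendor_b": scan(image, VENDOR_B_SIGS),
        }
    return report


if __name__ == "__main__":
    for label, hits in collision_report().items():
        print(f"{label}: {hits}")
    for encoded in (False, True):
        image = build_tool_image(encoded)
        print(f"encoded={encoded}: tool still detects sample ->",
              tool_scan(image, INFECTED_SAMPLE, encoded))
```

Running it shows the shape of the disagreement in the thread: vendor A flags the plaintext tool image while vendor B does not, purely because A's pattern for this family happens to be a substring of the bytes the tool embeds and B's is not. Encoding the stored pattern removes the plaintext from the tool's image, so neither vendor matches it, while the tool itself still detects the sample after decoding at runtime. Whether a particular vendor's detection of such a tool is "correct" is therefore a question of whose pattern overlaps, not of whether the tool is malicious, which is why one scanner flagging it and a dozen others not is consistent with igor's explanation.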

DaveD

  • Guest
Re: False Positive - Trend Micro's Sysclean
« Reply #8 on: June 22, 2006, 05:30:44 PM »
> Yes, that's exactly what I'm saying, and no, I won't change my mind.
>
> Sorry, but I know what I'm talking about - the mentioned executable does contain pieces of VLS_Redlof worm. There's also the name for this worm there - which should be rather easy to find. Don't know why exactly this one is compiled directly into the executable (and the others are probably in some of the additional files), but that's how it is.

While I do admit that I find it odd that avast! is the only anti-virus program in the world that detects this file as a virus.

However, I am certainly not an expert. I admit that I have no knowledge whatsoever at determining if a file is malicious or not.

I respect your explanation and I appreciate you taking your time with me on this. I apologize if it sounded as though I was telling you that you didn't really know what you were talking about, or anything like that.

Thank you igor!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False Positive - Trend Micro's Sysclean
« Reply #9 on: June 22, 2006, 11:48:09 PM »
Thanks for your words Dave... I'm not an expert either  8)
The best things in life are free.