Author Topic: false positive in "AdvancedRemoteInfo 0.6.5.3"  (Read 2384 times)


zivilist

  • Full Member
  • Posts: 126
false positive in "AdvancedRemoteInfo 0.6.5.3"
« on: November 21, 2006, 06:39:39 PM »
Hello,

when I use the "XP CD-Key" tool in "AdvancedRemoteInfo 0.6.5.3" (http://masterbootrecord.de/english/advancedremoteinfo.php), the notification pop-up appears:

----
C:\DOCUME~1\xxx\LOCALS~1\Temp\ta0D0.tmp.exe\[UPX]

Win32:PsExec [Tool]
----

There is a hint on this site (scroll down):

Attention - false Virus Alert!
Some scanners detected a trojan horse in the setup of AdvancedRemoteInfo. These are false alerts. All files of ARI are checked with two virus scanners before release. The false alert was caused by compression of the setup files with the executable packer "UPX". This is reverted in version 0.6.5.1.


thanks
« Last Edit: November 21, 2006, 06:59:46 PM by zivilist »
OS: Windows 7 Professional x64, OS X 10.8.3
Avast Free (for Mac and Windows)

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 83508
  • No support PMs thanks
Re: false positive in "AdvancedRemoteInfo 0.6.5.3"
« Reply #1 on: November 21, 2006, 07:45:43 PM »
The key is the malware name's suffix [Tool], as such files can be used for good or evil. Since you downloaded it and, I assume, know its purpose, if you decide it is for good and no risk, then you can exclude it. In any case you should confirm the detection, see below.

Also, to me something with a double file type/extension is suspicious and could be trying to trick you into thinking you have a harmless text file when it is an executable file. There are also no hits in a Google search for that file name, which in itself is suspicious.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusion lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, then you can also remove it from the Standard Shield and Program Settings exclusions.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.6.2420 (build 20.6.5495.561) UI-1.0.541/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

zivilist

  • Full Member
  • Posts: 126
Re: false positive in "AdvancedRemoteInfo 0.6.5.3"
« Reply #2 on: November 21, 2006, 08:24:50 PM »
scanned with http://virusscan.jotti.org/ after renaming it with avast:

File:      [UPX].vir
Status:    INFECTED/MALWARE
MD5    18551cae5a306bb929445d3192059310
Packers detected:    UPX

Scanner results
AntiVir    Found nothing
ArcaVir    Found nothing
Avast    Found Win32:PsExec
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV    Found nothing
Dr.Web    Found Program.PsExec.131
F-Prot Antivirus    Found nothing
F-Secure Anti-Virus    Found not-a-virus:RiskTool.Win32.PsExec.13 (6, 2, 611)
Fortinet    Found HackerTool/ProcLaunch
Kaspersky Anti-Virus    Found not-a-virus:RiskTool.Win32.PsExec.13
NOD32    Found nothing
Norman Virus Control    Found nothing
VirusBuster    Found nothing
VBA32    Found nothing

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 83508
  • No support PMs thanks
Re: false positive in "AdvancedRemoteInfo 0.6.5.3"
« Reply #3 on: November 21, 2006, 09:21:27 PM »
Which basically confirms what I said: it is a [tool] and there is a risk involved in its potential use.

I prefer the VirusTotal site as it uses the Windows version of avast and, at last count, it has 27 different engines. You can submit it to avast as outlined in the False Positive link above, but given the classification/name [tool] given, I doubt anything would change. So if you are happy with the file and its use, restore it from the chest and add it to the exclusions given above.
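As an added example (not code from this thread, from avast or from the AdvancedRemoteInfo project), the script below applies the triage rule DavidR gives in Replies #1 and #3 to the Jotti report pasted in Reply #2: count how many engines flag the file, check whether the names they assign are "tool/riskware" classifications rather than malware names, look for a family the engines agree on, and flag the double-extension pattern (`ta0D0.tmp.exe`) from the first post. The report text is embedded as a constructed copy of that reply so the script runs offline; the marker list, the generic-token stoplist, the extension set and the verdict thresholds are assumptions chosen for this example, not any vendor's rules.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the Jotti report from Reply #2 (sample input, not fetched).
SAMPLE_REPORT = """\
File:      [UPX].vir
Status:    INFECTED/MALWARE
MD5    18551cae5a306bb929445d3192059310
Packers detected:    UPX

Scanner results
AntiVir    Found nothing
ArcaVir    Found nothing
Avast    Found Win32:PsExec
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV    Found nothing
Dr.Web    Found Program.PsExec.131
F-Prot Antivirus    Found nothing
F-Secure Anti-Virus    Found not-a-virus:RiskTool.Win32.PsExec.13 (6, 2, 611)
Fortinet    Found HackerTool/ProcLaunch
Kaspersky Anti-Virus    Found not-a-virus:RiskTool.Win32.PsExec.13
NOD32    Found nothing
Norman Virus Control    Found nothing
VirusBuster    Found nothing
VBA32    Found nothing
"""

# Substrings vendors use for dual-use tools / riskware (assumed list for this example).
TOOL_MARKERS = ("not-a-virus", "risktool", "hacktool", "hackertool", "[tool]", "program.", "pua", "pup")
# Tokens too generic to identify a family (assumed stoplist).
GENERIC_TOKENS = {"win32", "virus", "program", "risktool", "hacktool", "hackertool", "generic", "tool"}
# Extensions that make the final part of a name executable (assumed set).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif"}

# Matches "Engine name    Found <detection name>"; engine and name separated by 2+ spaces.
LINE_RE = re.compile(r"^(?P<engine>.+?)\s{2,}Found (?P<name>.+)$")


@dataclass
class Detection:
    engine: str
    name: str

    @property
    def is_tool_class(self) -> bool:
        n = self.name.lower()
        return any(marker in n for marker in TOOL_MARKERS)


@dataclass
class Triage:
    md5: str
    packers: List[str]
    engines: int
    detections: List[Detection]

    @property
    def hit_ratio(self) -> float:
        return len(self.detections) / self.engines if self.engines else 0.0

    def family_consensus(self) -> Optional[str]:
        """Most common family-like token across detection names (e.g. 'psexec'), counted once per engine."""
        tokens: Counter = Counter()
        for d in self.detections:
            seen = {t.lower() for t in re.findall(r"[A-Za-z]{4,}", d.name)}
            tokens.update(seen - GENERIC_TOKENS)
        if not tokens:
            return None
        tok, count = tokens.most_common(1)[0]
        return tok if count >= 2 else None

    @property
    def verdict(self) -> str:
        hits = len(self.detections)
        if hits == 0:
            return "clean: no engine flagged the file"
        if hits == 1:
            return "single-engine hit: likely false positive, report it to that vendor"
        tool_hits = sum(d.is_tool_class for d in self.detections)
        if tool_hits * 2 >= hits:  # majority of the hits are tool/riskware names
            return "tool/riskware consensus: dual-use tool, exclude only if you trust its purpose"
        return "multi-engine malware consensus: treat as malicious"


def parse_report(text: str) -> Triage:
    """Parse a Jotti-style text report into a Triage record."""
    md5, packers, detections, engines, in_results = "", [], [], 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("MD5"):
            md5 = line.split()[-1].lower()
        elif line.startswith("Packers detected:"):
            packers = [p.strip() for p in line.split(":", 1)[1].split(",") if p.strip()]
        elif line == "Scanner results":
            in_results = True
        elif in_results:
            m = LINE_RE.match(line)
            if not m:
                continue
            engines += 1
            name = m.group("name").strip()
            if name.lower() != "nothing":
                detections.append(Detection(m.group("engine").strip(), name))
    return Triage(md5, packers, engines, detections)


def has_double_extension(filename: str) -> bool:
    """True for names like 'ta0D0.tmp.exe': an executable extension behind another extension."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] not in EXECUTABLE_EXTS


if __name__ == "__main__":
    t = parse_report(SAMPLE_REPORT)
    print(f"md5={t.md5} packers={t.packers} hits={len(t.detections)}/{t.engines}")
    print(f"family={t.family_consensus()} double_ext={has_double_extension('ta0D0.tmp.exe')}")
    print(t.verdict)
```

On the pasted report this yields 5 of 15 engines, four of them using tool/riskware names agreeing on the family "psexec", so the verdict is the tool/riskware one rather than "false positive": the file is a consistently classified dual-use tool, which is the distinction DavidR draws before recommending an exclusion.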