Topic: False positive with win32 lineage 518 and Counterspy?


avast-fan

  • Guest
False positive with win32 lineage 518 and Counterspy?
« on: April 23, 2007, 12:55:44 AM »
I just installed avast on a friend's PC. He had previously had Counterspy on his machine as well. The initial deep scan showed 2 cases of win32 lineage 518. I wrote down the exact location of the files, but don't have that on me right now. I do remember that it showed up under some Counterspy folder.

Any previous cases reported of a false positive with this?  I seriously doubt that he had a keystroke logger. 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #1 on: April 23, 2007, 01:14:26 AM »
What is the infected/suspect file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?  Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

The file name and location might give an indication of why it might have been detected, in the past some virus signature files have been detected, but without information we won't be able to say one way or another.

If he no longer has counterspy, the uninstall routine should have removed the folders (?) at least I would have thought so.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners there detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline sergofun

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1607
  • Hello, world>_
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #2 on: April 23, 2007, 10:47:00 PM »
Quote from: avast-fan
The initial deep scan showed 2 cases of win32 lineage 518
Cool... Maybe...
After updating Outpost, avast! sees Win32:Lineage-518[Trj] in spy6_inc.sdb (Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\spy6_inc.sdb) too!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #3 on: April 23, 2007, 11:12:09 PM »
That is avast detecting the Outpost anti-spyware plug-in's unencrypted signature file. I long ago disabled the anti-spyware plug-in; it is very active at boot, and as a result avast also scans the files it is trying to open, extending the boot duration. Not to mention I have enough anti-spyware protection not to warrant it; yes, it means no resident AS protection, but I don't feel the need.

You can add the file to the exclusions.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #4 on: April 23, 2007, 11:13:29 PM »
Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\spy6_inc.sdb
Isn't Outpost encrypting its signatures either? Shame... like Panda's ones.
Sergofun, you can add those files to the two avast Exclusion lists (on-access and on-demand).
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #5 on: April 23, 2007, 11:18:44 PM »
It certainly doesn't look like it.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #6 on: April 23, 2007, 11:26:12 PM »
Quote from: DavidR
It certainly doesn't look like it.
Doesn't? What is happening then?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #7 on: April 24, 2007, 01:13:03 AM »
I will expand.
Quote from: Tech
Isn't Outpost encrypting its signatures either?
It doesn't look like they are encrypted.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #8 on: April 24, 2007, 01:17:09 AM »
Quote from: DavidR
I will expand.
Quote from: Tech
Isn't Outpost encrypting its signatures either?
It doesn't look like they are encrypted.
Thanks David for helping my English... 8)

Offline sergofun

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1607
  • Hello, world>_
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #9 on: April 24, 2007, 11:06:21 PM »
DavidR, Tech, thank you for your answers :)
You are right. Agnitum technical support says that Outpost stores the anti-spyware plug-in's signature file unencrypted (as you have said). Some AV may find a malware signature in this file, but it is a false positive. In its letter Agnitum advises contacting ALWIL and optimising Outpost: Optimising Outpost Firewall Pro to work concurrently with antivirus software.
Adding this file to the exclusions or switching off the Outpost anti-spyware plug-in are great ideas!!! Thanks! :)

avast-fan, maybe it's really a false positive in your case too?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #10 on: April 24, 2007, 11:35:59 PM »
Quote from: sergofun
In its letter Agnitum advises contacting ALWIL
Silly... they make wrong things and throw the problem over Alwil...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #11 on: April 24, 2007, 11:58:45 PM »
Quote from: sergofun
DavidR, Tech, thank you for your answers :)
You are right. Agnitum technical support says that Outpost stores the anti-spyware plug-in's signature file unencrypted (as you have said). Some AV may find a malware signature in this file, but it is a false positive. In its letter Agnitum advises contacting ALWIL and optimising
<snip>

Their solution is far from optimising but leaving a gaping hole in system security.
Quote
Avast!:

   1. Right-click the Avast! icon in the system tray.
   2. On the shortcut menu select Program Settings.
   3. On the Exclusions tab click Browse.
   4. Browse to the Outpost installation folder (C:\Program Files\Agnitum\Outpost Firewall by default) and click OK.

You wouldn't see them be so cavalier about either allowing or blocking all UDP connections; they would be more detailed in blocking UDP for a particular application or use. Whilst this example is ridiculous, it gives the same broad-brush technique an easy ride: allow everything in the Outpost folders and sub-folders.

As Tech said, why should others make exceptions/changes to make up for their shortcomings? Signatures should be encrypted, period.

Offline sergofun

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1607
  • Hello, world>_
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #12 on: April 25, 2007, 11:15:27 PM »
I agree with you both. DavidR, what you've said is very reasonable. Why must users add the whole Outpost folder with subfolders into the avast! exclusions? Why not only C:\Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\spy6_inc.sdb?
Quote from: DavidR
signatures should be encrypted
I think that decryption takes more time, and to make the scan faster they store the anti-spyware plug-in's signature file unencrypted.
« Last Edit: April 25, 2007, 11:20:20 PM by sergofun »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #13 on: April 25, 2007, 11:33:04 PM »
The problem with your first point is that they would then have to be more specific, as some might also have to exclude wl_hook.dll or any other possible conflicts. The same is true for other AVs in that optimising Outpost link you gave: they would have to be more specific for all the different AVs, so they just say to exclude the Outpost folder.

If you ask me that is just as slap-dash (or lazy) as not bothering to encrypt their signatures. If performance is an issue then they should address that, as other security software applications (like avast) do. Part of the problem, I believe, is the fact that they aren't the authors of the anti-spyware plug-in; it is, I believe, Lavasoft, the Ad-Aware providers.
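An added example, not code from the thread or from either vendor, that makes the point of the last two replies concrete: an exclusion scoped to the one file keeps the rest of the folder under scanning, while a whole-folder exclusion (what the Agnitum instructions ask for) also hides every other file that ever lands there. spy6_inc.sdb and wl_hook.dll are the names from the thread; the other file names are constructed.

```python
"""Toy exclusion check: exact-file exclusion versus whole-folder exclusion."""
from pathlib import PureWindowsPath

# Constructed view of what an on-access scanner might see. spy6_inc.sdb and
# wl_hook.dll are named in the thread; the remaining entries are made-up stand-ins.
OBSERVED_FILES = [
    r"C:\Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\spy6_inc.sdb",
    r"C:\Program Files\Agnitum\Outpost Firewall\wl_hook.dll",
    r"C:\Program Files\Agnitum\Outpost Firewall\Plugins\unknown_update.exe",  # hypothetical
    r"C:\Windows\System32\notepad.exe",
]

OUTPOST_DIR = r"C:\Program Files\Agnitum\Outpost Firewall"
SDB_FILE = OBSERVED_FILES[0]


def is_excluded(path, file_exclusions=(), folder_exclusions=()):
    """True if path is an excluded file, or lies anywhere below an excluded folder.

    PureWindowsPath compares case-insensitively, as Windows itself does, and
    matching on path components (not string prefixes) means an excluded
    'Outpost Firewall' folder does not accidentally cover 'Outpost Firewall Extra'.
    """
    p = PureWindowsPath(path)
    if any(PureWindowsPath(f) == p for f in file_exclusions):
        return True
    return any(PureWindowsPath(d) in p.parents for d in folder_exclusions)


def skipped_by_scanner(files, file_exclusions=(), folder_exclusions=()):
    """Files the scanner would never look at under the given exclusion policy."""
    return [f for f in files if is_excluded(f, file_exclusions, folder_exclusions)]


def still_scanned(files, file_exclusions=(), folder_exclusions=()):
    """Files that remain covered by the scanner under the given policy."""
    return [f for f in files if not is_excluded(f, file_exclusions, folder_exclusions)]


if __name__ == "__main__":
    # The single-file policy hides exactly one file; the folder policy hides
    # everything under the Outpost tree, including files that do not exist yet.
    print("single-file exclusion skips:", skipped_by_scanner(OBSERVED_FILES, file_exclusions=[SDB_FILE]))
    print("whole-folder exclusion skips:", skipped_by_scanner(OBSERVED_FILES, folder_exclusions=[OUTPOST_DIR]))
```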

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #14 on: April 26, 2007, 12:46:01 AM »
Quote from: sergofun
I think that decryption takes more time, and to make the scan faster they store the anti-spyware plug-in's signature file unencrypted.
Bad work, bad excuses... They should be better, they must do it better.
Even in memory (RAM) while running they should be encrypted... or the antivirus will detect them.
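An added example, not from the thread or from any vendor, of the mechanism the whole thread is arguing about: a toy byte-pattern scanner run over two constructed layouts of a signature database. Stored verbatim, the patterns are found by any other scanner that reads the file; stored transformed (single-byte XOR here purely as a stand-in for real encryption), nothing on disk matches while the owning product still recovers its patterns. All pattern bytes and names are made up.

```python
"""Why an unencrypted signature database trips other scanners (toy model)."""

# Constructed patterns standing in for real detection signatures.
SIGNATURES = {
    "Demo:Pattern-A": b"\xde\xad\xbe\xef\x13\x37",
    "Demo:Pattern-B": b"PATTERN-B-MARKER",
}
KEY = b"\x5a"  # toy single-byte XOR key; a real product would use a proper cipher


def scan(data, sigs=SIGNATURES):
    """Return the names of every signature whose raw bytes occur in data."""
    return sorted(name for name, pat in sigs.items() if pat in data)


def write_plain_db(sigs):
    """Layout 1: every pattern stored verbatim, like the .sdb in the thread.
    Any other scanner that reads this file sees its own signatures in it."""
    return b"".join(name.encode() + b"=" + pat + b"\n" for name, pat in sigs.items())


def xor(buf, key=KEY):
    """Symmetric toy transform; applying it twice restores the input."""
    return bytes(b ^ key[0] for b in buf)


def write_obfuscated_db(sigs):
    """Layout 2: same records, transformed so no raw pattern appears on disk."""
    return xor(write_plain_db(sigs))


def load_obfuscated_db(blob):
    """The owning product reverses the transform in memory to get its patterns back."""
    out = {}
    for line in xor(blob).split(b"\n"):
        if line:
            name, pat = line.split(b"=", 1)
            out[name.decode()] = pat
    return out


if __name__ == "__main__":
    print("plain db triggers:", scan(write_plain_db(SIGNATURES)))
    print("obfuscated db triggers:", scan(write_obfuscated_db(SIGNATURES)))
    print("round-trip ok:", load_obfuscated_db(write_obfuscated_db(SIGNATURES)) == SIGNATURES)
```

The decode step in load_obfuscated_db is the window Lisandro's last reply points at: once decoded, the raw patterns exist in RAM, so an in-memory scan could still see them.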