Author Topic: False positive with win32 lineage 518 and Counterspy?  (Read 5449 times)

0 Members and 1 Guest are viewing this topic.

Offline avast-fan

  • Newbie
  • *
  • Posts: 1
False positive with win32 lineage 518 and Counterspy?
« on: April 23, 2007, 12:55:44 AM »
I just installed avast on a friends PC.  He had previosuly had Counterspy on his machine as well.  The initial deep scan showed 2 cases of win32 lineage 518.  I wrote down the exact location of the files, but don't have  that on me right now.  I do remember that it showed up under some counterspy folder.

Any previous cases reported of a false positive with this?  I seriously doubt that he had a keystroke logger. 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83920
  • No support PMs thanks
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #1 on: April 23, 2007, 01:14:26 AM »
What is the infected/suspect file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?  Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

The file name and location might give an indication of why it might have been detected, in the past some virus signature files have been detected, but without information we won't be able to say one way or another.

If he no longer has counterspy, the uninstall routine should have removed the folders (?) at least I would have thought so.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.8.2432 (build 20.8.5684.602) UI-1.0.564/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline sergofun

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1639
  • Hello, world>_
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #2 on: April 23, 2007, 10:47:00 PM »
Quote from: avast-fan
The initial deep scan showed 2 cases of win32 lineage 518
Cool.. May be..
After updayting Outpost avast! see in the spy6_inc.sdb (Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\spy6_inc.sdb) Win32:Lineage-518[Trj] too!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83920
  • No support PMs thanks
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #3 on: April 23, 2007, 11:12:09 PM »
That is avast detecting the Outpost anti-spyware plug-ins unencrypted signature file. I long ago disabled the anti-spyware plug-in, it is very active at boot and as a result avast also scan the files it is trying to open extending the boot duration. Not to mention I have enough anti-spyware protection not to warrant it, yes it means no resident AS protection but I don't feel the need.

You can add the file to the exclusions.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.8.2432 (build 20.8.5684.602) UI-1.0.564/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #4 on: April 23, 2007, 11:13:29 PM »
Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\spy6_inc.sdb
Isn't Outpost encrypting its signatures either? Shame... like Panda's ones.
Sergofun, you can add that files to the two avast Exclusion lists (on-access and on-demand).
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83920
  • No support PMs thanks
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #5 on: April 23, 2007, 11:18:44 PM »
It certainly doesn't look like it.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.8.2432 (build 20.8.5684.602) UI-1.0.564/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #6 on: April 23, 2007, 11:26:12 PM »
It certainly doesn't look like it.
Doesn't? What is happening then?
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83920
  • No support PMs thanks
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #7 on: April 24, 2007, 01:13:03 AM »
I will expand.
Quote from: Tech
Isn't Outpost encrypting its signatures either?
it doesn't look like they are encrypted.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.8.2432 (build 20.8.5684.602) UI-1.0.564/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #8 on: April 24, 2007, 01:17:09 AM »
I will expand.
Quote from: Tech
Isn't Outpost encrypting its signatures either?
it doesn't look like they are encrypted.
Thanks David for helping my English... 8)
The best things in life are free.

Offline sergofun

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1639
  • Hello, world>_
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #9 on: April 24, 2007, 11:06:21 PM »
DavidR, Tech, thank you for your answers :)
You are right. Agnitum technical support says that the Outpost stores the anti-spyware plug-ins signature file unencrypted (as you have said). Some AV may find in this file a malware signature, but it is the false positive. In it's letter Agnitum advises to contact with ALWILL and optimise Outpost: Optimising Outpost Firewall Pro to work concurrently with antivirus software.
Adding this file to the exclusions or swithing off the Outpost anti-spyware plug-in are great ideas!!! Thanks! :)

avast-fan, may be it's really false positive in your case too?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #10 on: April 24, 2007, 11:35:59 PM »
In it's letter Agnitum advises to contact with ALWIL
Silly... they make wrong things and throw the problem over Alwil...
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83920
  • No support PMs thanks
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #11 on: April 24, 2007, 11:58:45 PM »
DavidR, Tech, thank you for your answers :)
You are right. Agnitum technical support says that the Outpost stores the anti-spyware plug-ins signature file unencrypted (as you have said). Some AV may find in this file a malware signature, but it is the false positive. In it's letter Agnitum advises to contact with ALWILL and optimise
<snip>

Their solution is far from optimising but leaving a gaping hole in system security.
Quote
Avast!:

   1. Right-click the Avast! icon in the system tray.
   2. On the shortcut menu select Program Settings.
   3. On the Exclusions tab click Browse.
   4. Browse to the Outpost installation folder (C:\Program Files\Agnitum\Outpost Firewall by default) and click OK.

You wouldn't see them be so cavalier about either allowing or blocking all UDP connections but would be more detailed in blocking UDP for a particular application or use. Whilst this example is ridiculous it give the same broad brush technique to allow everything in the outpost folders and sub folders an easy ride.

As Tech said why should others make exceptions/changes to make up for their short comings, signatures should be encrypted period.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.8.2432 (build 20.8.5684.602) UI-1.0.564/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline sergofun

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1639
  • Hello, world>_
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #12 on: April 25, 2007, 11:15:27 PM »
I'm agree with your bouth. DavidR, you've said very reasonable. Why users must add whole Outpost folder with subfolders into avast! exlusions? Why not only C:\Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\spy6_inc.sdb?
Quote from: DavidR
signatures should be encrypted
I think that unencryption takes more time and to make scan faster they store the anti-spyware plug-ins signature file unencrypted.
« Last Edit: April 25, 2007, 11:20:20 PM by sergofun »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83920
  • No support PMs thanks
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #13 on: April 25, 2007, 11:33:04 PM »
The problem with your first point, they would then have to be more specific as some might have to also exclude wl_hook.dll or any other possible conflicts. The same is true for other AVs in that optimising outpost link you gave, they would have to be more specific for all the different AVs, so they just say to exclude the outpost folder.

If you ask me that is just as slap-dash (or lazy) as not bothering encrypting their signatures. If performance is an issue then they should address that as other security software application (like avast) does. Part of the problem I believe is the fact that they aren't the authors of the anti-spyware plug-in, it is I believe Lavasoft the adaware providers.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.8.2432 (build 20.8.5684.602) UI-1.0.564/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: False positive with win32 lineage 518 and Counterspy?
« Reply #14 on: April 26, 2007, 12:46:01 AM »
I think that unencryption takes more time and to make scan faster they store the anti-spyware plug-ins signature file unencrypted.
Bad work, bad excuses... They should be better, they must do it better.
Even in memory (RAM) while running they should be encrypted... or the antivirus will detect them.
The best things in life are free.