Topic: Pando false positive ?

crococ

  • Guest
Pando false positive ?
« on: June 05, 2008, 02:17:21 PM »
Hello all,

During my recent upgrade to Pando Free version 2.0.3.1, Avast detected the
file ...\Temp\bar.0\P4SRCSP.EXE\ as being infected (Adw) : I put it in the chest.

Is this detection a known FP ?

TIA.


Lisandro

  • Avast team
Re: Pando false positive ?
« Reply #1 on: June 05, 2008, 02:23:58 PM »
I thought Pando is a legit, clean, application.
So can you please submit it to VirusTotal and let us know the result? If it is indeed a false positive, as you know, send it in a password-protected zip to virus@avast.com
Please mention in the body of the message why you think it is a false positive and the password used. Thanks.
The best things in life are free.

crococ

  • Guest
Re: Pando false positive ?
« Reply #2 on: June 05, 2008, 03:02:18 PM »
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

I tried to submit the file to VirusTotal, but for some reason, I did not succeed
(0 bytes received by VT). So I sent it directly to Avast, along with a message.
Hope it worked and you received it correctly.

Lisandro

  • Avast team
Re: Pando false positive ?
« Reply #3 on: June 05, 2008, 03:13:36 PM »
I tried to submit the file to VirusTotal, but for some reason, I did not succeed
(0 bytes received by VT).
I forgot to say that you'll have to disable avast before sending it.
avast is blocking the file because it thinks it is infected.

DavidR

  • Avast Überevangelist
Re: Pando false positive ?
« Reply #4 on: June 05, 2008, 03:18:58 PM »
I tried to submit the file to VirusTotal, but for some reason, I did not succeed
(0 bytes received by VT).
I forgot to say that you'll have to disable avast before sending it.
avast is blocking the file because it thinks it is infected.

You also can't send it whilst it is in the chest; you need to export it, not restore it to the original location.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Also see, http://www.pando.com/phpbb/viewtopic.php?f=3&t=7898.
Quote from: Post #5 of above link
Hello,

Checked with our devs, and P4SRCSP.EXE is NOT part of the pando package.

Also a google search for the file name (where I got the above) returns very little information (5 hits) for a legit file if it is legit.
« Last Edit: June 05, 2008, 03:24:22 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

crococ

  • Guest
Re: Pando false positive ?
« Reply #5 on: June 05, 2008, 03:59:58 PM »

You also can't send it whilst it is in the chest; you need to export it, not restore it to the original location.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Also see, http://www.pando.com/phpbb/viewtopic.php?f=3&t=7898.
Quote from: Post #5 of above link
Hello,

Checked with our devs, and P4SRCSP.EXE is NOT part of the pando package.


Many thanks for the info. Finally, I succeeded in submitting the file to VT, which returned me some
positive detections : here follows an abstract (manually done) :

Antivir : ADSPY/Mywebsearch.86016
Avast : Win32:Adware-gen
F-Prot : W32/Mywebsearch.A.gen!Eldorado
Fortinet : Adware/MyWebSearch
GdData : Win32:Adware-gen
Ikarus : not-a-virus:AdTool.Win32.MyWebSearch.aw
Kaspersky : not-a-virus:AdTool.Win32.MyWebSearch.aw
NOD*32v2 : a variant of Win32/Adinstaller
Panda : Suspicious file
Sunbelt : MyWebSearchToolbar
TheHacker : Aplication/MyWebSearch.aw
VBA32 : suspected of Trojan-Dropper.Delf.36 (paranoid heuristic)
Webmaster-Gateway : Ad-Spyware.Mywebsearch.86016

So at least, this file looks highly suspicious to me ...
As during this Pando update, a new toolbar came up, perhaps it would be wise
not to use this bar ... What do you think about it ?

TIA.
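
The detection names in the post above can be tallied by family instead of being read one by one. This is an added example, not part of the original post; the `GENERIC` and `CATEGORY` word lists are assumptions chosen for these thirteen labels.

```python
import re
from collections import Counter

# Detection names as typed into the post's VirusTotal summary.
VT_LABELS = {
    "Antivir": "ADSPY/Mywebsearch.86016",
    "Avast": "Win32:Adware-gen",
    "F-Prot": "W32/Mywebsearch.A.gen!Eldorado",
    "Fortinet": "Adware/MyWebSearch",
    "GdData": "Win32:Adware-gen",
    "Ikarus": "not-a-virus:AdTool.Win32.MyWebSearch.aw",
    "Kaspersky": "not-a-virus:AdTool.Win32.MyWebSearch.aw",
    "NOD*32v2": "a variant of Win32/Adinstaller",
    "Panda": "Suspicious file",
    "Sunbelt": "MyWebSearchToolbar",
    "TheHacker": "Aplication/MyWebSearch.aw",
    "VBA32": "suspected of Trojan-Dropper.Delf.36 (paranoid heuristic)",
    "Webmaster-Gateway": "Ad-Spyware.Mywebsearch.86016",
}

# Platform, heuristic and packaging words that identify no family (assumed list).
GENERIC = {"win32", "virus", "variant", "suspicious", "file", "suspected",
           "paranoid", "heuristic", "eldorado", "aplication"}
# Words naming a category of software rather than a family (assumed list).
CATEGORY = {**dict.fromkeys(("adware", "adspy", "adtool", "adinstaller"), "adware"),
            "spyware": "spyware", "trojan": "trojan", "dropper": "trojan"}


def tally(labels):
    """Return (family_votes, category_votes); each engine votes once per name."""
    families, categories = Counter(), Counter()
    for label in labels.values():
        fams, cats = set(), set()
        for tok in re.split(r"[^a-z0-9]+", label.lower()):
            if len(tok) < 4 or tok.isdigit() or tok in GENERIC:
                continue  # too short, a size/variant number, or a generic word
            if tok in CATEGORY:
                cats.add(CATEGORY[tok])
            else:
                # "mywebsearchtoolbar" and "mywebsearch" are the same family
                fams.add(re.sub(r"toolbar$", "", tok) or tok)
        families.update(fams)
        categories.update(cats)
    return families, categories


if __name__ == "__main__":
    families, categories = tally(VT_LABELS)
    print("families:", families.most_common(), "categories:", categories.most_common())
```

On these labels, eight of the thirteen engines name the same family and seven use an adware category word, while the single dropper label comes from one engine's heuristic.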

DavidR

  • Avast Überevangelist
Re: Pando false positive ?
« Reply #6 on: June 05, 2008, 05:10:59 PM »
It may just be a coincidence that it came down the pipe at the same time as Pando, however, I have no knowledge of Pando and what it may or may not have in it.

Some of the detections give the specific name MyWebSearch which many do consider adware, unfortunately some software comes bundled with this mywebsearch.

So I don't know if that is part of Pando (that is the toolbar) if so I assume you can uninstall it ?
However I certainly wouldn't use it, whilst it doesn't do anything harmful on your system it does gather information which can be used to deliver adverts. I feel it is a valid detection.

crococ

  • Guest
Re: Pando false positive ?
« Reply #7 on: June 10, 2008, 07:48:47 PM »

So I don't know if that is part of Pando (that is the toolbar) if so I assume you can uninstall it ?
However I certainly wouldn't use it, whilst it doesn't do anything harmful on your system it does gather information which can be used to deliver adverts. I feel it is a valid detection.
Just to tell, and close the topic ...
In fact, I could uninstall the Pando toolbar. In doing so, I did a complete re-installation
and removed the toolbar using the usual Windows remove programs tool.  In a 1st attempt,
I reloaded Pando, with the toolbar option unticked. Avast did not complain. In a 2nd attempt,
I did the re-installation with the toolbar option ticked. At this time, Avast sent the same
alert. My guess is that Pando provides some tools (particularly toolbar) that may produce
alerts from AV programs and that Avast produced a valid detection.
« Last Edit: June 10, 2008, 07:57:23 PM by crococ »

DavidR

  • Avast Überevangelist
Re: Pando false positive ?
« Reply #8 on: June 10, 2008, 08:25:28 PM »
Thanks for the feedback.

That is most certainly the case as many consider the mywebsearch toolbar as adware, though not serious as it is gathering information on what you search for that could be used for marketing or delivery of targeted adverts.

There are plenty of other tools/search engines that aren't considered adware.

Lisandro

  • Avast team
Re: Pando false positive ?
« Reply #9 on: June 10, 2008, 09:41:23 PM »
My guess is that Pando provides some tools (particularly toolbar) that may produce
alerts from AV programs and that Avast produced a valid detection.
Do you mean that Pando is not a reliable application anymore? Does it become adware?

DavidR

  • Avast Überevangelist
Re: Pando false positive ?
« Reply #10 on: June 10, 2008, 10:38:47 PM »
No, it is just like some other applications: if you install the toolbar, avast detects the toolbar as the issue. Without the toolbar, no alert by avast.

crococ

  • Guest
Re: Pando false positive ?
« Reply #11 on: June 10, 2008, 10:44:25 PM »
My guess is that Pando provides some tools (particularly toolbar) that may produce
alerts from AV programs and that Avast produced a valid detection.
Do you mean that Pando is not a reliable application anymore? Does it become adware?
I don't think the Pando application by itself is an adware. But one must take care when
installing some new product : the suggested by default ticked options might lead somebody
to download some extra soft adds that he does not want, as perhaps the Pando toolbar.
After Pando installation, and after the Pando toolbar removal, I ran SAS : it detected
several adware entries, as :

Adware.HotBar/ShopperReports
Adware.Zango/SmartShopper

each with several entries. Even if these are low risk rated, I do not like the way they
come along with Pando. The 1st time I installed Pando, Avast did not complain, and SAS, as far
as I can remember, did not detect anything.


Lisandro

  • Avast team
Re: Pando false positive ?
« Reply #12 on: June 10, 2008, 11:31:24 PM »
I do not like the way they come along with Pando.
Yeah... we do not need toolbars delivered this way.
I used Pando in the past, on XP, but haven't installed into Vista and indeed I've 'used' it none... I think it will be a good tool to be there when I need, but I never needed it, so... no Pando now.