Author Topic: Probable false positive on Sony PsTrayIcon.exe  (Read 4886 times)

0 Members and 1 Guest are viewing this topic.

BillRubin

  • Guest
Probable false positive on Sony PsTrayIcon.exe
« on: May 29, 2012, 03:42:09 PM »
In the last few days, Avast! antivirus has begun issuing an ominous warning about C:\Program Files\Sony Corporation\...\PsTrayIcon.exe when I log in to Windows. An alarming Avast! popup says, "The file prevalence/reputation is low.", and that I should "use extreme caution". It conceded, "We did not find enough evidence to identify the file as malware."

I love Avast!, and it has worked well for me for a number of years, so I was quite concerned to get this unusual and scary warning. Then I realized that the offending file is actually part of Sony's FIU-810 "Puppy" product, which I've been using on this system for 7 years (much longer than I've been using Avast!). See http://systemexplorer.net/db/pstrayicon.exe.html.  I'm skeptical that there's anything wrong with this file. It appears to me that Avast! has recently become over-exuberant in flagging this file.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #1 on: May 29, 2012, 04:16:28 PM »
And you have testet The file at www.virustotal.com ?

Alternative.   Jotti.org / metascan- online.com / virscan.org

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #2 on: May 29, 2012, 04:43:20 PM »
Is this the AutoSandbox alert, see image1 example attached ?

If so then I doubt VT or Jotti would find any infection as effectively avast hasn't either:
The autosandbox process is controlled in the first instance by the file system shield (FSS), the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn't had a definitive detection.

However, the FSS checks other things amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). these can trigger a suspicion and it is this suspicion that results in the recommendation to use the autosandbox.

I would advice the user to change the AutoSandbox mode to Auto - that way they have more interactive control. Then the user can either accept this decision and run it in the autosandbox or have it run normally and to Remember the answer for this program. Provided of course you are familiar with the program and that it is clean and of course that you intentionally initiated the program.

Note, the difference in the Auto and Ask mode alert windows.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

BillRubin

  • Guest
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #3 on: May 29, 2012, 07:53:55 PM »
Reply to Pondus:  I've just tested PsTrayIcon.exe on the various sites you suggested, and found no problem. Details:

jotti.org: 0 out of 20 scaners reported malware.

http://metascan-online.com: Metascanned by 31 engines.  0 engines detected a threat.

virscan.org: (None of the few dozen scanners detected a threat.)

VirusTotal.com: Analysis failed! Something went wrong with your analysis. Please, try again. (I tried again, and same thing happened. VirusTotal is presumably broken.)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #4 on: May 29, 2012, 09:27:56 PM »
This non-detection at other sites leads me to believe this is the autosandbox, as suggested in my post. So I suggest you proceed as outlined in my post.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

BillRubin

  • Guest
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #5 on: May 30, 2012, 05:41:01 PM »
Reply to DavidR: My symptom was not as you described. In fact, Avast suggested I should execute this process in the sandbox, which I declined to do.

Well, the funny thing is that as of this writing, the pop-up about PsTrayIcon.exe no longer occurs. So it looks like the problem has gone away "by itself", after having manifested itself a number of times.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #6 on: May 30, 2012, 06:20:19 PM »
The suggestion to run it in the autosandbox is usually what happens when it is Auto, that is why I posted the two different images, Auto (blue border smaller pop-up) and Ask (Orange border and larger pop-up).

It may be that the remember option has taken.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

groze

  • Guest
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #7 on: June 03, 2012, 04:51:25 PM »
Sony DVD use to install a rootkit,  those that have old dvds may still have the software.  Sony does have software to remove.  They got a lot of complaints on this.  I just wonder if it is releated.   I do give Sony credit for providing the software to remove the rootkit.

BillRubin

  • Guest
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #8 on: June 07, 2012, 05:15:42 PM »
Well, I spoke too soon. I did reboot my XP system twice without getting the warning, but now I'm getting it back again. So apparently it's a matter of timing whether the warning occurs or not.

@DavidR: I've attached the Avast pop-up I just got, which is somewhat like your blue image, but not exactly.

@groze:  I'm pretty sure this problem has nothing to do with the infamous Sony rootkit. This software is much older than that.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #9 on: June 07, 2012, 05:29:45 PM »
and if you select open normal from the dropp down menu?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #10 on: June 07, 2012, 06:20:41 PM »
Well it isn't a false positive as such, it isn't being categorised as infected, as mentioned in my Reply #2 above.

In this case it is just its low prevalence which is low, this is a precaution as new malware would have a low prevalence

This is related to Sony Puppy Suite (http://systemexplorer.net/db/pstrayicon.exe.html) do you have that installed and did you install it ?

If you did install it then have it run normally, I would also suggest that you change the AutoSandbox mode to Ask not Auto, this will give you greater interactive control. If you are aware of the program having been installed by you and on your system for some time, then you can have it run normally and remember your answer for this program.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #11 on: June 07, 2012, 06:46:49 PM »
Confirmed here by the "unknown" status: http://systemexplorer.net/db/pstrayicon.exe.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #12 on: June 07, 2012, 08:06:49 PM »
Yes, there weren't very many hits when I searched for the file name other than the one I had already posted.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

BillRubin

  • Guest
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #13 on: June 07, 2012, 09:12:58 PM »
@DavidR: Thanks for your help. I think I've got things under control now. Yes, I had installed the Sony Puppy Suite a long time ago, as I'd mentioned in my original post. I've now switched AutoSandbox mode to Ask from Auto, as you suggest. I also added PsTrayIcon.exe to the (short) list of files that will be excluded from automatic sandboxing. After rebooting, I no longer get the Avast pop-up.

By the way, when you say "it isn't a false positive as such", I'm sure you're technically correct. All I know, as an unsophisticated Avast user,  is that I've had both PsTrayIcon.exe and Avast AV running on my system for years without Avast complaining about PsTrayIcon.exe. It was only in the last few weeks that Avast started displaying the unusual popup about PsTrayIcon.exe. I suppose maybe that's a recent "improvement" in Avast.

Well, I'm OK with this "improvement", now that I understand what to do about it.  Thanks again!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Probable false positive on Sony PsTrayIcon.exe
« Reply #14 on: June 07, 2012, 09:17:44 PM »
You're welcome.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security