OTL.exe being detected as false positive on multiple engines - Geeks to Go Forums


OTL.exe being detected as false positive on multiple engines

#1 SongCloud

  • Group: GeekU Freshman
  • Posts: 121
  • Joined: 26-March 09

Posted 03 May 2012 - 03:38 PM

Sorry, I did not know where else to post this. :confused:

I tried to download the newest copy of OTL today to use at work in scanning some client machines and found that I was unable to do so as our Symantec Enterprise was detecting it as malware. The false positive is showing up as Backdoor.Graybird. I downloaded it on my home machine remotely and did an online scan with VirusTotal. 6 of 42 scanners picked it up as some sort of malware. The manufacturers who are detecting it as a false positive are ClamAV (PUA.Packed.PECompact-1), Dr. Web (Trojan.Siggen3.61192), eSafe (Suspicious File), PCTools (Backdoor.Graybird!rem), Symantec (Backdoor.Graybird), and VirusBuster (Packed/PECompact). The MD5 of the file I got is fdf885ff476835b873d728abfe987d92 and it was downloaded directly from the main dist. source of http://oldtimer.geekstogo.com/OTL.exe.

Scan results can be seen here: https://www.virustot...sis/1336080118/

I will be alerting the anti-malware manufacturers as well so that the false positive detection can be removed.

Just wanted to make sure someone out there was alerted. :happy:

#2 RKinner

  • Group: Expert
  • Posts: 10,637
  • Joined: 19-April 05

Posted 03 May 2012 - 07:11 PM

I talked to Old Timer about it. He says it happens, often after an update to his program but sometimes when they update theirs. His suggestion is to get a better anti-virus. ;)

Ron

#3 sari

  • Group: Administrator
  • Posts: 18,142
  • Joined: 22-June 05

Posted 03 May 2012 - 08:09 PM

Unfortunately, it does happen. If you need any additional support in notifying the AV companies, please let us know. We've contacted them before about this; we can do it again.

#4 admin

  • Group: Administrator
  • Posts: 23,524
  • Joined: 21-May 03

Posted 03 May 2012 - 08:28 PM

Thanks for the report. I'll start contacting them about the false positives.

#5 admin

  • Group: Administrator
  • Posts: 23,524
  • Joined: 21-May 03

Posted 04 May 2012 - 07:35 AM

FYI...

Quote

We are writing in relation to your submission through Symantec's on-line Security Risk / False Positive Dispute Submission form for your software being detected by Symantec Software. In light of further investigation and analysis Symantec is happy to remove this detection from within its products.

The updated detection will be distributed in the next set of virus definitions, available daily, or weekly via LiveUpdate, depending on Symantec product version, or daily from our website at

http://securityrespo....download.html.


#6 SongCloud

  • Group: GeekU Freshman
  • Posts: 121
  • Joined: 26-March 09

Posted 16 July 2012 - 10:43 AM

Once again Symantec and others are detecting OTL. I've submitted a false positive report again. Just FYI for all involved. :)

#7 Dakeyras

  • Group: GeekU Moderator
  • Posts: 4,308
  • Joined: 12-January 08

Posted 17 July 2012 - 04:58 PM

SongCloud, on 16 July 2012 - 10:43 AM, said:

Once again Symantec and others are detecting OTL. I've submitted a false positive report again. Just FYI for all involved. :)

OK and thank you. :)

Unfortunately this does occur from time to time with various security vendors and likely in this instance it is merely a heuristic detection rather than a specific file executable detection.

Such may occur again with some of the security vendors a few months down the line, regardless of whether their respective detection databases are updated accordingly within the next week or so, for example.

--------------

For all others who may read this particular post/topic, anything hosted here in Geeks to Go is in turn safe to download...

#8 SongCloud

  • Group: GeekU Freshman
  • Posts: 121
  • Joined: 26-March 09

Posted 18 July 2012 - 06:14 PM

Quote

We are writing in relation to your submission through Symantec's on-line Security Risk / False Positive Dispute Submission form for your software being detected by Symantec Software. In light of further investigation and analysis Symantec is happy to remove this detection from within its products.

The updated detection will be distributed in the next set of virus definitions, available daily, or weekly via LiveUpdate, depending on Symantec product version, or daily from our website at

http://securityrespo....download.html.

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

Sincerely,

Symantec Security Response

http://securityresponse.symantec.com


Response from Symantec. Looks like they have once again removed it from the detection signatures. I've not yet received replies from the others that were detecting it, but my guess is that they will follow suit.

#9 Dakeyras

  • Group: GeekU Moderator
  • Posts: 4,308
  • Joined: 12-January 08

Posted 19 July 2012 - 11:48 AM

SongCloud...On behalf of Geeks to Go, thank you! :)

#10 admin

  • Group: Administrator
  • Posts: 23,524
  • Joined: 21-May 03

Posted 19 July 2012 - 12:10 PM

Thanks Songcloud. I received the same reply, but interestingly they are still detecting it (WS.Reputation.1). So, I actually went a step further and started the process to get it white-listed with Symantec.

Dr. Web sent an auto-reply to acknowledge the submission, but no follow up. eSafe didn't even acknowledge the submission.

Quote

Detection ratio: 3 / 42


#11 SongCloud

  • Group: GeekU Freshman
  • Posts: 121
  • Joined: 26-March 09

Posted 19 July 2012 - 08:19 PM

I saw the whitelist link as well, but I was not sure if it would help since OTL is updated on such a regular basis. Still, I guess it could not hurt to try.

IMHO, I have had more problems with Symantec detecting false positives and letting the obvious slip on through. Unfortunately the IT consulting company I work for pushes Symantec, so I am kept busy disinfecting machines. :rolleyes:

Dr. Web Cure It! used to be one of my go-to scanners to ensure the machine was clean after a fix, but it increasingly seems to miss more and more these days as well as having more false positives. Not to mention that the download from their FTP servers can take forever.

Surprisingly, Microsoft's on-demand scanner (Microsoft Safety Scanner) has had detection results equaling and sometimes better than MalwareBytes. I know that no scanner is perfect, but these 2 seem to be the current frontrunners for on-demand as far as I can tell. Of course, while they are running, I am reading through the OTL logs. :geek:

Sorry to get off topic there, but I thought I'd share my thoughts. :)

BTW, the latest VirusTotal scan has it down to just Dr. Web and eSafe. Symantec is only detecting via its Reputation engine as Suspicious.Insight.

#12 admin

  • Group: Administrator
  • Posts: 23,524
  • Joined: 21-May 03

Posted 19 July 2012 - 08:43 PM

Ever considered GeekU?

#13 SongCloud

  • Group: GeekU Freshman
  • Posts: 121
  • Joined: 26-March 09

Posted 19 July 2012 - 09:04 PM

Yep. Enrolled in it and got through PL5, then life got in the way. Marriage and a baby later and I am thinking about re-enrolling. I just want to make sure that I have the time to devote to it before I enroll again. I'd hate to start it and have to stop again, yet I love the challenge of helping others get rid of the nasties. If things go well, we may have another person joining the team at work which should allow my schedule to lighten up. If that happens, then I'm definitely going to try to get back in. :thumbsup:

#14 admin

  • Group: Administrator
  • Posts: 23,524
  • Joined: 21-May 03

Posted 19 July 2012 - 10:58 PM

Sorry, I should have checked your history. :blush:

#15 SongCloud

  • Group: GeekU Freshman
  • Posts: 121
  • Joined: 26-March 09

Posted 20 July 2012 - 06:31 AM

No problems. I'm just flattered that someone else would think that I could be an asset! :)
