Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

OTL.exe being detected as false positive on multiple engines


  • Please log in to reply

#1
SongCloud

SongCloud

    Member

  • Member
  • PipPipPip
  • 121 posts
Sorry, I did not know where else to post this. :confused:

I tried to download the newest copy of OTL today to use at work in scanning some client machines and found that I was unable to do so as our Symantec Enterprise was detecting it as malware. The false positive is showing up as Backdoor.Graybird. I downloaded it on my home machine remotely and did an online scan with VirusTotal. 6 of 42 scanners picked it up as some sort of malware. The manufacturers who are detecting it as a false positive are ClamAV (PUA.Packed.PECompact-1), Dr. Web (Trojan.Siggen3.61192), eSafe (Suspicious File), PCTools (Backdoor.Graybird!rem), Symantec (Backdoor.Graybird), and VirusBlaster (Packed/PECompact). The MD5 of the file I got is fdf885ff476835b873d728abfe987d92 and it was downloaded directly from the main dist. source of http://oldtimer.geekstogo.com/OTL.exe.

Scan results can be seen here: https://www.virustot...sis/1336080118/

I will be alerting the anti-malware manufacturers as well so that the false positive detection can be removed.

Just wanted to make sure someone out there was alerted. :happy:

Edited by SongCloud, 03 May 2012 - 03:40 PM.

  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 17,339 posts
  • MVP
I talked to Old Timer about it. He says it happens, often after an update to his program but sometimes when they update theirs. His suggestion is to get a better anti-virus. ;)

Ron
  • 0

#3
sari

sari

    GeekU Admin

  • Administrator
  • 20,959 posts
  • MVP
Unfortunately, it does happen. If you need any additional support in notifying the AV companies, please let us know. We've contacted themm before about this, we can do it again.
  • 0

#4
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Thanks for the report. I'll start contacting them about the false positives.
  • 0

#5
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
FYI...

We are writing in relation to your submission through Symantec's on-line Security Risk / False Positive Dispute Submission form for your software being detected by Symantec Software. In light of further investigation and analysis Symantec is happy to remove this detection from within its products.

The updated detection will be distributed in the next set of virus definitions, available daily, or weekly via LiveUpdate, depending on Symantec product version, or daily from our website at

http://securityrespo....download.html.


  • 0

#6
SongCloud

SongCloud

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 121 posts
Once again Symantec and others are detecting OTL. I've submitted a false positive report again. Just FYI for all involved. :)
  • 0

#7
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,613 posts

Once again Symantec and others are detecting OTL. I've submitted a false positive report again. Just FYI for all involved. :)

OK and thank you. :)

Unfortunately this does occur from time to time with various security vendors and likely in this instance it is merely a heuristic detection rather than a specific file executable detection.

Such may occur again with some of the security vendors a few months down the line, regardless if their respective detection databases are updated accordingly within the next week or so for example.

--------------

For all other's who may read this particular post/topic, anything hosted here in Geeks to Go is in turn safe to download...
  • 0

#8
SongCloud

SongCloud

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 121 posts

We are writing in relation to your submission through Symantec's on-line Security Risk / False Positive Dispute Submission form for your software being detected by Symantec Software. In light of further investigation and analysis Symantec is happy to remove this detection from within its products.

The updated detection will be distributed in the next set of virus definitions, available daily, or weekly via LiveUpdate, depending on Symantec product version, or daily from our website at

http://securityrespo....download.html.

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

Sincerely,

Symantec Security Response

http://securityresponse.symantec.com


Response from Symantec. Looks like they have once again removed it from the detection signatures. I've not yet recieved replied from the others that were detecting it, but my guess is that they will follow suit.
  • 0

#9
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,613 posts
SongCloud...On behalf of Geeks to Go, thank you! :)
  • 0

#10
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Thanks Songcloud. I received the same reply, but interestingly they are still detecting it (WS.Reputation.1). So, I actually went a step further and started the process to get it white-listed with Symantec.

Dr. Web sent an auto-reply to acknowledge the submission, but no follow up. eSafe didn't even acknowledge the submission.

Detection ratio: 3 / 42


  • 0

#11
SongCloud

SongCloud

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 121 posts
I saw the whitelist link as well, but I was not sure if it would help since OTL is updated on such a regular basis. Still, I guess it could not hurt to try.

IMHO, I have had more problems with Symantec detecting false positives and letting the obvious slip on through. Unfortunately the IT consulting company I work for pushes Symantec, so I am kept busy disinfecting machines. :rolleyes:

Dr. Web Cure It! used to be one of my go-to scanners to ensure the machine was clean after a fix, but it increasingly seems to miss more and more these days as well as having more false positives. Not to mention that the download from their FTP servers can take forever.

Surprisingly, Microsoft's on-demand scanner (Microsoft Safety Scanner) has had detection results equaling and sometimes better than MalwareBytes. I know that no scanner is perfect, but these 2 seem to be the current frontrunners for on-demand as far as I can tell. Of course, while they are running, I am reading through the OTL logs. :geek:

Sorry to get off topic there, but I thought I'd share my thoughts. :)

BTW, latest Virustotal scan has it down to just Dr. Web and eSafe. Symantec is only detecting via it's Reputation engine as Suspicious.Insight.
  • 0

#12
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Ever considered GeekU?
  • 0

#13
SongCloud

SongCloud

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 121 posts
Yep. Enrolled in it and got through PL5, then life got in the way. Marriage and a baby later and I am thinking about re-enrolling. I just want to make sure that I have the time to devote to it before I enroll again. I'd hate to start it and have to stop again, yet I love the challenge of helping others get rid of the nasties. If things go well, we may have another person joining the team at work which should allow my schedule to lighten up. If that happens, then I'm definitely going to try to get back in. :thumbsup:
  • 0

#14
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Sorry, I should have checked your history. :blush:
  • 0

#15
SongCloud

SongCloud

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 121 posts
No problems. I'm just flattered that someone else would think that I could be an asset! :)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP