I thought I would report a false positive I’ve started hitting this weekend with the last def update.
The file is iterasiFFscheduler.exe. I’m getting this on a variety of machines on different networks I maintain. I’ve uploaded the file to www.virustotal.com and also tested in a clean sandbox here just to verify that the file is actually clean. And as I work for Iterasi, I can trace all the way back to the source. =)
All show clean, including Avast, only GData shows a hit.
I’m currently using the 10/18/08 def file. Looks like VirusTotal is using a 10/15/08 def.
Results from VirusTotal:
File iterasiFFScheduler.exe received on 10.20.2008 17:00:39 (CET)
Result: 1/36 (2.78%)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.18.0 2008.10.20 -
AntiVir 7.9.0.5 2008.10.20 -
Authentium 5.1.0.4 2008.10.20 -
Avast 4.8.1248.0 2008.10.15 -
AVG 8.0.0.161 2008.10.20 -
BitDefender 7.2 2008.10.20 -
CAT-QuickHeal 9.50 2008.10.20 -
ClamAV 0.93.1 2008.10.20 -
DrWeb 4.44.0.09170 2008.10.20 -
eSafe 7.0.17.0 2008.10.19 -
eTrust-Vet 31.6.6159 2008.10.20 -
Ewido 4.0 2008.10.20 -
F-Prot 4.4.4.56 2008.10.20 -
F-Secure 8.0.14332.0 2008.10.20 -
Fortinet 3.113.0.0 2008.10.20 -
GData 19 2008.10.20 Win32:Zlob-CPC
Ikarus T3.1.1.44.0 2008.10.20 -
K7AntiVirus 7.10.500 2008.10.20 -
Kaspersky 7.0.0.125 2008.10.20 -
McAfee 5408 2008.10.17 -
Microsoft 1.4005 2008.10.20 -
NOD32 3538 2008.10.20 -
Norman 5.80.02 2008.10.17 -
Panda 9.0.0.4 2008.10.20 -
PCTools 4.4.2.0 2008.10.20 -
Prevx1 V2 2008.10.20 -
Rising 20.67.01.00 2008.10.20 -
SecureWeb-Gateway 6.7.6 2008.10.20 -
Sophos 4.34.0 2008.10.20 -
Sunbelt 3.1.1732.1 2008.10.18 -
Symantec 10 2008.10.20 -
TheHacker 6.3.1.0.119 2008.10.18 -
TrendMicro 8.700.0.1004 2008.10.20 -
VBA32 3.12.8.7 2008.10.19 -
ViRobot 2008.10.20.1428 2008.10.20 -
VirusBuster 4.5.11.0 2008.10.20 -
Additional information
File size: 81920 bytes
MD5...: 25120390da2ac835736ff4b969243005
SHA1..: b77a79f514cde00132c80f669f95994d59c8dc9c
SHA256: a704e145213f75737cd65b505a6350e7ff2e244c93616d95e7f0af0bc1db040b
SHA512: c7687f61e61d43eef5a2e5348500299c40f5137e383d76d62154bf8f0d7fefab5938ac46cb17e68eec32ab616185b6a2735f758c75e1aeb15948b95ae78156bf
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x404882
timedatestamp.....: 0x48c15f4e (Fri Sep 05 16:33:18 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name virt_addr virt_size raw_size entropy md5
.text 0x1000 0xc5e8 0xd000 6.47 1c5dce2396e8b0ee0c75ecdd6dd915f3
.rdata 0xe000 0x31b6 0x4000 4.41 efa3c8326e02122598a72abe6993b7fb
.data 0x12000 0x19e0 0x1000 2.52 3840ca7b92e7db4384ca661e7a90b141
.rsrc 0x14000 0xb0 0x1000 3.06 cec9b95146f57b35474dc9da6c445146
( 4 imports )
> PSAPI.DLL: GetModuleBaseNameW, EnumProcesses, EnumProcessModules
> KERNEL32.dll: CreateMutexW, OpenProcess, SetThreadExecutionState, CreateWaitableTimerW, OpenWaitableTimerW, GetLastError, CloseHandle, TerminateProcess, CreateProcessW, SetWaitableTimer, GetExitCodeProcess, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, LCMapStringW, MultiByteToWideChar, CompareStringA, CompareStringW, Sleep, TlsFree, GetFileAttributesW, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetSystemTimeAsFileTime, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoA, RaiseException, RtlUnwind, WideCharToMultiByte, GetTimeZoneInformation, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, SetEnvironmentVariableA, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LoadLibraryA, InitializeCriticalSection, LCMapStringA
> USER32.dll: SetTimer, KillTimer, GetMessageW, CreateWindowExW, wsprintfW, TranslateMessage, DispatchMessageW, RegisterClassW, DefWindowProcW
> ADVAPI32.dll: RegQueryValueExW, RegOpenKeyExW, RegSetValueExW, RegCloseKey
0 exports
Can you guys take a look? I don’t want all our iterasi users that have Avast to start freaking out. =)
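An added example, not part of the original post or of the Iterasi product: before concluding "false positive" from a report like the one above, a practitioner wants to confirm two things offline, that the binary actually on the affected machines has the same hashes as the sample VirusTotal scanned, and that the per-section entropy figures do not point at a packed or encrypted payload (compiled x86 code normally sits around 5 to 6.5 bits per byte, while packed or encrypted sections approach 8). The script below parses engine result lines in the same "Name Version LastUpdate Result" layout as the pasted report, compares a local file's digests against the report's hash block, and computes the same Shannon entropy VirusTotal shows in its section table. The report lines, the file bytes ("abc") and their expected digests are constructed here for illustration; they are not the real iterasiFFScheduler.exe sample.

```python
import hashlib
import math

# Constructed sample in the layout of a VirusTotal engine table (not the real report).
SAMPLE_REPORT = """\
Avast 4.8.1248.0 2008.10.15 -
GData 19 2008.10.20 Win32:Zlob-CPC
Prevx1 V2 2008.10.20 -
Symantec 10 2008.10.20 -
"""

# Constructed "local file" bytes and the digests a report would list for them.
SAMPLE_FILE = b"abc"
SAMPLE_HASHES = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "sha512": "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
              "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
}


def parse_engine_lines(text):
    """Parse 'Name Version LastUpdate Result' lines; '-' means no detection."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)          # result may contain spaces
        if len(parts) != 4:
            continue                         # skip blank or malformed lines
        name, version, updated, result = parts
        rows.append({
            "engine": name,
            "version": version,
            "updated": updated,
            "result": None if result.strip() == "-" else result.strip(),
        })
    return rows


def summarize(rows):
    """Return (hits, total, ratio_string) in VirusTotal's 'n/total (pct%)' style."""
    hits = [r for r in rows if r["result"]]
    total = len(rows)
    pct = 100.0 * len(hits) / total if total else 0.0
    return hits, total, "%d/%d (%.2f%%)" % (len(hits), total, pct)


def digests(data):
    """MD5/SHA1/SHA256/SHA512 of a byte string, matching VT's hash block."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def verify_hashes(data, reported):
    """True only if every reported digest matches the local bytes (case-insensitive)."""
    local = digests(data)
    return all(local[k] == v.lower() for k, v in reported.items())


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); what VT lists as section entropy."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage(report_text, file_bytes, reported_hashes, packed_threshold=7.0):
    """Combine the three checks into one verdict dict for a candidate false positive."""
    hits, total, ratio = summarize(parse_engine_lines(report_text))
    ent = shannon_entropy(file_bytes)
    return {
        "ratio": ratio,
        "detecting_engines": [h["engine"] for h in hits],
        "hashes_match": verify_hashes(file_bytes, reported_hashes),
        "entropy": round(ent, 2),
        "looks_packed": ent >= packed_threshold,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, SAMPLE_FILE, SAMPLE_HASHES))
```

For real use, read the suspect executable with `open(path, "rb").read()` and run `shannon_entropy` over each PE section's raw bytes rather than the whole file, since a single packed section is what the per-section table in the report is meant to expose; a whole-file figure can hide it behind low-entropy headers and data.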