False Positive with Sunthreat?

system · 2006-09-12T18:08:58.000Z

Hey all, I did a virus scan today and a total of three “viruses” where found… What’s interesting is that all of them have the name Sun Threat RegKey.sdb The name of the “Virus” is Win32:Delf-AOR [Trj] (for all the viruses)
There is three locations for this “Virus”
#1 C:\Program Files\Sunbelt Sofware\CounterSpy\Consumer
#2 C:\Documents and Settings\computer name\Local Settings\Temporary Internet Files\Content.IE5\UZQTC7MH\ThreatDB407[1].Zip
#3 C:\Documents and Settings\Computer name\Local Settings\Temporary Internet Files\Content.IE5\4DWDIHUL\ThreatDB405[1].Zip
Are these False Positives or is this real? Thanks in advance for all your help

DavidR · 2006-09-12T18:53:06.000Z

Well clear you temporary internet files to deal with these, it isn’t worth investigating temporary files.

The other for Sunbelt CounterSpy there isn’t a file name so no way of doing any google searches, etc. to try and identify the file, if it were to be a signature file of counterspy and it wasn’t encrypted then it could possibly be that. So if you can check the avast Log Viewer and supply the file name, that could help.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. You can’t do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.

system · 2006-09-12T21:48:46.000Z

ok so I used the VirusTotal - Multi engine on-line virus scanner correct me if I’m wrong but you upload the file and then the website runs the file through several virus scanners, correct? If so all the others checked out but the Avast anti virus. This leads me to believe that this is a False positive. Is this assumption correct? ???

P.S I also scanned the file with Jotti - Multi engine on-line virus scanner same thing came up the only scanner that detected this “virus” is Avast. “Malware infected” to quote what this particular website stated

DavidR · 2006-09-12T22:28:49.000Z

That is the idea, check against multiple scanners and if avast is the only one detecting it then it is likely it is a false positive detection.

Now you need to send the file/sample to avast so they can analyse it and correct the signature detecting it. Click on the Mini Sticky link to see how to send it to virus @ avast.com. You will also need to add it to the exclusions as I mentioned so you can continue to use the program without avast detecting it and do the periodic checks as previous post.

system · 2006-09-12T23:32:29.000Z

Oh and by the way this is after I reconfigured my computer. I simply installed my driver/Security Software and scanned that file (after updating) and it came up.
Note: This did not come up with the old version of Counterspy.

DavidR · 2006-09-13T13:45:52.000Z

I’ve never used CounterSpy so I can’t comment on the changes if they might have caused a problem, but I doubt it was the issue. Signatures are looking for common strings and it may be possible that the string is present but is not a trojan in this case. Unfortunately false positives are a fact of life, which is why you should ‘first do no harm’ don’t delete, send virus to the chest and investigate.

Yesterday I have 9 false positives in AdAware but I recognised them as such, today there is a correction of those false positives. This is why it is important to report and send samples of false positives so they can be corrected.

Announcements