FP - Flash_Disinfector

[Guest]

[SiberLynx]

Hi Guys,

BOClean 4.26 stoppes Flash_Disinfector.exe downloaded from
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
I tried "bleeping" too... both reliable sources. Sure I checked with
http://virusscan.jotti.org/
http://www.virustotal.com/
http://virscan.org/index.php
In average 5 detection each (mainly the same scanners). Probably it is redundant to post who and what detected. File is packed & stuff... and I am sure it is FP...
Well do we ever know for sure 
My Q is:
How it is handled here when I send for analysis. I got the address for submission in one of the posts by Rednose
 
Should the sender expect the reply? And how it is usually advised if FP confirmed?
Would it be necessary to keep the file in Exclusion List or there will be DB Update?

Thanks in advance
My regards

[Eric Cryptid]

Hi SiberLynx,
   If you send the file itself (In a Password Protected Zip File) including the password for the zip file that should be all that's needed.

   I have read somewhere about getting replies back but can't seem to find it at the moment. You should get some sort of a response from the team and/or post the file information here. Also, check again with Virus Total in a couple of days, sometimes it takes them a few to get new virus information on there.

You can post your BoClean Log on here as well.

As long as you're sure it's not a virus leave it in the exceptions list for the time being and give the team a few to check that it's a false positive and there'll be a subsequent signature update.

Eric

[SiberLynx]

Hi Eric,
Thanks for quick reply.
I did RAR. I hope that wouldn’t be a problem. If it is I’ll ZIP.
About being sure “it’s not a...” we all know that we never know... but sure- most likely Not 
Funny thing is that I never had FP from BOClean and I never used the said prog before. Since lately I was doing some testing with those external devices - Flash cards/Sticks/USB drives I decided to try the thing. Those devices I have are clean. I am sure!  At the same time the prog is used not for cleaning from viruses only but as a preventing measure.
And here we go - first attempt and first FP from BOC and - against the prog which fights viruses. What else? Entertaining! 
Cheers 

[Eric Cryptid]

It is actually particularly rare for BoClean to have any false positives as the malware signatures are studied carefully though there have been only a couple of FPs that I've seen this year and they were very quickly resolved with a signature update very soon after.

I know first impressions count etc but would like to see your BoClean Log on here so the rest of us can also lookup what FPs your getting.

Eric

[SiberLynx]

It is actually particularly rare for BoClean to have any false positives
I know first impressions count etc but would like to see your BoClean Log on here so the rest of us can also lookup what FPs your getting.

Hi Eric,

I totally agree with you about excellent rating of “practically no FPs” produced by BOC.
Hope my message was accepted correctly. It was not “bad first impression”. I do have “good old impression” about this Software and I feel very confident with BOC, I was just joking a bit 
More serious matter: got e-mail rejection. Probably address I found here was changed
I used malwaresubmit [ at ] avlab.comodo.com
Only _[at]_ was respectively changed and I'm never typing I’m copying/pasting 

Secondly, the report.
When the message about stopping trojan was displayed I just rejected the deletion of the file. But now when I use Examine report BOC only asks whether I want to create log, which means I don’t see what was created at the time of detection.
There are 2 files in
C:\Documents and Settings\All Users\Application Data\boc426\
boc426.XVU and empty boc426.txt.

I would appreciate few tips regarding report creation and e-address.

Best wishes 

[Eric Cryptid]

BoClean should have created a log when the file was detected but since you opted to ignore the file then that's probably why a log wasn't created. You can just click on Examine Report, Click No to Delete Contents and then click Yes to create file. It seems that BoClean only creates a log entry if the file detected is removed.

I'll ask the guys for the latest virus submit email address.

Eric

[SiberLynx]

BoClean should have created a log when the file was detected but since you opted to ignore the file then that's probably why a log wasn't created. You can just click on Examine Report, Click No to Delete Contents and then click Yes to create file. It seems that BoClean only creates a log entry if the file detected is removed.

I'll ask the guys for the latest virus submit email address.

Eric,
Thanks for reply.
Yes, regarding "highlighted blue". I think that 's what happening...
and it shouldn't be like that. The report has to be created anyway.
As for "highlighted brown" to be strict it is rather "ignore to delete" because you cannot ignore BOClean unless you shut it down - in this case the user would be called ignorant .
I'll wait for submit address. Cheers

[Eric Cryptid]

According to Melih,
   The correct email address is:   malwaresubmit[ at ]comodo.com

[SiberLynx]

According to Melih,
   The correct email address is:   malwaresubmit[ at ]comodo.com

Thank you Eric & Melih,
Yep, it's different address. File resent. At least no immediate rejection.
Cheers

[Eric Cryptid]

Great News... Let us know if we can do anything else to help. Fingers crossed they'll make the signature change in an update in the not too distant future.

Eric

[SiberLynx]

Great News... Let us know if we can do anything else to help. Fingers crossed they'll make the signature change in an update in the not too distant future.

Hi Eric,
I may report "half-great" news back.
I received a reply. Signatures were changed because Desinfector by itself was not flagged...
but... there was another detection. I sent a description of what was happening and an image to the above address for investigation.
Brief: prog. dynamically creates exe in Temp, that exe was flagged.
If you think that it will be helpful for others to post a bit more details here including image, please let me know.
My regards

[Kevin McAleavey]

Hi Eric,
I may report "half-great" news back.
I received a reply. Signatures were changed because Desinfector by itself was not flagged...
but... there was another detection. I sent a description of what was happening and an image to the above address for investigation.
Brief: prog. dynamically creates exe in Temp, that exe was flagged.
If you think that it will be helpful for others to post a bit more details here including image, please let me know.
My regards

Sorry to say, NIRCMD *is* perhaps THE most popular "pseudo-rootkit" installer known.   

It doesn't present *any* indication of what it's running, what it's doing and is extremely popular as a "hidden rootkit installer." Sorry to say, I've weighed in on this as being a VALID malware detect since removing it from BOClean detection would be a serious security breach. Unfortunately, the authors of that utility were unable or unwilling to write their own code as useful as it might seem. All I can tell you is that if you really want to run software of that level of dubiousness, you *can* open up the BOClean menu traybar and let it sit and that will cause BOClean to ignore it while the popu menu is visible if you *really* want to run that. I'd recommend not myself.

 Also noted was that the COMODO firewall also fired off on its "dubious registry mucking" as well ... that's two strikes right there from two separate proggies that tried to stop ya there. 

 Code written by professionals doesn't require the use of known malware to function.

---

Edit: clarified removing it from BOClean in "security breach" comment. "Nirsoft" wrote trojans before they wanted to get paid ... ancient history, but still highly popular to hide installs and Nirsoft never did anything to FORCE its "visibility" ... there's the problem.

[SiberLynx]

Sorry to say, NIRCMD *is* perhaps THE most popular "pseudo-rootkit" installer known.    ...
...removing it from BOClean detection would be a serious security breach.
... I'd recommend not myself...
...Also noted was that the COMODO firewall also fired off on its "dubious registry mucking" as well ... that's two strikes right there from two separate proggies that tried to stop ya there. 
---
Edit: clarified removing it from BOClean in "security breach" comment. "Nirsoft" wrote trojans before they wanted to get paid ... ancient history, but still highly popular to hide installs and Nirsoft never did anything to FORCE its "visibility" ... there's the problem.

Hi Kevin,
Thank you for spending time and explaining the matter.
I do understand your position.
I know than many are using Flash_Disinfector, which is often advised in many security related Forums.
When you said that "you wouldn't" does it mean that "Nir-proggie" would leave traces after finishing?

Well we leave in peace with Daemon’s sptd-“rootkit” aren’t we? 

And, Yes, I noticed CFP alerts as you see from images I sent. Who ever had any doubts about Comodo?
My best wishes 

P.S.
I am using a lot of Nirsoft’s SW for a long time. It looks like they stopped with trojans development 

[Kevin McAleavey]

Hi Kevin,
Thank you for spending time and explaining the matter.
I do understand your position.
I know than many are using Flash_Disinfector, which is often advised in many security related Forums.
When you said that "you wouldn't" does it mean that "Nir-proggie" would leave traces after finishing?

Well we leave in peace with Daemon’s sptd-“rootkit” aren’t we? 

And, Yes, I noticed CFP alerts as you see from images I sent. Who ever had any doubts about Comodo?
My best wishes 

P.S.
I am using a lot of Nirsoft’s SW for a long time. It looks like they stopped with trojans development 

 Hiya, and sorry for the wait ... been REAL busy lately tracking down all sorts of UFO sitings, acne and sunspots and a couple of them are actually MY fault!

SPTD rootkit ... I remember the original - if for some insane reason, it's not already covered, I went and googled and hit the usual suspects and came up dry ... if you HAVE a copy of it, it'd be really helpful if you could submit it to our lab guys so we have it ... I remember it being an antique as well as having BEEN covered when I did BOClean lab work in addition to all else ...

As to NIRSOFT ... lemme try this one more time, but this time, from a philosphical angle. Sad fact is that back in the BBS days, and even "early shareware period" of archaeology, you had bored glass room geeks who ran VAX and VMS who were bored out of their teat who went home, played with Billyware in their spare time, and issued out FREEWARE for the fun of it. You had professional programmers who put out some truly neat stuff which they wrote all by themselves, line by line in TurboBasic, TurboPascal or C just for the jollies of actually FINISHING a project and getting it out. Each and every line of code was manually written, original, and unique. Such was born "NSClean" back in 1995 after more than a decade of writing all sorts of stuff as a hobby and just giving it away - joyous in the number of downloads though nobody "registered" any of it and sent me ten bucks as a "donation." Nancy looked at the original NSClean and declared, "people will be willing to PAY for something like this!" ... eventually resulted in BOClean which was also once a "freebie" until after there were more than 20 trojans and more coming each week.   

 Point being, that back in MY time ... people wrote their OWN code. They also wrote perl scripts with proper exclusions of unallowed characters and phrases, blocked scripting on their inputs to prevent exploits, wrote filters that not only eliminated white spaces, but anything unintended and also wrote batch files in plain text. Whatever they wrote, it ALWAYS brought up a console window if not a whole elaborate GUI whenever anything happened. If all else failed, there'd at least be TTY output on the screen or to paper.

 They didn't use "utilities" they didn't write themselves, but were part of the OS with visible and expected outcomes they could see, and audit but it just wasn't "l33t" back then to use libraries from others, untrusted additions to OS's nor writing stuff in BASIC. That was a sure sign of someone who needed to have their butt kicked OUT of the glass room and sent out to install and replace parts on "desktops" ... they didn't HAVE a key card to get into the glass fortress - we'd send them EMAIL. 

 Philosophically, this is how BOClean works ... numerous infections are the result of "libraries" with "dual use" in the military connotation ... things like VNC, MIRC, NIRSOFT and many others who have been found to be COMMONLY used by the "no-goodniks" ... BOClean was NEVER originally intended to be a "consumer program" ... that's why so much of what it does is so "minimalist" and "behind the scenes" as to how it normally works, leaving little footprint, default for things to be hidden, and insanely SPARSE "activity reports" ... BOClean was always aimed at admins, keepers of the glass ornament, and those who wanted something that they could just PUSH out to desktops, remain hidden and silently "biff the bad guys." AND with the ability to exclude (rare when we first did it) ...

 Any ADMIN who chose to push out VNC, MIRC and other "utilities" not written "in house" wanted us to crush the hijackings by "legitimate software" and if they chose to push out a COMMON "configuration file" and "exclude database" then they could, if they actually WANTED any of those running on their desktops. Otherwise, they saw these utilities as a serious breach of security. That's how BOClean was designed - "set it and forget it" - and anything which could "sneak in" was to be "trip-wired." That's how BOClean works.

 Now for programmers of "l33t utilities" ... I'll offer THIS also as part of the "don't infect me" reality of BOClean's design. If you want to allow people to script rather than code and offer software, then simply CHECK to see if the window or console of YOUR program is VISIBLE! And ***if*** that window is ***not*** visible, then DO NOT execute the instruction! Throw up a MessageBox() or some *other* sign that something funny's going on there, and voila! I'll make sure BOClean will ignore it ... so LONG as the person at the screen gets SOME indication that something's going on!

 Absent that, ANY installer or "root" type thingy which can be hidden and NOT alert that it's hidden is FAIR GAME for BOClean to detect. If you REALLY want to run it anyway, then go ahead and EXCLUDE it ... but be governed accordingly. To take the point to extreme, if you're in MY face with a chunk of plutonium, even if all you want to do is boil water with it, I *AM* going to drop dime. And so goes BOClean.

 Sorry for any misunderstandings anywhere ... this has been a RULE of BOClean since 1998.

[SiberLynx]

Hi Kevin,

Sorry for the delayed reply. Honestly I wasn’t expecting more responses to the issue.
I do appreciate your detailed explanation and even a history tour in addition.

As to NIRSOFT ... lemme try this one more time, but this time, from a philosphical angle....
... Sorry for any misunderstandings anywhere ... this has been a RULE of BOClean since 1998.

1) NIRCMD.EXE
As I said before here, and in another thread - my opinion and as I found the opinion of some great (believe me) specialist/developers in Malware Removal area – the said flagged exe should not be considered as a threat. At the same time you have rights to leave it "as is". Well let's say we have “Riskware” detections. Some SysInternal Tools are good example from hundreds possible. Since we can ignore/Exclude - we are fine.

SPTD rootkit ... I remember the original - if for some insane reason, it's not already covered, I went and googled and hit the usual suspects and came up dry ... if you HAVE a copy of it, it'd be really helpful if you could submit it to our lab guys so we have it ... I remember it being an antique as well as having BEEN covered when I did BOClean lab work in addition to all else ...

2) SPTD.SYS.
First – please don’t flag that one  That will probably lead to removal of BOClean from millions of computers. That was half-joke... really just half...

Sending sptd.sys to you is not a problem. It is sitting in system32 here for ages being upgraded to the newest versions as soon as those available.
File by itself is not interesting thing. More interesting is how it’s installed.
And for finding that it is just a matter of getting free Daemon Tools Lite and watch it during installation procedure using all powerful tools you are equipped with.
Most of anti-rootkit utilities I ran just ignore it.
Mark’s Rootkit Revealer shows it and one or both Chinese ones Ice Sword and/or Darkspy (I did not run those for a while – that's why “or” was used).

Thank you again for your time

My regards

[Tags:]