Author Topic: Major False Positive from latest update of Boclean  (Read 3138 times)
atomas31
« on: January 21, 2008, 01:49:32 PM »

Hi,

The latest update detects shadowprotectsvc.exe from Shadow Protect as a trojan Angry

This is for sure a false positive, so please rectify this situation as soon as possible...

Thanks,
Atomas31

Arkangyal
« Reply #1 on: January 21, 2008, 03:04:31 PM »

Hello atomas31,

Is this part of the software from StorageCraft? If this is a real false positive, please, use the Excluder (drop the file into the Excluder).

Ark

32bit XP Pro Hun SP3 NTFS, .NET 2.0, VB6SP6, Dx9c (Y08); Asrock mb., Intel 2,66GHz, Ati 1600 xt Pro 512MB, 2GB 400MHz DDR,  1280x1024[ at ]75Hz 32bit, realtek (built-in), belkin router (wi-fi). MSI Mega book, 64bit Vista Hun, 1gb ram, wifi (g)
atomas31
« Reply #2 on: January 21, 2008, 03:17:10 PM »

Yes, it is from StorageCraft!
Why should I place it in the excluder when it is clearly a false positive? Shouldn't it be up to Comodo staff to rectify this false positive? For now, Boclean is shut down...

G1111
« Reply #3 on: January 21, 2008, 03:56:46 PM »

There is another false positive with today's update. It is reporting RegDefend/Ghost Security Suite gss.exe as a trojan and shuts it down. Just scanned it with KAV (latest) and A-squared. It is clean.

atomas31
« Reply #4 on: January 21, 2008, 04:04:04 PM »

Well, lucky for me that I don't use my Ghost Security Suite in realtime anymore or else I would be very pissed off with this latest update... Just wondering what's going on at Comodo since Boclean never had so many false positives before it got bought by Comodo???

mozart
« Reply #5 on: January 21, 2008, 04:27:15 PM »

I have the same alert re GSS.exe and suspected this too as a FP.
What should I do now?
BoClean offers me the option to remove the file too. Obviously I don't want to do that, thinking it is a FP. Does that mean that BoClean has only shut down GSS or has anything already been deleted? A second PC has a different alert saying that the trojan has system lock and cannot be shut down or something similar and I should immediately shut down my PC. Again, what should I do?

 

Arkangyal
« Reply #6 on: January 21, 2008, 04:55:15 PM »

Finding new ways to track down new threats may carry some risks. Usually, the possibility of identifying a normal program as malware is very, very low, but it can happen. It has happened with all virus vendors so far. An easy example:
- You write a program which will connect to the Internet.
- The bad guy does the same, and the code is almost the same.
When you create a signature to identify the malware, there's a tiny risk that your signature will only come from the part which establishes the connection, so both programs will be identified.

Thank you for your understanding. I guess the staff will release a new update for this problem as soon as possible, after they've investigated the corresponding file. Please submit the files to let the staff analyze them:

You can email them to: malwaresubmit [ at ] avlab.comodo.com .
You may want to specify in the subject line "False Positive?" for clarity's sake.
As usual, zip and password protect with "infected" including that information in the body.



While there's no new update, please, use the excluder utility which is a great temporary fix for this problem.

Ark
« Last Edit: January 21, 2008, 05:06:21 PM by Arkangyal »

32bit XP Pro Hun SP3 NTFS, .NET 2.0, VB6SP6, Dx9c (Y08); Asrock mb., Intel 2,66GHz, Ati 1600 xt Pro 512MB, 2GB 400MHz DDR,  1280x1024[ at ]75Hz 32bit, realtek (built-in), belkin router (wi-fi). MSI Mega book, 64bit Vista Hun, 1gb ram, wifi (g)
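
The shared-code false positive described in Reply #6, as an added example that is not part of the original thread and is not Comodo's code: a signature cut from a connection routine that clean programs also contain flags all of them, while a candidate checked against a known-clean corpus before release flags only the sample. All byte strings, file names and function names are constructed for illustration.

```python
# Added illustration: all byte strings are constructed stand-ins, not real binaries.
SHARED_NET = b"\x55\x8b\xec" + b"socket;connect;send;recv" + b"\xc9\xc3"

# Hypothetical known-clean corpus: two legitimate programs that also connect out.
CLEAN = {
    "backup_service.bin": b"read-volume;write-image;" + SHARED_NET + b"report-status;",
    "registry_guard.bin": b"watch-keys;" + SHARED_NET + b"fetch-rule-update;",
}
# Hypothetical malicious sample built around the same connection routine.
SAMPLE = SHARED_NET + b"hide-process;log-keys;upload;"


def false_positives(signature: bytes, corpus: dict) -> list:
    """Names of known-clean files that the signature would flag."""
    return sorted(name for name, image in corpus.items() if signature in image)


def pick_signature(sample: bytes, corpus: dict, size: int = 16):
    """First size-byte window of the sample that occurs in no clean file."""
    for offset in range(len(sample) - size + 1):
        window = sample[offset:offset + size]
        if not false_positives(window, corpus):
            return window
    return None  # sample is indistinguishable from the corpus at this size


# Signature cut from the connection routine: flags the sample and both clean files.
naive = SHARED_NET[:16]
# Signature checked against the clean corpus before release: flags the sample only.
checked = pick_signature(SAMPLE, CLEAN)

if __name__ == "__main__":
    print("naive  :", false_positives(naive, CLEAN))
    print("checked:", false_positives(checked, CLEAN))
```

The check is only as good as the clean corpus: a program missing from it can still be flagged after release, which is when an exclusion list and a false-positive submission channel come into play.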
Rednose
« Reply #7 on: January 21, 2008, 05:13:14 PM »

Atomas31, maybe you should ask also what is going on with Kaspersky, NOD32, AntiVir etc. etc. because last year they all had false positives. If you had taken the effort to read the FAQ you would have known what to do m8 Wink

Greetz, Red.

XP 32x SP3  CFP 2.4  SSM 2.0 Free  Avast! 4.8 Home  CBOClean 4.27  CMF 2.0  SAS 4.15 Free  MBAM 1.24
fphall
« Reply #8 on: January 21, 2008, 06:04:20 PM »

The difference is that in the old days with Kev and Nancy it would have been fixed in about an hour.  :-(
(If it ever occurred in the first place.)

atomas31
« Reply #9 on: January 21, 2008, 08:03:16 PM »

Quote from: Rednose
> Atomas31, maybe you should ask also what is going on with Kaspersky, NOD32, AntiVir etc. etc. because last year they all had false positives. If you had taken the effort to read the FAQ you would have known what to do m8 Wink
>
> Greetz, Red.

Hi Rednose,

I don't know what you are talking about since I have had NOD32 for more than 2 years and I don't recall any false positive last year or at least, none that might screw my backup utilities... For your information, Boclean never had so many false positives since its acquisition by Comodo. Also, sorry for not reading the FAQ because I am a little lost with all the forums and subforums... Also, I am an old user of Boclean and I was used to dealing with Kevin. Like fphall said, before Comodo bought Boclean the support was a lot better and certainly a lot faster.

Best regards,
Atomas31

Rednose
« Reply #10 on: January 21, 2008, 08:50:38 PM »

Hi Atomas31 Smiley

If you don't believe me Roll Eyes Here is an example where an update of NOD32 destroyed the Telebanking software of one of the biggest Dutch banks last year:

http://www.security.nl/article/16333/1/Foute_update_NOD32_sloopt_Rabobank_software_*update*.html

I am sorry it is in Dutch, but I am sure you know how to translate it  Wink

Greetz, Red.
« Last Edit: January 21, 2008, 09:00:00 PM by Rednose »

XP 32x SP3  CFP 2.4  SSM 2.0 Free  Avast! 4.8 Home  CBOClean 4.27  CMF 2.0  SAS 4.15 Free  MBAM 1.24
mozart
« Reply #11 on: January 22, 2008, 01:19:53 AM »

Coming back to the original point about the FP - I submitted my file (GSS.exe) and just received a confirmation that this indeed was a FP now fixed in the latest update.
I can't say anything re Shadowprotect though.

atomas31
« Reply #12 on: January 22, 2008, 10:15:40 AM »

Quote from: mozart
> Coming back to the original point about the FP - I submitted my file (GSS.exe) and just received a confirmation that this indeed was a FP now fixed in the latest update.
> I can't say anything re Shadowprotect though.

Hi,

I submitted my file (shadowprotectsvc.exe) and like you I received a confirmation that this false positive was fixed in the latest update. So, I downloaded the last update but the false positive is still there except that now it is called Bkdr-Bifrose? Huh No congratulations there!

Man, do I miss Kevin and Nancy  Cry

Best regards,
Atomas31

atomas31
« Reply #13 on: January 22, 2008, 10:22:26 AM »

Quote from: Rednose
> Hi Atomas31 Smiley
>
> If you don't believe me Roll Eyes Here is an example where an update of NOD32 destroyed the Telebanking software of one of the biggest Dutch banks last year:
>
> http://www.security.nl/article/16333/1/Foute_update_NOD32_sloopt_Rabobank_software_*update*.html
>
> I am sorry it is in Dutch, but I am sure you know how to translate it  Wink
>
> Greetz, Red.

Hi Rednose,

Well, that's a pity! But I was talking more about home users and not their commercial customers...

I also know (and expect) security software to sometimes have false positives, but then it depends on what is targeted as a nasty and how long it takes for the company to rectify the situation. In this case, it could have screwed my backup utilities (and a security software making you vulnerable to nasties). I have to add that, as mentioned before, I received an email confirmation that the F/P was rectified and it is not. Let's just say that it is kind of upsetting when you were used to excellent support before, when Boclean still belonged to Kevin and Nancy (in less than one hour this problem would have been solved, now who knows!)...

Best regards,
Atomas31

redwolfe_98
« Reply #14 on: January 22, 2008, 11:52:33 AM »

the "gss.exe" false-positive was fixed with the update, last nite,  but it is back, now, with the latest new update, dated 2008-1-22 14:04:58 UTC.. i sent an email to comodo, notifying them about the false-positive..

i added the "gss.exe" file to BOClean's "excluder" so BOC is not flagging the file, now..

update: well, that was f-a-s-t! after i finished posting, i ran the updater again and there was a new update, dated 2008-1-22 16:37:34 UTC, which fixed the false-positive!

thanks, Comodo! Smiley

you know, maybe the reason we saw the false-positive is because comodo is on the cutting-edge with the malware-definitions..

i have a feeling that kevin mcaleavey is working on them, lately, which is a GOOD thing, if he is..
« Last Edit: January 22, 2008, 12:10:30 PM by redwolfe_98 »

Win XP SP2, Kerio 2.15; Antivir Premium; a2 antimalware, BOClean, System Safety Monitor