Author Topic: Heuristic reports false positives  (Read 26102 times)

Offline BigMike

  • Product Translator
  • Comodo's Hero
  • Posts: 373
Heuristic reports false positives
« on: February 14, 2009, 04:47:08 AM »
Hi, I updated yesterday to version 3.8 and the first thing I had to do was to disable the heuristics in the real-time scanner :(
I did a full scan with heuristics enabled and these are the reported programs, which are hopefully not dangerous:

AIMP ( http://www.aimp.ru/index.php?do=lang-en )
Code:
Heur.Packed.Unknown ...\AIMP\AIMP2t.exe
Heur.Packed.Unknown ...\AIMP\bass.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bassmidi.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\aimp_library.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bass_alac.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bass_flac.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bass_ofr.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bass_tta.dll
Heur.Packed.Unknown ...\AIMP\System\aimp_shell.dll
Heur.Packed.Unknown ...\AIMP\System\bass_enc.dll

SUPER ( http://www.erightsoft.net/SUPER.html )
Code:
Heur.Suspicious.Attribs ...\SUPER Konverter\cygwin1.dll
Heur.Suspicious.Attribs ...\SUPER Konverter\cygz.dll
Heur.Pck.tElock ...\SUPER Konverter\ff2ogg.exe
Heur.Pck.tElock ...\SUPER Konverter\mencoder\mencoder.exe
Heur.Pck.tElock ...\SUPER Konverter\mencoder\mplayer.exe
Heur.Suspicious.Attribs ...\SUPER Konverter\Setup.exe
Heur.Suspicious.Attribs ...\SUPER Konverter\spk\Movawin.spk
Heur.Suspicious.Attribs ...\SUPER Konverter\spk\Rm7dmod.spk
Heur.Suspicious.Attribs ...\SUPER Konverter\spk\Smabwin.spk
Heur.Suspicious.Attribs ...\SUPER Konverter\spk\Rm8dmod.spk
Heur.Pck.tElock ...\SUPER Konverter\SUPER.exe
Heur.Pck.UPX-Scrambler ...\SUPER Konverter\x264.exe
Heur.Suspicious.Attribs ...\SUPER Konverter\_Setup.dll
Heur.Suspicious.Attribs C:\WIN\meta4.exe
Heur.Packed.Unknown C:\WIN\MOTA113.exe
Heur.Suspicious.Attribs C:\WIN\system32\aac_parser.ax
Heur.Suspicious.Attribs C:\WIN\system32\ac3DX.ax
Heur.Suspicious.Attribs C:\WIN\system32\AVCDX.ax
Heur.Suspicious.Attribs C:\WIN\system32\AVSredirect.dll
Heur.Suspicious.Attribs C:\WIN\system32\CoreAAC.ax
Heur.Suspicious.Attribs C:\WIN\system32\cygwin1.dll
Heur.Suspicious.Attribs C:\WIN\system32\cygz.dll
Heur.Suspicious.Attribs C:\WIN\system32\DiracSplitter.ax
Heur.Suspicious.Attribs C:\WIN\system32\flvDX.dll
Heur.Suspicious.Attribs C:\WIN\system32\i420vfw.dll
Heur.Suspicious.Attribs C:\WIN\system32\MatroskaDX.ax
Heur.Suspicious.Attribs C:\WIN\system32\msfDX.dll
Heur.Suspicious.Attribs C:\WIN\system32\RealMediaDX.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLAPEDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLMPCDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLOgg.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLSpeexDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLTheoraDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLVorbisDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\Smab0.dll
Unclassified Malware[at]4800749 C:\WIN\system32\VistaUltm.dll
Heur.Suspicious.Attribs C:\WIN\system32\x.264.exe
Heur.Suspicious.Attribs C:\WIN\system32\yv12vfw.dll
Heur.Pck.UPX-Scrambler C:\WIN\x2.64.exe

TuneUp 2009 ( http://www.tune-up.com/products/tuneup-utilities/ )
Code:
Heur.Packed.Unknown ...\TuneUp Utilities\AppInitialization.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\cmCommon.bpl
Heur.Pck.MEW ...\TuneUp Utilities\cmDisplay.bpl
Heur.Pck.MEW ...\TuneUp Utilities\cmNetwork.bpl
Heur.Pck.MEW ...\TuneUp Utilities\cmSystem.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\cmWizards.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\CommonForms.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\ehs_d6.bpl
Heur.Pck.MEW ...\TuneUp Utilities\GR32_D6.bpl
Heur.Pck.MEW ...\TuneUp Utilities\MainControls.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\Internet.bpl
Heur.Pck.MEW ...\TuneUp Utilities\MSI_D6.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\SmallUnits.bpl
Heur.Pck.MEW ...\TuneUp Utilities\SysInfo.bpl
Heur.Pck.MEW ...\TuneUp Utilities\Traces.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TuApplications.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUDiskCleanerClass.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUIcoEngineerDirTree.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUInstallHelper.exe
Heur.Packed.Unknown ...\TuneUp Utilities\TUOperaClass.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUShell.bpl
Heur.Pck.MEW ...\TuneUp Utilities\TUTMSComponents.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUShredder.bpl
Heur.Pck.MEW ...\TuneUp Utilities\VirtualTreesR.bpl
Heur.Pck.MEW ...\TuneUp Utilities\VisControls.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUOperaClass.bpl
Heur.Pck.MEW ...\TuneUp Utilities\TUTMSComponents.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUShredder.bpl
Heur.Pck.MEW ...\TuneUp Utilities\Traces.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\ehs_d6.bpl
Heur.Pck.MEW ...\TuneUp Utilities\MSI_D6.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUDiskCleanerClass.bpl
Heur.Pck.MEW ...\TuneUp Utilities\SysInfo.bpl
Heur.Pck.MEW ...\TuneUp Utilities\VirtualTreesR.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUShell.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUIcoEngineerDirTree.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\CommonForms.bpl
Heur.Pck.MEW ...\TuneUp Utilities\VisControls.bpl
Heur.Pck.MEW ...\TuneUp Utilities\MainControls.bpl
Heur.Pck.MEW ...\TuneUp Utilities\GR32_D6.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\SmallUnits.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\AppInitialization.bpl

DivX Author ( http://www.divx.com/en/products/software/windows/author )
Code:
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\AudioPCM.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\EffcvBlend.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\EffcvLayerImageEffect.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\EffcvSlideShow.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\EffcvVideoFilter.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\ImageBitmap.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\ImagePSD.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\MovieDVD.vme

Finally I got a warning about:
Code:
Heur.Suspicious.Attribs C:\Documents and Settings\All Users\DRM\IndivBox.key

Offline damilner

  • Newbie
  • Posts: 1
Re: Heuristic reports false positives
« Reply #1 on: February 19, 2009, 02:54:59 PM »
I also just updated to 3.8 and started seeing false positives before shutting down the heuristic scan.

Heur.Pck.MEW       Tivo\Desktop\Vcl60.bpl
Heur.Pck.PKLITE32  windows\system32\drivers\SSHDRV76.sys

Offline WD-retired

  • Newbie
  • Posts: 1
Re: Heuristic reports false positives
« Reply #2 on: February 19, 2009, 07:12:21 PM »
Me too... getting Heur.Pck.MEW all over the place.

Offline Breen

  • Product Translator
  • Comodo's Hero
  • Posts: 332
Re: Heuristic reports false positives
« Reply #3 on: February 19, 2009, 07:31:34 PM »
Guys, if you are certain that these detections are false (check on virustotal.com), please send samples to COMODO research: https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/reporting_false_positivessuspicious_files_submitting_them_to_the_lab-t27062.0.html;msg197464#msg197464

I think it's better to send samples of FPs to COMODO than to only post them on the forum.

Offline SA Jack

  • Comodo Family Member
  • Posts: 88
Re: Heuristic reports false positives
« Reply #4 on: February 19, 2009, 09:24:35 PM »
Hi:
I downloaded CIS 3.8.64739.471 this afternoon and it appears that a number of heuristic problems with respect to false positives and working with the "Exclusions" list have been resolved. Initially I had a few false positives, and there was a direct correlation between the heuristic level (Low, Medium, High) and the number of virus hits I saw. However, on the current release, the antivirus module now properly handles "Exclusions" (Context Menu Scan, Manual, & Scheduled). I had initially placed my false positives as exclusions; however, with the prior version not properly dealing with exclusions (except in Context Menu Scan), these files were tagged in Scheduled and Manual scans. Now they are not. I then removed these false positives from the "Exclusions" list, and they were not tagged using the Low and Medium heuristic settings with all three (3) scan types. (I haven't tried High as yet.)

From my point of view, this update addressed the only real issues I had with CIS 3.8.X.  Great job.  Can't wait for inclusion of BOClean in the near future.  -SA Jack
SA Jack

Dell XPS 8100, Intel i5 650 (3.2GHz), 6GB DDR3 1333 MHz Ram, Windows 8.1.1/x64 Pro (Fully Patched, Comodo Internet Security 7 (Config - Proactive, Full Install), Malwarebytes 2 Pro

Offline SWENG

  • Newbie
  • Posts: 1
Re: Heuristic reports false positives
« Reply #5 on: February 20, 2009, 07:19:26 PM »
I've been getting a lot of those too.
You might want to consider adding a few useful options to the results window:
* An option to copy location of file to clipboard
* An option to go to file location
* An option to submit file to Comodo for further scanning
(I checked all the false positives on virustotal.com)

Offline pelokee

  • Newbie
  • Posts: 2
Re: Heuristic reports false positives
« Reply #6 on: February 22, 2009, 12:56:19 PM »
After several rounds of testing, I think the solution at this point is to turn the heuristics feature OFF. This feature was just introduced to the Comodo product in the 2/14/09 update, so we aren't losing any functionality that we didn't have before.

For my full write-up, feel free to visit the link below. Comodo tech support has acknowledged the issue and claims to be working on it.

http://pelokee.wordpress.com/2009/02/21/heurpckmew-comodo-false-positive/

Offline Surfinusa

  • Comodo Member
  • Posts: 27
Re: Heuristic reports false positives
« Reply #7 on: February 25, 2009, 12:15:31 PM »
I also have the same problems with FPs with the latest 19th February 2009 CIS release.

I was getting virus warnings everywhere, every few seconds a new one would be identified.

Sounds like you guys hit the mark when you figured out the Heuristic issue.

I didn't know till now since I read your responses.  I am still using the 14th February 2009 Release CIS.

I hope they get this fixed soon so I can upgrade it.

For now it doesn't seem that the auto updater is giving me any trouble; before, it wanted me to upgrade to the 19th February 2009 version.

Offline Ramanan

  • Comodo Family Member
  • Posts: 63
Re: Heuristic reports false positives
« Reply #8 on: February 28, 2009, 01:21:33 AM »
Quote from: BigMike on February 14, 2009, 04:47:08 AM

Hi BigMike,

These FPs are fixed. Please update to the latest CIS (V477) and update the virus signature database to the latest.

Thanks
Ramanan

Offline g13

  • Newbie
  • Posts: 2
Re: Heuristic reports false positives
« Reply #9 on: June 07, 2009, 03:38:04 AM »
Yes, the heuristics still report lots of false positives :-TD

Offline bequick

  • Comodo's Hero
  • Posts: 1117
Re: Heuristic reports false positives
« Reply #10 on: June 07, 2009, 03:45:45 AM »
Quote from g13: Yes, the heuristics still report lots of false positives :-TD
Yes, but Comodo has the greatest community I've ever seen and I'm pretty sure that's just a temporary issue. If you're scared of bears, don't go to the forest. :P

Offline dph987

  • Newbie
  • Posts: 8
Re: Heuristic reports false positives
« Reply #11 on: October 22, 2009, 08:18:26 PM »
What would be really helpful is a short (or optionally detailed) report detailing WHAT action was intercepted, or what the Comodo virus scanner found, and WHY it thinks it's a virus.

This would give more info to the user to make an executive decision regarding the message.
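The report dph987 asks for above (what was flagged and why) and the check Breen recommends before submitting a sample can both be approximated offline. The script below is an added example written for this page; it is not from the thread, from Comodo, or from any of the products listed, and it is not Comodo's heuristic. It parses a PE section table with the standard library only and reports the three things packer heuristics like Heur.Pck.MEW, Heur.Pck.tElock or Heur.Pck.UPX-Scrambler typically key on: a packer-style section name, a high-entropy (compressed or encrypted) section, and a writable+executable section that holds the entry point. The section-name list and the 7.0 bits/byte threshold are illustrative assumptions, the two PE images it analyses are constructed inside the script, and `analyze`, `describe`, `build_pe`, `sample_packed` and `sample_clean` are names chosen for this example.

```python
"""Added example (not from the thread or from Comodo): show *why* a file trips a
Heur.Pck.* / Heur.Packed.* style heuristic.  Standard library only; thresholds are assumptions."""
import hashlib, math, struct
from collections import Counter

# Section names packers commonly leave behind (illustrative list, not Comodo's).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".MEW", b"MEW", b".aspack",
                        b".adata", b".petite", b"PEC2", b".Themida", b".vmp0", b".vmp1"}
HIGH_ENTROPY = 7.0                               # bits/byte; compressed data sits near 8
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(pe):
    """Return (entry_rva, sections) read from the DOS, COFF and section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    entry_rva = struct.unpack_from("<I", pe, coff + 20 + 16)[0]  # AddressOfEntryPoint, PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, rva, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, coff + 20 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "rva": rva,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return entry_rva, sections

def analyze(pe):
    """Score each section and collect the reasons a packer heuristic would fire."""
    entry_rva, sections = parse_pe(pe)
    reasons = []
    for s in sections:
        size = min(s["raw_size"], s["vsize"]) if s["vsize"] else s["raw_size"]
        s["entropy"] = round(shannon_entropy(pe[s["raw_ptr"]:s["raw_ptr"] + size]), 2)
        s["wx"] = (s["chars"] & (SCN_EXECUTE | SCN_WRITE)) == (SCN_EXECUTE | SCN_WRITE)
        s["has_entry"] = s["rva"] <= entry_rva < s["rva"] + max(s["vsize"], s["raw_size"])
        label = s["name"].decode(errors="replace")
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"section {label} has a packer-style name")
        if s["entropy"] >= HIGH_ENTROPY:
            reasons.append(f"section {label} entropy {s['entropy']} >= {HIGH_ENTROPY} (compressed/encrypted)")
        if s["wx"]:
            reasons.append(f"section {label} is writable and executable (unpacking-stub pattern)")
        if s["has_entry"] and (s["wx"] or s["entropy"] >= HIGH_ENTROPY):
            reasons.append(f"entry point 0x{entry_rva:X} is inside {label}")
    return {"sha256": hashlib.sha256(pe).hexdigest(), "sections": sections,
            "reasons": reasons, "packed_like": bool(reasons)}

def describe(report):
    """The 'what and why' report: one line per section, then every indicator that fired."""
    lines = [f"SHA-256: {report['sha256']}  (look the hash up before uploading anything)"]
    for s in report["sections"]:
        flags = "W+X" if s["wx"] else ("X" if s["chars"] & SCN_EXECUTE else "-")
        lines.append(f"  {s['name'].decode(errors='replace'):8} rva=0x{s['rva']:05X} "
                     f"entropy={s['entropy']:.2f} {flags}{'  <- entry point' if s['has_entry'] else ''}")
    lines.append("verdict: packer indicators present (this says how the file was built, not what it does)"
                 if report["packed_like"] else "verdict: no packer indicators")
    return "\n".join(lines + [f"  why: {r}" for r in report["reasons"]])

def build_pe(sections, entry_rva):
    """Constructed minimal PE32 image used as test input; sections = [(name, bytes, characteristics)]."""
    e_lfanew, opt_size, falign = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    headers_end = -(-(e_lfanew + 4 + 20 + opt_size + 40 * len(sections)) // falign) * falign
    table, raw, raw_ptr, rva = b"", b"", headers_end, 0x1000
    for name, data, chars in sections:
        raw_size = -(-len(data) // falign) * falign           # round up to file alignment
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), rva,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        raw += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += max(0x1000, -(-len(data) // 0x1000) * 0x1000)  # next section-aligned RVA
    return (dos + b"PE\0\0" + coff + opt + table).ljust(headers_end, b"\0") + raw

# Constructed inputs: low-entropy "code", a SHA-256-derived blob standing in for compressed code, plain data.
LOW = bytes(range(16)) * 64
HIGH = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
DATA = b"Hello, world\0" * 50

def sample_packed():  # UPX-like layout: entry point inside a writable+executable, high-entropy UPX1
    return build_pe([(b".text", LOW, 0x60000020), (b"UPX1", HIGH, 0xE0000040)], 0x2010)

def sample_clean():  # ordinary layout: entry point in read/execute .text, data in non-executable .data
    return build_pe([(b".text", LOW, 0x60000020), (b".data", DATA, 0xC0000040)], 0x1010)

if __name__ == "__main__":
    for title, image in (("packed", sample_packed()), ("clean", sample_clean())):
        print(f"== constructed {title} image ==\n{describe(analyze(image))}\n")
```

Running it prints the report for both constructed images; point `analyze` at `open(path, "rb").read()` for a real file. A "packer indicators present" verdict is exactly the situation in this thread: it is a statement about how the binary was built, so the sensible next steps are the SHA-256 lookup, a check of the publisher's Authenticode signature, and only then a sample submission, rather than treating the hit as a conviction.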
