definite false positive

All of a sudden BOclean decided UniExtract.exe is a trojan horse. This file is part of the program Universal Extractor, http://legroom.net/software/uniextract.

It was OK before and I’m sure it still is.

What is the name of the trojan that BOClean detected it as?

Is that the name at the top of the pop up warning message?

If yes, it is DLDR-AUTOIT

If no, where can I find it?

BOClean detected that UniExtract is a script compiled by AutoIt (which is true). So the detection is correct. The question is rather if AutoIt must be considered as a malware vector or not. As a workaround you can add UniExtract to the exclusion list.

Hello user4,

The detection was a false alarm, and it has been fixed in the latest update.

Thanks for reporting it.

Regards,
Baskar.

Another FP reported, this time on a Panda AV file:

[attachment deleted by admin]

Hi TK,

Good to see you here. :slight_smile:

Thanks for pointing out the FP, it has been fixed in the latest updates. Much appreciated :slight_smile:

Regards,
Baskar.

Hey Baskar!

Wow, long time no see! :slight_smile: I had no idea you were working here…

And you’re very welcome; keep up the good work!

Well, my first inspiration in the malware arena, who answered my first post at SWI - and so that’s how the trigger was pulled, and here I am. :smiley:

Regards,
Baskar.

Hey, it really is a small world, isn’t it? :wink:

Cheers,

This is the third time BOClean sounded the alarm bell since I installed and it might well be the third false positive.

Complainterator12.exe is said to be a trojan horse. I have never used it (before), but the source should be OK.

They are “anti-spam-guys”, if I can put it like that, from a forum that’s known in the anti-spam community.
http://thecarpcstore.com/phpbb2/viewforum.php?f=4&sid=5ad3eecea9f4651311fb6c00e0445e75

I checked the zipfile Complainterator12.zip on www.virustotal.com, result from different AV’s;

TrojanDownloader.AutoIt.g
IM-Worm.Win32.Sohanad.aa
Worm.Win32.ModifiedUPX.gen!90 (suspicious)
suspicious Trojan/Worm

???

Yep, my fellow countryman ctrlaltdelete is right. There are 4 positives on www.virustotal.com

Greetz, Red.

I am the author of Complainterator. It is written in AUTOITV3 code, ( http://www.autoitscript.com/) then compiled. The compile allows for the executable to be decompiled.

AUTOITV3 is a keyboard/mouse/screen driver. Any program compiled from that code may result in false positives. It is noteworthy that the likes of AVG, Symantec, McAfee and Kaspersky all give the same Complainterator12.exe a clean bill of health.

The FPs were reported by

CAT-Quickheal (Autoit)
eSafe (suspicious)
Ikarus
Webwasher-Gateway (suspicious)

So to test the validity of the virus checkers, I wrote a new, one line Autoit program which set a variable
;—
$x = 1
;—
I compiled it and sent it in for testing. Same set of false positives.

Complainterator12.exe is clean, those AV checker results are false.

Red Dwarf
http://thecarpcstore.com/phpbb2/viewtopic.php?t=746
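Added example, not code from the thread or from any of the scanners named in it: a small heuristic that flags AutoIt-compiled executables the way the engines above appear to, plus an exclusion list of the kind suggested earlier in the thread. It assumes (my assumption) that an AutoIt v3 compiled executable carries a 16-byte signature followed by the ASCII tag AU3!EA06 (or the older AU3!EA05) in its appended script resource; the sample blobs are constructed, not real files.

```python
"""Heuristic AutoIt detector with an exclusion list (added example).

Assumption: the AutoIt v3 compiled-script resource starts with a fixed
16-byte magic followed by the tag "AU3!EA06" (older builds: "AU3!EA05").
A scanner keyed on that marker fires on ANY compiled AutoIt script, which
is why a one-line "$x = 1" program and a real tool trigger the same alerts.
"""
import hashlib
from dataclasses import dataclass

# Magic bytes that precede the compiled-script tag in AutoIt v3 executables (assumed).
AUTOIT_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AUTOIT_TAGS = (b"AU3!EA06", b"AU3!EA05")


@dataclass
class Verdict:
    flagged: bool
    reason: str


def is_autoit_compiled(data: bytes) -> bool:
    """True if the blob carries the AutoIt v3 compiled-script marker."""
    idx = data.find(AUTOIT_MAGIC)
    if idx == -1:
        return False
    start = idx + len(AUTOIT_MAGIC)
    return data[start:start + 8] in AUTOIT_TAGS


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes, allowlist: set) -> Verdict:
    """Exclusion list wins first; otherwise the AutoIt marker decides.

    The marker only proves the file was built by AutoIt, not that it is
    malicious, so the reason string says so explicitly.
    """
    if sha256(data) in allowlist:
        return Verdict(False, "allowlisted by hash")
    if is_autoit_compiled(data):
        return Verdict(True, "AutoIt-compiled script (heuristic, not proof of malice)")
    return Verdict(False, "no AutoIt marker")


# Constructed samples: a fake "MZ" stub with the AutoIt marker appended
# (standing in for Complainterator12.exe or the one-line test program),
# and a fake stub without it.
FAKE_AUTOIT_EXE = b"MZ" + b"\x00" * 64 + AUTOIT_MAGIC + b"AU3!EA06" + b"$x = 1\r\n"
FAKE_PLAIN_EXE = b"MZ" + b"\x00" * 64 + b"hello"


def demo():
    """Run the three cases the thread describes and return the verdicts."""
    allow = set()
    first = classify(FAKE_AUTOIT_EXE, allow)   # flagged on the marker alone
    allow.add(sha256(FAKE_AUTOIT_EXE))         # "add it to the exclusion list"
    second = classify(FAKE_AUTOIT_EXE, allow)  # same bytes, now suppressed
    third = classify(FAKE_PLAIN_EXE, allow)    # no marker, never flagged
    return first, second, third


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the control run in the post above falls out of the code: the marker lives in the AutoIt runtime stub, not in the script, so the detector cannot tell a one-line `$x = 1` program from a real tool, and a hash exclusion is the only per-file way to silence it without dropping the rule.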

Thank you very much for the explanation. Much appreciated.

That makes it the third false positive by BOClean I have come across in a few weeks. Is that normal?

It is absolutely normal for all security software to have the occasional false positive. BOClean is no exception to the rule.

It is unfortunately a fact of life, as you obviously can’t possibly test an AV or AT against every single one of the hundreds of thousands of different applications available…

Also, users demand protection against ANY new malware NOW, not after getting infected, which, especially taking into account the avalanche of new malware hitting the scene on a daily basis, is something that, although perhaps understandable, is just not always humanly possible to realize.
One can only hope to approach perfection…
Another reason why, under the pressure of time, FPs are impossible to avoid altogether.

Where BOClean does (or at least did) stand out is with regards to the speed any FPs were dealt with. I trust this time it will not be any different.

I understand that. We’ll just assume that this (three times in “short succession”) was an incident. Because if this is the average level, then there must be a huge amount of false positives. And that doesn’t seem to fit in with the enthusiastic stories from the BOClean shareware users I have read here and there.
Off topic, perhaps they were a bit biased/blinded by their love for the product…

There will be more, as, now that Comodo has acquired BOClean’s assets a lot more people will be using it.

But as I just said, this is by no means uncommon. And this is a BOClean board, so it’s only natural that all you’ll hear about is BOClean problems and FPs.

Other AVs/ATs have them just as well, and I can assure you that BOClean really doesn’t stand out in any negative way from any others.

I’m confident that any FPs reported will be dealt with swiftly; in fact that’s one way where user communities like this one can be extremely useful.

Personally I’ve had BC installed on a variety of machines since 2001, and during all that time it has only given me one single FP, I believe it was on an Editpad Lite file, which at the time was promptly dealt with by Kevin.

In that respect it compares favorably to other security software I’m familiar with…

Once again, FPs are a fact of life and by themselves nothing to get upset about.

To give you one example, in recent times I’ve seen (rapidly fixed) Kaspersky FPs for CCleaner, SpySweeper, WinRar, Avant Browser and more, and yet no one’s suggesting that that excellent AV s*cks…

I could draw up similar lists for most other respected AVs and ATs…

So I can only encourage you to try and see things in perspective.

I won’t get my knickers in a twist over something as trivial as this. ;D
I have spoken up for AntiVir/Avira in this forum when it was claimed that it is notorious for producing FPs. Simply because I know from experience that this is not true. Facts, not tales.

I’m not saying BOClean is good or bad because of three FPs. It’s just that from what I read I got the impression that this was an “install and forget” program. And three FPs in a relatively short time (also a fact) seem to contradict those (over)enthusiastic comments and stories. That’s all.
Don’t worry, BOClean won’t be uninstalled. :wink: I’m happy with the extra protection.

That’s not entirely correct: there have equally been recently reported AntiVir FPs for Diamond CS Advanced Process Termination, USB Mouse Rate Switcher 1.1, XPize, a GUI enhancer, SiteHound’s updater, Firefox’s phishdata.xml file, the SilentRunners.vbs diagnostic script, and even an AVG AV file:

E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys [DETECTION] Is the Trojan horse TR/Rootkit.Gen [INFO] A backup was created as '4650fbfa.qua' ( QUARANTINE )
Facts, not tales.

Exactly like what I’ve tried to contribute…

It's just that from what I read I got the impression that this was an "install and forget" program. And three FPs in a relatively short time (also a fact) seem to contradict those (over)enthusiastic comments and stories.

No, it doesn’t really. BOClean IS an install and forget program, BUT at the same time every AV/AT product will continue to suffer from the occasional FP.

Look, all I’m trying to explain is that, although as an individual user you might in effect NEVER experience a BOClean (or for that matter a Kaspersky, Nod32, AntiVir, or whatever) FP, you certainly WILL encounter them once the experience of many hundreds or even thousands of users is lumped together like what happens in a discussion forum as this one…