False File creation alert- is ita ghost file or a serious bug ???

I tried malware Trojan-PSW.Win32.QQcv.12.b( KAV) against CFP Defence Plus.

Defence Plus gives an alert about creation of a new file MSCONFIG.exe in system32 folder. Infact such a file is never created as I counter checked with other HIPS, manual and automated search etc- no such named file is created in system32( I allowed the alert). Even rootkit scanners did not such a file in system32( if it was hidden).

Seems a bug. Can developers have a look on this issue?

Thanks

[attachment deleted by admin]

By the first Alert, & says you DO need to make sure malware.exe is a safe app before you allow it, plus it it trying to create a folder/file in msconfig (malware behavior), so originally you would deny the alert if you didn’t know what it was or if you were taking that particular action.

Other HIPS? Maybe Defense+ is too powerful. I don’t think it’s a bug IMO.

Cheers,
Josh

Thanks for your answer but you have not understood my post at all. Defence plus is powerful or not is another discussion.

Point here is that it alerts about an event( a new file creation) that according to my observation never happens.

Going through you’re Screen shots… Sorry. :slight_smile:

Just a thought aigle,

It`s not created a folder in system 32 has it? This would be next to the system32\config Folder,before the files.

Matty

Your latest CFP researches and tests looks particularly interesting :slight_smile:
Pushing V3 to the edges prove useful to understand how to use it properly.

This time I would like to ask you to gather more infos though.

IMHO that alert mean that Trojan-PSW.Win32.QQcv.12.b( KAV) really attempted to create a msconfig.exe .
Maybe was some kind of test ???

Anyway to confirm this and to gather other infos it could be useful to use filemon to monitor all file activities of that trojan (you can filter malware.exe to remove other entries from the logs)

Hi Matty_R and gibran, thanks a lot for your comments.

I checked carefully. No such file is created any where on my HD, even hidden. I even deleted the orginal msconfig file in C:\WINDOWS\pchealth\helpctr\binaries to see if it,s re-created. Nothing like this.

Might use filemon later but I wish if developers can have a look into this issue.

BTW, you will see more tets coming, more possible failures of Defence Plus may be, not sure at the moment.

Thanks.

Please post those logs as soon as possible since this way it will be clear if it is ghost file or a bug