False positive or trojan revealed after months of work?

Hi,

After today’s CIS update the antivirus detected a trojan, supposedly a keylogger (TrojWare.Win32.Magania.~AB@25568567), in one of the programs I use. I can’t tell for sure that this program is not malware, but it has worked for a few months and as far as I can tell there were no incidents or suspicious behavior.

So I’ve uploaded that app to virusscan.jotti.org and all reports said the file was “clean” (here’s the summary: http://virusscan.jotti.org/en/scanresult/e89427ddf1d7f1931ecfd8ebdfdf4448260f48f3)

Then I tried to use Comodo Instant Malware Analysis, and it hasn’t found anything suspicious either: http://camas.comodo.com/cgi-bin/submit?file=4d2a6120316eb1bc04df029e76bb92357cf3035abe3cde4c31fc9a405bb6e2e3

I’ve also searched the internet for this virus description and removal instructions, but haven’t found any files or registry keys that should’ve been created by this virus.

On the other hand, the program’s function is somewhat close to that of a keylogger; it’s actually a hotkey helper: it watches a certain program’s window for certain keystrokes and, when they are found, sends another combination to the program’s window (through the Win32 API, WM_CHAR).

So my question is: if Comodo antivirus identifies a threat by its name (in this case, Magania), is there still a possibility of a “false positive”, or is it definite? Could a legitimate program have a piece of code that matches the signature of some known virus?

Thanks.

Please follow this guide on how to submit an FP. If it’s found to be a false positive it will be fixed; if it’s not an FP it won’t be fixed.

https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/how_to_report_false_positivessuspicious_files_how_to_submit_them-t36051.0.html

I did that; here I was just asking what the chances could be :slight_smile: Is it common practice to have many false positives at the default scanner settings?

I mean, if suspicious code was detected using heuristics, it wouldn’t report a virus name or family, or would it?

Thanks for reporting it.
Currently with CAVs you do get FPs with the default settings; however, I would recommend you keep the default settings and report any FPs detected.

P.S. The FP problem is being fixed.