FP in temporary file while installing a game

Unclassified Malware@9613154
Pw: clean

Btw: When will we see the improved packer detection heuristics out of 3.9 beta for the final release?
A lot of FPs again.


I don’t know what improvements you wish for the packer detection, but it looks like heuristic detection of the above sample would be reasonable.
http://www.virustotal.com/en/analisis/3449b89fe18fa41907b348908ada0462
http://camas.comodo.com/cgi-bin/submit?file=703e9c72970068d1c6c01685feed72c96ed6cf4b36ca983b7f630ea770ac4e7e

Apart from posting it here did you directly submit that sample to Comodo AVlabs too?

BTW: does anybody know if the [at]9613154 can be decoded to something more meaningful?

Hi,

We will check the reported sample and fix the issue if confirmed as false positive.

Thanks,
Ionel

Why do you think I could have written “Btw:”? Because it has not much to do with the stuff I wrote above it :wink:
The beta heuristics made much less FPs than the current final ones and I asked when we will see them going final.

These scanners are all wrong: it’s just a setup for a driver that provides copy protection.

Btw: This also ratifies my observation that Kaspersky is in reality much lower on FPs than most other scanners.

No, that’s why I post it here. Did so in the past and it always went well so no need to change this.

Thanks, ionelp :slight_smile:

??? I guess you may have been confused by the fact that I quoted your whole post whereas you got the impression my reply was focused on that BTW part alone.

Indeed even backdoors/rootkits just install a driver, but anyway IMHO there is no point arguing when little is known about why Kaspersky did not detect this sample and whether it has (or not) heuristics similar to the ones that led the other AVs to get it wrong.

Indeed this topic rapidly fulfilled its purpose. If the sample does not pertain to Appunsafe, Hacktools or other categories, it will not be detected anymore :-TU

Hi Endymion,

Thank you for reporting the false positive. We have fixed the reported false positive. Please update your AV to dbVersion 1167 and confirm.

Thanks and Regards,
Sriram.P

Hi Sriram, thanks for the heads up, dbVersion 1167 doesn’t detect it anymore.

PS: Credits for submission as FP go to evil_religion though.

Thank you both for solving and confirming it :slight_smile:
It’s always good if someone is attentive if it’s really a FP :wink:

BTW I gotta praise your attentiveness too, as you were particularly explicit about it being a FP from the beginning, even without an AV analyst confirming that it didn’t pertain to any riskware-equivalent classes that some don’t regard as FP. ;D