Harmful file?

Is it possible that BoClean might give an alert about a file because it is capable of trojan behaviour, rather than because it is actually doing something nasty? Can a program use such a file legitimately but be flagged as spyware by BoClean anyway? Now to why I ask.

I bought a game called ‘Bejeweled 2’ (by PopCap Games) from iWin.com. In the directory is a file called ‘WinBej2.ifn’. BoClean gives a trojan alert about this file when the game is started. A search on Google for information on it produces nothing. However, a search for ‘WinBej2.exe’ brings up many entries about malware …all apart from here where it says the file is quite alright.

Perhaps if I’d bought the game directly from PopCap, I would have got ‘WinBej2.exe’ and not ‘WinBej2.ifn’. I wonder if the ifn extension is just iWin.com’s version of the same file. In view of the listings about ‘WinBej2.exe’ in Google, it seems fairly likely that even if I had this file, BoClean would still have given a trojan alert (yet Spyware-Net says it’s OK).

I found I couldn’t add ‘WinBej2.ifn’ to the BoClean Excluder because it isn’t an exe file. The only way the game would run was to exit BoClean before starting it. BoClean isn’t operational at present. I have installed the 30 day trial of A-squared Anti-Malware. In this, I can set up some rules for the file. These are:

Protect this application from process manipulations.
Monitor this application and block unwanted activities.
Allow this program to install something invisibly.

The last point is very worrying of course but without a tick next to that option, the game won’t run. So that brings me back to the original question. Although the file has been flagged as having harmful capabilities, is it necessarily being used in a harmful way? I think Bejeweled 2 is quite a popular game.

Run the suspect file through jotti: www.virusscan.jotti.org/
and through virus total: www.virustotal.com/

If nothing is detected then submission of false positives is in the FAQ:


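Before uploading a file to a multi-engine scanner, it helps to know what you are actually submitting. The script below is an added example and is not part of the thread, of BoClean, or of any scanner: it computes the MD5, SHA-1 and SHA-256 hashes that jotti and VirusTotal accept for look-ups, and checks whether a file is a Windows PE executable regardless of its extension (a renamed .exe still starts with ‘MZ’ and carries a ‘PE\0\0’ signature at the offset stored at byte 0x3C). The function names and the `extension_hides_pe` field are this example’s own, and the test header it builds is constructed data, not a real file.

```python
"""Fingerprint a suspect file before submitting it to a multi-engine scanner.

Added example (not from the forum thread or any scanner vendor): hashes the
file for look-up and checks whether it is a PE executable whatever its
extension, e.g. an .ifn file that is really a renamed .exe.
"""
import hashlib
import json
import struct
import sys
from pathlib import Path

PE_OFFSET_FIELD = 0x3C  # e_lfanew: where the MZ header stores the PE signature offset
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr"}


def hashes(data: bytes) -> dict:
    """Hashes accepted by most online scanners for a look-up without upload."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < PE_OFFSET_FIELD + 4 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, PE_OFFSET_FIELD)
    return pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\0\0"


def fingerprint(data: bytes, name: str) -> dict:
    """Report hashes, size and whether the extension disguises a PE image."""
    report = hashes(data)
    report["name"] = name
    report["size"] = len(data)
    report["pe_executable"] = is_pe(data)
    # A PE image behind a non-executable extension is worth stating in a
    # false-positive report: the scanner reacts to the code, not the name.
    report["extension_hides_pe"] = (
        report["pe_executable"]
        and Path(name).suffix.lower() not in EXECUTABLE_EXTENSIONS
    )
    return report


def fingerprint_file(path: Path) -> dict:
    return fingerprint(path.read_bytes(), path.name)


def constructed_pe_stub() -> bytes:
    """Minimal, non-runnable MZ + PE header (constructed test input only)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, PE_OFFSET_FIELD, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    # Usage: python fingerprint.py WinBej2.ifn
    for arg in sys.argv[1:]:
        print(json.dumps(fingerprint_file(Path(arg)), indent=2))
```

Searching a scanner by the SHA-256 first avoids uploading a commercial game binary you are not free to redistribute; if there is no prior result, upload the file itself. If `extension_hides_pe` is true, mention that in any false-positive report, because a behaviour-based product such as BoClean is looking at what the code does when it runs, not at the extension.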
Thanks Rotty - The scans you linked to certainly are numerous. They all found nothing apart from one. Webwasher-Gateway found: ‘Virus.Win32.FileInfector.gen!94’. Maybe loosely connected is this (see the last line) where Webwasher-Gateway found this virus in another file, yet AVG assured the person it was a false positive. No feedback after that though.

I knew the pattern of behaviour had been found suspicious regarding WinBej2.ifn by BoClean, so I kind of expected something would turn up in the scans. In view of the above link though, I’m still unsure if Webwasher-Gateway has it rightly flagged. A-squared finds nothing wrong with the file when scanning the system. It’s only when the file starts to be used that a-squared (and BoClean) gives an alert.

I still have the niggling question about whether a file found suspicious by anti-malware programs can be used for acceptable purposes as well. I mean, how about something that silently checks for updates, such as an AV program? If that action wasn’t related to a known safe program, might any monitoring anti-malware program detect that pattern of behaviour as suspicious?

As far as I know, the place I bought the game from is an OK company. Perhaps I’ll ask them about the file and mention the anti-malware program findings before deciding if it’s a false positive or not. The computer appears to run fine.

Sorry but just one more question. If I decide to trust the file for a while to see how things go, is there a way I can add it to the Excluder? The extension (.ifn) couldn’t be added last time I tried it.