Major False Positive from latest update of Boclean

Hi,

The latest update detect shadowprotectsvc.exe from Shadow Protect has a trojan (:AGY)

This is for sure a False positive so please rectifie this situation as soon as possible…

Thanks,
Atomas31

Hello atomas31,

Is this part of the software from StorageCraft? If this is a real false positive, please, use the Excluder (drop the file into the Excluder).

Ark

Yes it is from storagecraft!
Why should I place it in the excluder when it is clearly a false positive shouldn’t be to comodo staff to rectifie this false positive? For now, Boclean is shutdown…

There is another false positive with today’s update. It is reporting RegDefend/Ghost Security Suite gss.exe as a trojan and shuts it down. Just scanned it with KAV (latest) and A-squared. It is clean.

Well lucky for me that I don’t use my Ghost Security suite in realtime anymore or else I would be very ■■■■■■ off with this latest update… Just wondering what’s going on at Comodo since Boclean never had so many false positive before it got buy by comodo???

I have the same alert re GSS.exe and suspected this too as a FP.
What should I do now ?
BoCleann offers me the option to remove the file too. Obviously I don’t want to do that thinking it is a FP. Does that mean that BoClean has only shut down GSS or has anything already been deleted? A second pc has a different alert saying that the trojan as system lock and cannot be shut down or something similar and I should immediately shut down my pc. Again, what should I do?

Founding new ways to track down the new threats may got som risks. Usually, the possibility to identify a normal program as a malware is very-very low but can happen. Happened with all virus vendors so far. An easy example:

  • You write a program which will connect to the Internet
  • The bad guy do the same and the codes are almost the same.
    When you create a signature to identify the malware, there’s a tiny risk that you’ll only have the signature part from the part which establishes the connection: so both of the softwares will be identified.

Thank you for your understanding. I guess the staff will release new update for this problem as soon as possible, after they’ve investigated the corresponing file. Please, submit the files to let the staff analyze them:

You can email them to: malwaresubmit [ at ] avlab.comodo.com .
You may want to specify in the subject line “False Positive?” for clarity’s sake.
As usual, zip and password protect with “infected” including that information in the body.

While there’s no new update, please, use the excluder utility which is a great temporary fix for this problem.

Ark

Atomas31, maybe you should ask also what is going on with Kaspersky, NOD32, AntiVir enz. enz. because last year they all had false positives. If you had taken the effort to read the FAQ you would have known what to do m8 :wink:

Greetz, Red.

The difference is that in the old days with Kev and Nancy it would have been fixed in about an hour. :frowning:
(If it ever occurred in the first place.)

Hi Rednose,

I don’t know what you are talking about since I have NOD32 for more than 2 years and I don’t recall any false positive last year or at least, no one that might ■■■■■ my backup utilities… For your information, Boclean never had so much false positive since his acquisition by Comodo. Also, sorry for not reading the FAQ because I am little lost with all the forums and subforums… Also, I am an old user of Boclean and I was use to deal with Kevin. Like fphall said, before comodo buy Boclean the support was a lot better and certainly a lot faster.

Best regards,
Atomas31

Hi Atomas31 :slight_smile:

If you don’t beleve me 88) Here an example were an update of NOD32 destroyed the Telebanking software of one of the biggest Dutch banks last year :

I am sorry it is in Dutch, but I am sure you know how to translate it :wink:

Greetz, Red.

Coming back to the original point about the FP - I submitted my file (GSS.exe) and just received a confirmation that this indeed was a FP now fixed in the latest update.
I can’t say any re Shadowprotect though.

Hi,

I submit my file (shadowprotectsvc.exe) and like you I received a confirmation that this false positive was fix in the latest update. So, I downloaded the last update but the false positive still there except that now it is call Bkdr-Bifrose??? No congratulation there!

Man, do I miss Kevin and Nancy :cry:

Best regards,
Atomas31

Hi Rednose,

Well, that’s a pitty! But I was talking more about home user and not there commercial customer…

I also know (and expected) a security software to have sometimes false positive but then it depends what is targetting as a nasties and how long it takes for the compagnie to rectifie the situation. In this case, it could have ■■■■■ my backup utilities (and a security software making you vulnerables to nasties). I have to add that like mention before I received a email confirmation that the F/P was rectified and it is not. Let’s just say that it is kind of upsetting when you were use to an excellent support before when Boclean was still belonging to Kevin and Nancy (in less than one hour this problem will have been solved, now who knows!)…

Best regards,
Atomas31

the “gss.exe” false-positive was fixed with the update, last nite, but it is back, now, with the latest new update, dated 2008-1-22 14:04:58 UTC… i sent an email to comodo, notifying them about the false-positive…

i added the “gss.exe” file to BOClean’s “excluder” so BOC is not flagging the file, now…

update: well, that was f-a-s-t! after i finished posting, i ran the updater again and there was a new update, dated 2008-1-22 16:37:34 UTC, which fixed the false-positive!

thanks, Comodo! :slight_smile:

you know, maybe the reason we saw the false-positive is because comodo is on the cutting-edge with the malware-definitions…

i have a feeling that kevin mcaleavey is working on them, lately, which is a GOOD thing, if he is…

Hi atomas31 :slight_smile:

For your information : Telebanking software IS software used by home users to manage their bank accounts :wink:

About Kevin : If you want you can pm him to express your worries. But remember that with Comodo he is not only responsible for CBOClean but for CAVS as well. As far as I know he is now busy with the new Beta of CAVS and with re-coding CBOClean ( CBOClean 5.0 ??? ), but I expect we will see that only after the release of Vista SP1 :slight_smile:

Greetz. Red.

He must, i guess. As i remember, Kevin was happy cause he could have a more effiecent environment with the help of Comodo (but for a perfect answer, ask him). Also, as i know he’s working on CAVS as well.
I’m quite happy hearing that the FP is fixed :).
Ark

Well, after one or two last update that solve the problem, with the latest update (2008-01-23 - 15:45:46) The false positive about shadowprotectsvc.exe is back (:AGY)
It is now detected as BKDR -RBOT.JS

This is simply becoming ridiculous! Doesn’t Comodo test their update before releasing it? Now, they have no excuse to still detect shadowprotectsvc.exe has a malware since I have send them the file one or two days ago…

Hope they can solve this problem soon :THNK

Best regards,
Atomas31

Hello Atomas31,

It was indeed a false positive again and it has been fixed in a update a few moments ago. Thanks for taking the time in reporting to us about it. Much appreciated :). Sincere apologies for the inconvenience caused.

Thanks and Regards,
Baskar.

i figure that there must have been a good reason for “gss.exe” being flagged… if it was necessary in order for BOC to flag other malware that might have similar characteristics, that would have been fine with me… adding “gss.exe” to BOC’s “excluder” excluded “gss.exe” from being flagged…

i scanned for rootkits, recently, and i saw that “gss.exe” had some “hooks” similar to what rootkits would have, so my guess is that that was why it was being flagged… so, maybe it was good the way it was and we just needed to add “gss.exe” to BOC’s “excluder” so that it wouldn’t be flagged while malware with similar characteristics would be flagged… i hope y’all follow what i am saying… :slight_smile: whatever it was that was causing BOC to flag “gss.exe” might have been a good thing to have…