Hi guys,
today I was scanning my PC with CCE when for the first time it showed me this key
hkey_local_machine\software\wow6432node\norton{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\ding\update
as a hidden key with high risk.
I have to say that:
- The PC was formatted two days ago and the scans with Norton, MalwareBytes and TDSS killer are clean
- Also the previous scans of CCE were clean…
- If I erase the key, Norton update doesn’t work
I think it’s a false positive but I’m not sure…
What do you think?
Thank you in advance
Luca
If erasing the key makes Norton Update not work then that proves to me it belongs to Norton and is legit. It is a false positive.
If only Comodo shows foxitupdater as malicious you can safely assume it is a false positive. If you can positively identify foxitupdater as belonging to Foxit Reader you can safely assume it is a false positive. In case the file is digitally signed by the publisher of Foxit you can check its signature. If the signature is OK then it is untouched.
I’m sure that they are false positives… I have reported them to Comodo…
I did a test… I did some restores of the whole system (with an image I made with Acronis True Image of the clean system) and:
- sometimes when Comodo scans the system it finds this key as dangerous
- sometimes Comodo doesn’t find the key dangerous (2 times)
strange thing
However, they are surely false positives
If you have something of Norton running in the background that could explain the discrepancies. If a rootkit scanner scans by comparing a raw look up and regular look up using the Windows API it may see a discrepancy when that key was accessed, created or deleted in between the two look ups.
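The race described in the last reply, as an added example that is not part of the thread and is not Comodo's code: a constructed Python simulation in which a legitimate key that is deleted and recreated between the raw and the API lookup looks hidden in one pass, while reporting only keys that are missing from the API view in every pass keeps the consistently hidden one. `FakeRegistry`, both key names and the repeat-pass confirmation are assumptions made for the illustration.

```python
# Constructed simulation; key names and the FakeRegistry class are hypothetical.
UPDATE_KEY = r"HKLM\SOFTWARE\ExampleVendor\Update"    # legitimate, churned by an updater
ROOTKIT_KEY = r"HKLM\SOFTWARE\ExampleHidden\Config"   # filtered out of API results


class FakeRegistry:
    def __init__(self, keys, api_filtered=()):
        self.keys = set(keys)
        self.api_filtered = set(api_filtered)

    def raw_view(self):
        """What parsing the hive data directly would return."""
        return set(self.keys)

    def api_view(self):
        """What the regular Windows API lookup would return."""
        return self.keys - self.api_filtered


def cross_view_pass(reg, updater_active=False):
    """Raw lookup, then API lookup; keys seen only in the raw view look 'hidden'."""
    raw = reg.raw_view()
    if updater_active:
        reg.keys.discard(UPDATE_KEY)   # updater deletes its key between the lookups
    api = reg.api_view()
    if updater_active:
        reg.keys.add(UPDATE_KEY)       # ...and recreates it right afterwards
    return raw - api


def confirmed_scan(reg, passes=3, busy_passes=(0,)):
    """Report only keys that are raw-only in every pass."""
    flagged = None
    for i in range(passes):
        found = cross_view_pass(reg, updater_active=i in busy_passes)
        flagged = found if flagged is None else flagged & found
    return flagged


def demo():
    reg = FakeRegistry({UPDATE_KEY, ROOTKIT_KEY, r"HKLM\SOFTWARE\Other"},
                       api_filtered={ROOTKIT_KEY})
    busy = cross_view_pass(reg, updater_active=True)   # transient false positive
    quiet = cross_view_pass(reg)                       # no background activity
    return busy, quiet, confirmed_scan(reg)


if __name__ == "__main__":
    for label, result in zip(("busy pass", "quiet pass", "confirmed"), demo()):
        print(label, sorted(result))
```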