Trojan in "Free IP Scanner"?

Hello,

I am using the newest version of COMODO Internet Security.
The ANTIVIRUS part says that there is a trojan in the following software:

Free IP Scanner 1.5

The Trojan is:
TrojWare.Win32.Trojan.Delf.fdm@842966

I am scared now, because the software was linked from one of my most trusted websites.
And I already used the “infected” software before.

Could you please check it?

Thank you very much!

Hi muhnwalker,

Hi,
When you have a detection it could be False Positive (error by the scanner) or infection (let’s hope not :slight_smile: ).
The procedure is pretty much common for any security software, which flagged something:
you have to send the file you have on your computer for analysis to the vendor of the software, which alerted you (in this case Comodo).
As far as I know the address for submission is malwaresubmit@avlab.comodo.com
The standard procedure is:
Put the file(s) into a passworded archive (Zip or RAR). Attach the archive to the email and don’t forget to place the password into the email body. You may write some comments or, better, send the extract from the report, so developers can see the precise file/registry names and locations and the exact detection name.

My regards

P.S.
As for checking the software as you requested by giving the link: it is physically impossible to download/install thousands of software packages users may have. Another few reasons why that doesn’t make sense:

  • Another version could be available at the time of download – that may not produce a detection because of code changes;
  • Database of signatures may change already;
  • Never forget about poisoning by 3rd party ant that may’ve happened on your PC only.
  • -etc. so precisely the code you currently have should be analyzed

Thanks, I have done it that way.

Another thing you can do is to run the IP Scanner component that CIS is detecting through Jotti & VirusTotal to ensure that it is a False Positive.

VirusTotal: 21/37 (56.76%)
http://www.virustotal.com/de/analisis/46a8535c5e85a5648beb6cd31ab2c7d8

Jotti is still running (AntiVir, AVG, ClamAV, F-Prot, Kaspersky, NOD32, … found nothing)

I’m still hoping it is a false alarm.
“Generic” and “Other” doesn’t sound very 100% :wink:

Check it with Camas too.

thanks
Melih

Thanks, everybody!

I contacted the author. He told me that the reason is that the program was compressed by using ASPack.

He sent the file to Avira, who rated it as FALSE POSITIVE.
Detection is removed from their virus definition file (VDF) with the version: 7.1.0.25.

Hi muhnwalker,

Initially you stated

… so that was a detection by Comodo AV
now you are saying

??? Well,… good for Avira users… but what about Comodo?
Have you got response from Comodo Lab, where you sent the file? … or file still being flagged by Comodo?

Another question is because of that. Are you running 2 (two) Antivirus Packages?
If so, you should use only one with its real-time Guard active;
the additional AV can be used as an on-demand scanner only, otherwise you may have conflicts
(not saying that scans will be extremely slow when onAccess feature of both are active)

My regards

I scanned it with CIS, it’s safe it says :slight_smile:

Xan

Hi eXPerience,

Thanks for reply.
Nice thing to know… but sure not because of Avira fix hehe! :slight_smile:
Hope muhnwalker will answer the question
Cheers

Hi SiberLynx,

The author of the infected software wrote to Avira.

I am using Comodo, and the new file is clean for Comodo, too.
I am using only ONE antivirus software ;D

Comodo did not answer my email yet.
But I will update this thread, if they do.

Thanks for reply, muhnwalker.

Well, it means that Comodo fixed that FP detection too.
Plus it would be 100% if you are saying that you are using the very same software and just rescanned after Comodo’s recent update :wink:

Cheers

Sorry I did not write this very clearly.
The author uploaded a new .exe without this ASPack compressing.

This one is clear.
The old one is still shown as infected by Comodo.
I can mail it, if someone wants it.

I have now moved it to a more correct place. Please follow these steps to report the FP.

Thanks

Xan

I wrote another mail just as described in the steps.

Thank you.

aha! new exe, but still needs Comodo’s investigation -different story.
Thanks for clarifying that. Cheers!

Still no answer from Comodo.

BUT the old, former “infected” exe is NOT shown as infected by Comodo anymore.
I have automatic updates on, so I think they fixed it.

Hi muhnwalker,
I will shortly get back to you on this. Sorry for delay.

Thanks
-umesh

Hi muhnwalker,
As of database version 619, this detection has been removed.

Thanks
-umesh

Hello umesh,

thank you very much!!