Topic: Spybot false positive on Vortex

[-<WillyP>-]

Update: Spybot has confirmed that there have been some false positives. They have promised a fix in the next detection rules update.

If you are running the popular anti-spyware program Spybot Search and Destroy, you may recently have gotten blocked from using Vortex. Spybot will shut down a process immediately if it detects a threat, and, by default delete the infected file. Yesterday I went to open Vortex and spybot alerted me to the presence of RBot.skp. I deleted my entire Vortex folder and reinstalled from a fresh download. No go! Some research on RBot.skp shows it to be a root-kit Trojan, very serious infection indeed.

I was very glad to have found out that some users have reported a false positive on RBot.skp. Spybot has confirmed the false positve. Multiple scans with many different programs all show my machine is clean. However considering the very serious nature of this Trojan, I will, and advise anyone else, not to use Vortex it is confirmed and repaired as a false positive.

I'll update this topic as I learn more.

Update: From the Spybot Team

I can confirm this false positive.
The reason for this false positive is a different one. An erroneous detection rule flags all executable files that have a file size between 100000 and 1100000 byte, with no version information, no digital signature and file section properties that also match to some upx packed executables.

A fix will be provided with the next detection update.
You can tell TeaTimer to ignore/allow the detected file permanently, the same goes for the download file scan within Spybot S&D.
If you need a fixed detection file you can contact us via email and we will send it to you.

[D2Disciple]

Much thanks for this notice!

[Thomas]

WillyP,

it is the other way round. Never trust any anti-virus software when it finds a virus, trojan, or worm, unless you can confirm that yourself.

Look at it logically: If there was something wrong with Vortex you'd not be the first and last one to spot it.

This is clearly a false-positive, and your AV software developers should get smacked for this error, as every other AV software developers should.

A good verification source is http://www.virustotal.com .

Just upload any suspicious file and let it get checked by a lot of virus scanners at the same time. If you get warnings all over the place you should worry. If you only get one warning, then it is very hard to believe that all the other scanners are not good enough to find the issue. It is rather very likely that the one with the warning had again an apprentice working on the virus definitions, which seem to be very common for AV vendors these days.

By the way, that one (http://www.dateiliste.com/en/descent-3/6-descent-3-files-section/74-startsp-a-wrapper-for-qdescent-3exeq.html) was on the list last month, and it took Avast a few days and McAfee almost 4 weeks to rectify their bodges. Idiots! What else can I say?

Very annoying, I can tell you. All the complaints I received telling me that I'm spreading viruses, just because Avast and McAfee have hired bar staff instead of software developers...

[Thomas]

However considering the very serious nature of this Trojan, I will, and advise anyone else, not to use Vortex it is confirmed and repaired as a false positive.

I think this advice is quite inappropriate. It should more likely read "Don't use Spybot Search and Destroy if your problems persists" (as usual). 

http://www.virustotal.com/analisis/b2555aec4450dd903340e9916d52de39816bb2d8b220d6a984d6ee46941b50f1-1258936557

[Thomas]

...and here's the one for StartSP from the middle of October, after Avast had fixed their issues already, but the tea break in McAfee's office took a few weeks longer:

http://www.virustotal.com/analisis/3f03f5b8e44c43d0fe525b6e53c0b25a93342dcccedcc0469e8874ab39a489d9-1255543169

[-<WillyP>-]

Thomas, I disagree, and you did not read the update I posted. Spybot has confirmed a false positive, Vortex is safe to use. But if you at all suspect a trojan, you need to insure you have either removed it, or it is a false positive. If everytime you get a hit from an anti-virus you shut off your antivirus, what's the point of having anti-virus? That just does not make sense!

However, I will change my original post to make the issue more clear.  

And thanks for the tip about virustotal.com, I had never heard of that.

And about your comments on the programmers... when a new virus, trojan, or whatever is released, time is of the essence. It's critical to get the new virus definitions released as soon as possible to minimize the spread. C'mon now, everybody makes mistakes! Most initial releases of software is full of bugs.

Also I never claimed Vortex shipped with a virus, in fact, I thought that somehow I had gotten it, and it was being activated by something in Vortex. I am not a programmer and I am not sure how, or if that would work.

[SaladBadger]

The only way vortex could activate the virus from another source is if one of the Dynamic Link Libraries it links to is affected. But then the virus would be found there, and other software would likely trigger it.

[-<WillyP>-]

Perhaps someone could write a better article about keeping your computer clean. Either a soupe or another page. Then I could remove this entire topic.

[Thomas]

I'm certainly not the right person to write about virus scanners.

I'm not even running one myself on any of my computers, and neither do I have a firewall. The latter is usually not required for average computer users anyway.

Probably the best security advices are to run the operating system's update daily and don't trust sofware if you don't know where it's coming from.

[-<WillyP>-]

There isn't any software that I know where it is from.

[Scyphi]

Techpro had better not see this thread, or you're going to get an earful, Thomas.

[TechPro]

OK, I saw the thread.   Surprise! I'm not going to give Thomas an earful about his take on the need for firewalls.  I know enough about Thomas to know he can take care of himself.

Since the subject was brought up ... I suppose I should describe my thoughts about firewalls and anti-virus software ...

It boils down to this:  Firewalls do indeed provide a good and valid service.  However it is also true that the "average" user does not have much need for a firewall ... so long as that average user is fortunate to not get targeted by any malicious malware/spyware/hackers (it does happen, rare, but happens).  You'll find that in nearly all cases where "average" users get their systems "mucked up" the presence of a firewall wouldn't have stopped most of the problem anyway because the user usually did the damage to themselves by poor choice of Internet activity.  Thus you can reason that the "average" user is not required to run a firewall.

I prefer to err on the side of caution.  I've seen where firewalls did a good and valid service for "average" users and so I encourage firewalls but I don't lose much sleep over it because most users (not all, but most) happen to be connecting through a router and/or Internet connection that provides a hardware firewall ... that coincidentally handles the firewall job very well (and in some cases better), the job that the software firewall on the computer is supposed to do.  That's why I don't lose any sleep over the fact that three of the computers in my house are not running any firewall because for those computers it isn't required (it would be good, but not required).

As for anti-virus software ...
This is the item where I'll agree to disagree with Thomas.  Every computer should have a good (or at least decent) anti-virus software on it.  Every year I make a fair amount of pocket change on the side from cleaning up systems that got infected because the system wasn't protected from a computer virus due to non-updated, not-functioning, or not present anti-virus software.  I highly recommend everyone use one, and be sure it's a good one.

Now if someone doesn't want to use one, that's OK.  When they need my assistance, I know how to bill for my time.

[-<WillyP>-]

I have both a software and hardware firewall, the software firewall watches stuff after I have already downloaded it, and pops up saying, for example, 'xyz is unknown and is attempting to modify protected key abc. If xyz is one of your everyday programs you may safely allow this' or some such. Then I can block it, allow it, treat it as an updater or installer, etc... Occasionally it will pop up and tell me something is going on that has nothing to do with what I am doing, so I Google the file that is initiating the action... usually it turns out to be an update or something running in the background.

Anyway... My thinking about having both hard and soft firewall is this: The hardware firewall protects all the machines on my home network. My kids have there own machine, and I give them a lot of latitude with it. There is no critical data, no online banking, or anything like that on it. Nor do they have admin privlidges on it. But they do download and install games and stuff, and I have found spy-ware and mal-ware on it occasionally. So I don't want anything to infect my machine or my wife's laptop, so we also run firewalls on our own machine.

[Thomas]

@TechPro:
I could partly agree with your AV attitude if you could answer the question about what a "good (or at least decent)" virus scanner is. I have yet to see one. They are all good and crap at the same time. AV software is a money-making machine with people's fear. That's why the salesman at PCWorld tries to sell you a scanner at the checkout, although you can download enough products for free.

My software is claimed to contain worms and trojans several times a year. Very often it's just the installer (NSIS or Inno Setup) that brings up a warning or is automatically deleted by AV software that should have remained in the drawer instead of being thrown at poor users.

Name an AV product and I'll find you on Google what it did, but I guess you can find it yourself in the same way. Kaspersky (alledgedly one of the best scanners ever, because written in Assembler) for instance wiped out entire Windows systems last year by deleting a vital file.

Going through the list of the most dangerous viruses/worms/trojans found during the last few months, all virus scanners were useless if the users' systems weren't patched properly. This fits my experience too. Daily patching of Windows and browsers/browser plugins is more important than the "best" virus scanner, which simply doesn't exist.

As noted before, you can always use Virustotal if in doubt, because this is a tool that gives you a proper overview of a bunch of scanners and not just the one you may be running.

@WillyP:
You should be aware of the fact that the Windows firewall as well as most others (including ZoneAlarm) provide APIs and tricks for software to create entries in their exception lists, rendering software firewalls absolutely useless if the malicious software is smart enough. Ah, well, of course without any user interaction. You won't get a nice warning. Sorry to have to tell you that.

A software firewall only makes sense if you got a machine directly connected to the internet (without a router). But then, patching the OS is still more important, hence you can as well turn it off immediately and save yourself some headache. It doesn't do what it claims or what you think it does. Sorry again to having to disappoint you here.

For your kids' computers: Turn off the firewalls, download one of the free AV and malware scanners, turn on the real-time scan (some companies call it "guards" or similar promising), make sure it updates at least daily (and without interaction - otherwise your kids might cancel it), and do the same for the operating system and browsers/browser plugins, if available. That works certainly better than any other precaution. The real-time scan is important because kids tend to download and click on everything they can reach. Remove the IE icon from the startmenu and desktop and install Firefox. This is because of the regular Active-X threats that come out once a month. Make sure Firefox updates daily, because it is not much better than any other browser. It's only not targeted as often as IE, according to the stats.
The same goes for many inexperienced users, so prepare you parents' computer(s) in the same way.

[-<WillyP>-]

I already have Spybot and AVG set up on the kid's machine, they run real time, and scan, auto updated, every alternate day. I use Commodo firewall. My mom has a laptop but there is no internet connection in her town so she only goes online at the library where she works. The have a satellite dish there.

I also have Trend Micro RUBotted on my machine. I also have a few others I run randomly.

I just elevated Curt's account to administrator because I got tired of having to type my password for him to run Vortex as admin, and another game that wouldn't run. But mostly they play browser games, they use FireFox.