
Thread: Ping: David

  1. #1
    Andy Walker Guest

    Ping: David


    I read this and thought I'd ask...

    >From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
    >Newsgroups: alt.privacy.spyware
    >References: <9paMk.144919$ZW7.67669@fe10.news.easynews.com>
    >Subject: Re: Would someone please do a virus can on this file for me
    >Date: Tue, 2 Dec 2008 19:01:12 -0500
    >From: "Rotten Ronny" <rotten@ronny.here>
    >
    >| At this link
    >| http://sourceforge.net/project/showf...kage_id=205228
    >| this file bs2b_winamp-2.1.0-bin.zip comes up as a Trojan in the Avast scan.
    >| I'm fairly certain it is a false positive but would appreciate if someone
    >| would confirm that for me with a different AV scanner.
    >
    >
    >UPDATE:
    >
    >This appears to be a MASS False Positive.
    >
    >AV vendors are now retracting their declarations of this being malware and several AV
    >vendors are looking at how and why this was falsely declared as malware.


    Do you have any further info about the "Mass false positive"? I'm
    interested in what would have caused so many vendors to determine that
    the file was malicious.

    Best regards,
    Andy

  2. #2
    David H. Lipman Guest

    Re: Ping: David

    From: "Andy Walker" <awalker@nspank.invalid>


    | Do you have any further info about the "Mass false positive"? I'm
    | interested in what would have caused so many vendors to determine that
    | the file was malicious.

    | Best regards,
    | Andy

    That is a good question and may be hard to answer. The file in question is a Bauer
    stereophonic-to-binaural DSP and was not malicious.

    What *may* be the case here was software that is used to automatically detect malware in
    suspect files used by anti malware vendors. It was only after examination of the source
    code, disassembly and full examination by human researchers was the file deemed non
    malicious and the signatures indicating otherwise were removed.

    I can't say directly why this happened. I can say that I reported the file in a closed
    forum where researchers were able to specifically examine the file and one person
    championed the cause to have the False Positive declarations removed.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  3. #3
    Andy Walker Guest

    Re: Ping: David

    David H. Lipman wrote:

    >From: "Andy Walker" <awalker@nspank.invalid>
    >
    >
    >| Do you have any further info about the "Mass false positive"? I'm
    >| interested in what would have caused so many vendors to determine that
    >| the file was malicious.
    >
    >| Best regards,
    >| Andy
    >
    >That is a good question and may be hard to answer. The file in question is a Bauer
    >stereophonic-to-binaural DSP and was not malicious.
    >
    >What *may* be the case here was software that is used to automatically detect malware in
    >suspect files used by anti malware vendors. It was only after examination of the source
    >code, disassembly and full examination by human researchers was the file deemed non
    >malicious and the signatures indicating otherwise were removed.
    >
    >I can't say directly why this happened. I can say that I reported the file in a closed
    >forum where researchers were able to specifically examine the file and one person
    >championed the cause to have the False Positive declarations removed.


    It would be interesting to see the origination of the signature
    involved and find out what the original target of the signature was,
    but I know that is unlikely to happen in an open forum...so I won't
    ask. ;-)

    Thanks for the info and thanks for helping validate the plugin - which
    appears to be a useful free tool.

    Regards,
    Andy
