$69 Software Giveaway: Video Converter Ultimate

[bluetongue]

When I began to install this my Comodo Internet Security popped up the following warning
"A malicious item has been detected!
"Trojware.Win32.Buzus.vbf@101147784
"Location C:\Users\Appdata\.....\WS_AgentProcess.dll"

The file could not be disinfected.

I had Virustotal check out the installation file - 43 test sites (including Comodo) reported the file to be clean.

I am uncertain what to make of the conflicting results.

[bluetongue]

The file reported as a trojan is C:\Users\username\AppData\Local\Temp\is-BL8U6.tmp\WS_AgentProcess.dll.

A VirusTotal scan of this file resulted in Comodo reporting it as a trojan and 42 other scanners reporting it as safe.

[kendall.a]

If VirusTotal claims it is safe and the only one that says it isn't is Comodo, then in my opinion, it is a false-positive on Comodo's part.

[Ritho]

Quote:

The file reported as a trojan is C:\Users\username\AppData\Local\Temp\is-BL8U6.tmp\WS_AgentProcess.dll.

When you run something through virustotal and you have just a positive or two, check to see what part of the security program detected it. If I remember right it is reported under the program name. I have often seen it say it was detected by heuristics. If that is the case then it is not a "true" detection like it would be if it was found based upon a signature. Heuristics detect based upon how a program acts, and that may be one reason why it can't be disinfected because as far as I know it needs a signature to do that.

It could still be a real "zero day" virus and in that case the heuristics is doing what it is supposed to. The best line of action is to quarantine that file and see if the program will still run without it.

[MidnightCowboy]

I think it is also important not to just sit on such an event and do nothing else with it. Most vendors offer a system whereby suspicious files can be submitted for analysis and for the benefit of the community as a whole it is important that this facility is used.

Vendors can then either issue a signature to detect it as true malware or ignore it during future scans in the case of a proven false positive.

[bo.elam]

Quote:

Originally Posted by bluetongue

The file reported as a trojan is C:\Users\username\AppData\Local\Temp\is-BL8U6.tmp\WS_AgentProcess.dll.

A VirusTotal scan of this file resulted in Comodo reporting it as a trojan and 42 other scanners reporting it as safe.

The Virus Total results tell me that most likely is a false positive but
it has happened before that when the file is executed, then it gets
detected by your AV, even though your AV was quiet when the file
was uploaded to Virus Total. If I was you and #1 Feel confident that
the file is from a trusted company and # 2 Really wanted that program,
then I would ignore the warning or exclude the file from being detected
and install the program.
MC s recommendation to send the file to your AV is a most so they
change the detection or confirm it. If they change it, great. If they
don't and you want the program, then keep the exclusion.


Bo