Gizmos Freeware Reviews  

Old 21. Sep 2010, 08:45 PM   #1 (permalink)
Member
 
Join Date: Aug 2010
Posts: 2
Default $69 Software Giveaway: Video Converter Ultimate

When I began to install this, my Comodo Internet Security popped up the following warning:
"A malicious item has been detected!
"Trojware.Win32.Buzus.vbf@101147784
"Location C:\Users\Appdata\.....\WS_AgentProcess.dll"

The file could not be disinfected.

I had Virustotal check out the installation file - 43 test sites (including Comodo) reported the file to be clean.

I am uncertain what to make of the conflicting results.
bluetongue is offline   Reply With Quote
Old 21. Sep 2010, 10:19 PM   #2 (permalink)
Member
 
Join Date: Aug 2010
Posts: 2
Default more information on trojan warning

The file reported as a trojan is C:\Users\username\AppData\Local\Temp\is-BL8U6.tmp\WS_AgentProcess.dll.

A VirusTotal scan of this file resulted in Comodo reporting it as a trojan and 42 other scanners reporting it as safe.
bluetongue is offline   Reply With Quote
Old 21. Sep 2010, 10:35 PM   #3 (permalink)
Been Here Since the Begin
 
kendall.a's Avatar
 
Join Date: Apr 2008
Location: Colorado, USA
Posts: 2,335
Default

If VirusTotal claims it is safe and the only one that says it isn't is Comodo, then in my opinion, it is a false-positive on Comodo's part.
__________________
Been here since the beginning.
kendall.a is offline   Reply With Quote
Old 22. Sep 2010, 06:18 AM   #4 (permalink)
Senior Member
 
Ritho's Avatar
 
Join Date: Apr 2008
Location: Planet Earth
Posts: 1,379
Default

Quote:
The file reported as a trojan is C:\Users\username\AppData\Local\Temp\is-BL8U6.tmp\WS_AgentProcess.dll.
When you run something through VirusTotal and you have just a positive or two, check to see what part of the security program detected it. If I remember right, it is reported under the program name. I have often seen it say it was detected by heuristics. If that is the case, then it is not a "true" detection like it would be if it was found based upon a signature. Heuristics detect based upon how a program acts, and that may be one reason why it can't be disinfected, because as far as I know it needs a signature to do that.

It could still be a real "zero day" virus, and in that case the heuristics are doing what they are supposed to. The best line of action is to quarantine that file and see if the program will still run without it.
__________________
The smallest good deed is better than the greatest intention.
Ritho is offline   Reply With Quote
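
Added example (not part of any post in this thread): a small Python triage of a multi-engine scan report along the lines Ritho describes, listing which engines flagged the file and whether the detection name carries a heuristic-style marker. The report data is constructed to mirror the 1-of-43 result above; the marker list and the two-hit threshold are assumptions, not any vendor's rules.

```python
from dataclasses import dataclass

# Assumption: substrings that often mark heuristic/generic detections.
# Naming differs per vendor, so a match is a hint, not proof.
HEURISTIC_MARKERS = ("heur", "generic", "gen:", "suspicious", "behav")

@dataclass
class Triage:
    detections: dict   # engine -> label, only engines that flagged the file
    total: int         # number of engines that scanned the file
    heuristic: dict    # engine -> True if the label looks heuristic

    @property
    def ratio(self):
        return f"{len(self.detections)}/{self.total}"

    @property
    def verdict(self):
        if not self.detections:
            return "no detections"
        if len(self.detections) <= 2:  # "a positive or two" (assumed cutoff)
            # Likely a false positive, but possibly a new threat caught
            # early: isolate the file rather than ignoring the alert.
            return "lone detection: quarantine file, test program without it"
        return "several engines agree: treat as a likely true detection"

def triage(report):
    """report maps engine name -> detection label, or None when clean."""
    hits = {e: label for e, label in report.items() if label}
    heur = {e: any(m in label.lower() for m in HEURISTIC_MARKERS)
            for e, label in hits.items()}
    return Triage(hits, len(report), heur)

def sample_report():
    # Constructed data: 42 placeholder engines report clean, Comodo flags
    # the DLL with the label quoted in the first post.
    report = {f"Engine{i:02d}": None for i in range(1, 43)}
    report["Comodo"] = "Trojware.Win32.Buzus.vbf@101147784"
    return report

if __name__ == "__main__":
    t = triage(sample_report())
    print(t.ratio, "-", t.verdict)
    for engine, label in t.detections.items():
        kind = "heuristic-style name" if t.heuristic[engine] else "no heuristic marker in name"
        print(f"  {engine}: {label} ({kind})")
```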
Old 22. Sep 2010, 09:24 AM   #5 (permalink)
Site Manager
 
MidnightCowboy's Avatar
 
Join Date: Aug 2008
Location: South American Banana Republic, third bunch from the left
Posts: 15,282
Default

I think it is also important not to just sit on such an event and do nothing else with it. Most vendors offer a system whereby suspicious files can be submitted for analysis and for the benefit of the community as a whole it is important that this facility is used.

Vendors can then either issue a signature to detect it as true malware or ignore it during future scans in the case of a proven false positive.
__________________
Buy a Hoover and prove technology sucks.
MidnightCowboy is online now   Reply With Quote
Old 25. Sep 2010, 03:51 AM   #6 (permalink)
Senior Member
 
bo.elam's Avatar
 
Join Date: Nov 2009
Posts: 1,714
Default

Quote:
Originally Posted by bluetongue View Post
The file reported as a trojan is C:\Users\username\AppData\Local\Temp\is-BL8U6.tmp\WS_AgentProcess.dll.

A VirusTotal scan of this file resulted in Comodo reporting it as a trojan and 42 other scanners reporting it as safe.
The VirusTotal results tell me that it most likely is a false positive, but it has happened before that when the file is executed, it then gets detected by your AV, even though your AV was quiet when the file was uploaded to VirusTotal. If I were you and #1 felt confident that the file is from a trusted company and #2 really wanted that program, then I would ignore the warning or exclude the file from being detected and install the program.
MC's recommendation to send the file to your AV is a must so they change the detection or confirm it. If they change it, great. If they don't and you want the program, then keep the exclusion.


Bo
bo.elam is offline   Reply With Quote
All times are GMT +1. The time now is 12:32 PM.

