Softmaker Office 2006 F-prot Finds False Positive

yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

Softmaker Office 2006 F-prot Finds False Positive

#1 Post by yorkiesnorkie »

I'd downloaded Softmaker Office for use with WINE. I was working with f-prot today and doing a scan of my jump drive when I ran into this problem. When I scanned it with F-prot using fpscan at the command line, it identified the Windows installer as containing a password stealer. It can't be disinfected, only the exe deleted. This exe was downloaded from "http://www.softmakeroffice.com/".

Code:

# fpscan /mnt/sdb1/ofw06freefull.exe 

F-PROT Antivirus version 6.3.3.5015 (built: 2009-12-23T13-43-55)


FRISK Software International (C) Copyright 1989-2009
Engine version:   4.5.1.85
Arguments:        /mnt/sdb1/ofw06freefull.exe 
Virus signatures: 2010070313370d183ddccd8e5fb930be3de9119a6e16
                  (/usr/local/f-prot/antivir.def)

[Found password stealer] <W32/Pws.BQZG (exact)>         /mnt/sdb1/ofw06freefull.exe

Disinfect? (Y)es, (N)o, (A)ll yes, (I)gnore all, (Q)uit scan: Yes

[Warning] <Error closing file: Invalid argument>        /mnt/sdb1/ofw06freefull.exe
[Deleted]       /mnt/sdb1/ofw06freefull.exe


Results:

Files: 1
Skipped files: 0
MBR/boot sectors checked: 0
Objects scanned: 1
Infected objects: 1
Files with errors: 0
Disinfected: 1

Running time: 00:52
# 
False positive? Anyway, I'm going to run clamav on it and see what that reports.

*****
UPDATE
Another scan with Avast turned up nothing. So, this is most likely f-prot indicating a false positive.

Y.
Last edited by yorkiesnorkie on Thu 08 Jul 2010, 15:50, edited 1 time in total.
[url]http://www.busygamemaster.com[/url]

yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

Likely a false positive

#2 Post by yorkiesnorkie »

Hi,

I checked the same file, ofw06freefull.exe, over with Avast for Linux, and it didn't find anything. It may be that f-prot found a false positive.

Y.
[url]http://www.busygamemaster.com[/url]

Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#3 Post by Makoto »

You can also submit the file to VirusTotal, which will scan it using multiple AV engines/setups, to further narrow down the possibility of a false positive.
[ Puppy 4.3.1 JP, Frugal install ] * [ XenialPup 7.5, Frugal install ] * [XenialPup 64 7.5, Frugal install] * [ 4GB RAM | 512MB swap ]
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).
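A small helper, added here and not part of any poster's message or of F-PROT's own tooling, that pulls the detection name, match type and path out of an fpscan report like the one quoted above and computes a SHA-256 for the sample; VirusTotal can be searched by hash, so a large installer need not be uploaded to see what other engines say about it. The report text is the thread's own output, embedded as a constructed sample.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample: the fpscan report quoted in the thread, trimmed to the
# lines the parser cares about.
FPSCAN_REPORT = """\
F-PROT Antivirus version 6.3.3.5015 (built: 2009-12-23T13-43-55)
Engine version:   4.5.1.85
Virus signatures: 2010070313370d183ddccd8e5fb930be3de9119a6e16
[Found password stealer] <W32/Pws.BQZG (exact)>         /mnt/sdb1/ofw06freefull.exe
[Warning] <Error closing file: Invalid argument>        /mnt/sdb1/ofw06freefull.exe
[Deleted]       /mnt/sdb1/ofw06freefull.exe
Results:
Files: 1
Infected objects: 1
Disinfected: 1
"""

# One "[Found <kind>] <name (match)>   path" detection line.
DETECTION_RE = re.compile(
    r"^\[Found (?P<kind>[^\]]+)\] <(?P<name>[^ >]+)(?: \((?P<match>[^)]+)\))?>\s+(?P<path>\S+)$"
)
# "Key:   value" header and summary lines (Engine version, Files, ...).
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z/ ]+):\s+(?P<value>\S+)$")


@dataclass
class Detection:
    kind: str   # e.g. "password stealer"
    name: str   # signature name, e.g. "W32/Pws.BQZG"
    match: str  # match quality, e.g. "exact" (empty if absent)
    path: str   # scanned file


def parse_fpscan(report: str):
    """Return (detections, fields) extracted from fpscan's text report."""
    detections, fields = [], {}
    for line in report.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["kind"], m["name"], m["match"] or "", m["path"]))
            continue
        f = FIELD_RE.match(line)
        if f:
            fields[f["key"].strip()] = f["value"]
    return detections, fields


def sha256_hex(data: bytes) -> str:
    """Digest of the sample, suitable for a hash search on VirusTotal."""
    return hashlib.sha256(data).hexdigest()
```

Keep a copy of the file before letting a scanner delete it; once fpscan has removed the only copy, as happened above, there is nothing left to hash or to submit for a second opinion.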

yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

#4 Post by yorkiesnorkie »

Thanks for the link, quite useful. I'd probably submit the file, but given its size I think at this point, based on the Avast tests of both the zip archive and a scan of the Softmaker installation, that it is very unlikely it contains a trojan. Avast passes it. So, it's most likely a false positive. I'll pass that on to f-prot and let them worry about that. :D

However, thanks again for the useful link.

Y.
[url]http://www.busygamemaster.com[/url]
