Jump to content

Ad-Aware False Positive?


WDGC
 Share

Recommended Posts

I just ran a scan with Ad-Aware and was quite surprised to find 1 critical object had been found. First time ever.

Name:Spyware.AdvancedKeyLogger

Category:Spyware

Object Type:Process

Size:-

Location:C:\Program Files\Sygate\SPF\tse.dll

Last Activity:20-12-2005 9:37:47 AM

Relevance:High

TAC index:10

Comment:(CSI MATCH)

Description:Spyware.AdvancedKey is a keylogger that monoitors clipboard contents, and takes desktop

screenshots.

For further information one is directed to the "TAC page for Spyware.AdvancedKeyLogger" the URL of which is:

http://www.lavasoftnews.com/ms/display_mai...vancedKeyLogger

however this page is somewhat less than enlightening.

A search with Google for Spyware.AdvancedKeyLogger only found 4 instances, with only 2 of possible relevance. One is a Lavasoft blog showing Spyware.AdvancedKeyLogger is part of the latest definitions and the other is a French forum [in French] possibly saying something about a false alert.

Lavasoft blog

Fausse alerte - Spyware AdvancedKeylogger

The supposed location of Spyware.AdvancedKeyLogger - C:\Program Files\Sygate\SPF\tse.dll - seems rather odd, as tse.dll is a legitimate component of C:\Program Files\Sygate\SPF. What happens to the firewall if Ad-Aware quarantines or deletes "Spyware.AdvancedKeyLogger"?

MS AntiSpyWare, Spybot SD and AVG didn't detect anything and what the "Last Activity:20-12-2005 9:37:47 AM" entailed is beyond me.

I find it hard to believe something undesirable is present, but not having any experience of "critical objects", I'd appreciate the views of others on this matter.

.

Link to comment
Share on other sites


I have had a false positive though I am not too sure with Pand Av online scan where it said there was a file called pinstall.dll in my windows directory but no matter what I did I just could not find it at all. I am not sure it if is a false positive or not actually. every search I did in google acknowledged that if there is a file with that name it would be in the Windows folder but there was nothing there and so I had to chalk it up to false postiveness.

Link to comment
Share on other sites

I tend to stress to consumers not to involve themselves with Ad-Aware... the software is known to flag legitimate applications as viruses and spyware.

As you stated you use MS AntiSpyWare, Spybot SD, I would recommend using SpywareBlaster and SpywareGuard with Microsofts antifpsyware and SpyBot.

Link to comment
Share on other sites

... Ad-Aware... the software is known to flag legitimate applications as viruses and spyware.

Since my last message I have sent the "1 New Critical Objects found" file - Location:C:\Program Files\Sygate\SPF\tse.dll - for online scanning at Virusscan and Virustotal.

Each reported tse.dll to be uninfected.

Ad-Aware continues to give the notification " Scan Complete, Summary: 1 New Critical Objects found", but I think this is almost certainly a false positive.

Your assertion "the software is known to flag legitimate applications as viruses and spyware." seems highly likely in this case.

Virusscan

Virustotal

.

Link to comment
Share on other sites

Further to my other posts, yesterday I started another of my - mothballed - computers. This machine, Xp Home Edit. SP2, has not been used since mid-July - 5 months.

I ran an Ad-Aware scan with the existing [old] definitions and nothing was found. I then applied all necessary MS updates from a CD, connected to the internet [dial-up], updated the A-V program, updated Ad-Aware [sE1R82 19.12.2005] and scanned the system with Ad-Aware.

The result was exactly the same as with the every-day-used machine:

Name:Spyware.AdvancedKeyLogger

Category:Spyware

Object Type:Process

Size:-

Location:C:\Program Files\Sygate\SPF\tse.dll

Last Activity:25-12-2005 1:53:46 AM

Relevance:High

TAC index:10

Comment:(CSI MATCH)

Description:Spyware.AdvancedKey is a keylogger that monoitors clipboard contents, and takes desktop screenshots.

Last Activity:25-12-2005 1:53:46 AM is interesting - the system hadn't been running for 5 months until 9:30:01 AM, 25/12/2005

[Event Viewer, System entry]

Event Type: Information

Event Source: EventLog

Event Category: None

Event ID: 6005

Date: 25/12/2005

Time: 9:30:01 AM

User: N/A

Computer: WDGR

Description:

The Event log service was started.

I then subjected the system and tse.dll to the same tests and scans as reported before, with the same results - all clear.

The 2 computers referred to have never been connected or linked in any way. The Sygate installation on each is exactly the same - installed from the same CD to which I had written a copy of Sygate 5.5.2525 on 25/01/2004.

Whilst these results don't prove the Spyware.AdvancedKeyLogger detection is a false positive, I believe they further stregthen the evidence that such is the case.

.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.


×
×
  • Create New...