Jump to content

Ad-Aware False Positive?

WDGC

By WDGC
in Malware Prevention and Security

 Share

Recommended Posts

WDGC

WDGC

Posted
Posted

I just ran a scan with Ad-Aware and was quite surprised to find 1 critical object had been found. First time ever.

Name:Spyware.AdvancedKeyLogger

Category:Spyware

Object Type:Process

Size:-

Location:C:\Program Files\Sygate\SPF\tse.dll

Last Activity:20-12-2005 9:37:47 AM

Relevance:High

TAC index:10

Comment:(CSI MATCH)

Description:Spyware.AdvancedKey is a keylogger that monoitors clipboard contents, and takes desktop

screenshots.

For further information one is directed to the "TAC page for Spyware.AdvancedKeyLogger" the URL of which is:

http://www.lavasoftnews.com/ms/display_mai...vancedKeyLogger

however this page is somewhat less than enlightening.

A search with Google for Spyware.AdvancedKeyLogger only found 4 instances, with only 2 of possible relevance. One is a Lavasoft blog showing Spyware.AdvancedKeyLogger is part of the latest definitions and the other is a French forum [in French] possibly saying something about a false alert.

Lavasoft blog

Fausse alerte - Spyware AdvancedKeylogger

The supposed location of Spyware.AdvancedKeyLogger - C:\Program Files\Sygate\SPF\tse.dll - seems rather odd, as tse.dll is a legitimate component of C:\Program Files\Sygate\SPF. What happens to the firewall if Ad-Aware quarantines or deletes "Spyware.AdvancedKeyLogger"?

MS AntiSpyWare, Spybot SD and AVG didn't detect anything and what the "Last Activity:20-12-2005 9:37:47 AM" entailed is beyond me.

I find it hard to believe something undesirable is present, but not having any experience of "critical objects", I'd appreciate the views of others on this matter.

.


suryad

suryad

Posted
Posted

I have had a false positive though I am not too sure with Pand Av online scan where it said there was a file called pinstall.dll in my windows directory but no matter what I did I just could not find it at all. I am not sure it if is a false positive or not actually. every search I did in google acknowledged that if there is a file with that name it would be in the Windows folder but there was nothing there and so I had to chalk it up to false postiveness.

WDGC

WDGC

Posted
  • Author
Posted

Since my previous message I have run the ewido anti-malware online scanner and it was completely clear.

http://www.ewido.net/en/

The tse.dll file present has the VeriSign digital signature and certificate.

Still, to be on the safe side, I suppose it is best to uninstall and re-install Sygate?

.

epic

epic

Posted
Posted

I tend to stress to consumers not to involve themselves with Ad-Aware... the software is known to flag legitimate applications as viruses and spyware.

As you stated you use MS AntiSpyWare, Spybot SD, I would recommend using SpywareBlaster and SpywareGuard with Microsofts antifpsyware and SpyBot.

WDGC

WDGC

Posted
  • Author
Posted
... Ad-Aware... the software is known to flag legitimate applications as viruses and spyware.

Since my last message I have sent the "1 New Critical Objects found" file - Location:C:\Program Files\Sygate\SPF\tse.dll - for online scanning at Virusscan and Virustotal.

Each reported tse.dll to be uninfected.

Ad-Aware continues to give the notification " Scan Complete, Summary: 1 New Critical Objects found", but I think this is almost certainly a false positive.

Your assertion "the software is known to flag legitimate applications as viruses and spyware." seems highly likely in this case.

Virusscan

Virustotal

.

WDGC

WDGC

Posted
  • Author
Posted (edited)

I also posted to an existing thread at CastleCops where a couple of similar instances have been reported.

CastleCops have informed Lavasoft of the issue.

Edited by WDGC
WDGC

WDGC

Posted
  • Author
Posted

Further to my other posts, yesterday I started another of my - mothballed - computers. This machine, Xp Home Edit. SP2, has not been used since mid-July - 5 months.

I ran an Ad-Aware scan with the existing [old] definitions and nothing was found. I then applied all necessary MS updates from a CD, connected to the internet [dial-up], updated the A-V program, updated Ad-Aware [sE1R82 19.12.2005] and scanned the system with Ad-Aware.

The result was exactly the same as with the every-day-used machine:

Name:Spyware.AdvancedKeyLogger

Category:Spyware

Object Type:Process

Size:-

Location:C:\Program Files\Sygate\SPF\tse.dll

Last Activity:25-12-2005 1:53:46 AM

Relevance:High

TAC index:10

Comment:(CSI MATCH)

Description:Spyware.AdvancedKey is a keylogger that monoitors clipboard contents, and takes desktop screenshots.

Last Activity:25-12-2005 1:53:46 AM is interesting - the system hadn't been running for 5 months until 9:30:01 AM, 25/12/2005

[Event Viewer, System entry]

Event Type: Information

Event Source: EventLog

Event Category: None

Event ID: 6005

Date: 25/12/2005

Time: 9:30:01 AM

User: N/A

Computer: WDGR

Description:

The Event log service was started.

I then subjected the system and tse.dll to the same tests and scans as reported before, with the same results - all clear.

The 2 computers referred to have never been connected or linked in any way. The Sygate installation on each is exactly the same - installed from the same CD to which I had written a copy of Sygate 5.5.2525 on 25/01/2004.

Whilst these results don't prove the Spyware.AdvancedKeyLogger detection is a false positive, I believe they further stregthen the evidence that such is the case.

.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...