New Tdsskiller False Positives & Contact Us Error Message


15 replies to this topic

#1 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,962 posts
  • Location: Oil City, Pa. U.S.A.

Posted 25 March 2014 - 09:26 PM

While launching TDSSKiller anti-rootkit utility today I received several quarantine responses by the SPERO detection engine when the executable attempted to update from version 3.0.0.25 to 3.0.0.26. This is not normal as I've never had any conflicts with this utility and Immunet before. Even after restoring 3.0.0.25 Immunet also attempted to quarantine the zip file (quarantine failed) for the new 3.0.0.26 build after downloading to C:\Users\Ritchie\Downloads\Software Installers. Since I place the .exe on my Desktop I used this exclusion which seems to have corrected the problem for now, C:\Users\Ritchie\Desktop\TDSSKiller. With this exclusion added the TDSSKiller GUI will launch and a scan is possible.

I have included the MD5-SHA256 for the newest build (see Images). Let me know if you would also like the SDT dump sent in.

OS: Win 7 Ultimate x64 SP1 - Immunet Plus version (TETRA enabled, ClamAV disabled): 3.1.8.9583

TDSSKiller 3.0.0.26 zip installer: Attached File  tdsskiller3.0.0.26.zip   3.92MB   2 downloads

Attached File  TDSSKiller 3.0.0.25 - 3.0.0.26 False Positives.jpg   102.24KB   18 downloads
Attached File  TDSSKiller 3.0.0.26 Zip File FP Popup.jpg   20.38KB   30 downloads


* Immunet Global Forum Moderator *


#2 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,962 posts
  • Location: Oil City, Pa. U.S.A.

Posted 25 March 2014 - 10:06 PM

I have also tried several attempts to submit the FP at this Contact Us page but got a rather vague error message each time (see image). http://www.immunet.c...tact/index.html


Attached File  Contact Us FP Upload Error Message.jpg   13.05KB   9 downloads

* Immunet Global Forum Moderator *


#3 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,962 posts
  • Location: Oil City, Pa. U.S.A.

Posted 25 March 2014 - 10:49 PM

Forum member DimitriAus also had difficulty uploading a FP report at the same site. His thread can be found at the previous False Positives topic. He may not have archived the file in question to a .zip file prior to submission as he didn't mention that though. The file I attempted to submit "WAS" a .zip file and I filled in all necessary text fields but still got the error message.

* Immunet Global Forum Moderator *


#4 Jose

Jose

    Advanced Member

  • Administrators
  • 104 posts

Posted 27 March 2014 - 02:33 PM

Hi Ritchie,

That error in the Contact Us page might just cause me a heart attack.

Thanks for the heads up.

I think the pic you sent in is enough for what we need, but I'll let you know if otherwise.

Thanks,

-Jose

#5 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,962 posts
  • Location: Oil City, Pa. U.S.A.

Posted 27 March 2014 - 10:52 PM

LOL! Sure, no problem my friend and don't have a heart attack man! Seriously though, thanks for looking into the issues and let me know if you need any additional data.

Best wishes, Ritchie...

* Immunet Global Forum Moderator *


#6 Robert G.

Robert G.

    Newbie

  • Members
  • 7 posts

Posted 28 March 2014 - 12:18 AM

Since I use the free version I also use TDSSKiller as a root-kit scanner and would like to see this false positive corrected too.

Edited by Robert G., 28 March 2014 - 12:20 AM.


#7 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,962 posts
  • Location: Oil City, Pa. U.S.A.

Posted 28 March 2014 - 12:35 AM

Hey Bob! I think Jose will take care of the issue now that he's aware of the situation.

* Immunet Global Forum Moderator *


#8 Jose

Jose

    Advanced Member

  • Administrators
  • 104 posts

Posted 31 March 2014 - 04:41 PM

It has been marked as clean, so let me know if anybody is still having this issue. (Was marked a few days ago, I just lost track of this thread).

Cheers,

-Jose

#9 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,962 posts
  • Location: Oil City, Pa. U.S.A.

Posted 01 April 2014 - 07:40 AM

Cool! Thanks Jose. I do have a Scheduled Scan in place where it scans my entire C:\ drive once a week and SPERO did hit on the 3.0.0.25 installer with the same detection name that I have archived. I like to keep the previous installer of any software I'm using just in case.

* Immunet Global Forum Moderator *


#10 Jose

Jose

    Advanced Member

  • Administrators
  • 104 posts

Posted 01 April 2014 - 04:34 PM

Hi Ritchie,

Just one sec: You hit a different detection on 3.0.0.25 as well? (Well, same detection name, but another hit, I mean?)

-Jose

#11 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,962 posts
  • Location: Oil City, Pa. U.S.A.

Posted 01 April 2014 - 10:12 PM

Yup, that's the case Jose. I took a screenshot. It's really no big deal though. I doubt I'd have a reason to revert back to the old build since version .26 is working without issues. I'm assuming it would be ok now to delete that exclusion I made for the .26 executable on my Desktop. One way to find out is delete the exclusion and launch the program to see what happens I guess.

Deleted the exception and the .26 executable launched with no detection! Sweet! I did decide to delete the old .25 zip file so it wouldn't cause me any more problems and another detection occurred when moving the file to the Recycle Bin. I did expect that to happen though so I had Immunet delete the file after the quarantine response.

Attached File  TDSSKiller 3.0.0.25 SPERO Detection - Software Installers Folder.jpg   75.13KB   4 downloads

Edited by ritchie58, 01 April 2014 - 11:09 PM.
Tried Program without Exclusion

* Immunet Global Forum Moderator *


#12 Jose

Jose

    Advanced Member

  • Administrators
  • 104 posts

Posted 03 April 2014 - 04:28 PM

Hey,

Both of these should be good now.

Cheers,

-Jose

#13 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,962 posts
  • Location: Oil City, Pa. U.S.A.

Posted 08 April 2014 - 11:26 PM

Got some bad news Jose. While attempting to update to the newest 3.0.0.30 version the exact same thing happened. While downloading the .zip file and moving the .exe to the Desktop I encountered the exact same quarantine responses with the same detection name as before (see images). Do you want me to run the Hash calculator for this build too? Something has to be done so future builds of TDSSKiller do not keep getting quarantined. This utility does get updated quite frequently!

Cheers, Ritchie...

Attached File  TDSSKiller 3.0.0.30 .zip False Positive.jpg   20.99KB   4 downloads
Attached File  TDSSKiller 3.0.0.30 Desktop .exe False Positive.jpg   122.51KB   3 downloads

* Immunet Global Forum Moderator *


#14 Jose

Jose

    Advanced Member

  • Administrators
  • 104 posts

Posted 14 April 2014 - 05:07 PM

Ritchie:

Just to let you know, we have cleared both .30 and .31 from this issue, and are having our response team look at this ASAP.

Spero detections are slightly harder to fix unfortunately.

Cheers,

-Jose

#15 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,962 posts
  • Location: Oil City, Pa. U.S.A.

Posted 14 April 2014 - 09:02 PM

Thanks so much for looking into this issue once again Jose! I do hope something can be done to avoid any further FP's in the future.

Best wishes, Ritchie...

* Immunet Global Forum Moderator *


#16 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,962 posts
  • Location: Oil City, Pa. U.S.A.

Posted 22 April 2014 - 11:07 PM

Version .32 just got the same treatment! There's "got to be something" that can be done so future versions don't keep getting quarantined over and over again!

Attached File  TDSSKiller 3.0.0.32 SPERO Detection.jpg   116.9KB   1 downloads

* Immunet Global Forum Moderator *
