
grahamperrin

Immunet Insiders
  • Content Count: 83

Posts posted by grahamperrin


  1. Within version 4.0.10 of VirtualBox, the installer for guest additions for Windows places a file that suffers from false positive detection:

    \Program Files\Oracle\VirtualBox Guest Additions\VBoxWHQLFake.exe

    Affected: at least two machines. One running Windows XP, one 32-bit Windows 7.

    In the history interface of Immunet I see the file but not the name of the threat. Is that level of detail not saved in history? Lost after the pop-up is dismissed?

    Re Realtime protection with ClamAV on Windows: I recall that the name began with "W32.", so the detections were cloud-based.

    http://www.virtualbox.org/wiki/Downloads

    http://www.virtualbox.org/wiki/Changelog


  2. Running Immunet Plus 2.0.15.12 alongside (unsupported) Sophos Endpoint Security and Control 9.

    Booting from C: with Windows XP Professional Service Pack 3.

    (D: has outdated Windows Vista Enterprise but I rarely boot from that volume.)

    Following boot and log on to XP, a yellow shield signified an automated Microsoft Update. The shield disappeared after maybe 9% download complete, which made me suspicious.

    The machine seemed to be slower than usual (blue shield for Sophos didn't appear in good time, and I don't recall seeing the Immunet Protect icon in the tray) so I opted to (a) log out or (b) restart the OS (I can't remember which I did, sorry).

    Following log on to XP, Immunet Protect alerted me to quarantine of

    Gen:Trojan.Heur.wf@@YEnq1Lki

    relating to a file in a subdirectory of D:

    Looking at history in Immunet Protect, I wasn't immediately convinced so I ran Microsoft Update, found and installed a definition update for Windows Defender http://support.microsoft.com/kb/915597/en-gb (note, however, that Windows Defender is not enabled).

    I see nearby http://forum.immunet.com/index.php?/topic/313-false-positive-updating-windows-defender/

    False Positive Updating Windows Defender

    http://www.google.co.uk/search?q=%22Gen:Trojan.Heur.wf@@YEnq1Lki%22 finds nothing but

    http://www.google.co.uk/search?q=%22Gen:Trojan.Heur%22 finds topics in a BitDefender forum.

    Might this be a false positive involving TETRA?

    Screen shots attached.

    Whether the quarantined file, which has a .temp suffix to its name, is still on disk, I don't know …



  3. I tried uninstalling, restarting the OS, reinstalling

    not to C:\Program Files\Immunet Protect

    instead to previously populated C:\Program Files\ClamAV for Windows

    Installing as free, without a key, updating, failed.

    Uninstalled, restarted. Then remaining:

    Directory of C:\PROGRA~1\CLAMAV~1
    
    03/09/2010  16:18    <DIR>          .
    03/09/2010  16:18    <DIR>          ..
    29/06/2010  07:57    <DIR>          1.0.26
    30/08/2010  09:42    <DIR>          2.0.14
    03/09/2010  16:17           698,368 cache.db
    03/09/2010  16:17         6,300,672 history.db
    03/09/2010  16:18               450 immpro_install.log
    03/09/2010  16:14             3,260 local.xml
    09/06/2010  10:52    <DIR>          Quarantine
    03/09/2010  16:18    <DIR>          tetra
    03/09/2010  16:18    <DIR>          update
                  4 File(s)      7,002,750 bytes
                  7 Dir(s)  134,094,163,968 bytes free

    and C:\Program Files\ClamAV for Windows\immpro_install.log comprises:

    Sep 01 18:51:25: Setting Cleanup Event
    Sep 01 18:51:25: caSetUninstallFlag: Entering Launch Elevated
    Sep 01 18:51:25: ERROR: caSetUninstallFlag: Failed to open event.
    : 2 : The system cannot find the file specified.
    
    Sep 03 16:18:01: Setting Cleanup Event
    Sep 03 16:18:01: caSetUninstallFlag: Entering Launch Elevated
    Sep 03 16:18:01: ERROR: caSetUninstallFlag: Failed to open event.
    : 2 : The system cannot find the file specified.


  4. A very minor UI issue

    There could be better distinction between the 'layers'. Blue on blue and the patterned blue areas create a slightly mushy effect.

    In the example below the x at top right can, at a glance, be mistaken for the close box for Settings.

    [screen shot 001.png]

    If this were a web app, I'd imagine the background being dimmed or greyed.

    For a Windows app, I don't know what's best.

    UI issues can take a back seat, IMO. (Features and bug fixes/workarounds take priority.)

    Regards

    Graham

    PS I haven't followed any previous discussions on UI, sorry if this is covered elsewhere.


  5. In a little more detail, with screen shots …

    Sophos Anti-Virus is currently configured to alert (not quarantine), plus both of profos.sys and tufos.sys are explicitly authorised in all three areas (Suspicious files | Suspicious behaviour | Buffer overflow).

    http://www.wuala.com/%23%23ClamAV/009 shot 001 reminds me that when this machine first failed to update:

    * it broadly coincided with installation of the high priority Microsoft Update to Silverlight; AFAIR the completion of that one installation preceded the eventual failure of the update.

    * the Sophos shield was missing from the system tray notification area, and I saw no alerts (probably because of the shield's absence).

    * AFAIR I then found both profos.sys and tufos.sys not yet authorised in the Suspicious files and Buffer overflow areas, and only profos.sys (not tufos.sys) authorised in the Suspicious behaviour area — and so in Sophos I relaxed the HIPS behaviour and completed the authorisations.

    Screen shots 002 and 003 capture the failures whilst later logged in as centrimadmin, with both profos.sys and tufos.sys fully authorised in the three areas, and no new alerts, and nothing new in Sophos quarantine following the failures.


  6. Different from nearby http://forum.immunet.com/index.php?/topic/304-201512-code-19010-unable-to-install-updates-following-application-of-an-extended-plus-key-on-a-second-computer/ — the security layer on this computer includes Sophos Endpoint Security and Control — so I don't expect support on this one.

    Yesterday, AFAIR logged on to XP as administrator 'centrimadmin', I applied a key; then the resulting update/upgrade, including TETRA, succeeded.

    Today, logged on to XP as administrator 'gjp22' (also a member of the SophosAdministrator group):

    > Unable to install updates

    I tried logging out, logging on as centrimadmin to apply updates but still, no go.

    Sophos Anti-Virus is currently configured to alert (not quarantine), plus both of profos.sys and tufos.sys are explicitly authorised in all three areas (Suspicious files | Suspicious behaviour | Buffer overflow).
