ritchie58 Posted March 25, 2014
While launching the TDSSKiller anti-rootkit utility today I received several quarantine responses by the SPERO detection engine when the executable attempted to update from version 3.0.0.25 to 3.0.0.26. This is not normal, as I've never had any conflicts with this utility and Immunet before. Even after restoring 3.0.0.25, Immunet also attempted to quarantine the zip file (quarantine failed) for the new 3.0.0.26 build after downloading to C:\Users\Ritchie\Downloads\Software Installers. Since I place the .exe on my Desktop I used this exclusion, which seems to have corrected the problem for now: C:\Users\Ritchie\Desktop\TDSSKiller. With this exclusion added the TDSSKiller GUI will launch and a scan is possible. I have included the MD5-SHA256 for the newest build (see Images). Let me know if you would also like the SDT dump sent in.
OS: Win 7 Ultimate x64 SP1 - Immunet Plus version (TETRA enabled, ClamAV disabled): 3.1.8.9583
TDSSKiller 3.0.0.26 zip installer: tdsskiller3.0.0.26.zip
ritchie58 Posted March 25, 2014
I have also made several attempts to submit the FP at this Contact Us page but got a rather vague error message each time (see image). http://www.immunet.c...tact/index.html
ritchie58 Posted March 25, 2014
Forum member DimitriAus also had difficulty uploading a FP report at the same site. His thread can be found at the previous False Positives topic. He may not have archived the file in question to a .zip file prior to submission, as he didn't mention that though. The file I attempted to submit "WAS" a .zip file and I filled in all necessary text fields but still got the error message.
Jose Posted March 27, 2014
Hi Ritchie, That error in the Contact Us page might just cause me a heart attack. Thanks for the heads up. I think the pic you sent in is enough for what we need, but I'll let you know if otherwise. Thanks, -Jose
ritchie58 Posted March 27, 2014
LOL! Sure, no problem my friend, and don't have a heart attack man! Seriously though, thanks for looking into the issues and let me know if you need any additional data. Best wishes, Ritchie...
Robert G. Posted March 28, 2014
Since I use the free version I also use TDSSKiller as a root-kit scanner and would like to see this false positive corrected too.
ritchie58 Posted March 28, 2014
Hey Bob! I think Jose will take care of the issue now that he's aware of the situation.
Jose Posted March 31, 2014
It has been marked as clean, so let me know if anybody is still having this issue. (Was marked a few days ago, I just lost track of this thread). Cheers, -Jose
ritchie58 Posted April 1, 2014
Cool! Thanks Jose. I do have a Scheduled Scan in place where it scans my entire C:\ drive once a week, and SPERO did hit on the 3.0.0.25 installer with the same detection name that I have archived. I like to keep the previous installer of any software I'm using just in case.
Jose Posted April 1, 2014
Hi Ritchie, Just one sec: You hit a different detection on 3.0.0.25 as well? (Well, same detection name, but another hit I mean)? -Jose
ritchie58 Posted April 1, 2014
Yup, that's the case Jose. I took a screen shot. It's really no big deal though. I doubt I'd have a reason to revert back to the old build since version .26 is working without issues. I'm assuming it would be ok now to delete that exclusion I made for the .26 executable on my Desktop. One way to find out is to delete the exclusion and launch the program to see what happens, I guess. Deleted the exception and the .26 executable launched with no detection! Sweet! I did decide to delete the old .25 zip file so it wouldn't cause me any more problems, and another detection occurred when moving the file to the Recycle Bin. I did expect that to happen though, so I had Immunet delete the file after the quarantine response.
Jose Posted April 3, 2014
Hey, Both of these should be good now. Cheers, -Jose
ritchie58 Posted April 8, 2014
Got some bad news Jose. While attempting to update to the newest 3.0.0.30 version the exact same thing happened. While downloading the .zip file and moving the .exe to the Desktop I encountered the exact same quarantine responses with the same detection name as before (see images). Do you want me to run the Hash calculator for this build too? Something has to be done so future builds of TDSSKiller do not keep getting quarantined. This utility does get updated quite frequently! Cheers, Ritchie...
Jose Posted April 14, 2014
Ritchie: Just to let you know, we have cleared both .30 and .31 from this issue, and are having our response team look at this ASAP. Spero detections are slightly harder to fix, unfortunately. Cheers, -Jose
ritchie58 Posted April 14, 2014
Thanks so much for looking into this issue once again Jose! I do hope something can be done to avoid any further FPs in the future. Best wishes, Ritchie...
ritchie58 Posted April 22, 2014
Version .32 just got the same treatment! There's "got to be something" that can be done so future versions don't keep getting quarantined over and over again!