Ping: Art - Some Help Needed - F-Prot
#1
Guest

Hi Art or Frederic or whoever LOL!

I am having a problem with F-Prot for DOS finding infected files within the latest (6/25 and 6/26) Norton Anti Virus 2001 virus definitions.

I'm using the latest version of F-Prot for DOS (3.13) with updated macro and def files. Set to scan compressed, archives and heuristic...

The files being flagged as being infected with a "new or modified variant of Trivial" are these:

C:\Program Files\Common Files\Symantec\Virus Def\20030625.19/HH-/pocketpcdefs1.zip\savce.def

And

C:\Program Files\Common Files\Symantec\Virus Def\20030626.19/HH-/pocketpcdefs1.zip/savce.def

This is happening on both my WinME desktop and Win9SE laptop. Same 2 Norton AV files being flagged.

My Norton 2001 scan shows clean
TrendMicro Housecall scan shows clean
PandaScan shows clean
TrojanHunter 3.5 shows clean

F-prot is also flagging a file on my WinME desktop:

C:\Windows\System\Restore\Temp\A0045114.cpy

Says it "could be a boot sector virus dropper"

I cleared all my restore points and rebooted a few times, ran F-Prot and I got another message about the same problem in a new restore .cpy file.

Any help, advice or ideas?

Thank you,
+- --

#2
Guest

Add Subtract wrote:

> I am having a problem with F-Prot for DOS finding infected files within
> the latest (6/25 and 6/26) Norton Anti Virus 2001 virus definitions.
>
> I'm using the latest version of F-Prot for DOS (3.13) with updated macro
> and def files. Set to scan compressed, archives and heuristic...

The latest version is 3.13a though it will probably be replaced by 3.14 soon.

> The files being flagged as being infected with a "new or modified
> variant of Trivial" are these:
>
> C:\Program Files\Common Files\Symantec\Virus
> Def\20030625.19/HH-/pocketpcdefs1.zip\savce.def
>
> And
>
> C:\Program Files\Common Files\Symantec\Virus
> Def\20030626.19/HH-/pocketpcdefs1.zip/savce.def

Trivial is a family of extremely simple DOS viruses. These are false alerts.

> This is happening on both my WinME desktop and Win9SE laptop. Same 2
> Norton AV files being flagged.
>
> My Norton 2001 scan shows clean
> TrendMicro Housecall scan shows clean
> PandaScan shows clean
> TrojanHunter 3.5 shows clean

I suggest you contact f-prot@f-prot.com.

> F-prot is also flagging a file on my WinME desktop:
>
> C:\Windows\System\Restore\Temp\A0045114.cpy
>
> Says it "could be a boot sector virus dropper"
>
> I cleared all my restore points and rebooted a few times, ran F-Prot
> and I got another message about the same problem in a new restore .cpy
> file.

Hmmm... I can't help you with that. If you write to Frisk, you could send them this .cpy file at the same time.

#3
Guest

On Sat, 28 Jun 2003 12:08:51 +0200, Frederic Bonroy <yorbon@yahoo.fr> wrote:

>The latest version is 3.13a though it will probably be replaced by
>3.14 soon.

I extracted the 314 executable from the windows version, and plugged it into my DOS folder, runs just fine.

Bart

#4
Guest

On Sat, 28 Jun 2003 12:59:19 +0200, Frederic Bonroy <yorbon@yahoo.fr> wrote:

>Bart Bailey wrote:
>
>> I extracted the 314 executable from the windows version, and plugged it
>> into my DOS folder, runs just fine.
>
>You have a fast connection, right? :-)

Somewhat. The file (7,429,632) takes under a minute from the European FTP:
ftp://ftp-eu.f-prot.com/pub/windows/fp-win_trial.exe

Bart

#5
Guest

On Fri, 27 Jun 2003 23:48:23 -0700 (PDT), Add Subtract <AddSubtract@webtv.net> wrote:

> I am having a problem with F-Prot for DOS finding infected files within
> the latest (6/25 and 6/26) Norton Anti Virus 2001 virus definitions.
> I'm using the latest version of F-Prot for DOS (3.13) with updated macro
> and def files. Set to scan compressed, archives and heuristic...

In f-prot, when you select options, and move the cursor to "Use heuristics", the following shows at the bottom of the screen...

=========================
= Attempt to detect unknown viruses with the use of heuristics (rules that
= describe the behaviour and structure of viruses). This will increase the
= detection rate, at the cost of an increase in the chance of false alarms.
=========================

In other words, you should expect false alarms when the use of heuristics is selected. When a program is identified as infected, using heuristics, it just means you should check the program very carefully, using other scanners, as you have done, before running it.

I wouldn't worry about these false alarms, or bother reporting them.

Regards, Dave Hodgins

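Added example, not part of any poster's message: a Python illustration of the cross-checking described in the replies above, where a lone heuristic hit that other scanners report clean is triaged as a probable false alarm. The result tuples, the `min_clean` threshold, the `DEMO.COM` path and "ExampleVirus.A" are constructed, and treating the two F-Prot phrases quoted in the thread as markers of a heuristic detection is an assumption.

```python
from collections import defaultdict

# Phrases that mark a heuristic (non-exact) detection. Both come from the
# F-Prot messages quoted in this thread; treating them as reliable markers
# of a heuristic detection is an assumption of this example.
HEURISTIC_MARKERS = ("new or modified variant of", "could be a")

DEFS = (r"C:\Program Files\Common Files\Symantec\Virus Def"
        r"\20030625.19/HH-/pocketpcdefs1.zip\savce.def")
CPY = r"C:\Windows\System\Restore\Temp\A0045114.cpy"
DEMO = r"C:\TEMP\DEMO.COM"  # constructed path, not from the thread

# Constructed scan results: (scanner, path, message); message None means clean.
SAMPLE = [
    ("F-Prot", DEFS, "new or modified variant of Trivial"),
    ("Norton", DEFS, None),
    ("Housecall", DEFS, None),
    ("PandaScan", DEFS, None),
    ("F-Prot", CPY, "could be a boot sector virus dropper"),
    ("ScannerA", DEMO, "infected with ExampleVirus.A"),  # constructed
    ("ScannerB", DEMO, "infected with ExampleVirus.A"),  # constructed
]


def is_heuristic(message):
    """True when the detection text reads as a guess, not a named match."""
    return any(marker in message.lower() for marker in HEURISTIC_MARKERS)


def triage(results, min_clean=2):
    """Map each path to clean / probable false alarm / unconfirmed / detected."""
    by_path = defaultdict(list)
    for scanner, path, message in results:
        by_path[path].append((scanner, message))
    verdicts = {}
    for path, rows in by_path.items():
        hits = [msg for _, msg in rows if msg]
        clean = [scanner for scanner, msg in rows if not msg]
        if not hits:
            verdicts[path] = "clean"
        elif not all(is_heuristic(msg) for msg in hits):
            verdicts[path] = "detected"  # at least one exact, named match
        elif len(hits) == 1 and len(clean) >= min_clean:
            verdicts[path] = "probable false alarm"  # lone guess, others clean
        else:
            verdicts[path] = "unconfirmed"  # heuristic hit, no second opinion
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:22} {path}")
```
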
#6
Guest

On Sat, 28 Jun 2003 17:44:40 +0200, Frederic Bonroy <yorbon@yahoo.fr> wrote:

>Plus I would have to run the installation program, and I have no
>idea what it would do to my registry even if I chose to install
>only the DOS part. I just don't trust Windows programs.

Negative Ghost the partition, install, snag the executable, reinstall partition. Takes about 15 minutes, besides you get a current image, not a bad thing to have.

Bart

#7
Guest

Thank you very much you guys. I figured they were harmless but wanted to follow up with some folks who have more experience with things like this.

addsubtract@webtv.net
+- --

> On Fri, 27 Jun 2003 23:48:23 -0700 (PDT), Add Subtract <AddSubtract@webtv.net> wrote:
>
> > I am having a problem with F-Prot for DOS finding infected files within the latest (6/25 and 6/26) Norton Anti Virus 2001 virus definitions. I'm using the latest version of F-Prot for DOS (3.13) with updated macro and def files. Set to scan compressed, archives and heuristic...
>
> In f-prot, when you select options, and move the cursor to "Use heuristics", the following shows at the bottom of the screen...
>
> =========================
> = Attempt to detect unknown viruses with the use of heuristics (rules that
> = describe the behaviour and structure of viruses). This will increase the
> = detection rate, at the cost of an increase in the chance of false alarms.
> =========================
>
> In other words, you should expect false alarms when the use of heuristics is selected. When a program is identified as infected, using heuristics, it just means you should check the program very carefully, using other scanners, as you have done, before running it.
>
> I wouldn't worry about these false alarms, or bother reporting them.
>
> Regards, Dave Hodgins