MSAS False positive XferPro

Guest

This looks like a false positive to me. I installed Wincode and under
Configure I clicked on Associate, so it would operate automatically on 18
extensions such as .b64 and .mme.
Microsoft Anti-Spyware (1.0.701, just updated 12/2, it says 5779) flagged
one of them, .xx, as XferPro Trojan Downloader.

XferPro Trojan Downloader more information...
Status: Ignored
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\software\classes\.xx
HKEY_LOCAL_MACHINE\software\classes\.xx\shell\open\command
c:\zip\wincode\wincode.exe %1
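
The keys quoted above are the ordinary layout of a Windows file association: an extension key under HKLM\Software\Classes carrying either its own shell\open\command or a default value naming a ProgID that carries one. The following is an added example (not code from this thread, from Wincode, or from Microsoft) that parses a constructed .reg export of such keys, resolves the handler executable for each extension, and contrasts two detection rules: one that fires on the mere presence of the <ext>\shell\open\command key, which is an assumed model of the signature the thread suspects, and one that looks at the handler executable against an assumed allowlist. The .reg text, the ProgID `Wincode.File`, the `.txt`/Notepad entry and the allowlist are constructed for the example.

```python
r"""Audit Windows file-association handlers from a .reg export.

Added example, not code from the thread, from Wincode or from Microsoft.
It shows the two registry shapes an association can take (a direct
<ext>\shell\open\command key, as the first post quotes for .xx, or an <ext>
key whose default value names a ProgID) and contrasts a detection keyed only
on the registry path with one that looks at the handler executable.
Assumption: the XferPro signature keyed on the path alone, as the thread
suspects; the real signature logic is not on the page.
"""

CLASSES = r"hkey_local_machine\software\classes"

# Constructed .reg export: the .xx keys quoted in the first post, plus a
# ProgID-style association and a stock Notepad one for contrast.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xx]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xx\shell\open\command]
@="c:\\zip\\wincode\\wincode.exe %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.b64]
@="Wincode.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wincode.File\shell\open\command]
@="\"c:\\zip\\wincode\\wincode.exe\" \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt]
@="txtfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""


def parse_reg(text):
    """Map lower-cased key paths to their default (@) string value.

    Handles only the .reg escapes used here: \\ for a backslash and \" for
    a quote inside a REG_SZ value; keys without a default map to None.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, None)
        elif current is not None and line.startswith('@="') and line.endswith('"'):
            raw = line[3:-1]
            keys[current] = raw.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def open_command(keys, ext):
    """Resolve the open verb's command for an extension, directly or via ProgID."""
    base = f"{CLASSES}\\{ext.lower()}"
    direct = keys.get(f"{base}\\shell\\open\\command")
    if direct:
        return direct
    progid = keys.get(base)
    if progid:
        return keys.get(f"{CLASSES}\\{progid.lower()}\\shell\\open\\command")
    return None


def handler_exe(command):
    """Pull the executable out of a command line; quoted paths may contain spaces."""
    if not command:
        return None
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def path_only_rule(keys, ext):
    """Assumed model of the simplistic signature: fire on the mere presence
    of <ext>\\shell\\open\\command, whatever the handler is."""
    return f"{CLASSES}\\{ext.lower()}\\shell\\open\\command" in keys


def handler_rule(keys, ext, allowlist=frozenset({"wincode.exe", "notepad.exe"})):
    """Handler-aware check: fire only if the executable's file name is not in
    an allowlist (the allowlist here is an assumption for the example)."""
    exe = handler_exe(open_command(keys, ext))
    if exe is None:
        return False
    return exe.rsplit("\\", 1)[-1].lower() not in allowlist


def audit(text):
    """Return {ext: (handler, path_only_hit, handler_hit)} for every extension key."""
    keys = parse_reg(text)
    exts = sorted(k.rsplit("\\", 1)[-1] for k in keys
                  if k.startswith(CLASSES + "\\.")
                  and k.count("\\") == CLASSES.count("\\") + 1)
    return {ext: (handler_exe(open_command(keys, ext)),
                  path_only_rule(keys, ext),
                  handler_rule(keys, ext)) for ext in exts}


if __name__ == "__main__":
    for ext, (exe, naive, aware) in audit(REG_EXPORT).items():
        print(f"{ext:6} handler={exe!s:40} path-only={naive!s:5} handler-aware={aware}")
```

Run as-is, the path-only rule fires on `.xx` (the one extension Wincode registered with a direct command key) and on nothing else, while `.b64`, which goes through a ProgID to the very same wincode.exe, is never touched by it; the handler-aware rule is quiet on all three. That mismatch is the sense in which a path-keyed detection is "simplistic": it reacts to how the association was written, not to what the handler is.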
 
Dave M

Hi PGroot,
You're actually a sig definition (and two weeks behind):
Spyware Definition Version: 5781 (12/1/2005 8:33:08 PM)
Try it with that one and let us know if it still detects.
 
Bill Sanderson

I like Dave M's advice--do another File, Check for Update, and see if you
can get to 5781, and recheck this. False positives are a problem in
antispyware, and Microsoft Antispyware has had its share--so you may well be
absolutely correct, but let's tie it down with the current definitions. It's
also easier to get this fixed if you can get the vendor directly in touch
with Microsoft. Here's the web form they should use to open a case:

http://www.microsoft.com/athome/security/spyware/software/isv/fpform.aspx
 
Guest

XferPro is the same in 5781. It gives the update date as yesterday 12/2, so
I think there's a beta bug that when it updates, it doesn't update the Help,
About Spyware Definition version.
 
Bill Sanderson

Yes there is such a bug, which is one reason I suggested re-trying the
update--normally that fixes the appearance issue. To be absolutely certain,
you can hit the diagnostics window and look for the line ending something
like 134/134. If both those numbers are the same, everything is good. If
they are different, keep retrying the update until they come out equal.

I'll make sure this is passed on. Such a false positive is typically
corrected in a succeeding definition set--often the next week, sometimes
longer.

--
 
Bill Sanderson

I'd like to be able to replicate this myself before passing it on. Can you
give a URL where you obtained WinCode, or give the version number?

And tell me where to find that "associate" function? I'm looking at 2.71,
and can't find where to set that associate function. It doesn't raise any
alarms just as installed with the defaults.

--
 
Bill Sanderson

Thanks--I'll pull that down and test it.

I suspect (as I think you did) that it is the entries related to the
associate function that are triggering the false positive. This is a subtle
one, but it's good to get at these simplistic detections--they make the
product look bad.
--
 
Guest

Still there in 5785. I found an old post under General that mentioned
XferPro in August, but slightly different.

 
Bill Sanderson

Yes - I saw it on a machine today. My desktop machine has gotten very
little use over the last week, because of a mail store corruption accident.
And I've been working long hours--will see if I can get this properly
reported...

--
 
Guest

Fixed in 5803 released 2/3/2006, it only took two months.
Admittedly not a high priority.