Beta false positives

Bill H

I downloaded the beta this evening and it found what I
feel are two false positives.

The first false positive it found was a program called
PSEXEC.EXE, which is a freeware tool developed by Mark
Russinovich at www.sysinternals.com. This program does
allow remote execution of programs on someone else's PC, but
the tool is widely used by system administrators for
maintenance purposes.

The second false positive it found was 2 hits for
searchsquire that it found in
HKCU\software\microsoft\windows\currentVersion\internet settings\domains.
If I'm not mistaken this is the
registry key that contains the restricted sites under
Internet Options, as I have this domain name listed twice
in my restricted sites.
 
Pat Cook

If you have XP Home, the registry entry is at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
and those are the Restricted Sites entries.
It could be detecting the name "searchsquire" & nothing
more. If so, no big deal. Make sure nothing is
installed relating to Search Squire. Check this out for
info. on your false positive for Search Squire:
http://computercops.biz/postp427316.html as it will help.
Regarding PSEXEC.EXE, make sure that this freeware tool
is not crapware in disguise by searching for info. on
Google or at computercops (mentioned above). As with all
anti-spyware detections, research the items found to
discover info. about them, and then scan again using a
different anti-spyware program as NO single anti-malware
program is capable of detecting everything correctly or
exhaustively. Check this out for the best advice from
Eric Howes for which software to get:
http://spywarewarrior.com/asw-features.htm#rec
 
Guest

The domain entries are only in the restricted sites if the
value * is set to 4 (as it is for searchsquire, put there
by Spubot and maybe others). Some malware puts a key to
their domain there with the value * set to 3, which puts
them in the trusted zone. Therefore it is a good thing
that these entries are checked, but the check should
include looking at the data for the * value.
The latest (today) signatures for MSAS (5685) no longer
flag searchsquire at that key, so presumably this has now
been fixed.
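The check the post above asks for, as an added example that is not part of the thread: it enumerates the ZoneMap\Domains key named in the thread (HKCU, plus the machine-wide HKLM copy, which is an assumption about where the same structure may also live) and reports the zone each scheme value is assigned to, so that Restricted-zone entries can be told apart from entries granting extra trust. The zone names follow Internet Explorer's standard zone IDs.

```powershell
# Added example (not from the thread): list every host under the IE ZoneMap\Domains
# key together with the zone each scheme value ("*", "http", "https") assigns it to.
# Zone IDs are Internet Explorer's standard ones: 0 My Computer, 1 Local intranet,
# 2 Trusted sites, 3 Internet, 4 Restricted sites.
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-ZoneMapEntries {
    param(
        # HKCU is the key named in the thread; the HKLM path is assumed to hold the machine-wide copy.
        [string[]]$Roots = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
        )
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Each key under Domains is a domain; nested keys are host labels (Domains\example.com\www).
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key = $_
            $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
            $parts = $relative -split '\\'
            # Rebuild the host name: Domains\example.com\www -> www.example.com
            [array]::Reverse($parts)
            $hostName = $parts -join '.'
            foreach ($valueName in $key.GetValueNames()) {
                $zone = [int]$key.GetValue($valueName)
                $zoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Unknown ($zone)" }
                [pscustomobject]@{
                    Hive   = $root.Split(':')[0]
                    Host   = $hostName
                    Scheme = $valueName     # '*' means every scheme
                    ZoneId = $zone
                    Zone   = $zoneName
                }
            }
        }
    }
}

# Restricted-site entries are expected; anything placed in Trusted sites or Local intranet deserves a look.
Get-ZoneMapEntries | Sort-Object ZoneId, Host | Format-Table -AutoSize
Get-ZoneMapEntries | Where-Object { $_.ZoneId -in 1, 2 } |
    ForEach-Object { Write-Warning "Elevated trust for $($_.Host) ($($_.Scheme)) -> $($_.Zone)" }
```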
 
Bill Sanderson

Can you check and let us know if the second issue you mention is fixed,
using the current 5685 definitions--use File, check for updates to update if
that hasn't already happened--you can see the version number at Help, About.

Is Mark Russinovich's file being described accurately by Microsoft
Antispyware?

I had a conversation earlier in the beta about this same issue, and my
thinking then was that it was entirely appropriate that this file should be
called to the attention of the user--it is a tool which can have significant
security ramifications for other systems on a network. So, if it is present
without your knowledge, this is worth knowing. However, the detection was
not describing the file accurately, as I recall.
 
