false negative.



keepout

Much worse than a false positive.

What I have is the Rogue.SpywareProtect. I've had it now for a week or two. It
totally destroyed McAfee in the 5 seconds it ran. It took Malwarebytes to
identify it.
I have it sitting disabled in my C:\temp directory. So far everything I've
thrown at it claims it's not a problem... Except MB, AND my eyes. I saw what it
did when I accidentally ran it for 5 seconds.

I tried submitting it to McAfee. No reply.
I have no idea who to give it to at M$ cause they can't see it either.

I'd send it to other virus people, but have no emails to send it to.
McAfee's trial is up in 6 days, I'll be trying Kaspersky then.

Any idea who to send this to at M$ cause they really need to add this nasty to
their lists.. Cause right now it's under the radar on the things I've used.
Spybot can't see it either.
 

Alan D

Thanks for this helpful tip, Dave. I didn't know about the existence of this
site.
Alan
 

Bill Sanderson

Indeed this is good knowledge to spread.

Stuff submitted to Microsoft via the security portal is also shared with a
partner group--which I think is pretty large and inclusive, but I don't know
the details to be sure.
 

keepout

If you submit the suspicious file(s) to http://virscan.org/index.php

and "if the file you upload is detected as suspicious, VirSCAN will send
the file and report off to the antivirus vendors participating in the
VirSCAN service to be analyzed. Antivirus companies will update the
signature virus database if a real malware is found." Microsoft, McAfee,
Symantec, and many other security software vendors participate.
Even Better to know. FWIW: You need to submit it as an exe. Otherwise the
upload fails.

And Even Better to know is the report.
3/37 actually identified it all as something else.

And for those that read this far, here are the names of the 4 that actually
identified it, in no special order:

AVG, Sophos, Malwarebytes and Microsoft.

Though I have no idea what that means that MS identified it. I've been running
defender, and it can't even see it. Hmm... I've also disabled it by renaming it
Rogue.SpywareProtect_exe.OLD
But that still doesn't change the internals of the file. It's still a virus
software killer.
Nice touch, I won't be trying Kaspersky, since it can't see this thing either.

This scan has made me see one thing. It's not about security, it's about money.
8% of those testing it found something.

full report
 

keepout

privacy statements on these sites. It seems to me it's worthwhile to
spread the knowledge to many of them rather than just passing it on to a
single vendor, despite any competitive advantage that doing this could
comment I made about it all being about money, vs actual security, only 3 of 37
vendors identified my submission [that Malwarebytes ID'd to me.] And all 3 gave
it a different name. Same thing and 4 different names. Seems to me when we're
talking about such a global thing as virus security, to prevent duplication of
effort, and actually go after eradicating this stuff, it would seem it would
make a lot more sense if all the different virus people were hunting the SAME
target.
 

Alan D

"Dave M" wrote
Actually, I owe the thanks to you (or our other Alan), going back to when
we were looking at how compressed files from a quarantine were then
analyzed by the multi-scanners. From that discussion, I actually read the
privacy statements on these sites. It seems to me it's worthwhile to
spread the knowledge to many of them rather than just passing it on to a
single vendor
Yes, I remember that, and how shocked I was by the outcome (I wonder how
many people are falsely reassured by submitting quarantined files to the
scanners) - and yes, sometimes the smallest thing can set us off
investigating something we might otherwise have missed. You're right - the
idea of spreading alerts to all makes so much more sense, when you think
about it. Furthermore, your information about the site itself is worth
spreading around (just like the alerts). Much obliged.
Alan
 

Bill Sanderson

There's a project run by the same folks who maintain the database of
vulnerabilities to create standardized names for malware as well. It's been
a long time since I looked it up, though--I wonder if it is still happening?
They don't do all malware, just the more significant critters, as I recall.

Nope - it died. However, it is still interesting to look at the site and
read the why...

http://cme.mitre.org/

I'm in complete agreement with you--if you have bug aaa, variant 1 and bug
aaa variant 2, which may require rather different cleaning strategies, it is
quite annoying to discover that vendor A uses the second name for the first
critter, and vendor B vice-versa. This has happened. Of course, most
vendors these days provide cleaning instructions which require the use of
their software--that is, after all, how their research is funded.

The tower of babel is still annoying.

 

Bill Sanderson

Windows Defender is not Microsoft's antivirus application.

In the consumer market, OneCare is. You can download a trial of OneCare
still, I believe.

There is also Forefront Client Protection in the corporate market, and a
variety of other products for the protection of servers and specialized
applications and servers.

The same definitions and scanning and cleaning abilities are available at
http://safety.live.com which is free for anyone, but does not give resident
real-time protection.


 

keepout

Good information, Microsoft wins one... this time. What that's saying is
that the Microsoft AV+AS+Malware signatures (what you'd get with
Microsoft's OneCare or the free online Safety Scanner) would have this
detection, while Defender alone would not, because this threat is only
detected by the Microsoft antivirus engine, not their antispyware engine.
FWIW: After updating Defender, it did find and totally destroy both copies I
had of it. I really need more input than some program randomly destroying what
it's told to by some internal programming.
 