False positive

Anonymous Bob

I perceive a need for better threat analysis and much better consistency in
how items are reported.

My connection is wireless and PCANDIS5.SYS is part of that connection. If
it's deleted I would be dead in the water. The advice below to immediately
remove this file is very misguided and will cause many users extreme pain as
this file is widely used by many vendors.

**From the history display:

Description:
This program has potentially unwanted behavior.

Advice:
Allow this detected item only if you trust the program or the software
publisher.

Resources:
driver:
PCANDIS5

file:
F:\WINNT\system32\PCANDIS5.SYS

Category:
Not Yet Classified

**From the Event log:

Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 3/13/2006
Time: 7:25:21 PM
User: N/A
Computer: You don't need to know that.<g>
Description:
Windows Defender Real-Time Protection agent has detected potential malware.
For more information please see the following:
http://www.microsoft.com
Scan ID: {902C1C5B-E401-4205-99BC-CD8F9538F2F8}
User: You don't need to know that, either.<g>
Threat Name: Unknown
Threat Id:
Threat Severity:
Threat Category:
Path Found: driver:pCANDIS5;file:F:\WINNT\system32\PCANDIS5.SYS
Threat Classification: Unknown
Detection Type:

Event Type: Information
Event Source: WinDefend
Event Category: None
Event ID: 3005
Date: 3/13/2006
Time: 7:25:21 PM
User: N/A
Computer: You don't need to know that.<g>
Description:
Windows Defender Real-Time Protection agent has taken action to protect
this machine from potential malware.
For more information please see the following:
http://www.microsoft.com
Scan ID: {902C1C5B-E401-4205-99BC-CD8F9538F2F8}
User: You don't need to know that.<g>
Threat Name: Unknown
Threat Id:
Threat Severity:
Threat Category:
Threat Classification: Unknown
Action: Ignore

**From allowed items:

It's identified as Winlog with the following:

Description:
This program has potentially unwanted behavior.

Advice:
Remove this software immediately.

Resources:
Not available

Category:
Trojan

Respectfully,
Bob Vanderveen
 
Anonymous Bob

Mike Treit said:
Please submit the file using the instructions on the following page:

http://www.microsoft.com/athome/security/spyware/software/isv/fpform.aspx
Thanks, Mike.

I've tried that procedure in the past, but this line seems to limit its
usefulness:
"The person who submits the form should also be the vendor of the program."

Also, the "false positive" in this case, isn't because it's being mistaken
for another program. The problem is that the WD team assumes that the
presence of this file indicates a Winlog infection. That assumption is in
error.

Bob Vanderveen
 
Guest

It reports it because it does not know what it is ('Not yet classified').
Unfortunately, the rest of the message (except maybe for the word
'potentially') is very misleading. I have several of these from various 'not
yet classified' legitimate apps.

You could try adding F:\WINNT\system32\PCANDIS5.SYS in the Tools general
settings, advanced options in the do not scan box (note you have to include
the file name; the exclude does not work for folders as of now, as reported
elsewhere). You won't get an alert requesting you to allow it each time
although there will still be a warning log in event viewer/system telling you
it detected it (another bug, I think).
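The thread above shows the two-record pattern Windows Defender writes for one detection (Event ID 3004 "detected potential malware", then Event ID 3005 "has taken action", both carrying the same Scan ID) and the follow-on problem that an excluded or allowed file keeps producing the 3004 warning. The following script is an added example, not code from the thread or from Microsoft: it parses exported records in the layout quoted above, pairs 3004 and 3005 by Scan ID, and separates warnings on an operator-reviewed allowlist (the wireless driver PCANDIS5.SYS here) from detections that were silently ignored or never actioned. The sample records are constructed from the thread's own entries plus one made-up unresolved detection; the allowlist and the verdict names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's 3004/3005 pair (same Scan ID), plus an
# unrelated made-up detection with no matching 3005 action record.
SAMPLE_LOG = """\
Event Type: Warning
Event Source: WinDefend
Event ID: 3004
Scan ID: {902C1C5B-E401-4205-99BC-CD8F9538F2F8}
Threat Name: Unknown
Path Found: driver:pCANDIS5;file:F:\\WINNT\\system32\\PCANDIS5.SYS
Threat Classification: Unknown

Event Type: Information
Event Source: WinDefend
Event ID: 3005
Scan ID: {902C1C5B-E401-4205-99BC-CD8F9538F2F8}
Threat Name: Unknown
Threat Classification: Unknown
Action: Ignore

Event Type: Warning
Event Source: WinDefend
Event ID: 3004
Scan ID: {11111111-2222-3333-4444-555555555555}
Threat Name: Unknown
Path Found: file:F:\\WINNT\\system32\\EXAMPLE_UNRESOLVED.SYS
Threat Classification: Unknown
"""

# Hypothetical allowlist: file paths the operator has reviewed and accepted
# as legitimate (case-insensitive comparison, so store lower-case).
ALLOWLIST = {r"f:\winnt\system32\pcandis5.sys"}


def parse_records(text):
    """Split an exported log into blank-line-separated records; each record
    becomes a dict of 'Field: value' pairs. Only WinDefend records are kept."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                rec[key.strip()] = value.strip()
        if rec.get("Event Source") == "WinDefend":
            records.append(rec)
    return records


def file_paths(path_found):
    """'driver:x;file:y' -> ['y']: keep only the file: resources of a Path Found field."""
    return [r[len("file:"):] for r in path_found.split(";") if r.startswith("file:")]


def triage(text, allowlist=ALLOWLIST):
    """Pair each 3004 detection with the 3005 action sharing its Scan ID and
    classify it:
      allowed-noise      - path is on the reviewed allowlist; the warning is residual noise
      ignored-unreviewed - Defender took 'Ignore' on a path nobody has vetted
      no-action          - a detection with no 3005 record at all
      actioned           - any other recorded action (Remove, Quarantine, ...)
    Returns {scan_id: (verdict, [file paths], action or None)}."""
    by_scan = defaultdict(dict)
    for rec in parse_records(text):
        by_scan[rec.get("Scan ID")][rec.get("Event ID")] = rec

    results = {}
    for scan_id, events in by_scan.items():
        detection, action = events.get("3004"), events.get("3005")
        if detection is None:
            continue  # a 3005 without its 3004 carries no path to judge
        paths = file_paths(detection.get("Path Found", ""))
        if any(p.lower() in allowlist for p in paths):
            verdict = "allowed-noise"
        elif action is None:
            verdict = "no-action"
        elif action.get("Action", "").lower() == "ignore":
            verdict = "ignored-unreviewed"
        else:
            verdict = "actioned"
        results[scan_id] = (verdict, paths, action.get("Action") if action else None)
    return results


if __name__ == "__main__":
    for scan_id, (verdict, paths, action) in triage(SAMPLE_LOG).items():
        print(f"{scan_id} {verdict:18} action={action} paths={paths}")
```

The point of pairing by Scan ID is the one Bob raises: a 3004 warning alone says only that an unclassified file was seen, and the 3005 record is what says whether anything was done about it. With an explicit allowlist of reviewed paths, a reviewer can suppress the residual warnings for known drivers while still surfacing "Ignore" verdicts on files nobody has looked at.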
 
Anonymous Bob

JRosenfeld said:
It reports it because it does not know what it is ('Not yet classified').
Unfortunately, the rest of the message (except maybe for the word
'potentially') is very misleading. I have several of these from various 'not
yet classified' legitimate apps.

You could try adding F:\WINNT\system32\PCANDIS5.SYS in the Tools general
settings, advanced options in the do not scan box (note you have to include
the file name; the exclude does not work for folders as of now, as reported
elsewhere). You won't get an alert requesting you to allow it each time
although there will still be a warning log in event viewer/system telling you
it detected it (another bug, I think).

Thank you. I've now done that and I agree about the "other" bug. <bEg>

That's not a bug in the sense of a coding error, but rather a design flaw.
It seems to me there's a need for another level of intelligent filtering
after a potential threat is detected.

Finding a legitimate file, even though that file is used by a trojan, does
*not* indicate an infection if that file is being used in the proper
context.

First, do no harm!

Bob Vanderveen
 
