Genuine concern about recent false positive detected in rel 5709!

Jack Bauer

I hope that MS has genuinely tweaked the detection
algorithm for NS keylogger, rather than hurriedly remove
it, so that they could release 5711 without any alerts.

For me, two, not just one, Inno Setup installers were
flagged by MSAS (rel. 5709).

Extreme Thumbnail generator & spyware blaster
uninstallers.

Both files were identical!!
Inno Setup
file version 51.34.0.0
file size 640957 bytes (625Kb !!)
MD5: 7f1f1e05a30a027583ff3406f48a4690

They both have the same MD5.

What are the odds, two different apps, downloaded at
different times, have exactly the same uninstaller?!!!

No other two Inno Setup installers on my system are the
same in size or MD5 for the other apps on my system!!

Could someone also confirm for me that the spywareblaster
uninstaller unins000.exe for such a small app was a
whopping 625Kb!

I think the rush to call this an FP was too quick, IMO,
just because it was packaged with a reliable app.

That did not mean that the file could not have been
modified by some other undetected malware once it had
been downloaded onto a system.

For now though, I will accept this was an FP, since the
MSAS rel. 5711 is no longer raising the alert for these
files!

Jack

Jordan Russell

Jack said:
> What are the odds, two different apps, downloaded at
> different times, have exactly the same uninstaller?!!!

If the two apps were built with the same version of Inno Setup (5.0.8),
then the odds are quite good that they have the exact same uninstaller.

> Could someone also confirm for me that the spywareblaster
> uninstaller unins000.exe for such a small app was a
> whopping 625Kb!

That's the normal size for Inno Setup 5-based uninstallers.

> I think the rush to call this an FP, was too quick IMO,
> just because it was packaged with a reliable app.

Think what you want, but I'm the one who created unins000.exe with the
md5sum 7f1f1e05a30a027583ff3406f48a4690 (you'll note my name is in the
version info). I can confirm that that is the stock 5.0.8 version. Any
software that claims it has been infected with spyware is in error.

> That did not mean that the file could not have been
> modified by some other undetected malware once it had
> been downloaded onto a system.

If the file had been tampered with in any way, the md5sum would have
changed. There is no reason whatsoever to be concerned about
unins000.exe files with an md5sum of 7f1f1e05a30a027583ff3406f48a4690.
They are genuine.

plun

Jordan said:
> If the two apps were built with the same version of Inno Setup (5.0.8),
> then the odds are quite good that they have the exact same uninstaller.

Well, I think with a little boolean algebra it is easy to
sort out the "evil one"
using this uninstaller. Not just looking for one file..........
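As an added example (not code from the thread, from Inno Setup, or from any poster), here is a small Python triage in the spirit of plun's suggestion: hash every unins000.exe found on a machine, compare each against the stock MD5 Jordan published, and report which files share a hash and which one stands out. The paths and file bytes below are constructed stand-ins; the only real value is the MD5 quoted in the thread.

```python
import hashlib
from collections import defaultdict
from pathlib import Path

# MD5 of the stock Inno Setup 5.0.8 unins000.exe, as published by its author
# in the thread above; a unins000.exe with a different MD5 is not that build.
STOCK_UNINS000_MD5 = {"7f1f1e05a30a027583ff3406f48a4690"}

def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (the checksum the thread compares)."""
    return hashlib.md5(data).hexdigest()

def triage_uninstallers(files: dict[str, bytes], known_good: set[str]) -> dict:
    """Group uninstallers by MD5; split publisher-confirmed builds from unknowns.

    files: path -> contents; known_good: MD5 hex digests the publisher confirmed.
    Returns {"known_good": [paths], "unknown": {md5: [paths]}}. An MD5 shared by
    several apps is expected (same Inno Setup build); the odd one out is the
    file to look at.
    """
    by_hash: dict[str, list[str]] = defaultdict(list)
    for path, data in files.items():
        by_hash[md5_hex(data)].append(path)
    known = sorted(p for h, ps in by_hash.items() if h in known_good for p in ps)
    unknown = {h: sorted(ps) for h, ps in by_hash.items() if h not in known_good}
    return {"known_good": known, "unknown": unknown}

def read_files(paths) -> dict[str, bytes]:
    """Read real unins000.exe files from disk into the shape triage_uninstallers wants."""
    return {str(p): Path(p).read_bytes() for p in paths}

# Constructed sample data (not real uninstaller bytes): two apps ship the same
# stock image, a third carries a modified copy.
STOCK_IMAGE = b"constructed stand-in for the stock unins000.exe"
SAMPLE_FILES = {
    r"C:\Program Files\SpywareBlaster\unins000.exe": STOCK_IMAGE,
    r"C:\Program Files\Extreme Thumbnail Generator\unins000.exe": STOCK_IMAGE,
    r"C:\Program Files\OtherApp\unins000.exe": STOCK_IMAGE + b"\x00tampered",
}

def demo_result() -> dict:
    """Run the triage on the constructed sample, treating the stock image as known-good."""
    return triage_uninstallers(SAMPLE_FILES, {md5_hex(STOCK_IMAGE)})

if __name__ == "__main__":
    for label, value in demo_result().items():
        print(label, value)
```

A match against the published hash only confirms that this one file is the stock build; it says nothing about anything else an installer may have dropped, which is the separate concern Jack raised.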

Bill Sanderson

Just to add to Jordan Russell's comments: Jack--there's nothing at all to
worry about here. Jordan Russell is the author of the software in question,
and has been clear from the beginning that the file as checksummed on
end-user's machine is identical to what he distributes. The MD5 checksum
process is sufficient to ensure that the file hasn't been modified in any
significant way.

False Positives are a significant problem in antispyware--every product has
this issue to one extent or another, and this is not the first with this
product. I'm very glad it was dispensed with quickly--thanks to everyone
who helped in that process.

Jack Bauer

Thank you for your comments/answers Jordan.

I never doubted your sincerity, when it came to your Inno
Setup being clean.

My concern was that something else, had perhaps altered
the file. Clearly this was an FP and your
assurances/answers, are more than enough to clear all my
doubts.

Thanks Bill for your input. Yes, I realise this was an FP
and apps have this all the time.

It's just with so many alerts/FPs, you can either be
blasé about it, or become extremely paranoid!!!! Best to
exhaust every avenue to ensure that it is an FP. Doesn't
hurt to be a little paranoid ;)

Jack

Bill Sanderson

Keyloggers are nothing to fool around with---they merit every bit of
paranoia we can come up with--so getting the details clarified is entirely
justified.