Assigned Zemana False Positive Report Thread

[Deleted Member 333v73x]

Hello, please use this thread to report false positives instead of making a separate thread, also I will tag @iIda15 and @TwinHeadedEagle so the false positives can be fixed

Spoiler: Only Staff Read This!

Please keep this thread so there aren't as many threads made simply for one false positive, although if you find it unnecessary then please delete it at your convenience

 

[frogboy]

A great idea but as far as i know i have only had one FP since i installed Zemana Antimalware.

 

[LabZero]

NirSoft WirelessNetView v1.68 is detected as malicious file (hack tool), on real time and contextual scanning.
It's obviously an FP but, if I remember correctly, other AVs detected it as infected.

View image Zemana detection

 

[Nightwalker]

Never had a false positive with Zemana Premium, guess I am lucky.

 

[Deleted Member 333v73x]

NirSoft WirelessNetView v1.68 is detected as malicious file (hack tool), on real time and contextual scanning.
It's obviously an FP but, if I remember correctly, other AVs detected it as infected.

View image Zemana detection

@iIda15

 

[Nightwalker]

NirSoft WirelessNetView v1.68 is detected as malicious file (hack tool), on real time and contextual scanning.
It's obviously an FP but, if I remember correctly, other AVs detected it as infected.

View image Zemana detection

Doesnt sound like a False Positive to me, it is detected by the name "Hack Tool", I think Eset Nod32 detects NirSoft too as PUP.

 

[Soulbound]

it is FP.
Here is a VT report

 

[Nightwalker]

it is FP.
Here is a VT report

a variant of Win32/PSWTool.WirelessNetView.A potentially unsafe - NOD32
Malwarebytes PUP.Optional.WirelessNetworkTool - Malwarebytes

It is a PUP, each vendor has a different policy regarding this kind of "threat".

IMO it is a safe app, but I see why some antivirus detect it as PUP.

I think Marcos from ESET has explained in Wilders Security forum sometime ago why Nod32 detects it, i will try to find his post.

 

[iIda15]

Hello everyone,

Regarding to "PUA:Win32/HackTool.Nirsoft", this is not a FP.

We all love and use Nirsoft utilities but the bad guys also love them, and anyone without any programming knowledge can make a USB stick with a small bat script around Nirsoft password recovery tools by using their CLI interface so when the USB stick is inserted, it can export all the saved passwords and copy them back to the USB again.

So advanced users like you can exclude them, and then the new users who never heard about the Nirsoft utilities can be protected from such attacks. In order to not hurt Nirsoft utilities as a Trojan, we detect them as a "PUA:Win32/HackTool.Nirsoft" but in future releases we can put an option for hack/research tools so when you check this option they will not get detected.

Regards,

Ida

 

[illumination]

So advanced users like you can exclude them

Regards,

Ida

This pretty much sums it up, I would not think you would need to add another way to run tools that are deemed trusted. Once excluded they are exempt from future scans of realtime and detection correct?

 

[frogboy]

This pretty much sums it up, I would not think you would need to add another way to run tools that are deemed trusted. Once excluded they are exempt from future scans of realtime and detection correct?

Yes that is correct.

 

[illumination]

Yes that is correct.

That was a rhetorical question

In all seriousness, they could put forth some thought into just renaming exclusions to trusted list to make it more apparent.

 

[iIda15]

This pretty much sums it up, I would not think you would need to add another way to run tools that are deemed trusted. Once excluded they are exempt from future scans of realtime and detection correct?

I second that even if it's a rhetorical question

That was a rhetorical question

In all seriousness, they could put forth some thought into just renaming exclusions to trusted list to make it more apparent.

-I didn't quite get what you mean, but it's different per user.

 

[illumination]

I didn't quite get what you mean, but it's different per user.

It really is not necessary, but a thought of changing the name from exclusions to trusted list and adding a disclaimer in that section stating that false positives or trusted applications can be placed here. This way it is more obvious even for users who are not quite advanced. Some tools as stated above are potentially unsafe "depending on how the users uses it" would need to be placed there to avoid further detection, False positives can be placed there until they have been reported and fixed.

 

[LabZero]

Thanks ilda15 for the explanation, but, quoting the article by Nir Sofer about this topic, I would like to make some observations.

Nir Sofer said that some antivirus classify absolutely legitimate software as infected and, about password recovery tools that people use to recover their lost passwords, it is true that these tool for passwords, like so many other utilities can be used by criminals, who have bad intentions, but the behavior of many antivirus it is rather selective: a tool that can be used by criminals is classified as malware, although almost all of its users using them with good intentions.
But Nirsoft does not distribute malicious code from his web site and the tools do not contain malicious code: the evil one is done on a presumption of dangerousness and not on the actual use of the malicious code.
Some antimalware vendors (such as Zemana) are more sensitive in the consideration of this issue and classify these tools as "hack tools", which is much better than classify them categorically as viruses or trojans, but prevents the user from using them, by simply removing or quarantining because many (average/basic) users do not know the difference between viruses, PUP, riskware, hack tool and when they receive such messages as "dangerous objects detected" , they continue to think that these tools are infected and don't use them.

For this reason I still think that Nirsoft tools are false positive: a legitimate tool is recognized "positive" to antimalware test, although in reality it is a legitimate software that does not contain sort of malicious code.

 

[Rishi]

I think we have reached a point where user intervention becomes neccessary with FPs like nirsoft,instead of just classifying it as hacktool , maybe some feature which helps even the novice user take an informed decision,like md5 sum check from official source or something like a warning - are you sure you downloaded this tool from legitimate source?Riskware.xyz something, caution needed.Or a knowledgebase link shown for reference.

 

[instawin]

I do believe I have found a false positive (it may not seem like it at first though; hear me out please). VirusTotal report for the file. For some reason, 2 other AVs have seemed to have detected it as well..

Zemana AntiMalware (I am using the free version if it matters) has labelled it as TrojanCryptor:Win32/Generic. I have done scans with MBAM and the AV I am currently using, yet neither have labelled it as malicious.

It's a file related to a game called Toontown Rewritten. The file is named TTREngine.exe when you install the game (windows version). The game is not malicious (along with the people who make it).. you can find out more about their team here (a press interview) and their website. The game has a rather large community, so if it was malicious then many people would be infected.

(Yes, I have downloaded the game and the file in question from their real website)

 

[Deleted Member 333v73x]

I do believe I have found a false positive (it may not seem like it at first though; hear me out please). VirusTotal report for the file. For some reason, 2 other AVs have seemed to have detected it as well..

Zemana AntiMalware (I am using the free version if it matters) has labelled it as TrojanCryptor:Win32/Generic. I have done scans with MBAM and the AV I am currently using, yet neither have labelled it as malicious.

It's a file related to a game called Toontown Rewritten. The file is named TTREngine.exe when you install the game (windows version). The game is not malicious (along with the people who make it).. you can find out more about their team here (a press interview) and their website. The game has a rather large community, so if it was malicious then many people would be infected.

(Yes, I have downloaded the game and the file in question from their real website)

@iIda15

 

[iIda15]

@Tornado , Ida has contacted the development team already

I will keep you guys posted.

 

[iIda15]

I do believe I have found a false positive (it may not seem like it at first though; hear me out please). VirusTotal report for the file. For some reason, 2 other AVs have seemed to have detected it as well..

Zemana AntiMalware (I am using the free version if it matters) has labelled it as TrojanCryptor:Win32/Generic. I have done scans with MBAM and the AV I am currently using, yet neither have labelled it as malicious.

It's a file related to a game called Toontown Rewritten. The file is named TTREngine.exe when you install the game (windows version). The game is not malicious (along with the people who make it).. you can find out more about their team here (a press interview) and their website. The game has a rather large community, so if it was malicious then many people would be infected.

(Yes, I have downloaded the game and the file in question from their real website)

-White listed.