Zemana False Positive Report Thread

Discussion in 'Zemana' started by Tornado, Jan 24, 2016.

  1. Tornado

    Tornado New Member

    Nov 22, 2015
    1,080
    3,722
    Undisclosed
    #1 Tornado, Jan 24, 2016
    Last edited: Feb 16, 2016
    Hello, please use this thread to report false positives instead of making a separate thread. I will also tag @iIda15 and @TwinHeadedEagle so the false positives can be fixed :)

    Please keep this thread so there aren't as many threads made for a single false positive; if you find it unnecessary, please delete it at your convenience :)
     
    Jrs30, robin, iIda15 and 7 others like this.
  2. frogboy

    frogboy Level 61
    Trusted

    Jun 9, 2013
    6,228
    64,823
    Heavy Duty Mechanic.
    Western Australia
    Windows 10
    Emsisoft
    A great idea, but as far as I know I have only had one FP since I installed Zemana AntiMalware. ;)
     
  3. LabZero

    LabZero Guest

    NirSoft WirelessNetView v1.68 is detected as a malicious file (hack tool) on real-time and contextual scanning.
    It's obviously an FP but, if I remember correctly, other AVs detected it as infected too.

    [image: Zemana detection]
     
  4. Nightwalker

    Nightwalker Level 7

    May 26, 2014
    325
    1,287
    Lawyer
    Windows 10
    Emsisoft
    Never had a false positive with Zemana Premium; guess I am lucky.
     
  5. Tornado

    Tornado New Member

    Nov 22, 2015
    1,080
    3,722
    Undisclosed
    @iIda15
     
    venustus and Der.Reisende like this.
  6. Nightwalker

    Nightwalker Level 7

    May 26, 2014
    325
    1,287
    Lawyer
    Windows 10
    Emsisoft
    Doesn't sound like a false positive to me; it is detected under the name "Hack Tool". I think ESET NOD32 detects NirSoft as a PUP too.
     
    venustus, frogboy and Tornado like this.
  7. Soulweave

    Soulweave Moderator
    Staff Member Content Creator

    Jan 14, 2015
    1,360
    3,396
    Windows 10
    Kaspersky
    venustus, frogboy and Tornado like this.
  8. Nightwalker

    Nightwalker Level 7

    May 26, 2014
    325
    1,287
    Lawyer
    Windows 10
    Emsisoft
    a variant of Win32/PSWTool.WirelessNetView.A potentially unsafe - NOD32
    PUP.Optional.WirelessNetworkTool - Malwarebytes

    It is a PUP; each vendor has a different policy regarding this kind of "threat".

    IMO it is a safe app, but I see why some antivirus products detect it as a PUP.

    I think Marcos from ESET explained on the Wilders Security forum some time ago why NOD32 detects it; I will try to find his post.
     
    OokamiCreed, venustus and Tornado like this.
  9. iIda15

    iIda15 New Member

    Aug 10, 2015
    115
    400
    Business Development Manager
    Bosnia and Herzegovina, Sarajevo
    Hello everyone,

    Regarding "PUA:Win32/HackTool.Nirsoft", this is not an FP.

    We all love and use Nirsoft utilities, but the bad guys also love them, and anyone without any programming knowledge can make a USB stick with a small .bat script around the Nirsoft password recovery tools, using their CLI interface, so that when the USB stick is inserted it exports all the saved passwords and copies them back to the USB stick.

    So advanced users like you can exclude them, while new users who have never heard of the Nirsoft utilities can be protected from such attacks. In order not to brand Nirsoft utilities as Trojans, we detect them as "PUA:Win32/HackTool.Nirsoft", but in future releases we can add an option for hack/research tools so that when you check this option they will not be detected.

    Regards,

    Ida
     
    Spawn, Jack, Xtwillight and 7 others like this.
  10. illumination

    illumination Guest

    This pretty much sums it up; I would not think you would need to add another way to run tools that are deemed trusted. Once excluded, they are exempt from future real-time scans and detection, correct?
     
    Xtwillight, Tornado, iIda15 and 2 others like this.
  11. frogboy

    frogboy Level 61
    Trusted

    Jun 9, 2013
    6,228
    64,823
    Heavy Duty Mechanic.
    Western Australia
    Windows 10
    Emsisoft
    Yes that is correct.
     
    Xtwillight, illumination and venustus like this.
  12. illumination

    illumination Guest

    That was a rhetorical question ;)

    In all seriousness, they could put some thought into renaming "exclusions" to "trusted list" to make it more apparent.
     
    Xtwillight, iIda15 and frogboy like this.
  13. iIda15

    iIda15 New Member

    Aug 10, 2015
    115
    400
    Business Development Manager
    Bosnia and Herzegovina, Sarajevo
    #13 iIda15, Jan 25, 2016
    Last edited: Jan 25, 2016
    I second that :) even if it's a rhetorical question :) ;)

    -I didn't quite get what you mean, but it's different per user.
     
    Tornado and Rishi like this.
  14. illumination

    illumination Guest

    It really is not necessary, but it is a thought: change the name from "exclusions" to "trusted list" and add a disclaimer in that section stating that false positives or trusted applications can be placed here. This way it is more obvious, even for users who are not very advanced. Some tools, as stated above, are potentially unsafe "depending on how the user uses them" and would need to be placed there to avoid further detection; false positives can be placed there until they have been reported and fixed.
     
    Xtwillight, iIda15 and Rishi like this.
  15. LabZero

    LabZero Guest

    Thanks iIda15 for the explanation, but, quoting the article by Nir Sofer about this topic, I would like to make some observations.

    Nir Sofer said that some antivirus products classify absolutely legitimate software as infected. About password recovery tools that people use to recover their lost passwords: it is true that these password tools, like so many other utilities, can be used by criminals with bad intentions, but the behavior of many antivirus products is rather selective: a tool that can be used by criminals is classified as malware, although almost all of its users use it with good intentions.
    But Nirsoft does not distribute malicious code from its web site and the tools do not contain malicious code: the damage is done on a presumption of dangerousness and not on the actual use of malicious code.
    Some antimalware vendors (such as Zemana) are more sensitive in their consideration of this issue and classify these tools as "hack tools", which is much better than classifying them categorically as viruses or trojans, but it still prevents the user from using them, by simply removing or quarantining them, because many (average/basic) users do not know the difference between viruses, PUPs, riskware and hack tools, and when they receive messages such as "dangerous objects detected" they continue to think that these tools are infected and don't use them.

    For this reason I still think that Nirsoft tools are false positives: a legitimate tool is recognized as "positive" in an antimalware test, although in reality it is legitimate software that does not contain any sort of malicious code.
     
    PVA_BR, frogboy, Butterfly and 3 others like this.
  16. Rishi

    Rishi Level 19
    Trusted

    Dec 3, 2015
    910
    8,149
    India
    Windows 10
    Webroot
    I think we have reached a point where user intervention becomes necessary with FPs like Nirsoft. Instead of just classifying it as a hacktool, maybe some feature which helps even the novice user take an informed decision, like an MD5 checksum check against the official source, or something like a warning: "Are you sure you downloaded this tool from a legitimate source? Riskware.xyz something, caution needed." Or a knowledgebase link shown for reference.
     
    frogboy, iIda15 and LabZero like this.
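The exclusions-versus-trusted-list discussion above (posts 10 to 14) and Rishi's suggestion of a checksum check against the official source come down to one design question: what a trusted entry is keyed on. The Python below is an added example written for this page, not code from Zemana or from any poster. It models a scanner's decision for a detection under a user policy: a legacy exclusion keyed on file name beside a trusted list keyed on SHA-256. The semantics of `allow_hacktools` are an assumption modelled on the "hack/research tools" option iIda15 describes; the file names, detection names and file contents are constructed labels taken from the thread, not real binaries or real hashes. The scenario shows that a name-based exclusion waves through any file that happens to carry the excluded name, while a hash-based trusted list allows only the exact binary the user vetted, and that a PUA setting never applies to a detection in the malware category.

```python
"""Name-based exclusion vs hash-based trusted list for PUA/HackTool hits.

Added example for this thread; not Zemana's code. File contents, names and
the policy semantics are constructed/assumed for illustration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    MALWARE = "malware"    # e.g. the TrojanCryptor:Win32/Generic hit reported later in the thread
    HACKTOOL = "hacktool"  # e.g. PUA:Win32/HackTool.Nirsoft


@dataclass
class Detection:
    path: str
    name: str            # detection name as the scanner reports it (label only)
    category: Category


@dataclass
class Policy:
    # Assumed semantics of the "hack/research tools" option mentioned in the thread:
    # when True, HackTool/PUA hits are allowed without a prompt.
    allow_hacktools: bool = False
    # SHA-256 of binaries the user verified against the vendor's published hashes.
    trusted_sha256: set = field(default_factory=set)
    # Legacy-style exclusion: trust anything carrying one of these file names.
    excluded_names: set = field(default_factory=set)


def sha256_of(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decide_by_name(det: Detection, policy: Policy) -> str:
    """Name-based exclusion: any file with an excluded name is allowed, whatever it contains."""
    if os.path.basename(det.path) in policy.excluded_names:
        return "allow"
    return "quarantine" if det.category is Category.MALWARE else "warn"


def decide_by_hash(det: Detection, policy: Policy) -> str:
    """Hash-based trusted list: only the exact vetted binary is allowed."""
    if sha256_of(det.path) in policy.trusted_sha256:
        return "allow"
    if det.category is Category.MALWARE:
        return "quarantine"  # real malware is never waved through by a PUA setting
    return "allow" if policy.allow_hacktools else "warn"


def demo() -> dict:
    """Constructed scenario: a vetted tool, and a different binary dropped under the same name."""
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "WirelessNetView.exe")
        with open(genuine, "wb") as f:
            f.write(b"MZ genuine tool bytes (constructed, not the real binary)")
        vetted_hash = sha256_of(genuine)  # stands in for the hash published by the vendor

        downloads = os.path.join(d, "downloads")
        os.mkdir(downloads)
        impostor = os.path.join(downloads, "WirelessNetView.exe")
        with open(impostor, "wb") as f:
            f.write(b"MZ something else entirely (constructed)")

        policy = Policy(trusted_sha256={vetted_hash},
                        excluded_names={"WirelessNetView.exe"})

        tool = Detection(genuine, "PUA:Win32/HackTool.Nirsoft", Category.HACKTOOL)
        fake = Detection(impostor, "TrojanCryptor:Win32/Generic", Category.MALWARE)

        return {
            "genuine_by_name": decide_by_name(tool, policy),
            "genuine_by_hash": decide_by_hash(tool, policy),
            "impostor_by_name": decide_by_name(fake, policy),  # name matches: waved through
            "impostor_by_hash": decide_by_hash(fake, policy),  # hash mismatch: quarantined
            # The same HackTool hit with no trusted hash: outcome depends on the opt-in setting.
            "untrusted_tool_default": decide_by_hash(tool, Policy()),
            "untrusted_tool_opt_in": decide_by_hash(tool, Policy(allow_hacktools=True)),
        }


if __name__ == "__main__":
    for key, action in demo().items():
        print(f"{key}: {action}")
```

Running it shows the name-based path allowing the impostor and the hash-based path quarantining it; a "trusted list" in the sense the thread asks for should therefore record a hash (or a publisher signature), not a file name or folder.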
  17. instawin

    instawin New Member

    Jan 27, 2016
    1
    2
    NC, USA
    I do believe I have found a false positive (it may not seem like it at first, though; hear me out please). VirusTotal report for the file. For some reason, 2 other AVs seem to have detected it as well.

    Zemana AntiMalware (I am using the free version, if it matters) has labelled it as TrojanCryptor:Win32/Generic. I have done scans with Malwarebytes Anti-Malware and the AV I am currently using, yet neither has labelled it as malicious.

    It's a file related to a game called Toontown Rewritten. The file is named TTREngine.exe when you install the game (Windows version). The game is not malicious (nor are the people who make it); you can find out more about their team here (a press interview) and on their website. The game has a rather large community, so if it were malicious then many people would be infected.

    (Yes, I have downloaded the game and the file in question from their real website.)
     
    silversurfer and Tornado like this.
  18. Tornado

    Tornado New Member

    Nov 22, 2015
    1,080
    3,722
    Undisclosed
    @iIda15
     
  19. iIda15

    iIda15 New Member

    Aug 10, 2015
    115
    400
    Business Development Manager
    Bosnia and Herzegovina, Sarajevo
    @Tornado , Ida has contacted the development team already :)

    I will keep you guys posted.
     
    Xtwillight, instawin and Tornado like this.
  20. iIda15

    iIda15 New Member

    Aug 10, 2015
    115
    400
    Business Development Manager
    Bosnia and Herzegovina, Sarajevo
    #20 iIda15, Jan 28, 2016
    Last edited: Jan 28, 2016
    -Whitelisted.
     
    Xtwillight, instawin, Tornado and 3 others like this.