Solved

Tired with FALSE POSITIVES!!


Userlevel 4
The speed at which a false positive is white-listed is great, but come on, what's going on here? It seems like WSA flags every file in the universe as a virus until someone specifically asks for it to be white-listed. I reported like 4 FPs this week.

Now this is the 4th: http://dlcdnet.asus.com/pub/ASUS/nb/Apps_for_Win8.1/LiveUpdate/LiveUpdate_Win81_64_VER327.zip  The zip itself is not the virus; once you install the Live Updater, when it runs, that gets flagged as a virus!

For the love of god, it's an ASUS updater!

Seriously considering switching solutions, as I can't deal with so many FPs, and I thought Panda Cloud AV was bad! This is horrible!

Best answer by RetiredTripleHelix 10 March 2014, 00:45


32 replies

Userlevel 7
Hi MaXimus
 
How are you?
 
I am intrigued by what you are reporting as I barely get an FP from WSA...so just wondering what your Heuristics settings are (I assume that you know where to find them in Advanced Settings...;)) as I believe that there have been posts previously about more FPs with the higher settings, i.e., Maximum...I am currently running on "Enhanced Heuristics" based on the behaviour, origin, etc....
 
May be a dead end/bum steer...but always worth trying to rule out the obvious.
 
Cheers
 
 
Baldrick
Userlevel 7
Badge +52
Hi MaXimus

I just checked this file and archive; Webroot doesn't flag it as a virus.

Either way, you might want to submit a Trouble Ticket
 
Thank you
Best regards, Petr.
Userlevel 4
Hi guys, all WSA settings are at default, I didn't touch a thing.
 
Strange how you got no FP from it. As soon as the live updater launched, WSA stopped it and said it was a virus. I wish I had taken a screenshot.
 
Petrovic, did you actually run the program? That's when the virus is detected, when it runs, not the actual installer.
 
I also did submit a ticket :(
 
Been getting FPs all week long of keygens which are reported safe by Kaspersky, Bitdefender, NOD32, and the big sharks, so support whitelisted them, but the amount of FPs I am experiencing is beyond acceptable 😞
Userlevel 7
Badge +52
MaXimus

You can disable the detection of PUA.
 
Keygen software distributions may be infected with malware. Regardless, using a keygen is in most cases illegal.
 
Userlevel 4
Thanks for the reply, but I would rather not; I would rather the problem is solved from its roots. What if I did try to run an actual PUP one day? I want to be warned. Just don't want these FPs, man.
Userlevel 7
Hi Petr
 
It might be that but I do not think so as I have mine checked on both Win7 64bit & Win8.1 32bit systems and I barely get anything detected by scans let alone the sort of FPs that MaXimus is advising he is seeing.
 
MaXimus, at the risk of it sounding cliched, have you tried the good ol' "uninstall, reboot, install fresh downloaded version & reboot" four step? May be worth a try in case there is something not quite right with your current installation?
 
May be worth a punt as it does not take long at all?
 
Regards
 
 
Baldrick
Userlevel 7
Badge +52
MaXimus
You can always ask for help in support
&
Read more:
https:///t5/Tips-and-Tricks-KB/How-to-Remove-Potentially-Unwanted-Applications/ta-p/40744
Userlevel 4
Hi Mr. Baldrick, I have the latest WSA clean installed after disabling Windows Defender. It's a fresh Win 8.1 installation with the latest drivers and a fresh clean install of the latest WSA, so that's not the issue here.
 
Did you actually run the updater and hit the update button? It won't find anything; just try that and see what WSA says.
Userlevel 7
Badge +52
@MaXimus wrote:
Did you actually run the updater and hit the update button? It won't find anything; just try that and see what WSA says.

Everything works.
Userlevel 7
Badge +56
This is what I get with your link?
 
Daniel
Userlevel 7
Hi MaXimus
 
I appreciate that you have a new install, but what I was wondering is when these FPs (the 4 a day that you are unfortunately getting) started? Has this always been the case, or have they started since the last install of WSA, etc.?
 
I will check again on my Win8.1 system, but as I have it set to do auto updates they are usually installed before I even get sight of them. But given the info you have provided I will double check.
 
Cheers
 
 
Baldrick
Userlevel 7
Badge +52
@ wrote:
This is what I get with your link?
 
Daniel
 
Correct link
http://dlcdnet.asus.com/pub/ASUS/nb/Apps_for_Win8.1/LiveUpdate/LiveUpdate_Win81_64_VER327.zip
Userlevel 4
That's why you were not able to run the program.
 
Here's a screeny I just took on another clean installation of WSA / Windows 8.1, freshly formatted:
 
http://tinypic.com/r/mil8c1/8
 
and
 
http://tinypic.com/r/vsdp3r/8
 
VirusTotal link of the actual EXE, not the installer EXE: https://www.virustotal.com/en/file/8e45b0ddb9b218de2a07b1e913e78ee95ed44d86b7ad937576c5143fbc39e7b3/analysis/
 
Clean by ALL AVs (Webroot not mentioned).
 
When I had Webroot on I couldn't even upload the file to VirusTotal; IE kept crashing until I shut down WSA, then I was able to upload the file!
 
Userlevel 7
Badge +52
@MaXimus wrote:
I also did submit a ticket 
 
The program is intended only for ASUS and I cannot fully test it.
I think in the near future support will solve your issue.
 
Userlevel 4
I just showed you the screenshots above and the VirusTotal link; how will support help me if they can't even install the program?

And what in the world makes WSA mark it as a virus or PUP to start off with? That's my point: the FPs in WSA are beyond imagination. I'm tired of submitting support tickets; I've submitted like 4 this week.

Might as well go back to my NOD32 and enjoy an FP-free life.
Userlevel 7
Badge +56
No detection here, and I have mine set to the Max! And marked Good! Strange! Can you do another clean reinstall of WSA and make sure you don't import your old settings; make sure you have your Keycode and reboot after uninstall and after reinstall.
 
Some legitimate files are not included in this log
[g] c:\users\daniel\downloads\liveupdate_win81_64_ver327.zip/setup.exe [MD5: 17C5C943A0D3F047AC571843543330A5] [Flags: 00001000.4473]
[g] c:\users\daniel\downloads\setup.exe [MD5: 17C5C943A0D3F047AC571843543330A5] [Flags: 00001000.4473]
 
Userlevel 7
Badge +52
@MaXimus wrote:
I just showed you the screenshots above and the VirusTotal link; how will support help me if they can't even install the program?

And what in the world makes WSA mark it as a virus or PUP to start off with? That's my point: the FPs in WSA are beyond imagination. I'm tired of submitting support tickets; I've submitted like 4 this week.

Might as well go back to my NOD32 and enjoy an FP-free life.


@ wrote:
"
We have a set of guidelines on what we can mark as bad and we follow them to the button. We mark a large number of PUAs every day; in fact I marked about 75 thousand bad yesterday.

A large amount of the tickets I see about customers having an issue about PUA is that they installed it themselves by clicking a number of accept dialogue boxes. If a program tells you what it does (and isn't malicious) and gives you the option to uninstall cleanly, it probably won't be marked bad (that's not set in stone of course!).

In the links you posted, the first one isn't really PUA; they are talking about malware (password stealers etc.) which we of course block. The grayware def again is a little vague: they talk about Dialers (which we block), Adware, which there are varying types of, some we block, some we don't (it varies for each program).

What people forget is that "free" programs often use advertising in order for the creator to make some money. It's extremely common on mobile applications, but for some reason when it's on a PC platform people get really annoyed 😃 Toolbars are a pet hate of mine; if I had my way I'd mark them all bad, but to be honest the majority of them will tell you what they do before the install! My rule of thumb is to avoid them all."

https:///t5/Tips-and-Tricks/Webroot-s-position-on-PUA/m-p/40404#M448
Userlevel 4
@Triple Helix, I never save or import my settings. I've said that it's a pure clean installation, and the problem is not with the installer, since you and I can run it; the problem is when the ASUS updater program itself starts.

It's fine, let this one go. I seriously have no time to be dealing with such issues on a daily basis. Gonna install NOD32 and get this headache over with.
Userlevel 7
Badge +56
Can you scan the files, save a scan log and post the lines like I did? I ran the installer and got no detection, so there is a problem on your end.
 
Thanks,
 
Daniel
Userlevel 7
That's weird... I haven't experienced any false positives for a long time.
Even on my new laptop, which is full of applications and add-ons from Samsung, after a few scans WSA classified almost all of them as [g].
So far it has not even been necessary to do any whitelisting.
 
 
Mike
Userlevel 4
@Triple Helix:

[g] c:\program files (x86)\asus\asus live update\alvupdt.dll [MD5: ED14568B51A1B0FB4B9EE7B49A64CB5F] [Flags: 00000000.2439]

[g] c:\program files (x86)\asus\asus live update\checkmetro.dll [MD5: 056095A6359318395A36AA47365F849E] [Flags: 00000000.2438]

[e] c:\program files (x86)\asus\asus live update\updatechecker.exe [MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D] [Flags: 00080100.2445]

Mon 2014-03-10 03:18:39.0248 Infection detected: c:\program files (x86)\asus\asus live update\updatechecker.exe [MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D] [3/00080000] [W32.Malware.Gen]

Mon 2014-03-10 03:18:39.0248 File blocked in realtime: c:\program files (x86)\asus\asus live update\updatechecker.exe [MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D, Size: 11776 bytes] [524288/00000003] [W32.Malware.Gen]

Mon 2014-03-10 03:18:39.0248 Determination flags modified: c:\program files (x86)\asus\asus live update\updatechecker.exe - MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D, Size: 11776 bytes, Flags: 00000020

Mon 2014-03-10 03:20:54.0008 Determination flags modified: c:\program files (x86)\asus\asus live update\updatechecker.exe - MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D, Size: 11776 bytes, Flags: 00000100

Mon 2014-03-10 03:57:52.0910 Monitoring process C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe [63B5DFA2469652174598BAA69A0646DF]. Type: 3 (2443)

Mon 2014-03-10 03:57:52.0910 Monitoring process C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe [63B5DFA2469652174598BAA69A0646DF]. Type: 4 (2443)

Mon 2014-03-10 03:57:52.0910 Monitoring process C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe [63B5DFA2469652174598BAA69A0646DF]. Type: 5 (2443)

Mon 2014-03-10 03:57:52.0910 Monitoring process C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe [63B5DFA2469652174598BAA69A0646DF]. Type: 8 (2443)

Mon 2014-03-10 03:57:52.0910 Determination flags modified: c:\program files (x86)\asus\asus live update\liveupdate.exe - MD5: 63B5DFA2469652174598BAA69A0646DF, Size: 3202840 bytes, Flags: 00008000
Userlevel 7
Hi MaXimus
 
Can appreciate how you are feeling, especially with us saying we are not seeing the same as you (and that is very real for you), but as Daniel says there must be something somewhere that is causing this...so I would suggest one last try...and go for the scan of the .exe and then posting if there is anything that seems untoward, or even PM'ing the scan log to us so that we can have a look discreetly. ;) if that does not cause you a problem?
 
Would hate to lose you back to NOD32 . :(
 
EDIT: Just seen that you have... I am behind the curve tonight...it is just frenetic. :S
 
Regards
 
 
Baldrick
Userlevel 4
Yup, no one experiences what I did because the issue is not with the installer; it's when you actually run the updater.
Userlevel 7
Hi MaXimus
 
Have checked on the MD5s for the updatechecker.exe, and found a couple of sites reporting it as "Trojan downloader activity" and that the file is not digitally signed.
 
File sizes match too!
 
Regards
 
 
Baldrick
Userlevel 7
Badge +56
[e] = OVERRIDDEN TO IGNORE
 
As I don't have an ASUS I can't run the full installer to find out about that file that you have overridden to ignore. Did you get it installed in any case? And you should contact support and ask what's going on with this installer; it could be a simple thing of whitelisting that overridden file detection.

 
Daniel
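Triaging a claim like MaXimus's is easier when the posted scan log is reduced to a per-file timeline: which files were detected or blocked, under what name, and what their final classification letter is (Daniel reads [e] as "overridden to ignore"). The parser below is an added example, not code from the thread or from Webroot; the sample log is a constructed excerpt of the lines MaXimus posted, and the log format it assumes is only what those lines show.

```python
import re

# Constructed sample: lines copied from the scan log posted in this thread, so the
# example runs offline. The format is assumed from these lines only.
SAMPLE_LOG = r"""
[g] c:\program files (x86)\asus\asus live update\alvupdt.dll [MD5: ED14568B51A1B0FB4B9EE7B49A64CB5F] [Flags: 00000000.2439]
[e] c:\program files (x86)\asus\asus live update\updatechecker.exe [MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D] [Flags: 00080100.2445]
Mon 2014-03-10 03:18:39.0248 Infection detected: c:\program files (x86)\asus\asus live update\updatechecker.exe [MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D] [3/00080000] [W32.Malware.Gen]
Mon 2014-03-10 03:18:39.0248 File blocked in realtime: c:\program files (x86)\asus\asus live update\updatechecker.exe [MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D, Size: 11776 bytes] [524288/00000003] [W32.Malware.Gen]
Mon 2014-03-10 03:20:54.0008 Determination flags modified: c:\program files (x86)\asus\asus live update\updatechecker.exe - MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D, Size: 11776 bytes, Flags: 00000100
Mon 2014-03-10 03:57:52.0910 Determination flags modified: c:\program files (x86)\asus\asus live update\liveupdate.exe - MD5: 63B5DFA2469652174598BAA69A0646DF, Size: 3202840 bytes, Flags: 00008000
"""

# "[g] <path> [MD5: ...] [Flags: ...]" classification lines.
CLASS_RE = re.compile(r"^\[(?P<cls>[a-z])\] (?P<path>.+?) \[MD5: (?P<md5>[0-9A-F]{32})\]")
# Timestamped event lines that name a file by MD5 ("Monitoring process" lines
# use a different shape and are deliberately skipped).
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{4}-\d{2}-\d{2} \S+) (?P<event>[A-Za-z ]+?): .*?MD5: (?P<md5>[0-9A-F]{32})")
# Trailing "[W32.Malware.Gen]" style threat name, if the line carries one.
THREAT_RE = re.compile(r"\[([A-Za-z0-9.]+)\]\s*$")


def parse_scan_log(text):
    """Group the log by MD5: path, final classification letter, and event timeline."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        m = CLASS_RE.match(line)
        if m:
            rec = records.setdefault(m["md5"], {"path": m["path"], "class": None, "events": []})
            rec["class"] = m["cls"]
            continue
        m = EVENT_RE.match(line)
        if m:
            rec = records.setdefault(m["md5"], {"path": None, "class": None, "events": []})
            threat = THREAT_RE.search(line)
            rec["events"].append((m["ts"], m["event"], threat.group(1) if threat else None))
    return records


def overridden_detections(records):
    """MD5s that were detected or blocked but end up classified [e]: the files to
    list first in a support ticket, since the user has overridden a live detection."""
    hits = ("Infection detected", "File blocked in realtime")
    return [md5 for md5, rec in records.items()
            if rec["class"] == "e" and any(ev in hits for _, ev, _ in rec["events"])]
```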

 
