de la Mancha
KVRian
 
1307 posts since 4 Oct, 2005, from London, UK

Postby de la Mancha; Fri May 07, 2010 1:23 am CK modules showing trojans on Kaspersky & Avira - CONFIRMED false positives

EDIT3

It is now confirmed by Kaspersky, Avira and Avast that alerts about the following are FALSE POSITIVES
- CK_Host_BPM.sep
- CK_Warp.sep
- CK_polyphony_control.sep

This means there is no trojan/virus and Kaspersky/Avira/Avast is alerting in error. All 3 companies inform me that they will be removed from the list in future updates.

Now that these 3 companies have all confirmed it is false positive reporting, it is probably safe to assume that any other AV program which alerts is also finding a false positive.


For clarification, these .sep files are modules that are used in Synthedit VST plugins. When you install and scan the .dll file in your host, it automatically extracts the needed modules into a folder with the same name as the .dll
If you delete them, the plugin will automatically re-extract them again into the folder on next scan/run. Until Kaspersky/Avira/Avast update their software, you can safely ignore the trojan alerts on these modules.




-------------------------------original post----------------------------
Looking for some help to get to the bottom of an issue that is being reported recently

A number of users of Kaspersky and Avira anti-virus programs are informing me that some CK modules are coming up as containing trojans.

I have Eset NOD on one computer and Sophos on another, neither of which give any alert for trojans on CK modules

So I'm thinking it is a false positive, but I'd like some second opinions

If you have CK_Warp.sep on your hard drive, could you run the Kaspersky online scan on it and report results here?

http://www.kaspersky.co.uk/scanforvirus

I get the following;

CK_Warp.sep - infected by Trojan-PSW.Win32.QQPass.ssg


Also if you have another anti-virus program installed, or know another online scanner, please report the results too.


cheers
Last edited by de la Mancha on Mon May 17, 2010 4:38 am, edited 5 times in total.
spacedad
KVRAF
 
4738 posts since 25 Apr, 2002, from the bogely factory

Postby spacedad; Fri May 07, 2010 2:34 am

http://virusscan.jotti.org/en-GB/scanre ... 8cf3f44f45
here's jotti's results...just 3 reports.
Majken
KVRian
 
1026 posts since 7 Apr, 2003, from Östersund

Postby Majken; Fri May 07, 2010 2:40 am

Anti-virus software causes more problems with computers than viruses ever have. CK's modules are very unlikely virus free, it's likely that there's some sort of pattern in them that some anti-virus software recognizes.

Here's an online scanner that will run a file through 41 anti-virus software packages. If only a couple of them tell you the file is a virus you can be pretty certain it's just another false positive.

http://www.virustotal.com/
spacedad
KVRAF
 
4738 posts since 25 Apr, 2002, from the bogely factory

Postby spacedad; Fri May 07, 2010 2:44 am

Yes, it's bound to be a false positive, I get them all the time with Avira, bloody nuisance.
de la Mancha
KVRian
 
1307 posts since 4 Oct, 2005, from London, UK

Postby de la Mancha; Fri May 07, 2010 2:55 am

Thanks guys, here's the results from virustotal, only 3 out of 41 show the trojan, I'm calling false positive on those results

Antivirus     Version     Last Update     Result
a-squared   4.5.0.50   2010.05.07   -
AhnLab-V3   2010.05.07.00   2010.05.06   -
AntiVir   8.2.1.236   2010.05.07   TR/PSW.QQpass.ssg
Antiy-AVL   2.0.3.7   2010.05.07   Trojan/Win32.QQPass.gen
Authentium   5.2.0.5   2010.05.07   -
Avast   4.8.1351.0   2010.05.07   -
Avast5   5.0.332.0   2010.05.07   -
AVG   9.0.0.787   2010.05.07   -
BitDefender   7.2   2010.05.07   -
CAT-QuickHeal   10.00   2010.05.07   -
ClamAV   0.96.0.3-git   2010.05.07   -
Comodo   4786   2010.05.07   -
DrWeb   5.0.2.03300   2010.05.07   -
eSafe   7.0.17.0   2010.05.06   -
eTrust-Vet   35.2.7473   2010.05.07   -
F-Prot   4.5.1.85   2010.05.07   -
F-Secure   9.0.15370.0   2010.05.07   -
Fortinet   4.1.133.0   2010.05.07   -
GData   21   2010.05.07   -
Ikarus   T3.1.1.84.0   2010.05.07   -
Jiangmin   13.0.900   2010.05.07   -
Kaspersky   7.0.0.125   2010.05.07   Trojan-PSW.Win32.QQPass.ssg
McAfee   5.400.0.1158   2010.05.07   -
McAfee-GW-Edition   2010.1   2010.05.07   -
Microsoft   1.5703   2010.05.07   -
NOD32   5094   2010.05.07   -
Norman   6.04.12   2010.05.07   -
nProtect   2010-05-07.01   2010.05.07   -
Panda   10.0.2.7   2010.05.06   -
PCTools   7.0.3.5   2010.05.07   -
Prevx   3.0   2010.05.07   -
Rising   22.46.04.04   2010.05.07   -
Sophos   4.53.0   2010.05.07   -
Sunbelt   6274   2010.05.07   -
Symantec   20091.2.0.41   2010.05.07   -
TheHacker   6.5.2.0.277   2010.05.07   -
TrendMicro   9.120.0.1004   2010.05.07   -
TrendMicro-HouseCall   9.120.0.1004   2010.05.07   -
VBA32   3.12.12.4   2010.05.06   -
ViRobot   2010.5.7.2306   2010.05.07   -
VirusBuster   5.0.27.0   2010.05.06   -
de la Mancha
KVRian
 
1307 posts since 4 Oct, 2005, from London, UK

Postby de la Mancha; Fri May 07, 2010 3:00 am

I've sent the file to Kaspersky and Avira false positive reporting service, waiting to hear their analysis...
D.H. Miltz
D.H. MOD
 
11052 posts since 20 Jun, 2008

Postby D.H. Miltz; Fri May 07, 2010 3:17 am

I think you're probably right about the false positive, but in case it means anything, virustotal.com now shows five out of 41 (the WARP.SEP file I uploaded this time was from my FMMF folder; results below).

The WARP.SEP from my Majken Chimera folder gets 0/41 and didn't/doesn't trigger Avira.

Similar story with CK_POLYPHONY_CONTROL.SEP -- 5/51 from the one in the Dirty Harry folder, 0/41 from the one in the Adonis Pro folder (and no alert from Avira on the latter).

An older/newer module thing? I don't know anything about it, but figure more information can't hurt.

Malwarebytes doesn't find anything in any of them.

File CK_WARP.SEP received on 2010.05.07 10:56:56 (UTC)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.07 -
AhnLab-V3 2010.05.07.00 2010.05.06 -
AntiVir 8.2.1.236 2010.05.07 TR/PSW.QQpass.ssg
Antiy-AVL 2.0.3.7 2010.05.07 Trojan/Win32.QQPass
Authentium 5.2.0.5 2010.05.07 -
Avast 4.8.1351.0 2010.05.07 -
Avast5 5.0.332.0 2010.05.07 -
AVG 9.0.0.787 2010.05.07 -
BitDefender 7.2 2010.05.07 -
CAT-QuickHeal 10.00 2010.05.07 -
ClamAV 0.96.0.3-git 2010.05.07 -
Comodo 4786 2010.05.07 -
DrWeb 5.0.2.03300 2010.05.07 -
eSafe 7.0.17.0 2010.05.06 -
eTrust-Vet 35.2.7473 2010.05.07 -
F-Prot 4.5.1.85 2010.05.07 -
F-Secure 9.0.15370.0 2010.05.07 -
Fortinet 4.1.133.0 2010.05.07 -
GData 21 2010.05.07 -
Ikarus T3.1.1.84.0 2010.05.07 -
Jiangmin 13.0.900 2010.05.07 -
Kaspersky 7.0.0.125 2010.05.07 Trojan-PSW.Win32.QQPass.ssg
McAfee 5.400.0.1158 2010.05.07 -
McAfee-GW-Edition 2010.1 2010.05.07 Artemis!04C7D6EDA57E
Microsoft 1.5703 2010.05.07 -
NOD32 5094 2010.05.07 -
Norman 6.04.12 2010.05.07 -
nProtect 2010-05-07.01 2010.05.07 -
Panda 10.0.2.7 2010.05.06 Suspicious file
PCTools 7.0.3.5 2010.05.07 -
Prevx 3.0 2010.05.07 -
Rising 22.46.04.04 2010.05.07 -
Sophos 4.53.0 2010.05.07 -
Sunbelt 6274 2010.05.07 -
Symantec 20091.2.0.41 2010.05.07 -
TheHacker 6.5.2.0.277 2010.05.07 -
TrendMicro 9.120.0.1004 2010.05.07 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.07 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.7.2306 2010.05.07 -
VirusBuster 5.0.27.0 2010.05.06 -
de la Mancha
KVRian
 
1307 posts since 4 Oct, 2005, from London, UK

Postby de la Mancha; Fri May 07, 2010 3:30 am

Thanks for that. I just scanned an older version of CK_Warp and got 0/41 too, so it seems related to the most recent version of CK_Warp
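
An added example, not part of any post in this thread: the posts above find that same-named modules from different plugin folders scan differently, so before filing a false-positive report it helps to know which copies are actually distinct builds. This Python sketch groups `.sep` files by name and SHA-256; the file contents written by `build_demo_tree` are constructed sample data, and its folder layout is an assumption for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so it never has to fit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def group_module_builds(plugin_root, extension=".sep"):
    """Map lower-cased module name -> {sha256: [paths]} for modules under plugin_root."""
    builds = defaultdict(lambda: defaultdict(list))
    for dirpath, _dirs, files in os.walk(plugin_root):
        for name in files:
            if name.lower().endswith(extension):
                path = os.path.join(dirpath, name)
                builds[name.lower()][sha256_of(path)].append(path)
    return {name: dict(by_hash) for name, by_hash in builds.items()}

def modules_with_multiple_builds(builds):
    """Keep only module names that exist in more than one distinct build."""
    return {name: by_hash for name, by_hash in builds.items() if len(by_hash) > 1}

def build_demo_tree(root):
    """Constructed sample data: three plugin folders, two distinct CK_Warp builds."""
    samples = {
        ("FMMF", "CK_WARP.SEP"): b"constructed bytes: newer build",
        ("Chimera", "CK_Warp.sep"): b"constructed bytes: older build",
        ("Adonis Pro", "CK_Warp.sep"): b"constructed bytes: older build",
        ("Adonis Pro", "CK_polyphony_control.sep"): b"constructed bytes: single build",
    }
    for (folder, name), data in samples.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        differing = modules_with_multiple_builds(group_module_builds(root))
        for name, by_hash in differing.items():
            for digest, paths in by_hash.items():
                print(name, digest[:16], sorted(paths))
```

Submitting one copy per distinct hash, and quoting that hash in the report, lets the vendor confirm exactly which build its verdict covers.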
de la Mancha
KVRian
 
1307 posts since 4 Oct, 2005, from London, UK

Postby de la Mancha; Fri May 07, 2010 3:30 am

AHA! Just got this back from Kaspersky

Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.
osiris
KVRAF
 
7223 posts since 20 Nov, 2003, from Lost and Spaced

Postby osiris; Fri May 07, 2010 5:48 am

My Avira did the same thing with the old Exciter plugin. Said a .sep file had a trojan.
RunBeerRun
KVRAF
 
7879 posts since 2 Aug, 2005, from Guitar Land, USA

Postby RunBeerRun; Fri May 07, 2010 6:15 am

W/Avast, the only virus hit I've had is Xoxos volts to scale.
The only site for experimental amp sim freeware & MIDI FX: http://runbeerrun.blogspot.com
https://m.youtube.com/channel/UCprNcvVH6aPTehLv8J5xokA -Youtube jams
de la Mancha
KVRian
 
1307 posts since 4 Oct, 2005, from London, UK

Postby de la Mancha; Fri May 07, 2010 6:39 am

More confirmation that it is a false positive from Avira

File ID     Filename     Size (Byte)    Result
25696542     CK_Warp.sep     65.5 KB     FALSE POSITIVE


Please find a detailed report concerning each individual sample below:
 Filename    Result
 CK_Warp.sep     FALSE POSITIVE


so good news :)

Thanks to everyone for your input :tu:
novaflash
KVRAF
 
2041 posts since 21 Nov, 2003, from Mars, Solar System

Postby novaflash; Sat May 08, 2010 6:37 am

thanks for the report dlm.

CK_Polyphony_Control detected as malware here since today (AVAST, report sent)
D.H. Miltz
D.H. MOD
 
11052 posts since 20 Jun, 2008

Postby D.H. Miltz; Mon May 10, 2010 1:16 pm

Yesterday I was still getting alerts from Avira for three CK files from my FMMF folder. Submitted FP report, got back confirmation.

Filename Result
CK_HOST_BPM.SEP FALSE POSITIVE

The file 'CK_HOST_BPM.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

Filename Result
CK_POLYPHONY_CONTROL.SEP FALSE POSITIVE

The file 'CK_POLYPHONY_CONTROL.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.10.7.84.

Filename Result
CK_WARP.SEP FALSE POSITIVE

The file 'CK_WARP.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.10.7.84.

de la Mancha
KVRian
 
1307 posts since 4 Oct, 2005, from London, UK

Postby de la Mancha; Tue May 11, 2010 1:19 am

Thanks for that report, very helpful :tu:
I also reported all 3 modules to Kaspersky and got back confirmation that they are false positives.

I have updated the original post to summarise the situation