CK modules showing trojans on Kaspersky & Avira - CONFIRMED false positives
- KVRian
- Topic Starter
- 1302 posts since 4 Oct, 2005 from London, UK
EDIT3
It is now confirmed by Kaspersky, Avira and Avast that alerts about the following are FALSE POSITIVES
- CK_Host_BPM.sep
- CK_Warp.sep
- CK_polyphony_control.sep
This means there is no trojan/virus and Kaspersky/Avira/Avast is alerting in error. All 3 companies inform me that they will be removed from the list in future updates.
Now that these 3 companies have all confirmed it is false positive reporting, it is probably safe to assume that any other AV program which alerts is also finding a false positive.
For clarification, these .sep files are modules that are used in Synthedit VST plugins. When you install and scan the .dll file in your host, it automatically extracts the needed modules into a folder with the same name as the .dll.
If you delete them, the plugin will automatically re-extract them again into the folder on next scan/run. Until Kaspersky/Avira/Avast update their software, you can safely ignore the trojan alerts on these modules.
-------------------------------original post----------------------------
Looking for some help to get to the bottom of an issue that is being reported recently.
A number of users of Kaspersky and Avira anti-virus programs are informing me that some CK modules are coming up as containing trojans.
I have Eset NOD on one computer and Sophos on another, neither of which give any alert for trojans on CK modules.
So I'm thinking it is a false positive, but I'd like some second opinions.
If you have CK_Warp.sep on your hard drive, could you run the Kaspersky online scan on it and report results here?
http://www.kaspersky.co.uk/scanforvirus
I get the following;
CK_Warp.sep - infected by Trojan-PSW.Win32.QQPass.ssg
Also if you have another anti-virus program installed, or know another online scanner, please report the results too.
cheers
Last edited by de la Mancha on Mon May 17, 2010 12:38 pm, edited 5 times in total.
- KVRAF
- 4760 posts since 26 Apr, 2002 from the bogely factory
http://virusscan.jotti.org/en-GB/scanre ... 8cf3f44f45
here's jotti's results...just 3 reports.
-
- KVRian
- 1023 posts since 8 Apr, 2003 from Östersund
Anti-virus software causes more problems with computers than viruses ever have. CK's modules are very unlikely virus free, it's likely that there's some sort of pattern in them that some anti-virus software recognizes.
Here's an online scanner that will run a file through 41 anti-virus software packages. If only a couple of them tell you the file is a virus you can be pretty certain it's just another false positive.
http://www.virustotal.com/
- KVRAF
- 4760 posts since 26 Apr, 2002 from the bogely factory
Yes, it's bound to be a false positive, I get them all the time with Avira, bloody nuisance.
- KVRian
- Topic Starter
- 1302 posts since 4 Oct, 2005 from London, UK
Thanks guys, here's the results from virustotal, only 3 out of 41 show the trojan, I'm calling false positive on those results
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.07 -
AhnLab-V3 2010.05.07.00 2010.05.06 -
AntiVir 8.2.1.236 2010.05.07 TR/PSW.QQpass.ssg
Antiy-AVL 2.0.3.7 2010.05.07 Trojan/Win32.QQPass.gen
Authentium 5.2.0.5 2010.05.07 -
Avast 4.8.1351.0 2010.05.07 -
Avast5 5.0.332.0 2010.05.07 -
AVG 9.0.0.787 2010.05.07 -
BitDefender 7.2 2010.05.07 -
CAT-QuickHeal 10.00 2010.05.07 -
ClamAV 0.96.0.3-git 2010.05.07 -
Comodo 4786 2010.05.07 -
DrWeb 5.0.2.03300 2010.05.07 -
eSafe 7.0.17.0 2010.05.06 -
eTrust-Vet 35.2.7473 2010.05.07 -
F-Prot 4.5.1.85 2010.05.07 -
F-Secure 9.0.15370.0 2010.05.07 -
Fortinet 4.1.133.0 2010.05.07 -
GData 21 2010.05.07 -
Ikarus T3.1.1.84.0 2010.05.07 -
Jiangmin 13.0.900 2010.05.07 -
Kaspersky 7.0.0.125 2010.05.07 Trojan-PSW.Win32.QQPass.ssg
McAfee 5.400.0.1158 2010.05.07 -
McAfee-GW-Edition 2010.1 2010.05.07 -
Microsoft 1.5703 2010.05.07 -
NOD32 5094 2010.05.07 -
Norman 6.04.12 2010.05.07 -
nProtect 2010-05-07.01 2010.05.07 -
Panda 10.0.2.7 2010.05.06 -
PCTools 7.0.3.5 2010.05.07 -
Prevx 3.0 2010.05.07 -
Rising 22.46.04.04 2010.05.07 -
Sophos 4.53.0 2010.05.07 -
Sunbelt 6274 2010.05.07 -
Symantec 20091.2.0.41 2010.05.07 -
TheHacker 6.5.2.0.277 2010.05.07 -
TrendMicro 9.120.0.1004 2010.05.07 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.07 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.7.2306 2010.05.07 -
VirusBuster 5.0.27.0 2010.05.06 -
- KVRian
- Topic Starter
- 1302 posts since 4 Oct, 2005 from London, UK
I've sent the file to the Kaspersky and Avira false positive reporting services, waiting to hear their analysis...
-
- D.H. MOD
- 16411 posts since 21 Jun, 2008
I think you're probably right about the false positive, but in case it means anything, virustotal.com now shows five out of 41 (the WARP.SEP file I uploaded this time was from my FMMF folder; results below).
The WARP.SEP from my Majken Chimera folder gets 0/41 and didn't/doesn't trigger Avira.
Similar story with CK_POLYPHONY_CONTROL.SEP -- 5/51 from the one in the Dirty Harry folder, 0/41 from the one in the Adonis Pro folder (and no alert from Avira on the latter).
An older/newer module thing? I don't know anything about it, but figure more information can't hurt.
Malwarebytes doesn't find anything in any of them.
File CK_WARP.SEP received on 2010.05.07 10:56:56 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.07 -
AhnLab-V3 2010.05.07.00 2010.05.06 -
AntiVir 8.2.1.236 2010.05.07 TR/PSW.QQpass.ssg
Antiy-AVL 2.0.3.7 2010.05.07 Trojan/Win32.QQPass
Authentium 5.2.0.5 2010.05.07 -
Avast 4.8.1351.0 2010.05.07 -
Avast5 5.0.332.0 2010.05.07 -
AVG 9.0.0.787 2010.05.07 -
BitDefender 7.2 2010.05.07 -
CAT-QuickHeal 10.00 2010.05.07 -
ClamAV 0.96.0.3-git 2010.05.07 -
Comodo 4786 2010.05.07 -
DrWeb 5.0.2.03300 2010.05.07 -
eSafe 7.0.17.0 2010.05.06 -
eTrust-Vet 35.2.7473 2010.05.07 -
F-Prot 4.5.1.85 2010.05.07 -
F-Secure 9.0.15370.0 2010.05.07 -
Fortinet 4.1.133.0 2010.05.07 -
GData 21 2010.05.07 -
Ikarus T3.1.1.84.0 2010.05.07 -
Jiangmin 13.0.900 2010.05.07 -
Kaspersky 7.0.0.125 2010.05.07 Trojan-PSW.Win32.QQPass.ssg
McAfee 5.400.0.1158 2010.05.07 -
McAfee-GW-Edition 2010.1 2010.05.07 Artemis!04C7D6EDA57E
Microsoft 1.5703 2010.05.07 -
NOD32 5094 2010.05.07 -
Norman 6.04.12 2010.05.07 -
nProtect 2010-05-07.01 2010.05.07 -
Panda 10.0.2.7 2010.05.06 Suspicious file
PCTools 7.0.3.5 2010.05.07 -
Prevx 3.0 2010.05.07 -
Rising 22.46.04.04 2010.05.07 -
Sophos 4.53.0 2010.05.07 -
Sunbelt 6274 2010.05.07 -
Symantec 20091.2.0.41 2010.05.07 -
TheHacker 6.5.2.0.277 2010.05.07 -
TrendMicro 9.120.0.1004 2010.05.07 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.07 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.7.2306 2010.05.07 -
VirusBuster 5.0.27.0 2010.05.06 -
No longer a moderator.
- KVRian
- Topic Starter
- 1302 posts since 4 Oct, 2005 from London, UK
Thanks for that. I just scanned an older version of CK_Warp and got 0/41 too, so it seems related to the most recent version of CK_Warp
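The results above differ between same-named modules in different plugin folders, which points to different builds of the same file. As an added example (not part of the thread), this Python script groups `.sep` files by SHA-256 so that each distinct build can be scanned and reported separately; the folder names `PluginA`/`PluginB`/`PluginC` and the file contents in the sample tree are constructed.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large modules are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def group_module_builds(plugin_root: Path, suffix: str = ".sep") -> dict:
    """Map lower-cased module name -> {sha256: [folders holding that exact build]}."""
    builds = defaultdict(lambda: defaultdict(list))
    for path in sorted(plugin_root.rglob("*")):
        # Compare name and suffix case-insensitively: CK_WARP.SEP == CK_Warp.sep
        if path.is_file() and path.suffix.lower() == suffix:
            builds[path.name.lower()][sha256_of(path)].append(path.parent.name)
    return {name: dict(by_hash) for name, by_hash in builds.items()}


def modules_with_multiple_builds(builds: dict) -> list:
    """Module names present in more than one build; each build needs its own scan."""
    return sorted(name for name, by_hash in builds.items() if len(by_hash) > 1)


def make_sample_tree(root: Path) -> None:
    """Constructed sample: hypothetical plugin folders, invented file contents."""
    samples = {
        "PluginA/CK_WARP.SEP": b"constructed newer build",
        "PluginB/CK_Warp.sep": b"constructed older build",
        "PluginA/CK_Host_BPM.sep": b"constructed identical build",
        "PluginC/CK_Host_BPM.sep": b"constructed identical build",
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(Path(tmp))
        found = group_module_builds(Path(tmp))
        for name in modules_with_multiple_builds(found):
            for digest, folders in found[name].items():
                print(name, digest[:16], folders)
```

Quoting the hash alongside the filename in a false positive report tells the vendor exactly which build was flagged.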
- KVRian
- Topic Starter
- 1302 posts since 4 Oct, 2005 from London, UK
AHA! Just got this back from Kaspersky
Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.
- KVRAF
- 10528 posts since 20 Nov, 2003 from Lost and Spaced
My Avira did the same thing with the old Exciter plugin. Said a .sep file had a trojan.
- KVRAF
- 8406 posts since 2 Aug, 2005 from Guitar Land, USA
W/Avast, the only virus hit I've had is Xoxos volts to scale.
The only site for experimental amp sim freeware & MIDI FX: http://runbeerrun.blogspot.com
https://m.youtube.com/channel/UCprNcvVH6aPTehLv8J5xokA -Youtube jams
- KVRian
- Topic Starter
- 1302 posts since 4 Oct, 2005 from London, UK
More confirmation that it is a false positive from Avira
so good news
Thanks to everyone for your input
File ID Filename Size (Byte) Result
25696542 CK_Warp.sep 65.5 KB FALSE POSITIVE
Please find a detailed report concerning each individual sample below:
Filename Result
CK_Warp.sep FALSE POSITIVE
-
- KVRAF
- 2041 posts since 22 Nov, 2003 from Mars, Solar System
-
- D.H. MOD
- 16411 posts since 21 Jun, 2008
Yesterday I was still getting alerts from Avira for three CK files from my FMMF folder. Submitted FP report, got back confirmation.
Filename Result
CK_HOST_BPM.SEP FALSE POSITIVE
The file 'CK_HOST_BPM.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.
Filename Result
CK_POLYPHONY_CONTROL.SEP FALSE POSITIVE
The file 'CK_POLYPHONY_CONTROL.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.10.7.84.
Filename Result
CK_WARP.SEP FALSE POSITIVE
The file 'CK_WARP.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.10.7.84.
No longer a moderator.
- KVRian
- Topic Starter
- 1302 posts since 4 Oct, 2005 from London, UK
Thanks for that report, very helpful
I also reported all 3 modules to Kaspersky and got back confirmation that they are false positives.
I have updated the original post to summarise the situation