CK modules showing trojans on Kaspersky & Avira - CONFIRMED false positives

de la Mancha
KVRian
1302 posts since 4 Oct, 2005 from London, UK

Post Fri May 07, 2010 1:23 am

EDIT3

It is now confirmed by Kaspersky, Avira and Avast that alerts about the following files are FALSE POSITIVES:
- CK_Host_BPM.sep
- CK_Warp.sep
- CK_polyphony_control.sep

This means there is no trojan/virus and Kaspersky/Avira/Avast are alerting in error. All 3 companies inform me that the files will be removed from the list in future updates.

Now that these 3 companies have all confirmed it is false positive reporting, it is probably safe to assume that any other AV program which alerts is also finding a false positive.


For clarification, these .sep files are modules that are used in SynthEdit VST plugins. When you install and scan the .dll file in your host, it automatically extracts the needed modules into a folder with the same name as the .dll.
If you delete them, the plugin will automatically re-extract them into the folder on the next scan/run. Until Kaspersky/Avira/Avast update their software, you can safely ignore the trojan alerts on these modules.




-------------------------------original post----------------------------
Looking for some help to get to the bottom of an issue that is being reported recently.

A number of users of Kaspersky and Avira anti-virus programs are informing me that some CK modules are coming up as containing trojans.

I have Eset NOD on one computer and Sophos on another, neither of which gives any alert for trojans on CK modules.

So I'm thinking it is a false positive, but I'd like some second opinions.

If you have CK_Warp.sep on your hard drive, could you run the Kaspersky online scan on it and report results here?

http://www.kaspersky.co.uk/scanforvirus

I get the following:

CK_Warp.sep - infected by Trojan-PSW.Win32.QQPass.ssg


Also if you have another anti-virus program installed, or know another online scanner, please report the results too.


cheers
Last edited by de la Mancha on Mon May 17, 2010 4:38 am, edited 5 times in total.

spacedad
KVRAF
4739 posts since 26 Apr, 2002 from the bogely factory

Post Fri May 07, 2010 2:34 am

http://virusscan.jotti.org/en-GB/scanre ... 8cf3f44f45
here's jotti's results...just 3 reports.

Majken
KVRian
1023 posts since 8 Apr, 2003 from Östersund

Post Fri May 07, 2010 2:40 am

Anti-virus software causes more problems with computers than viruses ever have. CK's modules are very unlikely virus free, it's likely that there's some sort of pattern in them that some anti-virus software recognizes.

Here's an online scanner that will run a file through 41 anti-virus software packages. If only a couple of them tell you the file is a virus you can be pretty certain it's just another false positive.

http://www.virustotal.com/

spacedad
KVRAF
4739 posts since 26 Apr, 2002 from the bogely factory

Post Fri May 07, 2010 2:44 am

Yes, it's bound to be a false positive, I get them all the time with Avira, bloody nuisance.

de la Mancha
KVRian
1302 posts since 4 Oct, 2005 from London, UK

Post Fri May 07, 2010 2:55 am

Thanks guys, here are the results from VirusTotal. Only 3 out of 41 show the trojan, so I'm calling false positive on those results.

Antivirus  	Version  	Last Update  	Result
a-squared	4.5.0.50	2010.05.07	-
AhnLab-V3	2010.05.07.00	2010.05.06	-
AntiVir	8.2.1.236	2010.05.07	TR/PSW.QQpass.ssg
Antiy-AVL	2.0.3.7	2010.05.07	Trojan/Win32.QQPass.gen
Authentium	5.2.0.5	2010.05.07	-
Avast	4.8.1351.0	2010.05.07	-
Avast5	5.0.332.0	2010.05.07	-
AVG	9.0.0.787	2010.05.07	-
BitDefender	7.2	2010.05.07	-
CAT-QuickHeal	10.00	2010.05.07	-
ClamAV	0.96.0.3-git	2010.05.07	-
Comodo	4786	2010.05.07	-
DrWeb	5.0.2.03300	2010.05.07	-
eSafe	7.0.17.0	2010.05.06	-
eTrust-Vet	35.2.7473	2010.05.07	-
F-Prot	4.5.1.85	2010.05.07	-
F-Secure	9.0.15370.0	2010.05.07	-
Fortinet	4.1.133.0	2010.05.07	-
GData	21	2010.05.07	-
Ikarus	T3.1.1.84.0	2010.05.07	-
Jiangmin	13.0.900	2010.05.07	-
Kaspersky	7.0.0.125	2010.05.07	Trojan-PSW.Win32.QQPass.ssg
McAfee	5.400.0.1158	2010.05.07	-
McAfee-GW-Edition	2010.1	2010.05.07	-
Microsoft	1.5703	2010.05.07	-
NOD32	5094	2010.05.07	-
Norman	6.04.12	2010.05.07	-
nProtect	2010-05-07.01	2010.05.07	-
Panda	10.0.2.7	2010.05.06	-
PCTools	7.0.3.5	2010.05.07	-
Prevx	3.0	2010.05.07	-
Rising	22.46.04.04	2010.05.07	-
Sophos	4.53.0	2010.05.07	-
Sunbelt	6274	2010.05.07	-
Symantec	20091.2.0.41	2010.05.07	-
TheHacker	6.5.2.0.277	2010.05.07	-
TrendMicro	9.120.0.1004	2010.05.07	-
TrendMicro-HouseCall	9.120.0.1004	2010.05.07	-
VBA32	3.12.12.4	2010.05.06	-
ViRobot	2010.5.7.2306	2010.05.07	-
VirusBuster	5.0.27.0	2010.05.06	-

de la Mancha
KVRian
1302 posts since 4 Oct, 2005 from London, UK

Post Fri May 07, 2010 3:00 am

I've sent the file to the Kaspersky and Avira false positive reporting services, waiting to hear their analysis...

D.H. Miltz
D.H. MOD
11561 posts since 21 Jun, 2008

Post Fri May 07, 2010 3:17 am

I think you're probably right about the false positive, but in case it means anything, virustotal.com now shows five out of 41 (the WARP.SEP file I uploaded this time was from my FMMF folder; results below).

The WARP.SEP from my Majken Chimera folder gets 0/41 and didn't/doesn't trigger Avira.

Similar story with CK_POLYPHONY_CONTROL.SEP -- 5/51 from the one in the Dirty Harry folder, 0/41 from the one in the Adonis Pro folder (and no alert from Avira on the latter).

An older/newer module thing? I don't know anything about it, but figure more information can't hurt.

Malwarebytes doesn't find anything in any of them.

File CK_WARP.SEP received on 2010.05.07 10:56:56 (UTC)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.07 -
AhnLab-V3 2010.05.07.00 2010.05.06 -
AntiVir 8.2.1.236 2010.05.07 TR/PSW.QQpass.ssg
Antiy-AVL 2.0.3.7 2010.05.07 Trojan/Win32.QQPass
Authentium 5.2.0.5 2010.05.07 -
Avast 4.8.1351.0 2010.05.07 -
Avast5 5.0.332.0 2010.05.07 -
AVG 9.0.0.787 2010.05.07 -
BitDefender 7.2 2010.05.07 -
CAT-QuickHeal 10.00 2010.05.07 -
ClamAV 0.96.0.3-git 2010.05.07 -
Comodo 4786 2010.05.07 -
DrWeb 5.0.2.03300 2010.05.07 -
eSafe 7.0.17.0 2010.05.06 -
eTrust-Vet 35.2.7473 2010.05.07 -
F-Prot 4.5.1.85 2010.05.07 -
F-Secure 9.0.15370.0 2010.05.07 -
Fortinet 4.1.133.0 2010.05.07 -
GData 21 2010.05.07 -
Ikarus T3.1.1.84.0 2010.05.07 -
Jiangmin 13.0.900 2010.05.07 -
Kaspersky 7.0.0.125 2010.05.07 Trojan-PSW.Win32.QQPass.ssg
McAfee 5.400.0.1158 2010.05.07 -
McAfee-GW-Edition 2010.1 2010.05.07 Artemis!04C7D6EDA57E
Microsoft 1.5703 2010.05.07 -
NOD32 5094 2010.05.07 -
Norman 6.04.12 2010.05.07 -
nProtect 2010-05-07.01 2010.05.07 -
Panda 10.0.2.7 2010.05.06 Suspicious file
PCTools 7.0.3.5 2010.05.07 -
Prevx 3.0 2010.05.07 -
Rising 22.46.04.04 2010.05.07 -
Sophos 4.53.0 2010.05.07 -
Sunbelt 6274 2010.05.07 -
Symantec 20091.2.0.41 2010.05.07 -
TheHacker 6.5.2.0.277 2010.05.07 -
TrendMicro 9.120.0.1004 2010.05.07 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.07 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.7.2306 2010.05.07 -
VirusBuster 5.0.27.0 2010.05.06 -
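
An added example, not code from the thread or any of its posters, that turns the pasted listings above into something you can check: it parses a VirusTotal-style result table, applies the few-out-of-41 rule of thumb from Majken's post, and diffs two scans of the same module the way D.H. Miltz compared the copies in different plugin folders. The 15% threshold, the list of generic/heuristic labels and the sample rows (a constructed subset of the two posted tables) are assumptions.

```python
"""Added example (not from the thread): parse pasted VirusTotal-style listings,
apply the low-consensus rule of thumb, and diff two scans of the same module."""
import re
from collections import namedtuple
Row = namedtuple("Row", "engine version updated result")
# Constructed sample: a subset of the two listings posted above (41 engines each).
SCAN_A = """Antivirus Version Last Update Result
AntiVir 8.2.1.236 2010.05.07 TR/PSW.QQpass.ssg
Antiy-AVL 2.0.3.7 2010.05.07 Trojan/Win32.QQPass.gen
Kaspersky 7.0.0.125 2010.05.07 Trojan-PSW.Win32.QQPass.ssg
McAfee-GW-Edition 2010.1 2010.05.07 -
Panda 10.0.2.7 2010.05.06 -"""
SCAN_B = """Antivirus Version Last Update Result
AntiVir 8.2.1.236 2010.05.07 TR/PSW.QQpass.ssg
Antiy-AVL 2.0.3.7 2010.05.07 Trojan/Win32.QQPass
Kaspersky 7.0.0.125 2010.05.07 Trojan-PSW.Win32.QQPass.ssg
McAfee-GW-Edition 2010.1 2010.05.07 Artemis!04C7D6EDA57E
Panda 10.0.2.7 2010.05.06 Suspicious file"""
GENERIC = {"gen", "generic", "heur", "artemis", "suspicious"}  # heuristic/cloud labels (assumed list)

def parse_scan(text):
    """Columns are whitespace-separated; only the result column may contain spaces."""
    rows = []
    for line in text.splitlines()[1:]:               # skip the header line
        parts = line.split()
        if len(parts) >= 4:
            rows.append(Row(parts[0], parts[1], parts[2], " ".join(parts[3:])))
    return rows

def detections(rows):
    return {r.engine: r.result for r in rows if r.result != "-"}

def verdict(rows, total_engines, max_ratio=0.15):
    """Thread's rule of thumb: a few hits out of ~40 engines means a probable false positive."""
    hits = detections(rows)
    named = [n for n in hits.values()
             if not GENERIC & set(re.split(r"[^a-z0-9]+", n.lower()))]
    if not hits:
        label = "clean"
    elif len(hits) / total_engines <= max_ratio:
        label = "low consensus: probable false positive, submit the sample to the vendors"
    else:
        label = "broad consensus: treat as malicious"
    return {"hits": len(hits), "total": total_engines, "named": len(named), "label": label}

def diff_scans(rows_a, rows_b):
    """Engines whose result changed between two scans, e.g. two builds of one module."""
    a, b = ({r.engine: r.result for r in rows_a}, {r.engine: r.result for r in rows_b})
    return {e: (a.get(e, "-"), b.get(e, "-")) for e in a.keys() | b.keys()
            if a.get(e, "-") != b.get(e, "-")}
```

Run `verdict(parse_scan(SCAN_B), 41)` to get the 5/41 summary for the FMMF copy, and `diff_scans(parse_scan(SCAN_A), parse_scan(SCAN_B))` to see exactly which engines changed their result between the two copies.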

de la Mancha
KVRian
1302 posts since 4 Oct, 2005 from London, UK

Post Fri May 07, 2010 3:30 am

Thanks for that. I just scanned an older version of CK_Warp and got 0/41 too, so it seems related to the most recent version of CK_Warp.

de la Mancha
KVRian
1302 posts since 4 Oct, 2005 from London, UK

Post Fri May 07, 2010 3:30 am

AHA! Just got this back from Kaspersky:
Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.

osiris
KVRAF
7136 posts since 20 Nov, 2003 from Lost and Spaced

Post Fri May 07, 2010 5:48 am

My Avira did the same thing with the old Exciter plugin. Said a .sep file had a trojan.

RunBeerRun
KVRAF
7894 posts since 2 Aug, 2005 from Guitar Land, USA

Post Fri May 07, 2010 6:15 am

W/Avast, the only virus hit I've had is Xoxos volts to scale.
The only site for experimental amp sim freeware & MIDI FX: http://runbeerrun.blogspot.com
https://m.youtube.com/channel/UCprNcvVH6aPTehLv8J5xokA -Youtube jams

de la Mancha
KVRian
1302 posts since 4 Oct, 2005 from London, UK

Post Fri May 07, 2010 6:39 am

More confirmation that it is a false positive, from Avira:

File ID 	 Filename 	 Size (Byte) 	Result
25696542 	 CK_Warp.sep 	 65.5 KB 	 FALSE POSITIVE


Please find a detailed report concerning each individual sample below:
 Filename 	Result
 CK_Warp.sep 	 FALSE POSITIVE
so good news :)

Thanks to everyone for your input :tu:

novaflash
KVRAF
2041 posts since 22 Nov, 2003 from Mars, Solar System

Post Sat May 08, 2010 6:37 am

thanks for the report dlm.

CK_Polyphony_Control detected as malware here since today (AVAST, report sent)

D.H. Miltz
D.H. MOD
11561 posts since 21 Jun, 2008

Post Mon May 10, 2010 1:16 pm

Yesterday I was still getting alerts from Avira for three CK files from my FMMF folder. Submitted FP report, got back confirmation.
Filename Result
CK_HOST_BPM.SEP FALSE POSITIVE

The file 'CK_HOST_BPM.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

Filename Result
CK_POLYPHONY_CONTROL.SEP FALSE POSITIVE

The file 'CK_POLYPHONY_CONTROL.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.10.7.84.

Filename Result
CK_WARP.SEP FALSE POSITIVE

The file 'CK_WARP.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.10.7.84.

de la Mancha
KVRian
1302 posts since 4 Oct, 2005 from London, UK

Post Tue May 11, 2010 1:19 am

Thanks for that report, very helpful :tu:
I also reported all 3 modules to Kaspersky and got back confirmation that they are false positives.

I have updated the original post to summarise the situation.
