KVR Audio

de la Mancha · Post by **de la Mancha** » Fri May 07, 2010 9:23 am

EDIT3

It is now confirmed by Kapersky, Avira and Avast that alerts about the following are FALSE POSITIVES
- CK_Host_BPM.sep
- CK_Warp.sep
- CK_polyphony_control.sep

This means there is no trojan/virus and Kapersky/Avira/Avast is alerting in error. All 3 companies inform me that they will be removed from the list in future updates.

Now that these 3 companies have all confirmed it is false positve reporting, it is probably safe to assume that any other AV program which alerts is also finding a false positive

For clarification, these .sep files are modules that are used in Synthedit VST plugins. When you install and scan the .dll file in your host, it automatically extracts the needed modules into a folder with the same name as the .dll
If you delete them, the plugin will automatically re-extract them again into the folder on next scan/run. Until Kapersky/Avira/Avast update their software, you can safely ignore the trojan alerts on these modules

-------------------------------original post----------------------------
Looking for some help to get to the bottom of an issue that is being reported recently

A number of users of Kapersky and Avira anti-virus programs are informing me that some CK modules are coming up as containing trojans.

I have Eset NOD on one computer and Sophos on another, neither of which give any alert for trojans on CK modules

So I'm thinking it is a false positive, but I'd like some second opinions

If you have CK_Warp.sep on your hardrive, could you run the Kapersky online scan on it and report results here?

http://www.kaspersky.co.uk/scanforvirus

I get the following;

CK_Warp.sep - infected by Trojan-PSW.Win32.QQPass.ssg

Also if you have another anti-virus program installed, or know another online scanner, please report the results too.

cheers

spacedad · Post by **spacedad** » Fri May 07, 2010 10:34 am

http://virusscan.jotti.org/en-GB/scanre ... 8cf3f44f45
here's jotti's results...just 3 reports.

Majken · Post by **Majken** » Fri May 07, 2010 10:40 am

Anti-virus software causes more problems with computers than viruses ever have. CK's modules are very unlikely virus free, it's likely that there's some sort of pattern in them that some anti-virus software recognizes.

Here's an online scanner that will run a file through 41 anti-virus software packages. If only a couple of them tell you the file is a virus you can be pretty certain it's just another false positive.

http://www.virustotal.com/

spacedad · Post by **spacedad** » Fri May 07, 2010 10:44 am

yes,it's bound to be a false positive ,i get them all the time with avira,bloody nuisance.

de la Mancha · Post by **de la Mancha** » Fri May 07, 2010 10:55 am

Thanks guys, here's the results from virustotal, only 3 out of 41 show the trojan, I'm calling false positive on those results

Code: Select all

Antivirus  	Version  	Last Update  	Result
a-squared	4.5.0.50	2010.05.07	-
AhnLab-V3	2010.05.07.00	2010.05.06	-
AntiVir	8.2.1.236	2010.05.07	TR/PSW.QQpass.ssg
Antiy-AVL	2.0.3.7	2010.05.07	Trojan/Win32.QQPass.gen
Authentium	5.2.0.5	2010.05.07	-
Avast	4.8.1351.0	2010.05.07	-
Avast5	5.0.332.0	2010.05.07	-
AVG	9.0.0.787	2010.05.07	-
BitDefender	7.2	2010.05.07	-
CAT-QuickHeal	10.00	2010.05.07	-
ClamAV	0.96.0.3-git	2010.05.07	-
Comodo	4786	2010.05.07	-
DrWeb	5.0.2.03300	2010.05.07	-
eSafe	7.0.17.0	2010.05.06	-
eTrust-Vet	35.2.7473	2010.05.07	-
F-Prot	4.5.1.85	2010.05.07	-
F-Secure	9.0.15370.0	2010.05.07	-
Fortinet	4.1.133.0	2010.05.07	-
GData	21	2010.05.07	-
Ikarus	T3.1.1.84.0	2010.05.07	-
Jiangmin	13.0.900	2010.05.07	-
Kaspersky	7.0.0.125	2010.05.07	Trojan-PSW.Win32.QQPass.ssg
McAfee	5.400.0.1158	2010.05.07	-
McAfee-GW-Edition	2010.1	2010.05.07	-
Microsoft	1.5703	2010.05.07	-
NOD32	5094	2010.05.07	-
Norman	6.04.12	2010.05.07	-
nProtect	2010-05-07.01	2010.05.07	-
Panda	10.0.2.7	2010.05.06	-
PCTools	7.0.3.5	2010.05.07	-
Prevx	3.0	2010.05.07	-
Rising	22.46.04.04	2010.05.07	-
Sophos	4.53.0	2010.05.07	-
Sunbelt	6274	2010.05.07	-
Symantec	20091.2.0.41	2010.05.07	-
TheHacker	6.5.2.0.277	2010.05.07	-
TrendMicro	9.120.0.1004	2010.05.07	-
TrendMicro-HouseCall	9.120.0.1004	2010.05.07	-
VBA32	3.12.12.4	2010.05.06	-
ViRobot	2010.5.7.2306	2010.05.07	-
VirusBuster	5.0.27.0	2010.05.06	-

de la Mancha · Post by **de la Mancha** » Fri May 07, 2010 11:00 am

I've sent the file to Kapersky and Avira false positive reporting service, waiting to hear their analysis...

D.H. Miltz · Post by **D.H. Miltz** » Fri May 07, 2010 11:17 am

I think you're probably right about the false positive, but in case it means anything, virustotal.com now shows five out 41 (the WARP.SEP file I uploaded this time was from my FMMF folder; results below).

The WARP.SEP from my Majken Chimera folder gets 0/41 and didn't/doesn't trigger Avira.

Similar story with CK_POLYPHONY_CONTROL.SEP -- 5/51 from the one in the Dirty Harry folder, 0/41 from the one in the Adonis Pro folder (and no alert from Avira on the latter).

An older/newer module thing? I don't know anything about it, but figure more information can't hurt.

Malwarebytes doesn't find anything in any of them.

File CK_WARP.SEP received on 2010.05.07 10:56:56 (UTC)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.07 -
AhnLab-V3 2010.05.07.00 2010.05.06 -
AntiVir 8.2.1.236 2010.05.07 TR/PSW.QQpass.ssg
Antiy-AVL 2.0.3.7 2010.05.07 Trojan/Win32.QQPass
Authentium 5.2.0.5 2010.05.07 -
Avast 4.8.1351.0 2010.05.07 -
Avast5 5.0.332.0 2010.05.07 -
AVG 9.0.0.787 2010.05.07 -
BitDefender 7.2 2010.05.07 -
CAT-QuickHeal 10.00 2010.05.07 -
ClamAV 0.96.0.3-git 2010.05.07 -
Comodo 4786 2010.05.07 -
DrWeb 5.0.2.03300 2010.05.07 -
eSafe 7.0.17.0 2010.05.06 -
eTrust-Vet 35.2.7473 2010.05.07 -
F-Prot 4.5.1.85 2010.05.07 -
F-Secure 9.0.15370.0 2010.05.07 -
Fortinet 4.1.133.0 2010.05.07 -
GData 21 2010.05.07 -
Ikarus T3.1.1.84.0 2010.05.07 -
Jiangmin 13.0.900 2010.05.07 -
Kaspersky 7.0.0.125 2010.05.07 Trojan-PSW.Win32.QQPass.ssg
McAfee 5.400.0.1158 2010.05.07 -
McAfee-GW-Edition 2010.1 2010.05.07 Artemis!04C7D6EDA57E
Microsoft 1.5703 2010.05.07 -
NOD32 5094 2010.05.07 -
Norman 6.04.12 2010.05.07 -
nProtect 2010-05-07.01 2010.05.07 -
Panda 10.0.2.7 2010.05.06 Suspicious file
PCTools 7.0.3.5 2010.05.07 -
Prevx 3.0 2010.05.07 -
Rising 22.46.04.04 2010.05.07 -
Sophos 4.53.0 2010.05.07 -
Sunbelt 6274 2010.05.07 -
Symantec 20091.2.0.41 2010.05.07 -
TheHacker 6.5.2.0.277 2010.05.07 -
TrendMicro 9.120.0.1004 2010.05.07 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.07 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.7.2306 2010.05.07 -
VirusBuster 5.0.27.0 2010.05.06 -

de la Mancha · Post by **de la Mancha** » Fri May 07, 2010 11:30 am

Thanks for that. I just scanned an older version of CK_Warp and got 0/41 too, so it seems related to the most recent version of CK_Warp

de la Mancha · Post by **de la Mancha** » Fri May 07, 2010 11:30 am

AHA! just got this back from Kapersky

Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.

osiris · Post by **osiris** » Fri May 07, 2010 1:48 pm

My Avira did the same thing with the old Exciter plugin. Said a .sep file had a trojan.

RunBeerRun · Post by **RunBeerRun** » Fri May 07, 2010 2:15 pm

W/Avast, the only virus hit I've had is Xoxos volts to scale.

de la Mancha · Post by **de la Mancha** » Fri May 07, 2010 2:39 pm

More confirmation that it is a false positive from Avira

Code: Select all

File ID 	 Filename 	 Size (Byte) 	Result
25696542 	 CK_Warp.sep 	 65.5 KB 	 FALSE POSITIVE


Please find a detailed report concerning each individual sample below:
 Filename 	Result
 CK_Warp.sep 	 FALSE POSITIVE

so good news

Thanks to everyone for your input

novaflash · Post by **novaflash** » Sat May 08, 2010 2:37 pm

thanks for the report dlm.

CK_Polyphony_Control detected as malware here since today (AVAST, report sent)

D.H. Miltz · Post by **D.H. Miltz** » Mon May 10, 2010 9:16 pm

Yesterday I was still getting alerts from Avira for three CK files from my FMMF folder. Submitted FP report, got back confirmation.

Filename Result
CK_HOST_BPM.SEP FALSE POSITIVE

The file 'CK_HOST_BPM.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

Filename Result
CK_POLYPHONY_CONTROL.SEP FALSE POSITIVE

The file 'CK_POLYPHONY_CONTROL.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.10.7.84.

Filename Result
CK_WARP.SEP FALSE POSITIVE

The file 'CK_WARP.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.10.7.84.

de la Mancha · Post by **de la Mancha** » Tue May 11, 2010 9:19 am

Thanks for that report, very helpful

I also reported all 3 modules to Kapersky and got back confirmation that they are false positives.

I have updated the original post to summarise the situation

CK modules showing trojans on Kapersky & Avira - CONFIRMED false positives