False positive: Generic.Lineage.2259D555

Fahrenheit

Attached file was detected as Generic.Lineage.2259D555.

Please fix this false positive.

Password: infected

/applications/core/interface/file/attachment.php?id=36" data-fileid="36" rel="">SCANKRNL.RAR

vlad

The detection is generic; the file belongs either to WinAntiVirus (well-known adware/spyware), or to UNA Antivirus (probably a valid AV). The problem is I can't seem to locate any copy of UNA on the Interent to make sure; until I do, the detection stays.

rejzor

Vlad, check out the UNA guys at Malware Research. UNA is participating there too. Ask them about this file and maybe they can verify it wether it's their or not.

Niels

To see if it's not winantivirus related you can run this free tool if it doesn't detect anything then it's a part of UNA antvirus : http://www.majorgeeks.com/RogueRemover_d5360.html

vlad

@RejZoR: a link would be appreciated (there are waaay to many sites related to Malware Research to figure out which one you're talking about)

@Niels: the fact that an anti-virus product/virus removal tool does not detect it (no matter which one) is not a reliable method to determine whether it is clean or not. Further more, not being part of WinAntiVirus still doesn't mean it's ok. And because it's just a DLL, I need the whole package to figure out whether it's used for evil or not (all by itself, this particular DLL is pretty much harmless).

Besides, when working for a serious anti-virus company, lucky guessing based on other products' detections is hardly an option...

Niels

@Vlad : I can't follow because I thought that a removal tool always detect the variant why it was made for to delete. Then I have a question why do security companies made such removal tools? That was also the reason why I posted that link. It's a very good program to remove rogue software that you can't remove via the normal way. I was once infected and that tool was able to remove everything. But I agree with you. You know everything about viruses. I just wanted to help.

vlad

Sorry if my post seemed offensive; it wasn't meant to be.

A removal tool can only detect/disinfect those versions of a malware which its author has analysed. WinAntiVirus has a very large number of slightly-modified versions, and in addition to those a large number of "programs" with different names and files which are actually the same thing. It is therefore humanly impossible to track all of them and be able to tell for sure that a file does not belong to that family of malware.

I haven't implied in any way that the specific removal tool you suggested was bad, it may very well be a very good one (I haven't used any removal tools so far; I use a file manager, regedit and Process Explorer (and a few other miscellanous tools) to remove malware, and I tend not to get infected in the first place . It would be rather ironic if it happened, though... )

I hope I've cleared things up; in few words: it's possible to tell if a file does belong to a certain malware family, but it's a lot harder (if even possible) to tell about any file in the world that it doesn't.

Your help is very much appreciated, and I hope you don't feel otherwise.

Kind regards,

vlad

Niels

Hi Vlad

Your post wasn't offensive. Rogueremover can detect the latest version of winantivirus or winantispyware. The database is still growing. Here you can see what it can detect and remove : http://www.malwarebytes.org/rogueremover_d...ase_history.php

It's really trustfull because it is made by the same author who made Hijackthis,cws shredder and other wellknown malware spets. But he sold hijackthis and cwsshredder to another antivirusvendor.

I know that it's impossible to detect all variants. In the past I used too many different tools.

Thank you very much for your very clear reply.

Regards

Niels