False Positives Or Nearly-impossible Infection?

Hi All,


After reading the latest PC World survey, I decided to give BitDefender Internet Security 2008 (henceforth BDIS) a try. But I am very suspicious and believe BDIS has detected and deleted three false positives. The odds of there being spyware are extremely slim when you consider that it's a brand new and solitary hard drive with a fresh Windows install.


After installing nothing more than Windows XP Pro SP2, my drivers, updating Windows and installing the latest Firefox version and a few extensions, I downloaded and installed the 30 day trial of BDIS, which asked me to run a quick scan after installation and I decided to go ahead. It detected and deleted one file, C:\WINDOWS\system32\Tools\Restart.exe, reported to contain Spyware.Destart.A. I thought this very unlikely, but figured I could undo any changes made by BDIS later on.


I continued installing the latest versions of Mozilla Thunderbird (email app), Spybot Search and Destroy (which made a system restore point and scanned but detected nothing but a single cookie), Quicktime, Adobe Reader, RealPlayer, FlashPlayer, Shockwave and Office 2007 Student Edition. I mention these in case there are some known issues with one or more of these programs. I left my computer on overnight to run a scheduled full scan, which detected and deleted two more files, both in the C:\System Volume Information folder, one reported to be infected with the same Spyware.Destart.A and the other with Spyware.Tool.Reboot.E.


Is BDIS making false positives?


Thank you.

Comments

  • alexcrist
    edited January 2008

    Hello Chai,


    By default, the folder Tools doesn't exist in Windows XP.


    So the choices are these:


    1) either some application that you use (maybe an application that belongs to your computer's native software... the software that is made by the vendor, and which provides special functions regarding the computer's functions) uses a tool that is suspected of being infected,


    2) or it really was spyware that entered your computer before you managed to install/enable a firewall. There are certain worms that break into your computer right from the moment you install the network card (which could happen even in the process of Windows installation), so you can get infected before you even actually finish installing Windows. That is why it is highly recommended that you install Windows with the network cable unplugged.


    So, to prevent further situations like this one, please set BD to ask for the user's attention instead of taking an automated action. And next time you have doubts about a file, put it in an archive (ZIP, RAR...) protected with the password "infected", attach it on this forum (in the Malware section) and, after it has been studied, you'll get a 100% accurate response (and detection will be removed, if necessary).


    Cris.

  • Hi Cris,


    Thanks for the info.


    How do you get BD to ask for user's attention? I clicked Custom Level to examine the behavior settings of Antivirus, and it was set to first "Disinfect file" and second "Move file to Quarantine" under "Action to take when an infected file is found", yet it deleted them anyway. Do I need to set first and second actions to "Deny Access and Continue" to get it to ask for permission?


    I examined the Tools folder and it appears to have been put there by my motherboard driver setup CD along with a few utilities such as a registry cleaner. The two files deleted in the System Volume Information folder are in a folder beginning with the name "_restore(" followed by a long series of capital letters and numbers, one in a folder "RP2" and the other in "RP6", indicating to me that they are system restore points, I guess.
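    A small triage helper, added here as an example and not part of the thread or of BitDefender: it takes detection records (path plus detection name) and separates live files from copies held inside XP System Restore points, whose folder layout is System Volume Information\_restore{GUID}\RPn\. The sample records and the GUID are constructed; only the paths and detection names from the thread are reused.

    ```python
    import re

    # Constructed sample in the shape of the thread's detections (path, detection name).
    # These are not real scanner log lines; the GUID is made up.
    SAMPLE_DETECTIONS = [
        (r"C:\WINDOWS\system32\Tools\Restart.exe", "Spyware.Destart.A"),
        (r"C:\System Volume Information\_restore{ABCD1234-0000-0000-0000-000000000001}"
         r"\RP2\A0000123.exe", "Spyware.Destart.A"),
        (r"C:\System Volume Information\_restore{ABCD1234-0000-0000-0000-000000000001}"
         r"\RP6\A0000456.exe", "Spyware.Tool.Reboot.E"),
    ]

    # Restore points live under _restore{GUID}\RPn; the forum post shows "_restore(",
    # so both brace styles are accepted. Files inside are renamed to A00nnnnn.ext.
    RESTORE_RE = re.compile(
        r"\\System Volume Information\\_restore[{(][0-9A-Fa-f-]+[})]\\RP(\d+)\\",
        re.IGNORECASE,
    )


    def classify(path):
        """Return ('restore_point', n) for a file inside restore point RPn, else ('live', None)."""
        m = RESTORE_RE.search(path)
        if m:
            return ("restore_point", int(m.group(1)))
        return ("live", None)


    def triage(detections):
        """Split detections into live files and restore-point copies, keyed by detection name.

        A restore-point hit whose detection name also fired on a live file is most likely
        a snapshot of that same file, so one sample submission resolves both.
        """
        live, copies = {}, {}
        for path, name in detections:
            kind, rp = classify(path)
            if kind == "live":
                live.setdefault(name, []).append(path)
            else:
                copies.setdefault(name, []).append(rp)
        report = {
            name: {"restore_points": sorted(rps), "matches_live_file": name in live}
            for name, rps in copies.items()
        }
        return live, report
    ```

    Detections left only in the restore-point column (here Spyware.Tool.Reboot.E) have no live counterpart on disk and are the ones worth submitting for a verdict first.
    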

  • alexcrist
    edited February 2008

    The realtime protection doesn't have the option to ask for the user's choice (unfortunately). This option only exists for On Demand scans.


    So my suggestion is this:


    - for Realtime protection, select: Disinfect and Deny access and continue


    - for On Demand: No action (for all actions), which, in fact, means Ask.


    When the Realtime protection finds a virus, it will alert you and will block all access to the infected file. Then you can make a manual scan and choose the appropriate action.


    Cris.

  • I didn't realize there were separate settings for on demand and real time scans, but figured out how to set the on demand scans, thanks!