False Positives - srvany.exe & instsrv.exe

garyinri

The following two modules are (once again) being detected as containing viruses/malware. A few months back, these were getting detected, then the detection of them as viruses/malware seemed to stop. They started getting detected again during the full and deep system scans I ran this past weekend (2 June). They were not detected in the scans run on the previous weekend (26 May).

The module names are srvany.exe and instsrv.exe. They are part of the Windows NT Resource Kit and are used to create user-defined services.

The Microsoft Knowledge Base page on these files can be found at http://support.microsoft.com/kb/137890.

Thank you.

garyinri

In my earlier post, I neglected to enter the names of the viruses/malware being detected on those modules. They are as follows:

srvany.exe Detected: Application.Srvany.Y

instsrv.exe Detected: Application.Instsrv.C

AndreiASM

Please upload the files with the password "infected". BD VR's will take a look at them and will remove detection if necesary.

Unknown

Always when you consider that you have a "clean" file on your hdd, and BitDefender sees it as a threat, UPLOAD it here.

No one can download it except our Virus Researchers.

Cd-MaN

Thank you for reporting the problem. The false alarms have been removed. Please update your signatures. If you have any further problems, don't hesitate to contact us (also please attach the files concerned, because it helps to get the matters resolved faster - the attached files can only be downloaded by members of the BD virus research team, so there is no possibility that they can spread).

Best regards.

garyinri

Cd-Man,

Sorry to be slow to respond to this. I understand that the false alarms have been removed, but am still supplying the files originally marked as infected for your reference.

password: infected

Thank you.

/applications/core/interface/file/attachment.php?id=176" data-fileid="176" rel="">files4bd.zip

garyinri

After not being detected for a couple of weeks, these two files are once again being flagged as viruses/malware. I have uploaded them in a previous post dated June 5th.

Thank you.

garyinri

Srvany.exe and instsrv.exe are still being detected as viruses/malware. Please see the zip file two posts above for the files which were uploaded on June 5.

Thank you.

Gary

Cd-MaN

FPs removed and should not re-appear.

garyinri

Instsrv.exe is no longer being detected.

However, as of 14 Jul 2007, srvany.exe is still being detected, but now as containing Application.Srvany.AK

It had previously been detected as Application.Srvany.Y (as recently as 7 Jul 2007).

ackker

I am getting a positive on this file too (17/9/07). I'm using Bitdefender Internet Security 2008.

I'm uploading the file for you to check. It is reporting an "Application.Instsrv.F" virus.

/applications/core/interface/file/attachment.php?id=641" data-fileid="641" rel="">instsrv.rar

Cd-MaN

@Ackker: FP removed.

@garyinri: Please supply the file in the attachment to make sure, but the file I found in our collection that we detect with the given name is a backdoor, which uses the Srvany utility to make itself run at startup. Detection remains.

Best regards.