It seems the updated HIPS, or something since the last update, has found an infection... false positive maybe?

 

Detected (2)    
10/11/2010 8:31:36 PM    Detected    Trojan program Backdoor.Win32.Poison.cacn    C:\Windows\INSTALLER\9ea04.msi    High    
10/11/2010 8:31:36 PM    Detected    Trojan program Backdoor.Win32.Poison.cacn    C:\Windows\INSTALLER\9ea04.msi//Data1.cab//ff_samplerate.dll    High

 

Does anyone else see this in Win 7 Ultimate x64?

Oops, this is part of Win7codecs file, I have Shark007 codec package installed as well, seems it deleted an item yesterday.

 

9/11/2010 7:08:01 AM    Deleted    Trojan program Backdoor.Win32.Poison.cacn    C:\Program Files (x86)\Win7codecs\filters\ff_samplerate.dll    High

 

Note: Why does "move to quarantine" just provide a popup to open a file? Why can't it move the detections as it suggests? Or prompt to say 'nothing needs to be quarantined, already processed' or some such alert?

 

Guess I need to test more. :)

Edited by norwegian
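The report lines above flag the same DLL twice: once on disk and once nested inside an installer cache (the `//` separators mark archive members). As an added example, not from the original post or from Kaspersky, here is a small parser for that report format that groups hits by the innermost file name, so a hit inside an MSI/CAB chain can be matched against the same component elsewhere. The sample lines are constructed to mirror the ones pasted in the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the shape of the report lines pasted above
# (fields separated by runs of whitespace, as the forum rendered them).
REPORT = """\
10/11/2010 8:31:36 PM    Detected    Trojan program Backdoor.Win32.Poison.cacn    C:\\Windows\\INSTALLER\\9ea04.msi    High
10/11/2010 8:31:36 PM    Detected    Trojan program Backdoor.Win32.Poison.cacn    C:\\Windows\\INSTALLER\\9ea04.msi//Data1.cab//ff_samplerate.dll    High
9/11/2010 7:08:01 AM    Deleted    Trojan program Backdoor.Win32.Poison.cacn    C:\\Program Files (x86)\\Win7codecs\\filters\\ff_samplerate.dll    High
"""

@dataclass(frozen=True)
class Detection:
    when: datetime
    action: str      # "Detected", "Deleted", ...
    verdict: str     # e.g. "Trojan program Backdoor.Win32.Poison.cacn"
    chain: tuple     # outer container first, flagged object last
    severity: str

    @property
    def innermost(self) -> str:
        """Base name of the object actually flagged (last element of the chain)."""
        return self.chain[-1].rsplit("\\", 1)[-1].lower()

def parse_line(line: str) -> Detection:
    # Fields are separated by a tab or two or more spaces; the verdict and
    # the path contain single spaces, so a plain split on " " would break.
    when, action, verdict, obj, severity = re.split(r"\t|\s{2,}", line.strip())
    # "//" separates nested containers: installer // cabinet // member file.
    return Detection(datetime.strptime(when, "%m/%d/%Y %I:%M:%S %p"),
                     action, verdict, tuple(obj.split("//")), severity)

def parse_report(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def group_by_component(dets) -> dict:
    """Group hits by innermost file name so the same DLL seen inside an
    MSI cache and loose on disk appears as one component under several paths."""
    groups = defaultdict(list)
    for d in dets:
        groups[d.innermost].append(d)
    return dict(groups)

if __name__ == "__main__":
    for name, hits in group_by_component(parse_report(REPORT)).items():
        print(name, f"{len(hits)} hit(s):", *(" // ".join(h.chain) for h in hits), sep="\n    ")
```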

It seems the updated HIPS, or something since the last update, has found an infection... false positive maybe?

...

9/11/2010 7:08:01 AM    Deleted    Trojan program Backdoor.Win32.Poison.cacn    C:\Program Files (x86)\Win7codecs\filters\ff_samplerate.dll    High

 

Note: Why does "move to quarantine" just provide a popup to open a file? Why can't it move the detections as it suggests? Or prompt to say 'nothing needs to be quarantined, already processed' or some such alert?

 

Guess I need to test more. :)

That is related to signatures created by the VirusLab, not related to HIPS. Send it to the lab as you would with any FPs (http://support.kaspersky.com/virlab/helpdesk.html - select False-Alarm).

 

"Move to Quarantine" (in the Quarantine Report) is by design - so you can browse to the file you want to move to quarantine. Of little use IMO now that we can move files with more ease to Quarantine via the context menu.


 

Can the good members clear up something for me?

 

Dawgg replied to a post of mine regarding detections; maybe the team can explain their methodology.

 

That is related to signatures created by the VirusLab, not related to HIPS. Send it to the lab as you would with any FPs (http://support.kaspersky.com/virlab/helpdesk.html - select False-Alarm).

 

Link to my post - http://forum.kaspersky.com/index.php?showt...t&p=1524065

 

First, I understand via the standard update servers this would be worth sending to the labs as a false positive.

But, as I was set to the test servers, the databases are different?

This alert was only via the /ap folder, and I have never seen this detection at any other time.

"Out of date databases" is a regular occurrence with test folders, we have all seen these posts from curious testers. :)

HIPS may not be involved; it was a comment on the time frame of the updates. Maybe I need to word my comments differently. :)


Is there a policy with updates on a test server vs. those on the standard servers?

 


The signatures used in the test servers are the same as the release servers. The only difference is that they are not updated as frequently on the test servers (hence the "database out of date" message you sometimes get when using test servers), so new signatures will take longer to arrive on test servers and FPs will take longer to repair on test servers.

Regardless of the server you are on, you should send signature FPs to the lab.

 

On the other hand, emulator detections may be seen on test servers before they are seen on public servers (due to testing of newer releases).

Emulator FPs while updating on the test servers may also be on the standard servers or only test servers. I would suggest checking it with normal updates and if it is still detected, send it to the lab; if it is no longer detected, PM the FP file to the KL staff leading the forum testing informing them the FP is related to the test emulator only.


Thanks. :)

 

I have found this detection has been noted now with a freshly installed beta using the standard update servers.

It will be emailed to the labs.
