#1 Yodama (Member of Team Spybot), 2009-02-25, 07:21

There have been recent user reports on Teatimer producing false positives.
This began after the recent Teatimer update to Teatimer version 1.6.6.32.

The threads that appear to be related to this issue will be merged into this thread on Monday 2009-03-30. If your case possibly matches this issue, do not start a new thread but append to this one.

These false positives do not appear to be signature based false positives, meaning that finding and fixing the issue is more difficult and requires user feedback.

If you have the Teatimer activated and you get a message similar to this one:
(detected file and the name in "identified as" are different in most cases)

please do the following:

* attach the detected file to an email to referencing this thread
* include the resident log to your email
* also include a full Spybot S&D report in your email (scan, then right-click the scan result and select to save the full report)
* state when you did the Teatimer update and if there were other parts of Spybot S&D updated as well (best attach the downloaded.ini located in C:\program files\Spybot - Search & Destroy\Updates)
* also state if you rebooted the computer after the update and if there were any error messages
* please also tell us if the false positive is reoccurring on your computer

__________________
born in the shadow to die in the shadow, that is the fate of the shinobi

Spybot S&D Downloads

Please help us improve Spybot and download our distributed testing client.
Last edited by MisterW; 2009-03-30 at 16:37.
#2 129260 (Senior Member), 2009-03-14, 17:41
adobe flagged as virtumonde by teatimer

* Operating System-Windows 7 beta (it was flagged in windows xp though also)
* Browser and Version-Internet Explorer 7, Firefox latest version
* Version of Spybot S&D and Date of the latest update: latest spybot and teatimer, latest update: March 11th 2009

Teatimer about says: version 1.6.2.0 system settings protector 1.6.6.32

* where did the false positive occur:

o Teatimer message when a program was executed

See screen shot for details.

This happened when installing the latest update for Adobe Reader that has come out recently. The options are the ones I selected when I took the screenshot, because I knew it was a FP. Those were not the default selections when the window popped up.

__________________
"I am learning just like everyone else"

new members!

Windows 7 home premium; 2.90 ghz Amd phenom 2 x4 920 (quad) , 4gb Ram. spybot latest version.

Last edited by 129260; 2009-03-14 at 17:44.
#3 Yodama (Member of Team Spybot), 2009-03-16, 08:57

hi,

thanks for reporting this false positive.

However, I am not able to reproduce the false positive; it could be the case that Adobe changed the installer or I get a different one because of my IP.
To shorten things please send me the Airshareinstaller.exe, it should still be present in the Adobe setup files folder sub folder.
Please email to with a reference to this thread.
#5 129260 (Senior Member), 2009-03-17, 03:57
I sent the email

as requested. Let me know if you need the file from the XP computer as well that flagged this false positive. The one I sent was the one from the windows 7 beta.
#6 Yodama (Member of Team Spybot), 2009-03-17, 10:36

Thank you for sending in the file, I have compared it to the one I got while installing Adobe Reader 9.1 on Windows XP. The AirShareInstaller.exe for Windows 7 Beta and Windows XP are identical.

However I have not been able to reproduce the false positive with the Teatimer.
I have also checked our detection database for Virtumonde rules which could be responsible for this detection, but did not find one.

This is really a strange case, could you please check if the false positive still occurs after a restart of the Teatimer?
#7 129260 (Senior Member), 2009-03-17, 13:39
hmm, that's odd...

Well, here is the thing. I only got it once while I was installing Adobe as shown in the screen shot. I haven't repeatedly gotten it at all. Only that one time. This is weird though, because this is the second time I have gotten a false positive that you could not produce. Sorry for wasting your time... I am very confused as to why this is happening. Maybe I should fully uninstall Spybot and install again. Thanks for getting back to me.
#8 Yodama (Member of Team Spybot), 2009-03-17, 14:41

You need not apologize, we have to go after such false positives and it is good that you report them.
There may have been special circumstances that prevented the correct reading of the file properties. Since this happened after the Teatimer update this may be related.
It appears that a similar false positive occurred with unlockerassistant.
I will be going after this issue since such false positives can be very dangerous.
#9 metaed (Junior Member), 2009-03-17, 17:53

I installed Adobe Reader 9.1 today. (This was because of a security advisory for 9.0 reported by Secunia PSI.)

I received a security alert from TeaTimer similar to the one above, but for Cydoor. Here is the log entry:

3/17/2009 9:15:11 AM Encountered and terminated Cydoor in C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\AirShareInstaller.exe!

This alert occurred once at the end of the Adobe Reader installation. It has not yet occurred again.

My operating system is Windows XP Home Edition SP3.

My browser is Google Chrome 1.0.154.48.

About TeaTimer gives 1.6.2.0, system settings protector 1.6.6.32. Info & License gives 1.6.2.46, latest detection update 3/11/2009.

Best wishes,

Edward
__________________
--
Sometimes they fool you by walking upright.
#10 Yodama (Member of Team Spybot), 2009-03-18, 08:00

hello,
thank you for reporting this issue.

I still have not been able to recreate the circumstances which provoke these false positives. Since Teatimer now identifies the same AirShareInstaller.exe as Cydoor, it is very likely that Teatimer was not able to properly determine the file properties and went wrong.
Are you running other active protection software or other software in background which may scan and/or lock files on access? If that is the case we may have an incompatibility issue.
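The thread asks reporters to send in the detected file together with the resident log, and the last post suspects that Teatimer misread the file's properties rather than matched a signature. The following script is an added example, not Spybot's or Safer-Networking's own code, that turns a resident log into a triage summary: it parses detection lines of the shape quoted above ("<date> <time> Encountered and terminated <name> in <path>!"), then records a SHA-256 hash and size for each named file, or notes when the file is missing or cannot be opened, so two reports (for instance the Windows 7 and Windows XP copies compared in this thread) can be checked for identity without mailing binaries around. The log-line regex, the `SAMPLE_LOG` text beyond the one entry quoted in this thread, the `resolve` callback and the `DEMO_BYTES` stand-in file are assumptions made for the example.

```python
"""Triage helper for Spybot TeaTimer resident-log detections (added example, not Spybot's code)."""
import hashlib
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Assumed line shape, modelled on the single resident-log entry quoted in this thread.
LOG_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Encountered and terminated (?P<name>.+?) in (?P<path>.+?)!$"
)

# Constructed sample log: line 1 is the entry quoted in the thread, lines 2 and 3 are made up.
SAMPLE_LOG = (
    "3/17/2009 9:15:11 AM Encountered and terminated Cydoor in "
    "C:\\Program Files\\Adobe\\Reader 9.0\\Setup Files\\{AC76BA86-7AD7-1033-7B44-A91000000001}\\AirShareInstaller.exe!\n"
    "3/17/2009 9:15:12 AM Some unrelated resident-log line\n"
    "3/17/2009 9:20:00 AM Encountered and terminated Virtumonde in C:\\Temp\\missing.exe!\n"
)

# Constructed stand-in for the detected binary (not a real PE file, just bytes to hash).
DEMO_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in for AirShareInstaller.exe"


def parse_resident_line(line):
    """Return (timestamp, detection name, logged path) or None for non-detection lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
    return ts, m.group("name"), m.group("path")


def describe_file(path):
    """SHA-256 and size of a file, or the reason it could not be read.

    An unreadable file (locked by another on-access scanner, for example) is
    reported explicitly rather than hashed as empty, because that condition is
    exactly what the thread suspects behind the misidentification."""
    p = Path(path)
    if not p.exists():
        return {"path": str(p), "status": "missing"}
    digest = hashlib.sha256()
    size = 0
    try:
        with p.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
                size += len(chunk)
    except OSError as exc:
        return {"path": str(p), "status": "unreadable: " + exc.__class__.__name__}
    return {"path": str(p), "status": "ok", "size": size, "sha256": digest.hexdigest()}


def triage(log_text, resolve=lambda path: path):
    """Parse every detection in the log and describe the file it names.

    `resolve` maps the Windows path written in the log to a local path; the
    identity default is what you would use on the affected machine itself."""
    report = []
    for line in log_text.splitlines():
        parsed = parse_resident_line(line)
        if parsed is None:
            continue
        ts, name, logged_path = parsed
        info = describe_file(resolve(logged_path))
        info.update({"time": ts.isoformat(), "identified_as": name, "logged_path": logged_path})
        report.append(info)
    return report


def demo():
    """Run the triage over SAMPLE_LOG, with a constructed temp file standing in for the first path."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "AirShareInstaller.exe").write_bytes(DEMO_BYTES)
    # Map each logged Windows path to its basename inside the temp directory;
    # missing.exe is deliberately never created, so it reports as "missing".
    return triage(SAMPLE_LOG, lambda path: str(tmp / path.rsplit("\\", 1)[-1]))


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Run on the affected machine with `triage(open("resident.log").read())` and attach the resulting hashes to the report; two installs that produce the same SHA-256 for AirShareInstaller.exe are byte-identical, which is the comparison post #6 made by hand, and an "unreadable" status at the time of the alert is the evidence post #10 is asking for.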
Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.