Need User Feedback: Possible false positive report



Kelptocharge
2008-10-16, 04:07
Hi,

A friend lent me a copy of Symantec Ghost Solution Suite v2.5 to make an image of my PC. Now, I KNOW he owns the SW (I've actually seen the original CD) but he brought over his backup copy. He always makes a backup of his CDs, so I am certain it wasn't pirated.

Regardless, I ran the "right-click Spybot scan" in explorer over it and SpybotSD 1.6.0.30 with "last detection update" from 15 October 2008 reported that one file "gdiplus.dll" contained "Caishow" under the "Heuristics" section.

Symantec AV with defs dated 15 Oct 2008 rev 3 thinks the file is clean.

I uploaded it to VirusTotal & it scanned it & found nothing also. See http://www.virustotal.com/analisis/fbcd4040de4e4ecced3ec8acf24b893e

Then I uploaded it to http://www.kaspersky.com/scanforvirus which also found nothing. Of incidental strangeness is that I had to compress the file to upload to Kaspersky (1 MB filesize limit). So for the hell of it, I had the "right click in explorer" Spybot scan both a RAR & a ZIP of the file & the uncompressed DLL again. It still said the DLL had "Caishow" but it found NOTHING in the compressed ones. Weird?

Here's the other weird bit: I manually added the directory containing the file to SpyBot's settings/directories tab & ticked the "inc sub dirs" box. Then I ran a normal "check for probs" (and yes, under "file sets" I ticked "select all available checks") but it found NOTHING.

So I'm thinking it's maybe a false positive.

Would you like me to send you the file?

Cheers

BH :eek:

Kelptocharge
2008-10-16, 07:48
Forgot to add:

Windows XP SP3 + patches released as of today
Firefox 3.0.3

Yodama
2008-10-16, 11:33
hello,

thank you for reporting this false positive.
Please email the gdiplus.dll file to detections@spybot.info with a reference to this thread so we can fix this heuristics false positive.

Kelptocharge
2008-10-16, 22:53
No problem - thanks for helping make SpyBot available to us..!

Let me know if the mail doesn't turn up. It was taking a long time to upload (900k) on my skinny link, although webmail said it was sent.

BTW, my friend brought over the original CD & another slightly older Norton original CD (System Works) and Spybot reported the same results with the GDIPLUS.DLL in them too. (the file was identical in all 3, checked via "fc /b").

Cheers

DuracelSeaweed :clown:



Kelptocharge
2008-11-01, 07:08
Heya,

I just ran the updater in Spybot & DL the latest defs + the optional "fixes various F/P" component. Then I ran the "right-click" scan over the suspected false positive file I mentioned in this thread 2 weeks ago and it is still coming up as "Caishow" under the heuristics section. :(

Let me know if you want me to resend the e-mail :)

Spybot ver: 1.6.0.30
Latest detection update: 29 October 2008

Yodama
2008-11-03, 09:20
sorry about that, please resend your email, somehow I did not receive it and forgot about the issue :oops:

it might be best to zip or rar the file before sending since some mail servers tend to filter some files by extension.

please also make a reference to this thread.