Zeno false positive



Fermat
2006-07-02, 12:22
I'm getting teatimer popups saying "s & D has encountered & terminated a process that is listed as malicious software" .... "Identified as Zeno".

The files are mcafee.com\vso\mcmnhdlr.exe and ...com\agent\McDash.exe.
As far as I can see, they haven't changed since 2005. And every anti-malware & av program I've run against them is happy.

Installed new S & D definitions & beta definitions yesterday (01 July). Popups began last night (UK) with scheduled McAfee virus scan.

Switched off teatimer, until new definitions arrive. (but WinPatrol's Scottie is guarding my Startup, so I feel reasonably safe)

Mike

Fermat
2006-07-02, 13:37
I've just learnt how to allow those mcafee tasks in teatimer. Haven't had to go there before, so I didn't know about it. Wonderful feature. S & D has gone up even higher in my estimation. So teatimer is back in action.

Yodama
2006-07-03, 09:50
Thanks for reporting,
it is a false positive in the beta detections and will be removed with the next update scheduled for the end of the week.
This false positive also detects qttask.exe as Zeno, so do not be alarmed if qttask gets detected by the TeaTimer.

bishoper
2006-07-03, 12:24
2006-07-03 05:10:09 Encountered and terminated Zeno in C:\WINDOWS\system32\nvsvc32.exe! from the log.

Jon Graef
2006-07-03, 15:03
Setacm.exe is for setting the speed of the Maxtor hard disks' read heads, to make the seek quiet (but slower). I ran the file but got the warning... Zeno.
File link included.

http://maxtor.custhelp.com/cgi-bin/maxtor.cfg/php/enduser/maxtor_EULA.phph?setacm.exe

Thanks Jon Graef

Yodama
2006-07-03, 15:16
Hi, please tell us which detection rules you are using and where the warning occurred: as scan result or TeaTimer popup.

biko4710
2006-07-03, 15:48
Hi,

Using the latest beta detection rules (update: 1.7.06), TeaTimer creates the following popups:

Encountered and terminated Zeno in C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
-> Lenovo/IBM ThinkVantage Access Connection 4.12

Encountered and terminated Zeno in D:\Microsoft ActiveSync\CEAppMgr.exe!
-> Microsoft ActiveSync 3.8.0, Application Manager

cu, biko

CrazyBunch
2006-07-04, 01:04
Zeno detection is corrupt as it seems to trigger on all sorts of perfectly correct software. To the list above I can add:

* Encountered and terminated Zeno in C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE!

...which is HP StatusClient to monitor printer status

* Encountered and terminated Zeno in C:\Program Files\Dantz\Retrospect\Retrospect.exe!

...which is Backup software by DANTZ

Re/F

wuschel
2006-07-04, 19:54
Hi,
Updated to detection-updates 01-07-2006 (incl. beta), teatimer found :

"Encountered and terminated Zeno in C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe",

..., which is a legitimate file of "Acronis True Image" backup software.
Disabled the "ZENO" detection in the "beta.sbi" checklist.

CU, Wuschel

Fermat
2006-07-04, 21:06
Thanks for reporting,
it is a false positive in the beta detections and will be removed with the next update scheduled for the end of the week.


Thanks for the info Yodama

genjen
2006-07-04, 22:47
2006-07-03 05:10:09 Encountered and terminated Zeno in C:\WINDOWS\system32\nvsvc32.exe! from the log.


Yeah, my TeaTimer also went nuts over that file and there is no way I'm gonna give up my nvidia software.

suirauqa
2006-07-06, 04:07
Hi! I am new to this forum, though I have been a long time user of Spybot Search and Destroy. I am posting in this thread since it talks about false positives. Similar to experiences of others here, today I got a zeno notice for this program - C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrsrv.exe - this is the Sony Ericsson File manager for SE phones.

To answer Yodama's question, this came up as a separate pop-up notice (not the regular teatimer pop up), asking me to either terminate the process (and delete the file) or allow (not recommended) or set the option as notification at every event. Even after I allowed the file, on checking the resident list, it said that teatimer terminated zeno in so-and-so process... (which may be why the software could not detect my phone!!).

I understand that the team would correct this bug in the next beta, but meanwhile, can someone tell me if there is a way to selectively allow this program not to be detected by teatimer?

md usa spybot fan
2006-07-06, 07:20
suirauqa:

As the pop-up dialog indicates, detected processes are always terminated the first time they are encountered:


Spybot - Search & Destroy has encountered and terminated a process that is listed as part of a malicious software.
If you checked "Allow this process to run (NOT RECOMMENDED)" under "If Spybot - Search & Destroy encounters this process again", the process should be allowed to run the next time it is encountered by TeaTimer.

If that is not working you could delete the following file which would eliminate the Beta detections until the next update:
C:\Program Files\Spybot - Search & Destroy\Includes\Beta.sbi

GreenEyedLady
2006-07-12, 06:00
And yet another false positive in the beta detections - SeaMonkey 1.0.2 (released 01 Jun 2006, update to the browser that replaces no-longer-supported Mozilla) is flagged as Zeno. Kept getting the "kill" popup (over a hundred times) during install, no matter how many times I checked "allow" and "remember this", finally had to kill TeaTimer to do the install correctly, then restart TeaTimer (this time it stopped after only 1 popup where I checked "allow" and "remember").

This is new behavior, I still have the previous installation as well, SeaMonkey 1.0.1 does not get this FP. Detection update is 2006-07-01

md usa spybot fan
2006-07-12, 07:01
GreenEyedLady:

I believe that the problem was corrected with the update of 2006-07-07. Please update and see if that is true.

GreenEyedLady
2006-07-15, 00:34
GreenEyedLady:

I believe that the problem was corrected with the update of 2006-07-07. Please update and see if that is true.

It's been quite a while since any update server has been reachable, just hangs forever with the search animation, same thing happens consistently across multiple systems repeatedly. However, today I finally got through from one of them and did the 7-14 update - it does NOT correct the problem for SeaMonkey.

Buster
2006-07-17, 08:18
@ GreenEyedLady,

Does this problem still persist after you restarted TeaTimer? I just tried to reproduce this FP with the SeaMonkey installer, but TeaTimer did not flag any file as Zeno.
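
Added example, not part of the thread and not Spybot's own code: a small triage script that parses the "Encountered and terminated ... in ..." lines quoted above and groups them by detection name, so a single rule firing across many unrelated install directories stands out. The overall log layout, the `min_dirs` threshold and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Line shape as quoted in the thread; the timestamp and trailing "!" are
# optional because posters pasted the line both ways.
LINE_RE = re.compile(
    r'^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) )?'
    r'Encountered and terminated (?P<sig>.+?) in (?P<path>[A-Za-z]:\\.+?)!?\s*$'
)

def parse_line(line):
    """Return (timestamp or None, signature, path), or None for other lines."""
    m = LINE_RE.match(line.strip())
    return (m.group('ts'), m.group('sig'), m.group('path')) if m else None

def summarize(lines, min_dirs=3):
    """Group terminations by signature; min_dirs is an assumed review threshold."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            hits[parsed[1]].add(parsed[2].lower())  # Windows paths: case-insensitive
    report = {}
    for sig, paths in hits.items():
        dirs = {p.rsplit('\\', 1)[0] for p in paths}
        report[sig] = {
            'binaries': sorted(paths),
            'dirs': len(dirs),
            # One signature firing in many unrelated install directories right
            # after a definitions update points at the rule, not at the files.
            'review_signature': len(dirs) >= min_dirs,
        }
    return report

# Sample input built from paths reported in the thread (log layout is assumed).
SAMPLE = [
    r'2006-07-03 05:10:09 Encountered and terminated Zeno in C:\WINDOWS\system32\nvsvc32.exe!',
    r'Encountered and terminated Zeno in C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe',
    r'Encountered and terminated Zeno in D:\Microsoft ActiveSync\CEAppMgr.exe!',
    r'Encountered and terminated Zeno in C:\Program Files\Dantz\Retrospect\Retrospect.exe!',
    r'2006-07-03 05:10:09 Encountered and terminated Zeno in C:\WINDOWS\system32\nvsvc32.exe! ',
    'TeaTimer started',  # constructed line that must be ignored
]

if __name__ == '__main__':
    for sig, info in summarize(SAMPLE).items():
        print(sig, info['dirs'], 'dirs, review:', info['review_signature'])
        for binary in info['binaries']:
            print('  ', binary)
```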