sb user
2017-05-16, 09:59
After years of using SpyBot for monthly scans I now came across the first false positive detection.
I went back to the definitions of around April 15th to confirm. With those no false positive was found.
So, with the current definitions (date of definitions: about May 10th - there are different dates for different types of threats but the Trojans definitions are from May 10th: 2017-05-10 Includes\Trojans-C.sbi) there's a problem of false positive:
Win32.VB.grl: [SBI $8AADDBCA] Library (File, nothing done)
C:\Windows\System32\vbzip10.dll
Properties.size=147456
Properties.md5=5B25690CC2E55A6D4BC965068A7BA1EF
Properties.filedate=944727588
Properties.filedatetext=1999-12-09 10:19:48
This is on W7 64bit, using Spybot - Search & Destroy version 2.4.40.131 DLL (build: 20140425).
As can be seen by the date of the file it has been on the system probably since installation of W7. It has never ever been detected as worm or trojan before by SpyBot or any other av scanner.
But the strange thing is: The only software with which I can even "see" these files (there's another one called vbuzip10.dll, which is not detected as harmful with latest definitions) is with safer-networking software, i.e. SpyBot File Scanner and FileAlyzer. These files are not "there" if I use Windows Explorer or any other file manager (e.g. mucommander, Q-Dir) - or Windows command prompt for that matter. And yes, I know how to "show hidden files" in Windows (Explorer)!!! I see all the (previously) hidden files and folders, but not those two files... unless I use e.g. FileAlyzer. So, I can't let any other av software check those files specifically because they don't "see" them and general checks don't find any problem.
Btw.: If I check "submit" in the "Virus Total" tab of FileAlyzer nothing happens...
Strangely enough I can upload them to Virus Total using a browser, i.e. the browser file selection context window can "see" those files - even with hidden files not set to be seen in Windows Explorer...
Result: 0/59 av scanners find that file to be harmful. But the analysis seems to be from May 1st, so before the date of SpyBot's last definitions update.
https://www.virustotal.com/de/file/cbe2e53f8602fe9b24583f366edf0f29f888efaef6ca9c03ed7c89b2c2bce263/analysis/
There were compromised versions of that file around, as McAfee website states, but that was back in 2010...
https://home.mcafee.com/virusinfo/virusprofile.aspx?key=322346#none
https://www.mcafee.com/threat-intelligence/malware/default.aspx?id=283502
And your forum search finds that file in threads all back from around 2007 and 2008...
So, to me it seems that this is a definite false positive detection by SpyBot with its latest definitions update from about May 10th.
The scan was done on May 13th and the "check" scan with the mid-April definitions and again the May 10th definitions on May 14th. Today, there are no new definitions to be found by SpyBot Update.
That's why I registered and wrote this post.
Thanks for looking into this problem.
Mike