Thread: oreans32 (oreans32.sys) False Positive

  1. #1
    Junior Member
    Join Date
    Jan 2007
    Posts
    2

    oreans32 (oreans32.sys) False Positive

    I am getting a false positive on the registry key for Oreans (Hupigon).

    When I investigated it with Google, at first it looked like a backdoor. But then I realized that the oreans32.sys located in the system32\drivers folder and mentioned in the report from Spybot is a legitimate process.

    OK, it is not legitimate in the way that I have authorized the installation or been able to choose, and it was a pain in the *** to get rid of. I succeeded with the removal though.

    It is also known that some backdoors can use this driver to help hide and protect themselves. But in this case it was one of my software vendors who tried to protect his software. I was forced to enable the oreans32.sys again.

    I feel it to be wrong if Spybot reacts and reports on the existence of this registry key and file, despite its ability to protect spyware.

    I think that Spybot should only report if it also finds other known spyware registry keys or processes.

    Any other comments on this?

  2. #2
    Member of Team Spybot Buster's Avatar
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389

    I would like to take a look at your bug report. To create a bug report, please run Spybot-S&D, let it scan and then go to "Tools --> View Report". Tick all of the 10 checkboxes (leave "Do not report disabled or known legitimate items" unchecked) you can find there and click on "View Report". Now choose "Export" and save the file to your desktop. Please attach this file to your next post. Thanks in advance!
    "The advantage of wisdom is that you can always act the fool. The opposite is quite tough."

    K. Tucholsky

    _______________________________________________________________

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member
    Join Date
    Jan 2007
    Posts
    2

    The report as requested (zipped file)

    I earlier did have the Chinese Yahoo assistant badware and cleaned it in safe mode with Spybot.


    /Best regards

  4. #4
    Junior Member
    Join Date
    Jan 2007
    Posts
    3

    I can confirm this false alert. S&D found the same "oreans32/Hupigon" on my machine today; however, this one belongs to a game named "Prey". Part of the game's copy protection, if I understand correctly.

  5. #5
    Member of Team Spybot Buster's Avatar
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389

    Please send an email to detections(at)spybot.info and attach the oreans32.sys file located at C:\WINDOWS\system32\drivers\ for further analysis. Thanks!

  6. #6
    Junior Member
    Join Date
    Jan 2007
    Posts
    3

    Emailed file in question.

    Although I already verified file's legitimacy by removing oreans32.sys, Prey no longer starts. Also reinstalling Prey makes oreans32.sys reappear in \system32\drivers folder.

  7. #7
    Junior Member
    Join Date
    Jan 2007
    Posts
    3

    Quote Originally Posted by jaska915
    Emailed file in question.

    Although I already verified file's legitimacy by removing oreans32.sys, Prey no longer starts. Also reinstalling Prey makes oreans32.sys reappear in \system32\drivers folder.
    Almost forgot... service named "oreans32" with driver "C:\Windows\system32\drivers\oreans32.sys" can be found in "Non-Plug and Play Drivers" section of Device Manager. Disabling this service will result in Prey not starting.

  8. #8
    Member of Team Spybot Buster's Avatar
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389

    Thanks for sending the file. We will remove the detection for oreans32.sys in today's update. Sorry for any inconvenience.