Thread: True Sword FP (I hope)

  1. #1
    Junior Member
    Join Date
    Jul 2006
    Posts
    3

    True Sword FP (I hope)

    --- Search result list ---
    True Sword: Root class (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350

    True Sword: Root class (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350.1

    True Sword: Class ID (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{25982EAA-87CC-4747-BE09-9913CF7DD2F1}

    Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    (Pat)

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    Pat:

    I do not have the final say on whether something is or is not a false positive because I do not deal with the detection rules. But from what I see, this is not a false positive but rather a false hope on your part that it is not.

    Read this from Symantec:

    Quote from:

    True Sword securitystronghold.com ridiculous false positives work as goad to purchase [A: 1-3-06 / U: 1-3-06]

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  3. #3
    Retired
    Join Date
    Oct 2005
    Posts
    566

    md usa spybot fan is right: True Sword seems not to be a false positive and will not be removed from our detection.

    Best regards
    Markus

  4. #4
    Junior Member bubba
    Join Date
    Oct 2005
    Posts
    18

    Quote Originally Posted by MisterW
    True Sword is not a false positive and will not be removed from our detection.
    Hello Markus,

    If we set aside the fact that TrueSword being installed would be a legitimate find in regards to a Rogue type program and only focus on the eSellerate registry entries....should eSellerate (an online company of Digital River via the purchase of MindVision) by itself be flagged or not?

    Regards,
    Bubba

  5. #5
    Retired
    Join Date
    Oct 2005
    Posts
    566

    So if the program flags another useful tool we have to find a way that it will only flag the bad parts of it!

    I could not find any "good" software that uses the eSellerate keys but perhaps I am blind.
    Which software do you mean is flagged by these entries? Could you send me a link or some samples?

    regards,
    Markus

  6. #6
    Junior Member bubba
    Join Date
    Oct 2005
    Posts
    18

    Quote Originally Posted by MisterW
    I could not find any "good" software that uses the eSellerate keys but perhaps I am blind.
    I will not view it as you being blind....I feel these eSellerate type entries only will be raising their head more so given Digital River only recently purchased MindVision\eSellerate....which means you may be seeing more of these eSellerate only entries.

    Which software do you mean is flagged by these entries? Could you send me a link or some samples?
    This is the first I have seen of this possible problem and it was brought to our attention by the thread starter above in this Wilders thread that was started yesterday. I suggested they create a thread @ your official Forum concerning this matter since I am not privy to you all's detection rules or criteria. Perhaps if the thread starter could post a complete log of the scan result that flagged the entries it would possibly eliminate True Sword as being part of the equation if eSellerate were the only entries found.

    Also....whether this was a true test or not....I deliberately added via a .reg file yesterday the below shown reg entries only and Spybot did flag the 3 entries as True Sword.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350]

    [HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350.1]

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{25982EAA-87CC-4747-BE09-9913CF7DD2F1}]
    I realize that might not be of much help but that's what I found and as time permits I have been looking further into this new eSellerate development as it relates to Digital River.

    Digital River Buys eSellerate

    Regards,
    Bubba
    Last edited by bubba; 2006-07-31 at 16:54.
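
A read-only way to see what actually sits behind the three flagged keys on a given machine, as an added example that is not part of the thread or of Spybot's detection logic: it resolves each key to its COM server file and reports that file's Authenticode signer. It assumes PowerShell on the affected Windows machine; the helper name Get-DefaultValue is hypothetical.

```powershell
# Added example: read-only triage of the three keys from this thread.
# Assumes the native registry view; on 64-bit Windows a 32-bit control
# may be registered under Software\Classes\Wow6432Node instead.
$classes = 'HKEY_LOCAL_MACHINE\Software\Classes'
$keys = @(
    "$classes\eSellerateControl.350",
    "$classes\eSellerateControl.350.1",
    "$classes\CLSID\{25982EAA-87CC-4747-BE09-9913CF7DD2F1}"
)

function Get-DefaultValue([string]$Path) {
    # (Default) value of a key, or nothing if the key or value is absent.
    $k = Get-Item -LiteralPath "Registry::$Path" -ErrorAction SilentlyContinue
    if ($k) { $k.GetValue('') }
}

$report = foreach ($key in $keys) {
    $row = [ordered]@{ Key = $key; State = 'absent'; Server = $null; Signature = $null; Signer = $null }
    $item = Get-Item -LiteralPath "Registry::$key" -ErrorAction SilentlyContinue
    if ($item) {
        # Bare keys with no values or subkeys (as in the .reg test in
        # post #6) cannot load any code and name no owning product.
        $empty = ($item.SubKeyCount -eq 0) -and ($item.ValueCount -eq 0)
        $row.State = if ($empty) { 'empty key' } else { 'populated' }

        # A ProgID names its class in a CLSID subkey; a CLSID key is the class.
        $clsid = Get-DefaultValue "$key\CLSID"
        $classKey = if ($clsid) { "$classes\CLSID\$clsid" } else { $key }
        $server = Get-DefaultValue "$classKey\InprocServer32"
        if ($server) {
            $file = [Environment]::ExpandEnvironmentVariables($server).Trim('"')
            $row.Server = $file
            if (Test-Path -LiteralPath $file -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -LiteralPath $file
                $row.Signature = $sig.Status
                if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
            } else {
                $row.Signature = 'server file missing'
            }
        }
    }
    [pscustomobject]$row
}
$report | Format-List
```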

  7. #7
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    Just as a note:

    I originally found the Symantec article that I referenced in my original post by the actual Spybot detections listed by SG1windowsxp, not the name of the detections (TrueSword).

    If you go into the following Symantec article and click the "TECHNICAL DETAILS" tab, there is a complete listing of what Symantec thinks is added with TrueSword (including the three (3) detections that SG1windowsxp posted):


  8. #8
    Junior Member bubba
    Join Date
    Oct 2005
    Posts
    18

    As an additional note in case the above mentioned Wilders link is not followed:

    This poster has stated in the Wilders thread that they "buy lots of stuff online, and eSellerate is a vendor often used". That being the case....perhaps it will be important to know from this user if there was an eSellerate program such as eSellerate 2.5 purposely installed which could be the reason for the eSellerate registry entries?

  9. #9
    Junior Member
    Join Date
    Aug 2006
    Posts
    1

    I let Spybot S&D delete the three True Sword registry entries and next my Registry Compactor program started to throw errors. After restoring the deleted entries Registry Compactor runs smoothly again.

    I purchased Registry Compactor in 2004 from Rose City Software and the order was processed by the eSellerate e-commerce system.

  10. #10
    Retired
    Join Date
    Oct 2005
    Posts
    566

    After bVolk gave me some information about a tool where the FP exists, I could check the problem and now I can confirm that there is a False Positive in the detection. It will be removed with the next update scheduled for the end of the week.

