
Thread: False heuristics hit on Symantec file?

#1
Junior Member | Join Date: Feb 2009 | Posts: 3

False heuristics hit on Symantec file?

Had a situation on my grandson's machine earlier today with Spybot showing Virtumonde on nppbho.dll. The file was in the C:\ProgFiles\Syman..Shared\coshared\browser\1.0\ directory with a 2006 date, and the same date on the parent directory. Properties showed a signature from Symantec, the same as on the other files in the directory, along with the same dates.

Right-clicking the file in Explorer and selecting "check with Spybot" resulted in a negative on malware and a positive on heuristics.

I am assuming this is a false hit, but... two questions:

1. Is there any way to disable heuristics? The help file did not even contain the word.

2. I would like to confirm the file is clean.

P.S. Disabling the file resulted in a machine that took over 20 minutes to boot and 10-20 seconds between key/mouse strokes. I finally got it reactivated after 2 hours of waiting. This is the first false hit that resulted in a problem I have ever had with Spybot in more than a few years of working on many computers. The main "check for problems" screen gave no indication that it was only a heuristics hit, and I came very close to toasting the OS believing the file was malware.

#2
Yodama, Senior Member | Join Date: Oct 2005 | Location: Buchenheim | Posts: 1,110

Hello,

This sounds like a false positive. Please email the file nppbho.dll to detections@spybot.info for analysis and make a reference to this thread in your email.

The heuristics scan is part of the single-file scanner (right-click scan), which is separate from the normal scan with Spybot S&D.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

#3
Junior Member | Join Date: Feb 2009 | Posts: 3

2nd Question

Sorry, I meant 1st Question...

The main scanner had two hits, one for a BHO and the other for the CLSID itself, 1EA86710-7264-4D0F..., and called it malware. (I only wrote down enough of the CLSID to find it.) The single-file scanner identified it as heuristics only. For the main scanner to ID the file referenced in the registry, it either doesn't check the file and just reports the two registry entries, or it uses heuristics and reports it as malware. I would appreciate knowing which it is, to better utilize Spybot in the future. Spybot traditionally came up with less than many other malware scanners, but was very good as to false positives. (This is the first one I have seen.)

P.S. It will be tonight before I can send the file (CST).
    Last edited by joffenb; 2009-02-02 at 16:50. Reason: Mistake in title - meant 1st Question...

#4
Junior Member | Join Date: Feb 2009 | Posts: 3

    Just uploaded files...

#5
Yodama, Senior Member | Join Date: Oct 2005 | Location: Buchenheim | Posts: 1,110

Received your files and identified the rules responsible for these false positives.

The default scan with Spybot S&D is more accurate and is recommended over the single-file scanner. The heuristics part of the single-file scanner in particular is prone to false positives.
You can use the single-file scanner to quickly determine whether a file is suspicious or not; further analysis of the file is recommended if it produced a hit with the heuristics part only.
In this case, however, the false positive affected both scanners.
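The "further analysis" Yodama recommends above for a heuristics-only hit, and the poster's second question in #1 (confirming that a file is clean when its Properties sheet shows a vendor signature), as an added example that is not part of this thread and is not Spybot S&D or Symantec code: a PowerShell script that verifies the embedded Authenticode signature of the flagged file, records its SHA-256 and modification time, and lists whether the other DLLs in the same directory carry the same signer. The function names Test-FlaggedFile and Compare-SiblingSignatures are my own; the file path is passed in by the operator rather than assumed, because the post gives it only in abbreviated form.

```powershell
# Added example (editor's own, not from the thread or from Spybot S&D / Symantec).
# Purpose: before deleting a file a scanner flagged on heuristics only, check
# whether it carries a valid vendor signature and whether it looks like its
# neighbours. Function names are hypothetical. Requires PowerShell 3.0+.

function Test-FlaggedFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    $file = Get-Item -LiteralPath $Path

    # Verifies the embedded Authenticode signature: the PE image hash against
    # the signed hash, and the signer chain against the machine's trusted roots.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # SHA-256 of the whole file, for comparison with a known-good copy or the
    # vendor's published hash. Computed via .NET so it does not depend on the
    # Get-FileHash cmdlet (which needs PowerShell 4.0+).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try     { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }

    [pscustomobject]@{
        File        = $file.FullName
        SizeBytes   = $file.Length
        Modified    = $file.LastWriteTimeUtc
        SHA256      = $hash
        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        SigStatus   = $sig.Status
        Signer      = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
        # A countersignature timestamp lets an old signature still verify after
        # the signing certificate itself has expired (relevant to a 2006 file).
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

function Compare-SiblingSignatures {
    # Lists every DLL in the flagged file's directory next to the flagged one:
    # a vendor component normally shares signer and build date with its siblings.
    param([Parameter(Mandatory = $true)][string]$Path)

    $flagged = Test-FlaggedFile -Path $Path
    Get-ChildItem -LiteralPath (Split-Path -Parent $Path) -Filter *.dll |
        ForEach-Object { Test-FlaggedFile -Path $_.FullName } |
        Select-Object @{ n = 'Name'; e = { Split-Path -Leaf $_.File } },
                      SigStatus, Signer, Modified,
                      @{ n = 'SameSignerAsFlagged'; e = { $_.Signer -eq $flagged.Signer } }
}

# Usage (path supplied by the operator; the thread gives it only abbreviated):
#   Test-FlaggedFile -Path 'C:\...\nppbho.dll'
#   Compare-SiblingSignatures -Path 'C:\...\nppbho.dll' | Format-Table -AutoSize
```

A SigStatus of Valid means the bytes on disk are the bytes the signer signed and the signer chains to a root the machine trusts; anything else (NotSigned, HashMismatch, NotTrusted) means the Properties sheet alone should not be believed. A valid vendor signature on a file sitting in that vendor's own directory, with the same signer and date as its siblings, is strong evidence of a false positive, but it only establishes origin and integrity, not that the component is harmless, so the hash is still worth sending to the scanner vendor as the thread describes.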

#6
Rouke, Junior Member | Join Date: Mar 2008 | Location: Amsterdam, The Netherlands | Posts: 25

@Yodama:
I wasn't aware of the ways to upload FPs a year back, but a file that is/was regularly used in EA games was seen as an FP quite often with S&D 1.4 and earlier versions of 1.5 (now it isn't).

And yes, I'm pretty sure it was an FP (the CD file was also recognised).

Luckily the current set of tools and people helping out is a very good basis to build upon.
Hopefully FPs are a thing of the past with the current RunAlyzer + SDDT + S&D 2.0 system.
