Thread: Teatimer 1.6.6.32 False Positives

  1. #1
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    There have been recent user reports of Teatimer producing false positives.
    This began after the recent Teatimer update to Teatimer version 1.6.6.32.

    The threads that appear to be related to this issue will be merged into this thread on Monday 2009-03-30. If your case possibly matches this issue, do not start a new thread but append to this one.

    These false positives do not appear to be signature based false positives, meaning that finding and fixing the issue is more difficult and requires user feedback.

    If you have the Teatimer activated and you get a message similar to this one:
    (detected file and the name in "identified as" are different in most cases)




    please do the following:

    * attach the detected file to an email to referencing this thread
    * include the resident log in your email
    * also include a full Spybot S&D report in your email (scan, then right-click the scan result and select to save the full report)
    * state when you did the Teatimer update and if there were other parts of Spybot S&D updated as well (best attach the downloaded.ini located in C:\program files\Spybot - Search & Destroy\Updates)
    * also state if you rebooted the computer after the update and if there were any error messages
    * please also tell us if the false positive is reoccurring on your computer

    __________________
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.
    Last edited by MisterW; 2009-03-30 at 16:37.

  2. #2
    Senior Member 129260's Avatar
    Join Date
    Sep 2007
    Location
    Somewhere in the USA
    Posts
    1,139

    adobe flagged as virtumonde by teatimer

    * Operating System-Windows 7 beta (it was flagged in windows xp though also)
    * Browser and Version-Internet Explorer 7, Firefox latest version
    * Version of Spybot S&D and Date of the latest update: latest spybot and teatimer, latest update: March 11th 2009

    Teatimer about says: version 1.6.2.0 system settings protector 1.6.6.32

    * where did the false positive occur:

    o Teatimer message when a program was executed

    See screen shot for details.

    This happened when installing the latest update for Adobe Reader that has come out recently. The options are the ones I selected when I took the screenshot, because I knew it was a FP. Those were not the default selections when the window popped up.

    Last edited by 129260; 2009-03-14 at 17:44.
    "I am learning just like everyone else"
    new members!
    Custom built PC. Windows 7 pro x64 16GB Ram
    AMD FX 8 core 8350 Black edition
    SABERTOOTH 990FX/GEN3 R2.0
    Asus HD 7870 2GB GDDR5

  3. #3
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    hi,

    thanks for reporting this false positive.

    However I am not able to reproduce the false positive, it could be the case that Adobe changed the installer or I get a different one because of my IP.
    To shorten things please send me the Airshareinstaller.exe, it should still be present in the Adobe setup files folder sub folder.
    Please email to detections@spybot.info with a reference to this thread.

  5. #5
    Senior Member 129260's Avatar
    Join Date
    Sep 2007
    Location
    Somewhere in the USA
    Posts
    1,139

    I sent the email

    as requested. Let me know if you need the file from the XP computer as well that flagged this false positive. The one I sent was the one from the windows 7 beta.

  6. #6
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Thank you for sending in the file, I have compared it to the one I got while installing Adobe Reader 9.1 on Windows XP. The AirShareInstaller.exe for Windows 7 Beta and Windows XP are identical.

    However I have not been able to reproduce the false positive with the Teatimer.
    I have also checked our detection database for Virtumonde rules which could be responsible for this detection, but did not find one.

    This is really a strange case, could you please check if the false positive still occurs after a restart of the Teatimer?

  7. #7
    Senior Member 129260's Avatar
    Join Date
    Sep 2007
    Location
    Somewhere in the USA
    Posts
    1,139

    hmm that's odd...

    Well, here is the thing. I only got it once while I was installing Adobe as shown in the screen shot. I haven't repeatedly gotten it at all. Only that one time. This is weird though, because this is the second time I have gotten a false positive that you could not produce. Sorry for wasting your time.....I am very confused as to why this is happening. Maybe I should fully uninstall Spybot and install again. Thanks for getting back to me.

  8. #8
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    You need not apologize, we have to go after such false positives and it is good that you report them.
    There may have been special circumstances that prevented the correct reading of the file properties. Since this happened after the Teatimer update this may be related.
    It appears that a similar false positive occurred with unlockerassistant.
    I will be going after this issue since such false positives can be very dangerous.

  9. #9
    Junior Member metaed's Avatar
    Join Date
    Mar 2009
    Location
    Fort Worth, Texas
    Posts
    5

    I installed Adobe Reader 9.1 today. (This was because of a security advisory for 9.0 reported by Secunia PSI.)

    I received a security alert from TeaTimer similar to the one above, but for Cydoor. Here is the log entry:

    3/17/2009 9:15:11 AM Encountered and terminated Cydoor in C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\AirShareInstaller.exe!

    This alert occurred once at the end of the Adobe Reader installation. It has not yet occurred again.

    My operating system is Windows XP Home Edition SP3.

    My browser is Google Chrome 1.0.154.48.

    About TeaTimer gives 1.6.2.0, system settings protector 1.6.6.32. Info & License gives 1.6.2.46, latest detection update 3/11/2009.

    Best wishes,

    Edward
    --
    Sometimes they fool you by walking upright.
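
For anyone triaging several reporters' resident logs, the following added example (not part of any post in this thread and not Spybot's own code) parses lines of the shape quoted in the post above and flags files that were identified under more than one name, which is the pattern reported here for AirShareInstaller.exe. The line format is assumed from that single quoted entry; the second and third sample lines are constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Pattern assumed from the one resident-log entry quoted in the thread;
# any other TeaTimer message type simply does not match and is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Encountered and terminated (?P<name>.+?) in (?P<path>[A-Za-z]:\\.+)!\s*$"
)

def parse_line(line):
    """Return (timestamp, detection_name, file_path), or None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("name"), m.group("path")

def inconsistent_detections(lines):
    """Group detections by file name (case-insensitive, Windows path rules)
    and return only the files that were reported under several names."""
    names_by_file = defaultdict(set)
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        _, name, path = record
        names_by_file[ntpath.basename(path).lower()].add(name)
    return {f: sorted(n) for f, n in names_by_file.items() if len(n) > 1}

SAMPLE = [
    # Entry quoted in the thread.
    r"3/17/2009 9:15:11 AM Encountered and terminated Cydoor in C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\AirShareInstaller.exe!",
    # Constructed: same file reported under the other name mentioned in the thread.
    r"3/14/2009 5:30:02 PM Encountered and terminated Virtumonde in C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\AirShareInstaller.exe!",
    # Constructed: a file seen under one name only, so it is not flagged.
    r"3/15/2009 10:01:44 AM Encountered and terminated Cydoor in C:\Temp\sample.exe!",
    # Constructed: a line that is not a detection entry.
    "3/15/2009 10:02:00 AM Some other resident message",
]

if __name__ == "__main__":
    for file_name, names in inconsistent_detections(SAMPLE).items():
        print(f"{file_name}: identified as {', '.join(names)}")
```

A file that appears under unrelated detection names across reports points away from a single bad signature and toward how the file was read at detection time.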

  10. #10
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    hello,
    thank you for reporting this issue.

    I still have not been able to recreate the circumstances which provoke these false positives. Since Teatimer identifies the same AirShareInstaller.exe as Cydoor now it is very likely that Teatimer was not able to properly determine the file properties and went wrong.
    Are you running other active protection software or other software in background which may scan and/or lock files on access? If that is the case we may have an incompatibility issue.
