Thread: Teatimer 1.6.6.32 False Positives

  1. #1
    Senior Member 129260's Avatar
    Join Date
    Sep 2007
    Location
    Somewhere in the USA
    Posts
    1,139

    Adobe flagged as Virtumonde by TeaTimer

    * Operating System: Windows 7 beta (it was flagged in Windows XP though also)
    * Browser and Version: Internet Explorer 7, Firefox latest version
    * Version of Spybot S&D and date of the latest update: latest Spybot and TeaTimer, latest update: March 11th 2009

    TeaTimer about says: version 1.6.2.0, system settings protector 1.6.6.32

    * Where did the false positive occur: TeaTimer message when a program was executed

    See screen shot for details.

    This happened when installing the latest update for Adobe Reader that has come out recently. The options are the ones I selected when I took the screenshot, because I knew it was a FP. Those were not the default selections when the window popped up.

    Last edited by 129260; 2009-03-14 at 18:44.
    "I am learning just like everyone else"
    new members!
    Custom built PC. Windows 7 pro x64 16GB Ram
    AMD FX 8 core 8350 Black edition
    SABERTOOTH 990FX/GEN3 R2.0
    Asus HD 7870 2GB GDDR5

  2. #2
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Hi,

    thanks for reporting this false positive.

    However, I am not able to reproduce the false positive; it could be the case that Adobe changed the installer, or that I get a different one because of my IP.
    To shorten things, please send me the AirShareInstaller.exe; it should still be present in a sub-folder of the Adobe setup files folder.
    Please email it to detections@spybot.info with a reference to this thread.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Senior Member 129260's Avatar
    Join Date
    Sep 2007
    Location
    Somewhere in the USA
    Posts
    1,139

    I sent the email

    as requested. Let me know if you need the file from the XP computer as well, which also flagged this false positive. The one I sent was the one from the Windows 7 beta.

  4. #4
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Thank you for sending in the file. I have compared it to the one I got while installing Adobe Reader 9.1 on Windows XP. The AirShareInstaller.exe for Windows 7 Beta and Windows XP are identical.

    However, I have not been able to reproduce the false positive with the TeaTimer.
    I have also checked our detection database for Virtumonde rules which could be responsible for this detection, but did not find one.

    This is really a strange case. Could you please check if the false positive still occurs after a restart of the TeaTimer?

  5. #5
    Senior Member 129260's Avatar
    Join Date
    Sep 2007
    Location
    Somewhere in the USA
    Posts
    1,139

    Hmm, that's odd...

    Well, here is the thing. I only got it once while I was installing Adobe, as shown in the screenshot. I haven't repeatedly gotten it at all. Only that one time. This is weird though, because this is the second time I have gotten a false positive that you could not reproduce. Sorry for wasting your time... I am very confused as to why this is happening. Maybe I should fully uninstall Spybot and install it again. Thanks for getting back to me.

  6. #6
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    You need not apologize; we have to go after such false positives, and it is good that you report them.
    There may have been special circumstances that prevented the correct reading of the file properties. Since this happened after the TeaTimer update, this may be related.
    It appears that a similar false positive occurred with unlockerassistant.
    I will be going after this issue, since such false positives can be very dangerous.

  7. #7
    Junior Member metaed's Avatar
    Join Date
    Mar 2009
    Location
    Fort Worth, Texas
    Posts
    5

    I installed Adobe Reader 9.1 today. (This was because of a security advisory for 9.0 reported by Secunia PSI.)

    I received a security alert from TeaTimer similar to the one above, but for Cydoor. Here is the log entry:

    3/17/2009 9:15:11 AM Encountered and terminated Cydoor in C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\AirShareInstaller.exe!

    This alert occurred once at the end of the Adobe Reader installation. It has not yet occurred again.

    My operating system is Windows XP Home Edition SP3.

    My browser is Google Chrome 1.0.154.48.

    About TeaTimer gives 1.6.2.0, system settings protector 1.6.6.32. Info & License gives 1.6.2.46, latest detection update 3/11/2009.

    Best wishes,

    Edward
    --
    Sometimes they fool you by walking upright.
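A small triage helper, added here as an example (it is not code from the thread or from Spybot): it parses TeaTimer log lines in the format quoted above, flags any file reported under more than one family name (Virtumonde in post #1, Cydoor in this post, for the same AirShareInstaller.exe), and compares two copies of a flagged file by SHA-256, the check Yodama describes between the Windows 7 and XP installers. Apart from the line quoted in this post, the sample log entries are constructed.

```python
import hashlib
import re
from collections import defaultdict

# TeaTimer log line format as quoted in post #7:
# "3/17/2009 9:15:11 AM Encountered and terminated Cydoor in C:\...\AirShareInstaller.exe!"
LOG_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Encountered and (?P<action>\w+) (?P<name>.+?) in (?P<path>.+?)!?$"
)

# Constructed sample log: the real line from the thread, a made-up Virtumonde hit on
# the same installer (mirroring post #1), and an unrelated made-up detection.
SAMPLE_LOG = r"""
3/17/2009 9:15:11 AM Encountered and terminated Cydoor in C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\AirShareInstaller.exe!
3/14/2009 6:02:40 PM Encountered and terminated Virtumonde in C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\AirShareInstaller.exe!
3/15/2009 1:10:05 PM Encountered and terminated SomeOtherFamily in C:\Users\example\Downloads\unrelated.exe!
""".strip()


def parse_line(line):
    """Split one TeaTimer log line into its fields; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def names_by_path(log_text):
    """Map each flagged path (lower-cased, since Windows paths are case-insensitive)
    to the set of family names TeaTimer reported for it."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            out[rec["path"].lower()].add(rec["name"])
    return out


def inconsistent_paths(log_text):
    """Paths reported under more than one family: for a known vendor installer this is a
    strong false-positive signal and worth sending to the vendor for review."""
    return {p: sorted(n) for p, n in names_by_path(log_text).items() if len(n) > 1}


def same_binary(data_a, data_b):
    """True if two copies of a flagged file are byte-identical (compared via SHA-256)."""
    return hashlib.sha256(data_a).hexdigest() == hashlib.sha256(data_b).hexdigest()
```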
