Need User Feedback: Teatimer 1.6.6.32 False Positives

Yodama

New member
There have been recent user reports of Teatimer producing false positives.
This began after the recent Teatimer Update to Teatimer version 1.6.6.32.

The threads that appear to be related to this issue will be merged into this thread on Monday 2009-03-30. If your case possibly matches this issue, do not start a new thread but append to this one.

These false positives do not appear to be signature-based false positives, meaning that finding and fixing the issue is more difficult and requires user feedback.

If you have the Teatimer activated and you get a message similar to this one:
(detected file and the name in "identified as" are different in most cases)

[Screenshot: teatimer adobe fp.jpg]

please do the following:

* attach the detected file to an email to referencing this thread
* include the resident log to your email
* also include a full Spybot S&D report in your email (scan, then right-click the scan result and select to save the full report)
* state when you did the Teatimer update and whether other parts of Spybot S&D were updated as well (it is best to attach the downloaded.ini located in C:\program files\Spybot - Search & Destroy\Updates)
* also state whether you rebooted the computer after the update and whether there were any error messages
* please also tell us whether the false positive is recurring on your computer

adobe flagged as virtumonde by teatimer

* Operating System-Windows 7 beta (it was flagged in windows xp though also)
* Browser and Version-Internet Explorer 7, Firefox latest version
* Version of Spybot S&D and Date of the latest update: latest spybot and teatimer, latest update: March 11th 2009

Teatimer about says: version 1.6.2.0 system settings protector 1.6.6.32

* Where did the false positive occur: Teatimer message when a program was executed

See screen shot for details.

This happened when installing the latest update for Adobe Reader that came out recently. The options are the ones I selected when I took the screenshot, because I knew it was a FP. Those were not the default selections when the window popped up.

[Screenshot: teatimer adobe fp.jpg]

hi,

thanks for reporting this false positive.

However, I am not able to reproduce the false positive; it could be the case that Adobe changed the installer or that I get a different one because of my IP.
To shorten things, please send me the Airshareinstaller.exe; it should still be present in the sub folder of the Adobe setup files folder.
Please email to detections@spybot.info with a reference to this thread.
 
I sent the email

as requested. Let me know if you need the file from the XP computer as well that flagged this false positive. The one I sent was the one from the windows 7 beta.
 
Thank you for sending in the file, I have compared it to the one I got while installing Adobe Reader 9.1 on Windows XP. The AirShareInstaller.exe for Windows 7 Beta and Windows XP are identical.

However, I have not been able to reproduce the false positive with the Teatimer.
I have also checked our detection database for Virtumonde rules which could be responsible for this detection, but did not find one.

This is really a strange case, could you please check if the false positive still occurs after a restart of the Teatimer?
 
hmm, that's odd...

Well, here is the thing. I only got it once while I was installing Adobe, as shown in the screenshot. I haven't repeatedly gotten it at all. Only that one time. This is weird though, because this is the second time I have gotten a false positive that you could not reproduce. Sorry for wasting your time... I am very confused as to why this is happening. Maybe I should fully uninstall Spybot and install it again. Thanks for getting back to me.
 
You need not apologize, we have to go after such false positives and it is good that you report them.
There may have been special circumstances that prevented the correct reading of the file properties. Since this happened after the Teatimer update this may be related.
It appears that a similar false positive occurred with unlockerassistant.
I will be going after this issue since such false positives can be very dangerous.
 
I installed Adobe Reader 9.1 today. (This was because of a security advisory for 9.0 reported by Secunia PSI.)

I received a security alert from TeaTimer similar to the one above, but for Cydoor. Here is the log entry:

3/17/2009 9:15:11 AM Encountered and terminated Cydoor in C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\AirShareInstaller.exe!

This alert occurred once at the end of the Adobe Reader installation. It has not yet occurred again.

My operating system is Windows XP Home Edition SP3.

My browser is Google Chrome 1.0.154.48.

About TeaTimer gives 1.6.2.0, system settings protector 1.6.6.32. Info & License gives 1.6.2.46, latest detection update 3/11/2009.

Best wishes,

Edward
 
hello,
thank you for reporting this issue.

I still have not been able to recreate the circumstances which provoke these false positives. Since Teatimer now identifies the same AirShareInstaller.exe as Cydoor, it is very likely that Teatimer was not able to properly determine the file properties and went wrong.
Are you running other active protection software or other software in background which may scan and/or lock files on access? If that is the case we may have an incompatibility issue.
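As an added example (not code from this thread or from Spybot), a small Python triage script for resident log lines in the format quoted in this thread: it parses each entry, groups terminations by file so that a file identified under more than one name stands out (the AirShareInstaller.exe case above), and picks out terminations logged in the same second as a user-allowed startup change. The sample log is constructed from the lines posted in this thread plus one made-up Virtumonde entry.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the TeaTimer resident log lines quoted in
# this thread; the 3/20 Virtumonde line is made up to mirror the first report.
SAMPLE_LOG = """\
3/17/2009 9:15:11 AM Encountered and terminated Cydoor in C:\\Program Files\\Adobe\\Reader 9.0\\Setup Files\\{AC76BA86-7AD7-1033-7B44-A91000000001}\\AirShareInstaller.exe!
3/18/2009 11:35:07 PM Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: ""C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe"") added in System Startup global entry!
3/18/2009 11:35:07 PM Encountered and terminated PestCapture in C:\\WINDOWS\\System32\\msiexec.exe!
3/20/2009 10:02:44 AM Encountered and terminated Virtumonde in C:\\Program Files\\Adobe\\Reader 9.0\\Setup Files\\{AC76BA86-7AD7-1033-7B44-A91000000001}\\AirShareInstaller.exe!
"""

LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (.*)$")
TERMINATED_RE = re.compile(r"^Encountered and terminated (\S+) in (.+)!$")
ALLOWED_RE = re.compile(r'^Allowed \(based on user decision\) value "([^"]*)"')

def parse_log(text):
    """Turn resident log lines into event dicts; lines of other kinds are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        t = TERMINATED_RE.match(m.group(2))
        a = ALLOWED_RE.match(m.group(2))
        if t:  # path lower-cased so the same file groups together across reports
            events.append({"time": ts, "kind": "terminated",
                           "name": t.group(1), "path": t.group(2).lower()})
        elif a:
            events.append({"time": ts, "kind": "allowed", "name": a.group(1), "path": None})
    return events

def inconsistent_identifications(events):
    """Paths TeaTimer named differently on different occasions: a strong false
    positive hint, since a real signature hit names the same thing every time."""
    names = defaultdict(set)
    for e in events:
        if e["kind"] == "terminated":
            names[e["path"]].add(e["name"])
    return {p: sorted(n) for p, n in names.items() if len(n) > 1}

def detections_during_install(events):
    """Terminations logged in the same second as a user-allowed startup change,
    i.e. fired while an installer was registering itself (the msiexec case)."""
    install_times = {e["time"] for e in events if e["kind"] == "allowed"}
    return [e for e in events if e["kind"] == "terminated" and e["time"] in install_times]
```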
 
hmm...

@yodama:

Thank you. I just thought that this is really odd behavior for Teatimer. Also, maybe this might help, since you mentioned there is a possible incompatibility issue with another program.

I run the following security programs:

Windows Defender, Spybot (of course), Avast!, and Malwarebytes. Although Malwarebytes is scan only and does not run unless the program is launched, I thought I would still mention it. I was not running any scans or anything during that time. Just installing the latest update for Adobe.

@metaed:

It's interesting that you and I have this flagged by Teatimer as something different. Like Yodama stated, it might be a compatibility issue. Can you check and see if you have the same security software that I have listed above?
 
These two other applications are also resident on my PC and scanning files for signatures.

Secunia PSI 1.0.0.3
Avast On-Access Scanner, part of Avast 4.8 Professional, build Feb2009 (4.8.1335)
 
Thank you for your information on this.
Since both of you have Avast installed I will check on this first to see if there are any issues combined with Teatimer.
I will keep you updated on the results.
 
Test with Avast and Teatimer is done and they do not appear to collide.

Looks like I have to continue checking on the other apps.
 
ok.

I also forgot to mention that I had Secunia PSI installed as well; that is what offered me the update to Adobe. I just noticed that the other user had that as well. I wonder if Secunia PSI is the root of the compatibility issue? I highly doubt it, but it might be worth a look...

Also, thanks Yodama for looking into this. Hopefully we can figure out what is going on here with teatimer. ;)
 
I got a similar thing yesterday afternoon:

3/18/2009 11:35:07 PM Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"") added in System Startup global entry!
3/18/2009 11:35:07 PM Encountered and terminated PestCapture in C:\WINDOWS\System32\msiexec.exe!

Pest Capture? Both log entries have identical times and it happened during the Adobe automatic update.

This is on a WinXP Pro system, SP3 - SpyBot 1.6.2.0, System Settings Protector 1.6.6.32

Sunbelt Personal Firewall, IDBlaster, MRUBlaster, KeyScrambler, NOD32, TH Guard all running resident. Pete
 
thank you for the additional information.

I checked Secunia PSI. There is no indication that it is involved in the Teatimer issue. There appear to be no issues between Teatimer and Secunia PSI.

Maybe I have to look at this issue from a different angle.
 
I currently have no good news on this issue. Only a couple more similar reports.
These Teatimer false positives appear to be random. We may need a new version of Teatimer which gives us a bit more output, for instance the SBI ID.
 