Mr.Wong, posted October 20, 2019 (edited October 20, 2019 by Mr.Wong):

Hello. I think these two detections are false positives.

1) The file attached below, VT here: https://www.virustotal.com/gui/file/53fc9866b51dfbc0516436a1d6cc0789749f83fcd8ae84d6205595e7e20e1370/detection . It is a file associated with the CPU-Z app. (Attachment: New Compressed (zipped) Folder.zip)

2) The second is Lightshot, which I used in the past, and it is safe, so why is it flagged as a threat now? I can't install the Lightshot app. Site VT here: https://app.prntscr.com/en/index.html
Marcos (Administrator), posted October 20, 2019:

The detection is correct. The said drivers are detected as a potentially unsafe application, which is an optional detection and is disabled by default. CPU-Z had vulnerable drivers.
Mr.Wong (author), posted October 20, 2019:

7 hours ago, Marcos said: The detection is correct. The said drivers are detected as a potentially unsafe application, which is an optional detection and is disabled by default. CPU-Z had vulnerable drivers.

But VT on that CPU-Z file is clean, and even ESET confirmed clean on VT. What about the Lightshot app from the web URL detection? Is it a false positive?
Nightowl (Most Valued Member), posted October 20, 2019:

40 minutes ago, Mr.Wong said: But VT on that CPU-Z file is clean, and even ESET confirmed clean on VT. What about the Lightshot app from the web URL detection? Is it a false positive?

The Lightshot installer has some kind of toolbar that I never encountered, so you get a false positive only on the installer, not on the application itself.
Marcos (Administrator), posted October 20, 2019:

It's not a false positive:

setup-lightshot.exe\INNO\{tmp}\downloader.exe  Win32/Bundled.Toolbar.Yandex potentially unsafe application

Other files in the installer also show that there's a Yandex toolbar bundled:

elements-eula-tr.rtf
yandex_browser_setup_ru.bmp
downloader.exe
browser-page-ru.rtf
yandex_logo_en.bmp
elements-eula-ru.rtf
browser-elements-eula-tr.rtf
browser-page-tr.rtf
setupupdater.exe
yandex_logo_ru.bmp
browser-elements-eula-ru.rtf
browser-eula-tr.rtf
browser-eula-ru.rtf
yandex_browser_setup_tr.bmp

PUsA detection is optional and is disabled by default. If one needs to use a particular application detected as PUsA, he or she should exclude it from detection by the detection name.

As for the CPU-Z driver, it's not detected at VT because VT doesn't use real-time protection but on-demand scanners to scan files. In this particular case it makes a difference.
Mr.Wong (author), posted October 20, 2019:

1 hour ago, Rami said: The Lightshot installer has some kind of toolbar that I never encountered, so you get a false positive only on the installer, not on the application itself.

Weird. I never saw any toolbar or bundle in the app. Is it trying to stealth-install that junk?

1 hour ago, Marcos said: It's not a false positive: setup-lightshot.exe\INNO\{tmp}\downloader.exe Win32/Bundled.Toolbar.Yandex potentially unsafe application. Other files in the installer also show that there's a Yandex toolbar bundled: elements-eula-tr.rtf, yandex_browser_setup_ru.bmp, downloader.exe, browser-page-ru.rtf, yandex_logo_en.bmp, elements-eula-ru.rtf, browser-elements-eula-tr.rtf, browser-page-tr.rtf, setupupdater.exe, yandex_logo_ru.bmp, browser-elements-eula-ru.rtf, browser-eula-tr.rtf, browser-eula-ru.rtf, yandex_browser_setup_tr.bmp. PUsA detection is optional and is disabled by default. If one needs to use a particular application detected as PUsA, he or she should exclude it from detection by the detection name. As for the CPU-Z driver, it's not detected at VT because VT doesn't use real-time protection but on-demand scanners to scan files. In this particular case it makes a difference.

May I ask where you found those files you listed? I am curious, because I used this tool in the past for more than a year and just reinstalled it on my secondary machine with ESET as well and got flagged too, but I don't see any toolbar or bundle in the installer app. Is it trying to stealth-install that junk?
Nightowl (Most Valued Member), posted October 21, 2019:

15 hours ago, Mr.Wong said: Weird. I never saw any toolbar or bundle in the app. Is it trying to stealth-install that junk? May I ask where you found those files you listed? I am curious, because I used this tool in the past for more than a year and just reinstalled it on my secondary machine with ESET as well and got flagged too, but I don't see any toolbar or bundle in the installer app. Is it trying to stealth-install that junk?

I believe it's some kind of files still stuck in the installer. I don't see the installer trying to install anything or even prompting you for that, and after the installation is finished, you will scan your computer and find nothing from Lightshot. And ESET doesn't find any problem with the Lightshot application itself.
itman, posted October 21, 2019:

@Rami is correct. It's the installer that contains the PUA/PUP components. Refer to this article for another example like this of how crud is embedded in installers, and a way to remove the crud from the installer before installation: https://superuser.com/questions/1246402/remove-adware-from-installer-exe-before-installation . I have often commented in other forums that there really is no such thing as "free" software. For many of these, you will indeed end up paying for the software via adware and the like.
itman, posted October 21, 2019:

As far as CPU-Z goes, download the zip version from here: https://www.cpuid.com/softwares/cpu-z.html . It is in essence the portable version and installs no drivers. It will run with ESET not detecting anything.
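The two practical points above, Marcos's observation that the installer's own member list gives the bundled Yandex toolbar away and itman's point that a portable zip should ship no kernel driver, can both be checked before anything is run. The following Python script is an added example, not code from the forum, ESET or any of the posters: it opens a downloaded ZIP (or an installer payload already unpacked into a ZIP), hashes every member for a VirusTotal lookup, and tags members whose names match bundleware markers taken from the file names quoted in the thread or that are kernel drivers (.sys). The two archives it triages are constructed in memory with stub contents and placeholder names; the marker list is a starting point a team would extend, not an official or complete signature set.

```python
"""Triage the member list of a downloaded archive before running it.

Added example (not from the forum thread). The marker strings come from
the installer member names quoted in the thread; both sample archives
below are constructed with stub contents.
"""
import hashlib
import io
import zipfile

# Bundleware markers: substrings of member names quoted in the thread.
BUNDLEWARE_MARKERS = (
    "yandex",
    "browser-elements-eula",
    "browser-eula",
    "downloader.exe",
    "setupupdater.exe",
)
# A "portable" tool should carry no kernel driver alongside its executable.
DRIVER_SUFFIXES = (".sys",)


def classify_name(name):
    """Return the indicator tags that apply to one archive member name."""
    base = name.rsplit("/", 1)[-1].lower()  # strip any directory prefix
    tags = []
    if any(marker in base for marker in BUNDLEWARE_MARKERS):
        tags.append("bundleware")
    if base.endswith(DRIVER_SUFFIXES):
        tags.append("kernel-driver")
    return tags


def triage_archive(data):
    """Inspect ZIP bytes; return {member_name: {"sha256": ..., "tags": [...]}}.

    The SHA-256 is what you would paste into a VirusTotal lookup; the tags
    are the local heuristics from the thread.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            report[info.filename] = {
                "sha256": digest,
                "tags": classify_name(info.filename),
            }
    return report


def summarize(report):
    """Collapse a triage report into the sorted set of indicator tags seen."""
    return sorted({tag for entry in report.values() for tag in entry["tags"]})


def build_zip(members):
    """Build a ZIP in memory from {name: bytes}. Used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample: an installer payload laid out like the members quoted
# in the thread, next to the application's own executable.
BUNDLED_INSTALLER = build_zip({
    "INNO/{tmp}/downloader.exe": b"MZ-stub",
    "INNO/{tmp}/yandex_logo_en.bmp": b"BM-stub",
    "INNO/{tmp}/browser-elements-eula-ru.rtf": b"{\\rtf1 stub}",
    "INNO/{app}/Lightshot.exe": b"MZ-stub",
})

# Constructed sample: a "portable" archive that nevertheless ships a driver
# (placeholder names, not a real product's files).
TOOL_WITH_DRIVER = build_zip({
    "tool.exe": b"MZ-stub",
    "tool_driver.sys": b"MZ-stub",
})


if __name__ == "__main__":
    for label, blob in (("installer", BUNDLED_INSTALLER), ("portable", TOOL_WITH_DRIVER)):
        report = triage_archive(blob)
        print(f"{label}: indicators={summarize(report)}")
        for member, entry in report.items():
            print(f"  {member}  sha256={entry['sha256'][:16]}...  tags={entry['tags']}")
```

Running it prints both reports; the installer sample is flagged only for its bundleware members while Lightshot.exe itself carries no tag, which matches the thread's conclusion that the installer, not the application, triggers the PUsA detection. Replace the constructed archives with `open(path, "rb").read()` on a real download to use it.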
itman, posted October 21, 2019:

22 hours ago, Mr.Wong said: Weird. I never saw any toolbar or bundle in the app. Is it trying to stealth-install that junk?

https://malwaretips.com/blogs/remove-yandex-ru-search/
itman, posted October 21, 2019:

Tip: When it comes to freeware, always opt for the "portable" version. As such, no software installation is performed. If the freeware does not offer a "portable" version in the form of a zipped download, consider that "a big red flag" that something is suspicious about the software. Note that LightShot is not offered in a portable version.

Now the following I find hilarious. There is a web site that supposedly offers a portable version of LightShot here: https://karanpc.com/lightshot-free-download/ . When you select the DirectLink download, you are greeted with the below screenshot. If you proceed further, you are indeed a fool.
peteyt (Most Valued Member), posted October 22, 2019:

18 hours ago, itman said: Tip: When it comes to freeware, always opt for the "portable" version. As such, no software installation is performed. If the freeware does not offer a "portable" version in the form of a zipped download, consider that "a big red flag" that something is suspicious about the software. Note that LightShot is not offered in a portable version. Now the following I find hilarious. There is a web site that supposedly offers a portable version of LightShot here: https://karanpc.com/lightshot-free-download/ . When you select the DirectLink download, you are greeted with the below screenshot. If you proceed further, you are indeed a fool.

And the scary thing is people will whitelist it.
Nightowl (Most Valued Member), posted October 23, 2019:

Yes, people will trust it and will whitelist it. Also, I believe it's better to take Lightshot only from their official website.