
False positives?


Mr.Wong


Hello. I think these two detections are false positives.

[Screenshot: Capture.JPG]

1) the file attached below and VT here: https://www.virustotal.com/gui/file/53fc9866b51dfbc0516436a1d6cc0789749f83fcd8ae84d6205595e7e20e1370/detection

It is a file associated with the CPU-Z app.

[Attachment: New Compressed (zipped) Folder.zip]

2) The second is Lightshot, which I used in the past, and it is safe, so why is it flagged as a threat now? I can't install the Lightshot app. Site VT here: https://app.prntscr.com/en/index.html


  • Administrators

The detection is correct: the said drivers are detected as a potentially unsafe application, which is an optional detection and is disabled by default. CPU-Z had vulnerable drivers.


7 hours ago, Marcos said:

The detection is correct: the said drivers are detected as a potentially unsafe application, which is an optional detection and is disabled by default. CPU-Z had vulnerable drivers.

But VT shows that CPU-Z file as clean, and even ESET reports it clean on VT.

What about the lightshot app from the web url detection? Is it a false positive?


  • Most Valued Members
40 minutes ago, Mr.Wong said:

But VT shows that CPU-Z file as clean, and even ESET reports it clean on VT.

What about the lightshot app from the web url detection? Is it a false positive?

The Lightshot installer has some kind of toolbar that I never encountered, so you get a false positive only on the installer, not on the application itself.


  • Administrators

It's not a false positive:

setup-lightshot.exe\INNO\{tmp}\downloader.exe    Win32/Bundled.Toolbar.Yandex potentially unsafe application

Other files in the installer also show that there's a Yandex toolbar bundled:

elements-eula-tr.rtf
yandex_browser_setup_ru.bmp
downloader.exe
browser-page-ru.rtf
yandex_logo_en.bmp
elements-eula-ru.rtf
browser-elements-eula-tr.rtf
browser-page-tr.rtf
setupupdater.exe
yandex_logo_ru.bmp
browser-elements-eula-ru.rtf
browser-eula-tr.rtf
browser-eula-ru.rtf
yandex_browser_setup_tr.bmp

PUsA detection is optional and is disabled by default. If one needs to use a particular application detected as PUsA, he or she should exclude it from detection by the detection name.

As for the CPU-Z driver, it's not detected at VT because VT doesn't use real-time protection but on-demand scanners to scan files. In this particular case it makes a difference.

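The file names above are what a scanner sees when it unpacks the Inno Setup archive inside setup-lightshot.exe; the installed application never shows them, which is why a user who only looks at the running program sees no toolbar. The following is an added example, not code from this thread, from ESET or from Lightshot: a small Python triage script that takes an installer's file listing (as an extraction tool such as innounp or 7-Zip would print it; how that listing is obtained is assumed, and the sample listing here is constructed from the names quoted in the post) together with the installer's raw bytes, and flags entries and embedded strings that match bundle indicators. The indicator keyword list and the sample bytes are illustrative assumptions, not a real PUA signature set.

```python
"""Triage an installer's file listing and raw bytes for bundled components.

Added example, not code from the forum thread, from ESET or from Lightshot.
Assumptions: the listing comes from an extraction tool such as innounp or
7-Zip (the sample below is constructed from the names quoted in the thread),
and the indicator keywords are illustrative rather than a real signature set.
"""
import re
from typing import Iterable

# Indicator keywords: a known bundle vendor plus generic dropper/EULA names.
# Assumption: illustrative list, extend it for your own environment.
BUNDLE_INDICATORS = (
    "yandex", "toolbar", "downloader", "setupupdater",
    "browser-eula", "elements-eula", "browser-page", "offer", "sponsor",
)

# Constructed listing: names Marcos quoted from setup-lightshot.exe plus two
# clean entries a screenshot tool would legitimately ship.
SAMPLE_LISTING = """\
{app}\\Lightshot.exe
{app}\\license.txt
{tmp}\\elements-eula-tr.rtf
{tmp}\\yandex_browser_setup_ru.bmp
{tmp}\\downloader.exe
{tmp}\\browser-page-ru.rtf
{tmp}\\yandex_logo_en.bmp
{tmp}\\setupupdater.exe
{tmp}\\browser-eula-ru.rtf
"""

# Constructed bytes standing in for a slice of the installer: a fake PE
# header, an Inno marker, one UTF-16LE name and one ASCII name.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Inno Setup Setup Data" + b"\x00" * 4
    + "yandex_browser_setup_ru.bmp".encode("utf-16-le") + b"\x00" * 8
    + b"downloader.exe" + b"\x00" * 4
)


def flag_bundled_entries(listing: str,
                         indicators: Iterable[str] = BUNDLE_INDICATORS) -> dict:
    """Map each suspicious entry to the indicator keywords its name matched.

    Matching is case-insensitive on the base name only, so a legitimate
    directory name does not taint every file stored under it.
    """
    hits = {}
    for line in listing.splitlines():
        entry = line.strip()
        if not entry:
            continue
        base = re.split(r"[\\/]", entry)[-1].lower()
        matched = [kw for kw in indicators if kw in base]
        if matched:
            hits[entry] = matched
    return hits


def scan_bytes_for_indicators(blob: bytes,
                              indicators: Iterable[str] = BUNDLE_INDICATORS) -> list:
    """Return sorted (offset, encoding, keyword) tuples for indicator strings.

    Windows installers frequently store strings as UTF-16LE, which an ASCII
    'strings' pass misses, so both encodings are searched. bytes.lower()
    only folds ASCII letters, which is exactly what UTF-16LE ASCII text needs.
    """
    found = []
    lowered = blob.lower()
    for kw in indicators:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.encode(enc)
            start = 0
            while True:
                idx = lowered.find(needle, start)
                if idx == -1:
                    break
                found.append((idx, enc, kw))
                start = idx + 1
    return sorted(found)


def triage(listing: str, blob: bytes) -> dict:
    """Combine both checks into one report; 'bundled' is True on any hit."""
    entries = flag_bundled_entries(listing)
    strings = scan_bytes_for_indicators(blob)
    return {"bundled_entries": entries, "string_hits": strings,
            "bundled": bool(entries or strings)}


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING, SAMPLE_BLOB)
    for entry, kws in report["bundled_entries"].items():
        print(f"{entry:40} <- {', '.join(kws)}")
    for off, enc, kw in report["string_hits"]:
        print(f"offset {off:6} {enc:10} {kw}")
    print("bundled components present:", report["bundled"])
```

Run it against a real installer by replacing SAMPLE_LISTING with the output of your extraction tool and SAMPLE_BLOB with the file's bytes. A name-based check like this is only a first pass; the authoritative answer is still to extract the archive and read the third-party EULA files it contains.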

1 hour ago, Rami said:

The Lightshot installer has some kind of toolbar that I never encountered, so you get a false positive only on the installer, not on the application itself.

Weird. I never saw any toolbar or bundle in the app. Does it try to stealth-install that junk?


1 hour ago, Marcos said:

It's not a false positive:

setup-lightshot.exe\INNO\{tmp}\downloader.exe    Win32/Bundled.Toolbar.Yandex potentially unsafe application

Other files in the installer also show that there's a Yandex toolbar bundled:

elements-eula-tr.rtf
yandex_browser_setup_ru.bmp
downloader.exe
browser-page-ru.rtf
yandex_logo_en.bmp
elements-eula-ru.rtf
browser-elements-eula-tr.rtf
browser-page-tr.rtf
setupupdater.exe
yandex_logo_ru.bmp
browser-elements-eula-ru.rtf
browser-eula-tr.rtf
browser-eula-ru.rtf
yandex_browser_setup_tr.bmp

PUsA detection is optional and is disabled by default. If one needs to use a particular application detected as PUsA, he or she should exclude it from detection by the detection name.

As for the CPU-Z driver, it's not detected at VT because VT doesn't use real-time protection but on-demand scanners to scan files. In this particular case it makes a difference.

May I ask where you found those files you listed? I am curious because I used this tool in the past for more than a year and just reinstalled it on my secondary machine, with ESET as well, and it got flagged too, but I don't see any toolbar or bundle in the installer app. Does it try to stealth-install that junk?


  • Most Valued Members
15 hours ago, Mr.Wong said:

Weird. I never saw any toolbar or bundle in the app. Does it try to stealth-install that junk?


May I ask where you found those files you listed? I am curious because I used this tool in the past for more than a year and just reinstalled it on my secondary machine, with ESET as well, and it got flagged too, but I don't see any toolbar or bundle in the installer app. Does it try to stealth-install that junk?

I believe that it's some kind of files still stuck in the installer. I don't see the installer trying to install anything or even prompting you for that, and after the installation is finished, if you scan your computer you will find nothing from Lightshot. ESET doesn't find any problem with the Lightshot application itself.


@Rami is correct. It's the installer that contains the PUA/PUP components.

Refer to this article for another similar example of how crud is embedded in installers and a way to remove the crud from the installer before installation: https://superuser.com/questions/1246402/remove-adware-from-installer-exe-before-installation .

I have often commented in other forums that there really is no such thing as "free" software. For many of these, you will indeed end up paying for the software via adware and the like.


Tip: When it comes to freeware, always opt for the "portable" version. As such, no software installation is performed.

If the freeware does not offer a "portable" version in the form of a zipped download, consider that "a big red flag" that something is suspicious about the software.

Note that LightShot is not offered in a portable version. Now the following I find hilarious. There is a web site that supposedly offers a portable version of LightShot here: https://karanpc.com/lightshot-free-download/ . When you select the DirectLink download, you are greeted with the below screenshot. If you proceed further, you are indeed a fool.

[Screenshot: Eset_LightShot.png]


  • Most Valued Members
18 hours ago, itman said:

Tip: When it comes to freeware, always opt for the "portable" version. As such, no software installation is performed.

If the freeware does not offer a "portable" version in the form of a zipped download, consider that "a big red flag" that something is suspicious about the software.

Note that LightShot is not offered in a portable version. Now the following I find hilarious. There is a web site that supposedly offers a portable version of LightShot here: https://karanpc.com/lightshot-free-download/ . When you select the DirectLink download, you are greeted with the below screenshot. If you proceed further, you are indeed a fool.

[Screenshot: Eset_LightShot.png]


And the scary thing is that people will whitelist it.


  • Most Valued Members

Yes, people will trust it and whitelist it too :D

I believe it's better to take lightshot only from their official website.

