Jump to content

Recommended Posts

Hello. I think these two detections are false positives.

Capture.thumb.JPG.0bd632c97341bb8fb6054f6baf708e6e.JPG

1) the file attached below and VT here: https://www.virustotal.com/gui/file/53fc9866b51dfbc0516436a1d6cc0789749f83fcd8ae84d6205595e7e20e1370/detection

It is file associate with CPU-Z app.

New Compressed (zipped) Folder.zip

2) The second is lightshot that I used in the past, and it is safe so why flagged as a threat now? I can't install lightshot app. Site VT here: https://app.prntscr.com/en/index.html

 

Edited by Mr.Wong

Share this post


Link to post
Share on other sites

The detection is correct, the said drivers are detected as a potentially unsafe application which is an optional detection and is disabled by default. CPU-Z had vulnerable drivers.

Share this post


Link to post
Share on other sites
7 hours ago, Marcos said:

The detection is correct, the said drivers are detected as a potentially unsafe application which is an optional detection and is disabled by default. CPU-Z had vulnerable drivers.

But VT on that CPU-Z file is clean, and even ESET confirmed clean on VT.

What about the lightshot app from the web url detection? Is it a false positive?

Share this post


Link to post
Share on other sites
40 minutes ago, Mr.Wong said:

But VT on that CPU-Z file is clean, and even ESET confirmed clean on VT.

What about the lightshot app from the web url detection? Is it a false positive?

Lightshot installer has somekind of a toolbar that I never encountered , so you get a false positive only on the installer not on the application itself.

Share this post


Link to post
Share on other sites

It's not a false positive:

setup-lightshot.exe\INNO\{tmp}\downloader.exe    Win32/Bundled.Toolbar.Yandex potentially unsafe application

Other files in the installer also show that there's a Yandex toolbar bundled:

elements-eula-tr.rtf         
yandex_browser_setup_ru.bmp  
downloader.exe               
browser-page-ru.rtf          
yandex_logo_en.bmp           
elements-eula-ru.rtf         
browser-elements-eula-tr.rtf
browser-page-tr.rtf          
setupupdater.exe             
yandex_logo_ru.bmp           
browser-elements-eula-ru.rtf
browser-eula-tr.rtf          
browser-eula-ru.rtf          
yandex_browser_setup_tr.bmp  

PUsA detection is optional and is disabled by default. If one needs to use a particular application detected as PUsA, he or she should exclude it from detection by the detection name.

As for the CPU-Z driver, it's not detected at VT because VT doesn't use real-time protection but on-demand scanners to scan files. In this particular case it makes a difference.

Share this post


Link to post
Share on other sites
1 hour ago, Rami said:

Lightshot installer has somekind of a toolbar that I never encountered , so you get a false positive only on the installer not on the application itself.

Weird. I never see any toolbar or bundle in the app. Is it try to stealth install them junks?

 

1 hour ago, Marcos said:

It's not a false positive:

setup-lightshot.exe\INNO\{tmp}\downloader.exe    Win32/Bundled.Toolbar.Yandex potentially unsafe application

Other files in the installer also show that there's a Yandex toolbar bundled:

elements-eula-tr.rtf         
yandex_browser_setup_ru.bmp  
downloader.exe               
browser-page-ru.rtf          
yandex_logo_en.bmp           
elements-eula-ru.rtf         
browser-elements-eula-tr.rtf
browser-page-tr.rtf          
setupupdater.exe             
yandex_logo_ru.bmp           
browser-elements-eula-ru.rtf
browser-eula-tr.rtf          
browser-eula-ru.rtf          
yandex_browser_setup_tr.bmp  

PUsA detection is optional and is disabled by default. If one needs to use a particular application detected as PUsA, he or she should exclude it from detection by the detection name.

As for the CPU-Z driver, it's not detected at VT because VT doesn't use real-time protection but on-demand scanners to scan files. In this particular case it makes a difference.

May I ask where you find those files you listed? I am curious though because I used this tool in the past for more than a year and just reinstalled it on my secondary machine with ESET as well and got flagged too, but I don't see any toolbar or bundle in the installer app. Is it try to stealth install them junks?

Share this post


Link to post
Share on other sites
15 hours ago, Mr.Wong said:

Weird. I never see any toolbar or bundle in the app. Is it try to stealth install them junks?

 

May I ask where you find those files you listed? I am curious though because I used this tool in the past for more than a year and just reinstalled it on my secondary machine with ESET as well and got flagged too, but I don't see any toolbar or bundle in the installer app. Is it try to stealth install them junks?

I believe that it's some kind of files still stuck in the Installer , I don't see the installer trying to install anything or even prompt you for that and after the installation is finished , you will scan your computer and then you will find nothing from lightshot. and ESET doesn't find any problem with the lightshot application itself.

Share this post


Link to post
Share on other sites

@Rami is correct. It's the installer that contains the PUA/PUP components.

Refer to this article for another like example of how crud is embedded in installers and a way to remove the crud from the installer: https://superuser.com/questions/1246402/remove-adware-from-installer-exe-before-installation .

I have often commented in other forums that there really is no such thing as "free" software. For many of these, you will indeed end up paying for the software via adware and the like.

Share this post


Link to post
Share on other sites

Tip: When it comes to freeware, always opt for the "portable" version. As such, no software installation is performed.

If the freeware does not offer a "portable" version in the form of a zipped download, consider that "a big red flag" that something is suspicious about the software.

Note that LightShot is not offered in a portable version. Now the following I find hilarious. There is a web site that supposedly offers a portable version of LightShot here: https://karanpc.com/lightshot-free-download/ . When you select the DirectLink download, you are greeted with the below screenshot. If you proceed further, you are indeed a fool.

Eset_LightShot.thumb.png.c3ec3890dbe4a690ac2d3ba71bfa3fc5.png

 

Share this post


Link to post
Share on other sites
18 hours ago, itman said:

Tip: When it comes to freeware, always opt for the "portable" version. As such, no software installation is performed.

If the freeware does not offer a "portable" version in the form of a zipped download, consider that "a big red flag" that something is suspicious about the software.

Note that LightShot is not offered in a portable version. Now the following I find hilarious. There is a web site that supposedly offers a portable version of LightShot here: https://karanpc.com/lightshot-free-download/ . When you select the DirectLink download, you are greeted with the below screenshot. If you proceed further, you are indeed a fool.

Eset_LightShot.thumb.png.c3ec3890dbe4a690ac2d3ba71bfa3fc5.png

 

And the scary thing is people will whitelist it

Share this post


Link to post
Share on other sites

Yes people will trust it and will whitelist it also :D

I believe it's better to take lightshot only from their official website.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...