Ad-Aware False Positive?


WDGC
12-20-2005, 10:10 AM
I just ran a scan with Ad-Aware and was quite surprised to find 1 critical object had been found. First time ever.



Name:Spyware.AdvancedKeyLogger
Category:Spyware
Object Type:Process
Size:-
Location:C:\Program Files\Sygate\SPF\tse.dll
Last Activity:20-12-2005 9:37:47 AM
Relevance:High
TAC index:10
Comment:(CSI MATCH)
Description:Spyware.AdvancedKey is a keylogger that monoitors clipboard contents, and takes desktop screenshots.



For further information one is directed to the "TAC page for Spyware.AdvancedKeyLogger" the URL of which is:

http://www.lavasoftnews.com/ms/display_main.php?tac=Spyware.AdvancedKeyLogger

however this page is somewhat less than enlightening.



A search with Google for Spyware.AdvancedKeyLogger only found 4 instances, with only 2 of possible relevance. One is a Lavasoft blog showing Spyware.AdvancedKeyLogger is part of the latest definitions and the other is a French forum [in French] possibly saying something about a false alert.

Lavasoft blog (http://www.lavasoftresearch.com/blog/)

Fausse alerte - Spyware AdvancedKeylogger (http://www.mainsoft.fr/Forums/ShowPost.aspx?PostID=104)


The supposed location of Spyware.AdvancedKeyLogger - C:\Program Files\Sygate\SPF\tse.dll - seems rather odd, as tse.dll is a legitimate component of C:\Program Files\Sygate\SPF. What happens to the firewall if Ad-Aware quarantines or deletes "Spyware.AdvancedKeyLogger"?

MS AntiSpyWare, Spybot SD and AVG didn't detect anything and what the "Last Activity:20-12-2005 9:37:47 AM" entailed is beyond me.

I find it hard to believe something undesirable is present, but not having any experience of "critical objects", I'd appreciate the views of others on this matter.

.

PrntRhd
12-20-2005, 10:24 AM
While waiting for one of the experts, it would not hurt to run the free Ewido malware scan:
http://www.ewido.net/en/
I am assuming you are running 2000/XP; I believe the scan also has to be done using IE.

WDGC
12-20-2005, 06:57 PM
... it would not hurt to run the free Ewido malware scan ...

I'm using XP Pro SP2 and IE is needed to run the scan.

The scan didn't find anything - not one item.

Should the approximately 5 MB download of the online scanner now be uninstalled, and if so, what is the best procedure to follow?

.

WDGC
12-23-2005, 08:55 AM
Since my last message I have sent the "1 New Critical Objects found" file - Location:C:\Program Files\Sygate\SPF\tse.dll - for online scanning at Virusscan and Virustotal.

Each reported tse.dll to be uninfected.

Ad-Aware continues to give the notification " Scan Complete, Summary: 1 New Critical Objects found", but I think this is almost certainly a false positive.

Virusscan (http://virusscan.jotti.org/)

Virustotal (http://www.virustotal.com/xhtml/index_en.html)

.
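Submitting the file to multi-engine scanners is one check; another is comparing the flagged file byte-for-byte with a known-good copy of the same component (for example the copy on the original install CD, or an installation on a second machine that has never been online, as the later post in this thread does). The script below is an added example written for this thread, not something the poster or Lavasoft provided. It hashes both copies in chunks and reports whether they are identical; the file contents it uses are constructed stand-in bytes, not the real tse.dll, and the paths are temporary files.

```python
import hashlib
import os
import tempfile

# Constructed stand-in bytes for a DLL image; the real tse.dll is not reproduced here.
REFERENCE_IMAGE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 4


def file_digests(path, chunk_size=65536):
    """Return MD5, SHA-1 and SHA-256 hex digests of a file, reading it in chunks
    so that large binaries do not have to be loaded into memory at once."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def compare_with_reference(flagged_path, reference_path):
    """Compare the flagged file with a known-good copy (for example the same
    file installed from the original CD on a machine that was never online).
    A byte-identical SHA-256 means the flagged copy has not been altered;
    a mismatch is a reason to keep investigating, not proof of infection."""
    flagged = file_digests(flagged_path)
    reference = file_digests(reference_path)
    return {
        "identical": flagged["sha256"] == reference["sha256"],
        "flagged": flagged,
        "reference": reference,
        "flagged_size": os.path.getsize(flagged_path),
        "reference_size": os.path.getsize(reference_path),
    }


def demo():
    """Write the constructed reference bytes, an identical copy and a copy with
    one byte changed into a temporary directory and compare each copy."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "tse.dll.reference")
        same = os.path.join(tmp, "tse.dll.same")
        changed = os.path.join(tmp, "tse.dll.changed")
        altered = REFERENCE_IMAGE[:100] + b"\xff" + REFERENCE_IMAGE[101:]
        for path, data in ((ref, REFERENCE_IMAGE), (same, REFERENCE_IMAGE), (changed, altered)):
            with open(path, "wb") as fh:
                fh.write(data)
        return {
            "identical_copy": compare_with_reference(same, ref)["identical"],
            "modified_copy": compare_with_reference(changed, ref)["identical"],
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: sha256 match = {result}")
```

The hex digests are also what the online scanners accept as a lookup key, so the same values can be checked against their prior results without uploading the file again. The comparison only establishes that the two copies are the same bytes; whether those bytes are what the vendor shipped is a separate question answered by the install media or a vendor-published hash.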

Budfred
12-23-2005, 09:12 AM
I would just set Ad-Aware to ignore that item...

WDGC
12-24-2005, 02:07 AM
Quite so. I also posted to an existing thread at CastleCops (http://castlecops.com/p682793-False_positive_Spyware_AdvancedKeyLogger.html#682793) where a couple of similar instances have been reported.

CastleCops have informed Lavasoft of the issue.

.

WDGC
12-25-2005, 08:14 PM
Further to my other posts, yesterday I started another of my - mothballed - computers. This machine, Xp Home Edit. SP2, has not been used since mid-July - 5 months.

I ran an Ad-Aware scan with the existing [old] definitions and nothing was found. I then applied all necessary MS updates from a CD, connected to the internet [dial-up], updated the A-V program, updated Ad-Aware [SE1R82 19.12.2005] and scanned the system with Ad-Aware.

The result was exactly the same as with the every-day-used machine:

Name:Spyware.AdvancedKeyLogger
Category:Spyware
Object Type:Process
Size:-
Location:C:\Program Files\Sygate\SPF\tse.dll
Last Activity:25-12-2005 1:53:46 AM
Relevance:High
TAC index:10
Comment:(CSI MATCH)
Description:Spyware.AdvancedKey is a keylogger that monoitors clipboard contents, and takes desktop screenshots.


Last Activity:25-12-2005 1:53:46 AM is interesting - the system hadn't been running for 5 months until 9:30:01 AM, 25/12/2005


[Event Viewer, System entry]


Event Type: Information
Event Source: EventLog
Event Category: None
Event ID: 6005
Date: 25/12/2005
Time: 9:30:01 AM
User: N/A
Computer: WDGR
Description:
The Event log service was started.



I then subjected the system and tse.dll to the same tests and scans as reported before, with the same results - all clear.

The 2 computers referred to have never been connected or linked in any way. The Sygate installation on each is exactly the same - installed from the same CD to which I had written a copy of Sygate 5.5.2525 on 25/01/2004.

Whilst these results don't prove the Spyware.AdvancedKeyLogger detection is a false positive, I believe they further strengthen the evidence that such is the case.

.
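The timestamp observation in the post above is worth making mechanical: a "Last Activity" of 1:53:46 AM on a machine whose Event ID 6005 (Event log service started) shows it booted at 9:30:01 AM the same day cannot be a runtime observation of a process on that boot. The script below is an added example written for this thread, not tool output or code from the poster; it parses the two records as transcribed above (constructed input for the example), reads the Ad-Aware timestamp as DD-MM-YYYY and the Event Viewer date as DD/MM/YYYY (the locale visible in the post, an assumption for any other machine), and reports whether the two times are consistent.

```python
from datetime import datetime

# Both records are transcribed from the thread above (constructed input for this
# example; the machine in the post produced them, this script did not).
ADAWARE_RECORD = r"""Name:Spyware.AdvancedKeyLogger
Category:Spyware
Object Type:Process
Size:-
Location:C:\Program Files\Sygate\SPF\tse.dll
Last Activity:25-12-2005 1:53:46 AM
Relevance:High
TAC index:10
Comment:(CSI MATCH)"""

EVENT_6005 = """Event Type: Information
Event Source: EventLog
Event Category: None
Event ID: 6005
Date: 25/12/2005
Time: 9:30:01 AM
User: N/A
Computer: WDGR
Description:
The Event log service was started."""


def parse_fields(text):
    """Turn 'Key:Value' / 'Key: Value' lines into a dict; lines without a colon
    (such as the event description body) are ignored. Only the first colon
    splits, so 'Location:C:\\...' keeps its drive letter."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def last_activity_time(record_text):
    """Ad-Aware shows the timestamp as DD-MM-YYYY H:MM:SS AM/PM in this post."""
    fields = parse_fields(record_text)
    return datetime.strptime(fields["Last Activity"], "%d-%m-%Y %I:%M:%S %p")


def boot_time_from_event(event_text):
    """Event ID 6005 ('The Event log service was started') marks system start-up;
    Event Viewer shows the date as DD/MM/YYYY on the poster's locale."""
    fields = parse_fields(event_text)
    if fields.get("Event ID") != "6005":
        raise ValueError("expected an Event ID 6005 record")
    return datetime.strptime(f"{fields['Date']} {fields['Time']}", "%d/%m/%Y %I:%M:%S %p")


def assess(record_text, event_text):
    """Compare the detection's 'Last Activity' with the boot that produced the scan.
    An activity time earlier than the boot cannot describe a process seen running
    on that boot, so the field must mean something else (the script does not
    guess what)."""
    activity = last_activity_time(record_text)
    boot = boot_time_from_event(event_text)
    return {
        "last_activity": activity.isoformat(),
        "boot_time": boot.isoformat(),
        "hours_before_boot": round((boot - activity).total_seconds() / 3600, 2),
        "plausible_runtime_observation": activity >= boot,
    }


if __name__ == "__main__":
    for key, value in assess(ADAWARE_RECORD, EVENT_6005).items():
        print(f"{key}: {value}")
```

The check is an internal-consistency test only: it shows the two timestamps cannot both describe a process observed on the 25/12/2005 boot, which is the point the post makes, and says nothing about what Ad-Aware actually stores in that field. On a machine with a different regional date format the two format strings have to be changed to match.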

WDGC
12-28-2005, 08:03 PM
Lavasoft acknowledged a false positive.

CastleCops thread (http://castlecops.com/postlite141976-.html)

Latest Ad Aware definitions, SE1R84 28.12.2005, don't detect Spyware.AdvancedKeyLogger.

Issue resolved.

.