Post #1 | Sep 6 2006, 05:54 PM
Lavasoft Staff | Group: Administrators | Posts: 8,814 | Joined: 19-April 06 | From: Central Florida, USA | Member No.: 65
There are many such utility tools that are detected as a potential "Hacktool" by most security products. There is no way for a scanner to know if such a utility that overrides default system security is for a malicious purpose (by a virus or remote attacker) or if it was installed on purpose by the user. That is simply to alert the user to its existence on the system. If you did install this on purpose, then you would want to put that detection on your ignore list.

That particular utility does override the SP2 limitation on open TCP connections. However, if that is a good thing for you and you are aware of it, then it certainly wasn't installed unknowingly by malware. If you were to scan that file with a number of antivirus programs you would get similar results:

Complete scanning result of "EvID4226Patch.exe", received in VirusTotal at 09.14.2006, 14:58:30 (CET).

Antivirus           Version         Update       Result
AntiVir             7.2.0.16        09.14.2006   no virus found
Authentium          4.93.8          09.13.2006   no virus found
Avast               4.7.844.0       09.13.2006   no virus found
AVG                 386             09.13.2006   Potentially harmful program HackTool.AB
BitDefender         7.2             09.14.2006   Application.Tool.Evid.G
CAT-QuickHeal       8.00            09.13.2006   (Suspicious) - DNAScan
ClamAV              devel-20060426  09.14.2006   no virus found
eTrust-InoculateIT  23.72.124       09.14.2006   no virus found
eTrust-Vet          30.3.3077       09.14.2006   no virus found
DrWeb               4.33            09.14.2006   no virus found
Ewido               4.0             09.14.2006   Not-A-Virus.Hacktool.EvID
Fortinet            2.82.0.0        09.13.2006   Evid
F-Prot              3.16f           09.13.2006   no virus found
F-Prot4             4.2.1.29        09.13.2006   no virus found
Ikarus              0.2.65.0        09.13.2006   no virus found
Kaspersky           4.0.2.24        09.14.2006   no virus found
McAfee              4851            09.13.2006   potentially unwanted program Tool-Evid
Microsoft           1.1560          09.14.2006   no virus found
NOD32v2             1.1755          09.14.2006   Win32/Tool.EvID4226
Norman              5.80.02         09.14.2006   no virus found
Panda               9.0.0.4         09.14.2006   HackTool/EvID
Sophos              4.09.0          09.14.2006   no virus found
Symantec            8.0             09.14.2006   no virus found
TheHacker           5.9.8.211       09.14.2006   no virus found
UNA                 1.83            09.13.2006   no virus found
VBA32               3.11.1          09.13.2006   no virus found
VirusBuster         4.3.7:9         09.13.2006   no virus found

--------------------
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give personal support via PM. The way to request help is to post a NEW TOPIC in the appropriate forum. Look for the *New Topic* button near the top right when viewing the forums. Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation! Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance: Support Center
Microsoft MVP/Windows - Security 2003-2009

Post #2 | Sep 14 2006, 01:44 PM
Newbie | Group: Members | Posts: 5 | Joined: 14-September 06 | Member No.: 11,484
The Event ID 4226 Patcher is a simple tool to adjust the half-open connection limit for TCP/IP in XP.
http://www.lvllord.de/

QUOTE(Adware)
Name: Win32.Hacktool.ToolEvId
Category: Misc
Object Type: File
Size: 2817230 Bytes
Location: C:\WebSites\Optimize XP.zip
Last Activity: 9-14-2006 10:13:55 AM
Relevance: Low
TAC index: 3
Comment: Object "EvID4226Patch.exe" found in this archive.
Description: Win32.Hacktool.ToolEvId is a tool that allows changing the number of simultaneous half-open connections allowed by XP. Could potentially harm the system and even result in boot failure.

Yeah, boot failure my ######. Who makes this stuff up? Please explain how this utility resulted in a boot failure. Come on, this program is not malicious and should not be detected by Adaware as a "Hack Tool". This is absurd.

Also the associated Prefetch (.pf) trace file (EVID4226PATCH.EXE-2BFB30D2.pf) is being detected as malware, total nonsense. Prefetch (.pf) trace files are non-executable and contain no malicious code.
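One way to check the point made in the post above about prefetch files, as an added example that is not part of the thread, of Ad-Aware, or of the lvllord tool: a short Python script that tells a PE executable from a Windows XP prefetch trace purely by reading header bytes, and pulls the traced executable's name and path hash out of the .pf header. It assumes the XP/2003 prefetch header layout documented in the docstring (version at offset 0, "SCCA" at offset 4, file size at 12, a 60-byte UTF-16LE name at 16, the path hash at 76). The sample .pf bytes are constructed inline; the hash value is copied from the file name quoted in the post, not recomputed, since the script does not implement the XP path-hash function.

```python
"""Tell a PE executable from a Windows XP prefetch (.pf) trace by its header.

Added example (not from the forum thread, Ad-Aware or the lvllord tool).
Assumed layout of the XP/Server 2003 prefetch header:
  offset  0  uint32  format version (17 on XP and Server 2003)
  offset  4  bytes   signature "SCCA"
  offset 12  uint32  file size
  offset 16  60 B    executable name, UTF-16LE, NUL terminated (max 29 chars)
  offset 76  uint32  hash of the executable path (also appears in the .pf name)
"""
import struct

PE_MAGIC = b"MZ"                 # DOS stub header every PE image starts with
PREFETCH_SIGNATURE = b"SCCA"     # prefetch magic, at offset 4
PREFETCH_VERSION_XP = 17
MAM_MAGIC = b"MAM\x04"           # Windows 8+/10 prefetch files are compressed
HEADER_LEN = 84


def classify(data: bytes) -> str:
    """Classify by magic bytes alone; nothing is executed, only read."""
    if data[:2] == PE_MAGIC:
        return "pe-executable"
    if data[4:8] == PREFETCH_SIGNATURE:
        return "prefetch-trace"
    if data[:4] == MAM_MAGIC:
        return "prefetch-trace-compressed"
    return "unknown"


def parse_prefetch_header(data: bytes) -> dict:
    """Return the header fields of an uncompressed prefetch file."""
    if len(data) < HEADER_LEN or data[4:8] != PREFETCH_SIGNATURE:
        raise ValueError("not an uncompressed prefetch file")
    version, = struct.unpack_from("<I", data, 0)
    file_size, = struct.unpack_from("<I", data, 12)
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash, = struct.unpack_from("<I", data, 76)
    return {"version": version, "file_size": file_size,
            "executable": name, "hash": path_hash}


def expected_filename(header: dict) -> str:
    """The on-disk name Windows gives the trace: <EXE>-<HASH8>.pf"""
    return f"{header['executable']}-{header['hash']:08X}.pf"


def build_sample_prefetch(exe_name: str, path_hash: int,
                          version: int = PREFETCH_VERSION_XP) -> bytes:
    """Constructed sample: a header with the fields above plus zero filler.

    Real .pf files carry section tables, file-metrics and volume data after
    the header; none of that is needed here, so it is left as zeros.
    """
    name = exe_name.encode("utf-16-le")
    if len(name) > 58:
        raise ValueError("name too long for the 60-byte field")
    body = bytearray(HEADER_LEN + 64)
    struct.pack_into("<I", body, 0, version)
    body[4:8] = PREFETCH_SIGNATURE
    struct.pack_into("<I", body, 12, len(body))
    body[16:16 + len(name)] = name
    struct.pack_into("<I", body, 76, path_hash)
    return bytes(body)


# Hash value copied from the .pf name quoted in the thread; this example does
# not reimplement the XP path-hash function, so the value is an input here.
SAMPLE_PF = build_sample_prefetch("EVID4226PATCH.EXE", 0x2BFB30D2)
# Constructed stand-in for a PE file: only the DOS magic matters to classify().
SAMPLE_PE = b"MZ" + bytes(62)

if __name__ == "__main__":
    for label, blob in (("EVID4226PATCH.EXE-2BFB30D2.pf", SAMPLE_PF),
                        ("EvID4226Patch.exe", SAMPLE_PE)):
        kind = classify(blob)
        print(f"{label}: {kind}")
        if kind == "prefetch-trace":
            h = parse_prefetch_header(blob)
            print(f"  traces {h['executable']} (version {h['version']}, "
                  f"hash {h['hash']:08X}, expected name {expected_filename(h)})")
```

Run it against a real C:\Windows\Prefetch\*.pf by replacing SAMPLE_PF with the file's bytes; a scanner that flags the .pf is matching on the executable name embedded at offset 16, which is metadata about what ran, not code. Windows 8 and later prefetch files are MAM-compressed and need decompressing (RtlDecompressBufferEx with the XPRESS Huffman format) before the header can be read, which is why classify() only labels them.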

Post #3 | Sep 17 2006, 10:13 PM
Newbie | Group: Members | Posts: 5 | Joined: 14-September 06 | Member No.: 11,484
It is still a false positive and not malicious. No malware installs or uses this tool and it has been out for over a year. There is no reason for Adaware to detect it. Spybot even made this mistake and removed it.

Post #4 | Sep 17 2006, 11:47 PM
Lavasoft Staff | Group: Administrators | Posts: 8,814 | Joined: 19-April 06 | From: Central Florida, USA | Member No.: 65
Hmmmm, small problem with our Board dates today, in that some posts are incorrectly dated Sep 6th instead of the 17th. Hopefully we'll get that fixed soon so it doesn't appear that I answered your question before it was asked.

Well, it does detect that file because it is in the database to do so, as I explained earlier, due to the nature of the tool: it changes the default security settings of XP SP2. So that is not a false detection. If you are the vendor (author) of the program and think that this detection is incorrectly identified or should not be included as such, then you can use the Vendor Help Desk for information and to file a request for review: http://www.lavasoftresearch.com/helpdesk

If you are a user and you know that you have this tool installed on purpose, then you are encouraged to use the *ignore* button so the program will not alert on it in future scans. Ad-Aware does not remove this automatically; it is up to the user to determine if this item should be installed or not.

I have many tools that I use for malware removal that are identified as "hack tools" because in the wrong hands they could be used maliciously. Things like process-killers, etc. will do that. I may need to use a process killer to get rid of a nasty, but a process killer installed by a remote attacker for the purpose of killing security programs, that is a bad use. That is why they say Hacktool and not virus, worm or spyware, etc.

Post #5 | Sep 18 2006, 01:26 AM
Newbie | Group: Members | Posts: 5 | Joined: 14-September 06 | Member No.: 11,484
Obviously it is in your database, that is why it is being reported! This program needs to be run manually and has its own website: http://www.lvllord.de/ It is a definite false positive.

This program is used by people to uncap the TCP/IP incomplete outbound connection limit for P2P programs. There is no reason for Adaware to detect this. Adaware should stick to identifying malware and malicious programs that do malicious things. My computer comes with Regedit, which can be used as a hack tool. In the wrong hands Regedit can be used maliciously. Next you are going to identify Sysinternals Process Explorer as a hack tool. The current identification is misleading and people will think they are infected with something; it needs to be removed. Now why all of a sudden is this program, which has been out for over a year and is well known, being detected by Adaware now? Ridiculous.

Post #6 | Sep 21 2006, 01:37 AM
Lavasoft Staff | Group: Administrators | Posts: 8,814 | Joined: 19-April 06 | From: Central Florida, USA | Member No.: 65
Hi Mastertech,

Many times these types of tools are being id'd by security scanners and not just Ad-Aware, as you can see in the scan results above. I have explained why it is detected, and the difference is that Ad-Aware gives you the choice of placing an item that you do not wish it to detect on *ignore*. It does not remove it automatically.

Post #7 | Sep 21 2006, 01:47 AM
Newbie | Group: Members | Posts: 5 | Joined: 14-September 06 | Member No.: 11,484
That list is largely inconclusive, and the other AV makers are well aware of this common tool, as are other programs like Spybot, and specifically do not flag this utility. The current Adaware detection is flagging it as if the tool was placed there maliciously. If Adaware is unable to determine this then it should not be flagging it at all. People will remove it thinking they are infected with something. This is irresponsible on Adaware's part and incredibly misleading if someone downloaded it manually. It is also stating that this tool "Could potentially harm the system and even result in boot failure". Please explain and document how this can occur, otherwise Adaware is spreading blatant misinformation.

Post #8 | Sep 21 2006, 02:02 AM
Lavasoft Staff | Group: Administrators | Posts: 8,814 | Joined: 19-April 06 | From: Central Florida, USA | Member No.: 65
That is why I also gave you the links to the Vendor helpdesk, if a report needs to be filed:
http://www.lavasoftsupport.com/index.php?s...ost&p=17101

And you, as a user, can make the choice to ignore the detection. Please use one of those avenues. I have answered your question and provided the links you need. That is the most the forum can do for you here.

Post #9 | Sep 21 2006, 02:15 AM
Newbie | Group: Members | Posts: 5 | Joined: 14-September 06 | Member No.: 11,484
So you cannot report false positives? What is the point of this forum then? And why is my first post #2?