Full Version: False positives: Streamer p2p radio and cwebpage.dll
Iain_
Two false positives for you.

Firstly, the installer for my Streamer p2p radio app, 'installstreamer.exe', reports Win32.TrojanDownloader.Agent
Only Adaware has this false positive, virustotal shows no positives. Kaspersky shares this false positive because I'm told it uses the adaware engine to scan for adware. The file is 2+ years old, and is digitally signed, so has not changed during this time.


Secondly, open source/public domain library 'cwebpage.dll' reports Win32.Adware.NewWeb

This file is actually an open source library allowing html pages to be displayed in win32 windows, using internet explorer's libraries and COM interface, and is really handy if you don't want to get involved in COM coding.
The project homepage is here: http://www.codeproject.com/KB/COM/cwebpage.aspx

This file is probably flagged as spyware because it was once used in a spyware package, but that does not make the file itself malicious, it is still just a library to embed html in win32 windows. All the files in the spyware package were obviously labeled as malicious without proper (or any?) verification being done. And then all the virus check companies just apparently copied each other's databases, again without any verification.
Virustotal currently shows 23 out of 40 tests reporting false positive for this file. Not good.

When I first spotted this I reported it to Avast, who removed it. I didn't report it to the other companies, too many of them. I fixed the problem by using an earlier build, which is almost identical apart from a small area at the end of the file, and which does not have a false positive.

The amount of just plain wrong 'information' provided by 'what is this file' sites (like threatexpert for example) is appalling, and shows you cannot trust these automated file analysis sites at all, about anything.
www.greatis.com has this unhelpful wrong information about it:
Cwebpage.dll is an adware program Adware.Shorty.
Cwebpage.dll is a Browser Helper Object.
Cwebpage.dll monitors user Internet activity.
All wrong, and all checkable. And there are more sites like this.


Could you put Adaware on virustotal please, it is a very useful site for checking spurious 'your installer is a trojan' claims from my (sometimes idiot) users, without having to go through the virus checker install/update/scan/uninstall cycle myself.


Cheers,
Iain

LS Pekka
Hi Iain_!

Thanks for posting!

We will re-analyze the files you uploaded and if they turn out to be false positives they will be removed from detection as of the next definition file update.

Regards,

LS Pekka

Lavasoft Malware Labs