CnsMin False Positive

[Cris McRae]

I'm using the latest 5751 signatures and I'm getting a
false positive on CnsMin. It's flagging registry keys
associated with Yahoo! Messenger 7.5. All but two of the
registry values clearly say "Yahoo!" or "YPager".

 

[Cris McRae]

Here are the registry keys it's detecting as related to "CnsMin":

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} ButtonText Yahoo!
Messenger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} clsid
{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} MenuText Yahoo!
Messenger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} Default Visible
YES
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} Exec
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} Icon
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe,105
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} HotIcon
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe,105

 

[Bill Sanderson]

Thanks Chris--I'll pass this on.

--

Here are the registry keys it's detecting as related to "CnsMin":

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Extensions\CmdMapping {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} ButtonText
Yahoo! Messenger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} clsid
{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} MenuText Yahoo!
Messenger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} Default Visible
YES
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} Exec
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} Icon
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe,105
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} HotIcon
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe,105

 

[Bill Sanderson]

Did you mean 5751, or 5753?

 

[Bill Sanderson]

Chris - are you able to re-test ths issue with the 5755 definitions?

--

 

[Jason McKinnon]

Bill,

I also had this using 5751, and can confirm it has been corrected in 5755
(updated and finished scanning a few minutes ago).

Thanks,
Jason McKinnon

 

[Bill Sanderson]

Thanks very much!

--

Bill,

I also had this using 5751, and can confirm it has been corrected in 5755
(updated and finished scanning a few minutes ago).

Thanks,
Jason McKinnon

 

[Jazz]

Just wanted to reiterate Jason's comments, Bill.

After receiving the same 'false positive' as Chris,
Spyware Definition Version: 5755 (13/09/2005 13:57:02)
corrected the issue.

The 'culprit' Spyware Definition Version in question, I
believe, was 5753.

-=JAZZ=-

 

[Bill Sanderson]

Thanks!

--

Just wanted to reiterate Jason's comments, Bill.

After receiving the same 'false positive' as Chris,
Spyware Definition Version: 5755 (13/09/2005 13:57:02)
corrected the issue.

The 'culprit' Spyware Definition Version in question, I
believe, was 5753.

-=JAZZ=-