False detection of nsldapssl32v30.dll

JEFF

The anti-spyware detects nsldapssl32v30.dll as Timbuktu
Pro.
Could you make a distinction between these two different
applications?
Thanks
 
The MS ASW (beta) tool, recently installed (Win2K fully patched), finds some
interesting items on my PC.
nsldapssl32v30.dll - reported as Timbuktu: I used this software a
couple of years ago. It has never been on this PC. However, some simple
searching shows that this is a widely used DLL (ZenWorks, Cisco ACS, etc.)
written by Netscape whose latest version is nsldapssl32v50 (version 5.0).
The actual file in my case was probably installed with my Firefox browser as
the filename implies it is - NS (Netscape), LDAP (Lightweight Directory
Access Protocol), SSL (Secure Sockets Layer [Enabled version]), 32 bit,
version 3.0.

This is one example of the bigger problem Microsoft faces - writing
signatures that properly identify malicious uses of libraries like the one
mentioned above, as well as avoiding false positives for legitimate uses.
I've read many posts where false positives are the result of weak matching
rules - for example - a file by a particular name without looking at more
(qualifying) attributes such as the folder structure (this is a weak but
relatively low cost solution).
See (in this group) - False Positives: InstSrv and Winlog - Posted Jan. 13th
in microsoft.private.security.spyware.appcompat - Re: How do I dispute a
spware listing?, msantispyware and genius wireless kb false positive,
CAUTION: Identifies non-threats and deletes them.

On a good note, at least users are given a choice on how to address the item
that is clearly understandable. Especially in BETA, users should be paying
very close attention to all dialog boxes and ensure they understand them
before they act. In my case, if you are unsure and there is no clear option
to back out - End the process (where possible).

BillBeau B.
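
The weak-matching problem described in the post above, as an added example (not code from the thread or from any anti-spyware product): a name-only rule is compared with a rule that also requires a qualifying attribute. Because a shared library is byte-identical wherever it ships, the qualifiers used are the folder and a companion file in the same folder; the folder name `PLACEHOLDER_APP`, the companion `placeholder_app.exe` and every path in the inventory are constructed assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class Signature:
    label: str
    filename: str                       # lower-case name of the shared DLL
    folder_hint: str = ""               # qualifier: fragment of the expected parent folder
    companions: frozenset = frozenset() # qualifier: app-specific files expected beside it

def name_only(sig, path, inventory):
    """Weak rule: the file name alone decides."""
    return PureWindowsPath(path).name.lower() == sig.filename

def qualified(sig, path, inventory):
    """Name must match AND the folder or a sibling file must point at the application."""
    if not name_only(sig, path, inventory):
        return False
    parent = str(PureWindowsPath(path).parent).lower()
    siblings = {PureWindowsPath(q).name.lower() for q in inventory
                if str(PureWindowsPath(q).parent).lower() == parent}
    folder_ok = bool(sig.folder_hint) and sig.folder_hint in parent
    return folder_ok or bool(sig.companions & siblings)

def scan(inventory, sig, rule):
    return [p for p in inventory if rule(sig, p, inventory)]

# Constructed inventory: stand-in paths, not real install data.
INVENTORY = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Mozilla Firefox\nsldapssl32v30.dll",  # browser's copy
    r"C:\Program Files\PLACEHOLDER_APP\nsldapssl32v30.dll",  # flagged app, default folder
    r"D:\relocated\placeholder_app.exe",
    r"D:\relocated\nsldapssl32v30.dll",                      # flagged app, moved folder
]

SIG = Signature(
    label="Timbuktu",
    filename="nsldapssl32v30.dll",
    folder_hint=r"\placeholder_app",               # hypothetical folder fragment
    companions=frozenset({"placeholder_app.exe"}), # hypothetical companion file
)

if __name__ == "__main__":
    for rule in (name_only, qualified):
        print(rule.__name__, scan(INVENTORY, SIG, rule))
```

The name-only rule flags all three copies of the DLL, including the browser's; the qualified rule flags only the two that sit with the application, and the relocated copy shows why the folder check alone is the weak qualifier the post calls it.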
 