False positive with JPEGVideo prog

Dorian

The JPEGVideo prog installs to a folder called "NDW" -
this triggers the Needware alert...

This is a false positive.

A workaround is to uninstall and change the install
folder, removing the NDW reference.
 
Bill Sanderson

Thanks--can you cite a URL or other reference for where to find this
JPEGVideo program? Does it come with some particular hardware?

I'm not succeeding at replicating this by trying to create empty ndw or NDW
folders in various places--can you give me a step-by-step to reproduce this?
 
Bill Sanderson

This is pretty ugly--Microsoft Antispyware IDs each of the files installed
as JPEGVIDEO as the named threat. This is interesting--at this point, the
only thing I can see in favor of it being a false positive is the apparent
background and reliability of the publisher, which I don't know enough
about--and the fact that no antivirus I've tested it
with--virusscan.jotti.org, or my own--IDs the executable as bad.

I suspect they are correct about the reason for the detection--and I'm
interested in the mechanisms that would let a false positive like this
propagate through, presumably, more than one antispyware application.

At any rate, I will both report this as a possible false positive, and use
the form at the website to suggest to the publisher that they work directly
with Microsoft to fix this detection of their product.
 
AndyManchesta

I'm not aware of the background of this company, but
it's strange if the Antivirus/Antispy apps are just
detecting the name "NDW" for a file or folder and showing
it as "NeededWare". I've just installed this on my own
system and it seems genuine and uninstalled without
problems and definitely not from Neededware.

NeededWare enters a registry entry in the HKLM software
folder called "wserv" and this wasn't present. It also
enters a random named file in system32 and then a
registry run command to match the name, and this didn't
exist either. Neededware doesn't enter a folder in program
files called "NDW" but does use an entry in the
Windows 'Downloaded Program Files' folder
called "NeededWareURL/ndw.cab", so I suspect this is
causing the false positive.

Andy
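
An added example, not part of the original thread and not any product's real signature logic: it contrasts a name-only match on "ndw" (the behaviour the posts above suspect) with a rule that requires at least two of the artifacts Andy lists. The snapshot layout, sample paths, the file name `qzxv.exe` and the function names are assumptions constructed for illustration.

```python
# Added illustration. Indicator names come from the post above; the snapshot
# layout, sample paths and function names are assumptions for this example.

def _norm(path):
    """Lower-case a path and use backslashes so comparisons are uniform."""
    return path.lower().replace("/", "\\")

def name_only_rule(snapshot):
    """Flag any file or folder whose base name is 'ndw' (the suspected rule)."""
    for path in snapshot["paths"]:
        for part in _norm(path).split("\\"):
            if part.split(".")[0] == "ndw":
                return True
    return False

def corroborated_rule(snapshot):
    """Flag only when at least two artifacts listed in the post are present."""
    paths = [_norm(p) for p in snapshot["paths"]]
    hits = set()
    if any(_norm(k).endswith("\\software\\wserv") for k in snapshot["registry_keys"]):
        hits.add("wserv key")
    if any("\\downloaded program files\\" in p and p.endswith("\\ndw.cab") for p in paths):
        hits.add("ndw.cab")
    # A Run value that points at a file present in system32.
    system32 = {p for p in paths if "\\system32\\" in p}
    if any(_norm(v) in system32 for v in snapshot["run_values"]):
        hits.add("run entry")
    return len(hits) >= 2, sorted(hits)

# Constructed snapshots (not captured from real systems).
JPEGVIDEO_INSTALL = {
    "paths": [r"C:\Program Files\NDW\JPEGVideo\jpegvideo.exe"],
    "registry_keys": [r"HKLM\Software\JPEGVideo"],
    "run_values": [],
}
NEEDEDWARE_LIKE = {
    "paths": [r"C:\Windows\Downloaded Program Files\NeededWareURL/ndw.cab",
              r"C:\Windows\system32\qzxv.exe"],
    "registry_keys": [r"HKLM\Software\wserv"],
    "run_values": [r"C:\Windows\system32\qzxv.exe"],
}

if __name__ == "__main__":
    for name, snap in (("JPEGVideo", JPEGVIDEO_INSTALL), ("NeededWare-like", NEEDEDWARE_LIKE)):
        print(name, name_only_rule(snap), corroborated_rule(snap))
```

The name-only rule fires on both snapshots, while the corroborated rule fires only on the one carrying the registry, system32 and cab artifacts.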
 
Bill Sanderson

It's strange. It'd be interesting to trace how the false positive got
started, and how it has progressed--unless this really began somehow with
Giant and has been confined to their and successor products.
 
Tom Emmelot

Hello Bill,

This is not the first time that this program came up in this list.
I install the program without any remarks of any program, pccillin
2006/Venus spytrap/msas!
So old definitions, I think!

Regards >*< TOM >*<
 
Tom Emmelot

Hello Bill,

When I start the program the second time, MSAS wants to block it!
So false positive it is!
But about 1 month ago I mentioned that already.

Regards >*< TOM >*<
 
Bill Sanderson

Dorian - I'm pleased to report that I've had a note from the developer of
your app, and re-tested using current definitions. This was fixed in
definition set 5759, according to the information he provided. At any rate,
it is definitely fixed in 5763.
 
Dave M

Thanks for the follow-up Bill. I've had it sitting in temp for a while
waiting on the word...
 
Bill Sanderson

I was real pleased that the developer thought to let me know. I think the
5759 was probably a miscommunication--that was the def version that had the
false positive in it. I believe it was fixed in 5763.