false positives: InstSrv and Winlog

  • Thread starter: cpu-tech

cpu-tech

Nice appearance, lots of settings, hasn't yet found
anything that SpySubtract or SpybotSD missed.

It has two false positives for me, both of which are in
the directory that gets created when one purchases the
Microsoft Windows 2000 Professional Resource Kit and
installs the accompanying CD from the back of Microsoft's
own 1760+ page book.


InstSrv (Trojan)
-c:\program files\resource pro kit\instsrv.exe

Winlog (Trojan)
-c:\program files\resource pro kit \srvany.exe

True, those filenames are also found in Symantec's list of
viruses, but perhaps this program should look at the
directory name, or give a 'caution' flag instead of
damning Microsoft's own resource kit (vbg).

cpu-tech
 
cpu-tech said:
It has two false positives for me, both of which are in
the directory that gets created when one purchases the
Microsoft Windows 2000 Professional Resource Kit and
installs the accompanying CD from the back of Microsoft's
own 1760+ page book.

I ran auto-update last night and I no longer get these two false-positives.
(Or any others.)
 
Donald Newcomb said:
I ran auto-update last night and I no longer get these two false-positives.
(Or any others.)

My bad. My wife had stuck the two programs into quarantine. I took them out
and AntiSpyware Beta still picks up InstSrv. However, it also has a very
nice explanation of why it's not a false positive. Says it is part of the MS
Resource Kit but that it is also a prime target for hackers and they
recommend getting rid of it. So, it isn't a false positive at all.
 
Glad you read the details. I don't know whether those descriptions have
changed since the first post in this thread--but there are some classes of
programs that are perfectly appropriate if installed on your system with
your knowledge, and dangerous if you did not know they were there. Or, they
may be subject to abuse, and thus risky to leave around if you are not
actively using them yourself.

I believe these descriptions are being tuned actively at the moment--and
want to remind us all to take a good look at both the default action
suggested for the "threat" and the descriptions, to get a clearer
understanding of why these apparently legitimate programs are being called
out.
 