Author Topic: ===> False Positives <===  (Read 353097 times)


Curson (Global Moderator)
Re: ===> False Positives <===
« Reply #30 on: February 20, 2015, 08:47:20 AM »
Hi nitrousable,

MBAE will be whitelisted as well.

Regards.

Bacho
« Reply #31 on: February 21, 2015, 01:32:12 AM »
Now that RK has been updated to 10.4, it is falsely closing out LogMeIn Rescue during the pre-scan. I would like this to be whitelisted, please. Here's a picture of what was found in the pre-scan.

http://i.imgur.com/O0r9Ann.png

I will get the log from the report here in a little bit and edit this post. Just figured I'd make a preemptive strike.

I've noticed the same. Here are the lines from the log report I captured; it would be awesome if LogMeIn could be whitelisted.

¤¤¤ Processes : 3 ¤¤¤
[Suspicious.Path] LMI_Rescue_srv.exe(1200) -- C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe[7] -> Killed [TermProc]
[Suspicious.Path] LMI_Rescue_srv.exe(1608) -- C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe[7] -> Killed [TermThr]
[Suspicious.Path] lmi_rescue.exe(744) -- C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 15 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LMIRescue_6c263ea2-6835-4ed5-ac51-dac642e23d70 ("C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe" -service -sid 6c263ea2-6835-4ed5-ac51-dac642e23d70) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LMIRescue_6c263ea2-6835-4ed5-ac51-dac642e23d70 ("C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe" -service -sid 6c263ea2-6835-4ed5-ac51-dac642e23d70) -> Found

Tigzy (Administrator, Owner, Adlice Software)
« Reply #32 on: February 21, 2015, 09:52:52 AM »
Hello

Thanks for the feedback.
Any chance to get the full path for this?

Quote
C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe

Especially the part: LOGMEI~1

prummells
« Reply #33 on: February 23, 2015, 05:16:51 PM »
Hello RogueKiller,

Would the following please be added to the whitelist?

¤¤¤ Processes : 1 ¤¤¤
[ZeroAccess] SBAMSvc.exe(4072) -- C:\PROGRA~2\ADVANC~1\managedav\SBAMSvc.exe[7] -> Killed [TermProc]

SBAMSvc.exe is part of a product called MAX RemoteManagement and the Antivirus is called Managed Antivirus.

The location of SBAMSvc.exe can be in a few different File Path Names depending on the method used to install the Advanced Monitoring Agent:

C:\Program Files\Advanced Monitoring Agent\managedav\SBAMSvc.exe
C:\Program Files\Advanced Monitoring Agent GP\managedav\SBAMSvc.exe
C:\Program Files (x86)\Advanced Monitoring Agent\managedav\SBAMSvc.exe
C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMSvc.exe

Thank you

Curson (Global Moderator)
« Reply #34 on: February 23, 2015, 05:24:33 PM »
Hi prummells,

Welcome to Adlice.com Forum!
Thanks for your contribution. Managed Antivirus will be whitelisted in the next version of RogueKiller.

Regards.

Bacho
« Reply #35 on: February 23, 2015, 06:48:21 PM »
Quote from: Tigzy
Hello

Thanks for the feedback.
Any chance to get the full path for this?

Quote
C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe

Especially the part: LOGMEI~1

Sorry about that, the full paths are:

C:\Users\username\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe
C:\Users\username\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue.exe

Thanks.

Curson (Global Moderator)
« Reply #36 on: February 23, 2015, 07:11:40 PM »
Hi Bacho,

Thanks for your contribution.
In its current version, RogueKiller should no longer report LogMeIn Rescue.

Regards.

greysmouth
« Reply #37 on: February 24, 2015, 01:10:53 AM »
Hello guys. Please take a look at my attached files. Is something wrong with RK 10.4.2, or is my laptop going insane? In a few words, the application seems to be stuck in a loop, asking every time I launch it whether I want to update it. My best regards, greysmouth BO IT.

Curson (Global Moderator)
« Reply #38 on: February 24, 2015, 12:28:16 PM »
Hi greysmouth,

RogueKiller 10.4.3 is out.
Could you please retry with this version ?

Regards.

mist63
« Reply #39 on: February 27, 2015, 02:55:27 PM »
Hi,
I think there is something wrong when Symantec Endpoint Protection is installed:

[Suspicious.Path] (SVC) BHDrvx86 -- \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys[7] -> [NoKill]
[Suspicious.Path] (SVC) IDSxpx86 -- \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150226.013\IDSxpx86.sys[7] -> [NoKill]

[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BHDrvx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150226.013\IDSxpx86.sys) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.018\NAVENG.SYS) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.018\NAVEX15.SYS) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BHDrvx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150226.013\IDSxpx86.sys) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVENG (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.018\NAVENG.SYS) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.018\NAVEX15.SYS) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BHDrvx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150225.012\IDSxpx86.sys) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAVENG (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.002\NAVENG.SYS) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.002\NAVEX15.SYS) -> Not selected

Full scan attached.
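
As an added example (not RogueKiller's, Adlice's or any vendor's code), the script below shows the triage step every false-positive report in this thread is really asking for: parse detection lines in the format quoted above, pull out the image path, and check each hit against whitelist rules built from the full paths posted for LogMeIn Rescue, Managed Antivirus and Symantec Endpoint Protection. It also deals with the LOGMEI~1 / PROGRA~2 question Tigzy raised: the rules are written against long directory names, and a path component is accepted when it either equals the long name or plausibly is its DOS 8.3 alias. The sample log is constructed from the excerpts in this thread plus one decoy line (a LogMeIn-named binary running from a different directory); the 8.3 heuristic and the rule table are assumptions made for this example, not RogueKiller's whitelist format.

```python
"""Triage RogueKiller-style detection lines against a vendor whitelist (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines quoted in this thread plus one decoy (the last line), a
# LogMeIn-named binary running from the wrong directory, which must NOT be whitelisted.
SAMPLE_LOG = r"""
¤¤¤ Processes : 3 ¤¤¤
[Suspicious.Path] LMI_Rescue_srv.exe(1200) -- C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe[7] -> Killed [TermProc]
[Suspicious.Path] lmi_rescue.exe(744) -- C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue.exe[7] -> Killed [TermProc]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LMIRescue_6c263ea2-6835-4ed5-ac51-dac642e23d70 ("C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe" -service -sid 6c263ea2-6835-4ed5-ac51-dac642e23d70) -> Found
[ZeroAccess] SBAMSvc.exe(4072) -- C:\PROGRA~2\ADVANC~1\managedav\SBAMSvc.exe[7] -> Killed [TermProc]
[Suspicious.Path] (SVC) BHDrvx86 -- \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys[7] -> [NoKill]
[Suspicious.Path] lmi_rescue.exe(999) -- C:\Users\Danielm\AppData\Local\Temp\LMIR0001.tmp\LMI_Rescue.exe[7] -> Killed [TermProc]
"""

# "[Category] <body> -> <action>"; section headers such as "¤¤¤ Processes" do not match.
LINE_RE = re.compile(r"^\[(?P<cat>[^\]]+)\]\s+(?P<body>.*?)\s+->\s+(?P<action>.+)$")
# First Windows image path in the body; an NT "\??\" prefix is consumed but not captured.
PATH_RE = re.compile(r'(?:\\\?\?\\)?(?P<path>[A-Za-z]:\\[^"\[\]]+?\.(?:exe|sys|dll))(?=["\[)\s]|$)', re.I)
# DOS 8.3 alias such as LOGMEI~1 or LMI_RE~1.EXE: up to six stem chars, tilde, number, optional ext.
SHORT_RE = re.compile(r"^([A-Z0-9_$!#%&{}@'()^-]{1,6})~\d+(?:\.([A-Z0-9]{1,3}))?$", re.I)


@dataclass
class Detection:
    category: str        # Suspicious.Path, ZeroAccess, ...
    action: str          # "Killed [TermProc]", "Found", "[NoKill]", ...
    path: Optional[str]  # image path, or None when the line carries none
    raw: str


def parse_log(text: str) -> List[Detection]:
    found = []
    for line in (l.strip() for l in text.splitlines()):
        m = LINE_RE.match(line)
        if m:
            p = PATH_RE.search(m.group("body"))
            found.append(Detection(m.group("cat"), m.group("action"), p.group("path") if p else None, line))
    return found


def component_matches(actual: str, expected: str) -> bool:
    """Case-insensitive equality, or `actual` looks like an 8.3 alias of `expected`.

    Heuristic (an assumption, not Windows' alias table): the alias stem is the first six
    characters of the name with spaces and dots removed, so "LogMeIn Rescue Applet" becomes
    LOGMEI~n; the number varies on collisions ("Program Files (x86)" -> PROGRA~2). A directory
    literally named LOGMEI~1 would also pass, so treat a hit as a hint and confirm on the
    affected machine with (Get-Item -LiteralPath $p).FullName before whitelisting.
    """
    if actual.lower() == expected.lower():
        return True
    m = SHORT_RE.match(actual)
    if not m:
        return False
    name, _, ext = expected.rpartition(".") if "." in expected else (expected, "", "")
    stem = re.sub(r"[ .]", "", name).upper()[:6]
    return m.group(1).upper() == stem and (m.group(2) or "").upper() == ext[:3].upper()


# One entry per path component: a literal (8.3-aware), a tuple of literal alternatives, or a
# compiled regex for the variable parts. Built from the full paths posted in this thread.
RULES = {
    "LogMeIn Rescue": ["C:", "Users", re.compile(r"[^\\]+"), "AppData", "Local", "LogMeIn Rescue Applet",
                       re.compile(r"LMIR\d{4}\.tmp", re.I), ("LMI_Rescue_srv.exe", "LMI_Rescue.exe")],
    "Managed Antivirus (MAX RemoteManagement)": [
        "C:", ("Program Files", "Program Files (x86)"),
        ("Advanced Monitoring Agent", "Advanced Monitoring Agent GP"), "managedav", "SBAMSvc.exe"],
    "Symantec Endpoint Protection": [
        "C:", "Documents and Settings", "All Users", "Application Data", "Symantec",
        "Symantec Endpoint Protection", re.compile(r"[\d.]+"), "Data", "Definitions",
        re.compile(r"(?:BASH|IPS|Virus)Defs", re.I), re.compile(r"\d{8}\.\d{3}"),
        ("BHDrvx86.sys", "IDSxpx86.sys", "NAVENG.SYS", "NAVEX15.SYS")],
}


def _component_ok(actual: str, rule) -> bool:
    if isinstance(rule, str):
        return component_matches(actual, rule)
    if hasattr(rule, "fullmatch"):  # compiled regex
        return rule.fullmatch(actual) is not None
    return any(component_matches(actual, alt) for alt in rule)


def whitelist_vendor(path: str) -> Optional[str]:
    """Vendor whose rule matches the WHOLE path (same depth, every component), else None."""
    parts = path.split("\\")
    for vendor, rule in RULES.items():
        if len(parts) == len(rule) and all(_component_ok(a, r) for a, r in zip(parts, rule)):
            return vendor
    return None


def triage(text: str) -> List[Tuple[Detection, Optional[str]]]:
    """Pair each detection with the vendor it is whitelisted under; None means keep the hit."""
    return [(d, whitelist_vendor(d.path) if d.path else None) for d in parse_log(text)]


if __name__ == "__main__":
    for det, vendor in triage(SAMPLE_LOG):
        label = f"WHITELIST {vendor}" if vendor else "KEEP"
        print(f"{label:<45} {det.category:<16} {det.path}")
```

The rules match the whole path rather than the file name, which is the point of whitelisting by location: the decoy LMI_Rescue.exe under Temp is still reported even though its name, PID-style suffix and temp folder name all look like the LogMeIn applet. Registry service entries are handled by the same rule because only the quoted image path is extracted from them. The Symantec rule covers the Windows XP profile layout seen in mist63's log only; a Vista-or-later ProgramData layout would need its own entry.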

Curson (Global Moderator)
« Reply #40 on: February 27, 2015, 03:02:46 PM »
Hi mist63,

Thanks for your contribution.
Symantec Endpoint Protection will be whitelisted in RogueKiller's next release.

Regards.

greysmouth
« Reply #41 on: February 27, 2015, 04:33:00 PM »
Quote from: Curson
Hi greysmouth,

RogueKiller 10.4.3 is out.
Could you please retry with this version ?

Regards.

Hello. That's fine!
Regards, greysmouth BO IT.

Curson (Global Moderator)
« Reply #42 on: March 01, 2015, 10:36:58 PM »
Hi greysmouth,

Thanks for letting us know.

Regards.

ryderjj89
« Reply #43 on: March 02, 2015, 03:32:48 AM »
As of the latest version, 10.4.3, it's still killing LogMeIn Rescue during the pre-scan. I will try to get more info if I can.

Curson (Global Moderator)
« Reply #44 on: March 02, 2015, 06:43:38 PM »
Hi ryderjj89,

RogueKiller 10.5.0 is out.
Could you please retry with this version ?

Regards.