
eEye Digital Security


Possible Norman AV False-Positive (Pidgin Portable)

Last post 07-09-2009 7:41 PM by washington678. 2 replies.
Page 1 of 1 (3 items)
  • 05-12-2008 1:20 PM

    Possible Norman AV False-Positive (Pidgin Portable)

    I may have found a false-positive with the portable version of "Pidgin" from http://portableapps.com. I have submitted the following trouble ticket for follow-up.

     

    Ticket ID:TK031307    Created On:5/10/2008 7:02:06 PM

    ---------------------------------------------------------------------------------------------------------------------------------------------------------

    Communication History

    On 5/10/2008 7:02:08 PM you wrote:

    While installing the Portable Application "Pidgin" from PortableApps.com, Blink alerted me with the following alert:

    -------------------------------------------------
    Event ID: BLINK-MAL-205
    Severity: High
    Description: Blink has found a malware application
    Virus found: Vundo.gen42
    Item found: I:\PidginPortable\App\GTK\lib\gtk-2.0\2.10.0\engines\libthinice.dll
    Action: Quarantine
    Alert: Yes
    Name: Vundo.gen42
    Second Action: Log Only
    Category: Trojan


    Event ID: BLINK-ENG-202
    Severity: Medium
    Description: Blink has disinfected the system after malware was detected
    Quarantine Location: 01C8B304-D4C6B9F6-0-Vundo.gen42
    Action: Quarantined
    Item Found: I:\PidginPortable\App\GTK\lib\gtk-2.0\2.10.0\engines\libthinice.dll
    Alert: No
    Name: Vundo.gen42
    ----------------------------------------------

    This seems strange, and I would like to confirm whether or not it may be a false-positive or a legitimate alert that I need to tell the portableapps.com website about.

    I have included the Portable executable in the zip file "Pidgen.zip". The password to access it is "Blink".

    Thanks in advance


    On 5/12/2008 9:18:52 AM eEye Digital Security wrote:

    Hello Jeffery,

    I downloaded this file, and scanned it with the latest virus database, and it came back clean. Can you update your Blink and try to scan it again for the presence of this malware?

    Thanks,
    Dennis A.


    On 5/12/2008 11:15:33 AM you wrote:

    I tried that too, but the only way to get the alert is to install it on a USB device (as I was at the time). It triggers on one of the .dll files (libthinice.dll) during the installation (or in this case the extraction process of the executable onto the USB device).




    I will update this post as eEye provides me further details.

  • 05-13-2008 1:43 PM In reply to

    Re: Possible Norman AV False-Positive (Pidgin Portable)

    Final Update

    ---------------------------------------------------------------------------------------------------------------------------------------------------------


    On 5/12/2008 2:32:09 PM eEye Digital Security wrote:

    Hello Jeffery,

    I submitted the file to Norman for analysis. Please bear with me as I wait for a response.

    Thanks,
    Dennis A.


    On 5/13/2008 8:26:44 AM eEye Digital Security wrote:

    Hello Jeffery,

    After submission to Norman, they have agreed this is indeed a False Positive and it will be removed.

    Thanks,
    Dennis A.


    On 5/13/2008 1:42:45 PM you wrote:

    Alright, good to know, thanks for your help. You can close this now.

    -------------------------------------------------------------------------------------------------------------------------------------------------------- 

     

  • 07-09-2009 7:41 PM In reply to

    Re: Possible Norman AV False-Positive (Pidgin Portable)


    Cheers and we look forward to your Forum Favourites selections!


    pret auto

     

© 1995 - 2009 eEye Incorporated