Results 1 to 1 of 1
2016-03-21, 01:49 #1
- Join Date
- Dec 2009
- Cardiff, UK
- Thanked 589 Times in 490 Posts
Toolbar detections vs heuristics failures.
Just a quick look at some VirusTotal outputs based on Unlocker 1.9.2 by Cedric Collomb, scanned by MBAM Free and later by ADWCleaner. Prompted by the discussion here.
On the left side of the attachment we see the current direct download from the official site (http://www.emptyloop.com/unlocker/ <- risky, care needed) and on the right, the download from Majorgeeks (http://www.majorgeeks.com/files/details/unlocker.html <- marked there as Ad-Supported but currently appears 'clean' from my own testing). Below these we have the result from MBAM while the EmptyLoop Unlocker is in the process of being installed and the current state of the Unlocker installer, showing the options needed to avoid the toolbar payload. The current version of ADWCleaner found nothing relevant to the Unlocker install afterwards, though it did find some likely false positives previously undetected (reported, attached at the end).
The 'clean' Majorgeeks download could from a 'clean period' at EmptyLoop, or MGs (and possibly some other download sites) were sent a 'special' build of Unlocker. The current EmptyLoop web page does have some risky looking advertising downloads - if you do go there rather than to MGs for your Unlocker download, avoid the advert download links!
The left side VT results show 10 'correct' detections but note that Baidu's detection is the same as the clean version (so bad heuristics/untrustworthy), MBAM, DrWeb, ESET-NOD32 and Ikarus use reasonably informative results, the rest show a more cryptic result.
Assuming the right side results are all false positive, bad heuristics or historical data used to 'decide' (which is what my own research/tests seem to show), AegisLab, GData and Rising are not to be trusted as they failed to call the 'bad' Unlocker download but flagged the 'clean' one = fail plus FP (False Positive).
Not all the providers VT use are programmed/set to detect PUPs/PUAs, most are primarily antivirus, some are antimalware, some claim to be both (and sometimes more). Failing to detect a PUP does not necessarily mean they're bad/untrustworthy, some are excellent at what they're built to do.
*PUP/PUA: Potentially Unwanted Program/Potentially Unwanted Application.
Unlocker 1.9.2 installers:
From Emptyloop results.
From Majorgeeks results.
The Google Safe Browsing data used by Firefox/Chrome.
hpHosts database, part of Malwarebytes.
In my experience, McAfee's SiteAdvisor and their free SiteAdvisor software/browser plugin have been close to useless, way too outdated.
WOT results usually need studying in depth to be sure, all too often company spammers/shills have been busy there manipulating their own scores upwards, other spammers/shills work hard to demote better software by their competitors. Good reflection of what's been happening in this instance, though.
Moral: be cautious, use a 'good' antivirus, firewall and antimalware. Trust no-one, always check before downloading and especially before installing. Software writer's sites are usually safe to download from, otherwise try Majorgeeks first. Check again.
If you do get some toolbar or other browser-based adware, use MBAM and post the resulting log in your own topic here, or use it and remove everything, follow that up by using ADWCleaner and removing all suspicious objects then finish off with JRT.
ADWCleaner results (incidental to the main topic, probably FPs).
EDIT: ADWCleaner's 'finds' were indeed false positives, rapidly fixed.
Last edited by satrow; 2016-03-23 at 12:00.