Saturday, 30 March 2013

False Positive: Ikarus and Comodo detecting TDSSKiller as a Trojan horse

That awkward moment when you realize that your favorite rootkit removal utility is detected as malware. I probably wouldn't even have noticed, but I got an email from my reader Matt, who apparently has been having some problems with malicious software lately. He said that TDSSKiller (the tool I like a lot and usually recommend to my readers) is actually a Trojan horse. Obviously, this can't be true, so I thought maybe he had downloaded an infected TDSSKiller variant from some naughty site, which would explain everything. He quickly replied that he downloaded TDSSKiller from Kaspersky's site, so that's clearly not the case. Comodo antivirus blocked the file when Matt executed it. I had to see it for myself, so I downloaded TDSSKiller on my computer and then uploaded it to VirusTotal. Surprise, surprise, it's indeed a Trojan, with a detection ratio of 2/46. Since I was too lazy to install Comodo and Ikarus, I decided to use Hitman Pro. It uses the Ikarus antivirus engine, so it should detect TDSSKiller. Yep, we have a false positive here. Matt was right.

Tdsskiller.exe was detected as Trojan.Crypt by the Ikarus antivirus engine. Comodo detected it as Packed.Win32.MUPX.Gen. Executable packing issues or something like that, I guess.

However, I can assure you guys that TDSSKiller is a genuine and safe utility. It's a false positive, and it's just a matter of time until the issue is resolved. So, don't worry. The funny thing is, though, tdsskiller.exe has a valid certificate, just like it should, signed by COMODO.

Yeah, COMODO, the one that detects it as Packed.Win32.MUPX.Gen at the moment. Well, what can I say, this is not the first time antivirus companies have flagged each other's tools as dangerous :) Unfortunately, such things happen from time to time.
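If you want to check a flagged download yourself rather than take either the vendor's or the scanner's word for it, the two things worth looking at are exactly the ones in this post: the Authenticode signature (does it validate, and is the signer the company you expect?) and the file hash (so you can look up the exact file on VirusTotal). The script below is an added example, not from the original post or from Kaspersky; the download path and the expected signer substring ("Kaspersky") are assumptions to adjust for your own copy.

```powershell
# Added example: triage a utility that an AV engine flags, such as tdsskiller.exe,
# by validating its Authenticode signature and computing its SHA-256.
# The path and the expected signer are assumptions, not values from the post.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\tdsskiller.exe",
    [string[]]$ExpectedSigners = @("Kaspersky")   # substring expected in the signer's Subject
)

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

# SHA-256 identifies the exact file for a VirusTotal lookup or a vendor hash comparison.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

$sig     = Get-AuthenticodeSignature -FilePath $Path
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned>" }
$issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { "<unsigned>" }

# A chain that validates is necessary but not sufficient: a valid signature from an
# unexpected company says nothing about whether this is the vendor's file.
$chainOk  = $sig.Status -eq 'Valid'
$signerOk = @($ExpectedSigners | Where-Object { $subject -like "*$_*" }).Count -gt 0

if ($chainOk -and $signerOk) {
    $verdict = 'Validly signed by the expected vendor; an AV hit is likely a false positive, confirm on VirusTotal and with the vendor'
} elseif ($chainOk) {
    $verdict = 'Validly signed, but by an unexpected signer; treat as untrusted'
} else {
    $verdict = 'Signature missing, broken or untrusted chain; treat as untrusted'
}

[pscustomobject]@{
    File       = $Path
    SHA256     = $hash
    SigStatus  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
    StatusText = $sig.StatusMessage
    Signer     = $subject             # the software publisher (the vendor's name should appear here)
    Issuer     = $issuer              # the CA that issued the signing certificate (COMODO, in the post's case)
    Verdict    = $verdict
}
```

Run it as `.\Check-FlaggedFile.ps1 -Path <file> -ExpectedSigners <vendor>`; a `HashMismatch` status means the signed bytes were altered after signing and is a very different situation from a clean signature with a packer-triggered detection.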
