TT Livescan Updates + More


The databases for TT Livescan 2011 are still being updated, however,
the next incarnation of TT Livescan will simply be called TT Livescan
+.  The next version will implement 13 unique databases for detecting
malware.  The collective database size is approximately 14GB with over
120 million definitions.

On an unrelated note, I am currently in the process of developing a
file/media organizer app.  The search results are (for the most part)
limited by hardware latency.  Anyone interested in testing Metalog
Media Organizer before its scheduled release shortly before the middle
of December, contact me at info@tot-ltd.org or idbeholda@gmail.com.

Enjoy.

http://www.tot-ltd.org

Re: TT Livescan Updates + More

info at tot-ltd dot org or idbeholda at gmail dot com

Looks like usenet is being a doodiebritches again.

Re: TT Livescan Updates + More

521f01614f38@f29g2000yqa.googlegroups.com:


Don't get me wrong idbeholda, I appreciate you coming to this group and
presenting freeware as an author. The program has a lot of promise and
obviously is looking for the right things. I hope my comments help toward
program improvements.

And, please continue to keep us at BearWare updated. You are most welcome
here.

--
Bear
http://bearware.info

Re: TT Livescan Updates + More


If it's not too much to ask, send me a copy of the files that
generated false positives.  Also, what version of windows are you
running?

Re: TT Livescan Updates + More

On 11/28/2011 5:21 PM, idbeholda wrote:

I posted the list here! I'm running Vista on this machine.

--
Bear
http://bearware.info

Re: TT Livescan Updates + More


"If it's not too much to ask, send me a copy of the files that
generated false positives.  Also, what version of windows are you
running? "

I asked if it was possible for you to send me the files.  A text list
of the files does me no good.  The reason I say that, is I've got most
of the hashes for windows vista system files included in the whitelist
portion of the database.  Perhaps the results you got were the result
of some odd fluke.  I won't know without actually having samples of
the files in question.

Re: TT Livescan Updates + More

On 11/28/2011 8:42 PM, idbeholda wrote:

OK, I'll collect them tonight and send them to ya or likely email you a
link to a zip file I'll put on my website.

--
Bear
http://bearware.info

Re: TT Livescan Updates + More

@news.sunsite.dk:


I sent you via your gmail a link to the zip file that contained the well
known files like notepad.exe, 7zip.exe, etc. which your program alerted to
as malware. None of these are malware, and if you have a white list as you
say you do, why isn't at the least notepad.exe on it and why is your
program alerting on one of the most common Windows programs as malware?

I'm just sayin....

--
Bear Bottoms http://bearware.info
Moderated alternative to alt.comp.freeware:
AltCompFreeware-subscribe@yahoogroups.com

Re: TT Livescan Updates + More


You can NOT whitelist based solely on a name such as calc.exe and notepad.exe!

I have seen *numerous* examples named that way to obfuscate their malicious
intent.  Often using the legitimate utility icon.  But, Microsoft does not UPX
pack its executables, so there is the first clue it is malicious.



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
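
Dave's UPX clue, worked through as an added Python example that is not part of this thread or of TT Livescan: a small parser walks the PE section table and reports section names that common packer stubs leave behind. The PE images are built inline as constructed test data, and the PACKER_SECTION_NAMES table, the function names and the ASPack entry are assumptions for the illustration; the packer database the thread mentions holds thousands of entries, this holds two.

```python
import struct

# Constructed excerpt of a packer signature table: section names a packer's
# stub leaves in the PE section table. A real packer database is far larger.
PACKER_SECTION_NAMES = {
    "UPX": {"UPX0", "UPX1", "UPX2"},
    "ASPack": {".aspack", ".adata"},   # assumed entry for illustration
}

def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names. Raises ValueError on malformed input so a
    truncated or non-PE file is reported rather than silently passed."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                       # 20-byte COFF header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # first 40-byte section header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]        # Name is the first 8 bytes
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def detect_packer(data: bytes):
    """Return the packer whose marker section names appear in the image, else None."""
    names = set(pe_section_names(data))
    for packer, markers in PACKER_SECTION_NAMES.items():
        if names & markers:
            return packer
    return None

def build_pe(section_names, opt_size=224) -> bytes:
    """Build a minimal, non-executable PE image (constructed test data) carrying
    the given section names, so the parser can be exercised offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    optional = b"\0" * opt_size
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + table

# Constructed samples: a plain compiler layout and a UPX-style layout.
PLAIN_PE = build_pe([".text", ".rdata", ".data", ".rsrc"])
UPX_PE = build_pe(["UPX0", "UPX1", ".rsrc"])

if __name__ == "__main__":
    for label, image in (("plain", PLAIN_PE), ("upx", UPX_PE)):
        print(label, pe_section_names(image), detect_packer(image))
```

A packer hit is a triage signal in the sense Dave means: a file claiming to be a Microsoft component while carrying UPX sections is worth a closer look, but packing alone is not a verdict, since plenty of legitimate freeware ships UPX-packed.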



Re: TT Livescan Updates + More

On 11/29/2011 6:05 PM, David H. Lipman wrote:
Fine-I didn't define parameters or intend to in my example-there is a
point...my question stands as to why notepad.exe (which I know is a
legitimate Windows file) is alerted on.

I'm just sayin...


--
Bear
http://bearware.info

Re: TT Livescan Updates + More


You wrote it yourself...
"Sorry to say the results were a lot of false positives..."

That is why "...why notepad.exe ... is alerted on."

That is assuming it is the legitimate OS copy.  I have stated why the name
"notepad.exe" can NOT be whitelisted.
Even if you presume to whitelist the legitimate "notepad.exe" in its normal OS
location, the file could become trojanized.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: TT Livescan Updates + More

To clarify the problem to this, I don't whitelist based solely on
filenames alone, which is silly.  The blacklist and whitelist focus
around hash values, which can potentially create a problem if there is
a hash collision.  This is why at the time of this post there are
technically 11 databases, however only 8 are currently implemented at
this point in time, which are the following:

Malware Blacklist Database - MD5 based
(http://www.tot-ltd.org/blacklist/0-F/0000-FFFF)

System Whitelist Database - MD5 based
(http://www.tot-ltd.org/whitelist/0-F/0000-FFFF)

Default Malware Install Path Database - Self-explanatory, checked
against both black and whitelist.
(http://www.tot-ltd.org/installation.db)

Default Trojan Port List - Checks active ports and programs against a
port list
(http://www.tot-ltd.org/ports/)

API Based Heuristics - Self-explanatory
(http://www.tot-ltd.org/API)

User Definable Heuristics - Antiquated method of heuristics, but still
used for general purpose, non-api related heuristics
Downloaded from http://www.tot-ltd.org/heuristics.dat

Parental Control Scan Database -
Included in installation as offensive.dat

Executable Packer Database - Contains several thousand headers for
different executable packers
http://www.tot-ltd.org/packer.db

Usually, when/if a false positive comes up, it's usually a piece of
malware that implements (sometimes modified) components from third
party applications or a non-system critical file that would usually be
listed as greyware.  MW.GEN is a sign that I use in the blacklist
database for definitions from google's malware blacklist.  I also use
ClamAV.net's database, in addition to any other site that makes
searchable copies of their databases online.  I do not discriminate
when it comes to information harvesting, but I generally try to do my
best to verify that the information that I collect is indeed viable
via cross-referencing hashes, and checking directly against my own
personal malware archive.  This is how I maintain the blacklist.

The whitelist consists solely of hashes used from http://www.nsrl.nist.gov/,
and known, clean install discs for various flavors of windows.  A
similar method is implemented to the one illustrated above.  Why the
application components in question tested positive?  I can't tell you
right offhand.  It could be any number of reasons.  What I can say, is
that perhaps we have two different versions of notepad.  I'm running
Windows XP 32 bit, which may differ from your version of notepad on
Vista, depending on if you run 32 or 64-bit.  All I can tell you at
this point is that I know the version of notepad that's on my system
doesn't throw any flags, nor have any of the other systems that I've
tested it on, including one install of Vista 32bit.  The reason I
don't have every commercial application whitelisted is because I
simply don't have the time, resources, or hard drive space to do that
with at this point in time, even with 1TB of space at hand.

Honestly, I won't know until I take a good look at them and know for
sure.  However, given the fact that I already work a primary job
nearly 40 hours a week, do a lot of paid freelance work (add ~20+
hours/week for that), in addition to helping raise a family, it might
take me a day or two until the problem (if there is one to be found)
can be fixed.  Never mind the fact that I don't even make money off of
this project at all.  Ironically, the server averages around 300000
hits per month.  A full 2/3 of the traffic is almost entirely centered
around either the database entries themselves, or downloading of the
free version of the malware scanner, or any of the other projects that
are up and running.  I can also post screenshots to prove these
claims, if there is any question of legitimacy.   The only reason I
mention this last part is to illustrate exactly what kind of time
schedule I have to work with, and the sheer volume of traffic
that is processed on an almost daily basis.

I'm not saying that the false positive claims are legit or a hoax.  I
won't know for sure, but if there is an issue within the database
itself that needs to be resolved, I'll do my best to have it done within
24-48 hours.  I don't have anyone hired to do this stuff, I do it on
my own.  I only ask that you be patient.

Sincerely,
Erick

http://www.tot-ltd.org
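
The hash-keyed blacklist/whitelist lookup Erick describes, and Dave's objection to whitelisting by filename, as an added Python example that is not part of this thread or of TT Livescan. The file contents, paths and list entries are constructed for the illustration; carrying SHA-256 beside MD5 is one common way to take the hash-collision worry Erick raises off the table, not something the thread says TT Livescan does.

```python
import hashlib

# Constructed stand-ins for files on disk (path -> bytes); not real Windows binaries.
SAMPLES = {
    r"C:\Windows\System32\notepad.exe": b"MZ-constructed-legitimate-notepad",
    r"C:\Users\bear\Downloads\notepad.exe": b"MZ-constructed-dropper-named-notepad",
    r"C:\Users\bear\Downloads\7zip.exe": b"MZ-constructed-unknown-third-party-tool",
}

def fingerprint(data: bytes) -> tuple:
    """(md5, sha256) of the file content. MD5 is kept because that is what the
    published lists are keyed on; SHA-256 rides alongside so an MD5 collision
    alone can never produce a 'clean' verdict."""
    return (hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest())

# Constructed lists keyed on content, never on file name or location.
WHITELIST = {fingerprint(SAMPLES[r"C:\Windows\System32\notepad.exe"])}
BLACKLIST = {fingerprint(SAMPLES[r"C:\Users\bear\Downloads\notepad.exe"])}

def classify(data: bytes, whitelist=WHITELIST, blacklist=BLACKLIST) -> str:
    """Verdict for one file's content. Blacklist wins over whitelist so a
    known-bad file that somehow landed in both lists is still reported."""
    fp = fingerprint(data)
    if fp in blacklist:
        return "malware"
    if fp in whitelist:
        return "clean"
    # MD5 matched a whitelist entry but SHA-256 did not: a collision or a
    # corrupted list entry. Either way it is not evidence the file is clean.
    if any(fp[0] == entry[0] for entry in whitelist):
        return "suspect-md5-only-match"
    return "unknown"

def name_only_match(path: str, allowed=("notepad.exe", "calc.exe")) -> bool:
    """The check Dave warns against, shown for contrast: it accepts both
    notepad.exe samples because it never looks at the content."""
    basename = path.replace("\\", "/").rsplit("/", 1)[-1]
    return basename.lower() in allowed

def scan(samples: dict) -> dict:
    """Per path: (content-hash verdict, what a name-only whitelist would say)."""
    return {path: (classify(data), name_only_match(path)) for path, data in samples.items()}

if __name__ == "__main__":
    for path, (verdict, by_name) in scan(SAMPLES).items():
        print(f"{verdict:24} name-only says clean={by_name}  {path}")
```

Run as-is, the renamed dropper is "malware" while the name-only check calls it clean, and a modified copy of the legitimate notepad (Dave's "trojanized" case) drops to "unknown" rather than inheriting the original's whitelist entry, because the lists key on content and not on where the file sits.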

Re: TT Livescan Updates + More

4bd38acc6a45@j15g2000yqm.googlegroups.com:


As a former developer of an antimalware program, I know perfectly well the
time table conditions. You're doing a good job. Keep at it.


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Re: TT Livescan Updates + More

It would appear the files that BB sent me are clean, so I'll go ahead
and add them to the whitelist database.    However, due to the nature
of the whitelist database update (adding in hashes for windows-based
drivers as well), the update will take place over the course of the
next few days, and hopefully be completed by Sunday.

aacd9b8e5e5e369c3518b86486cfc9d4
2d1c72072fec74fb0eca850ef8f9f93e
f3a37421dbd1aaa36558c97572c91c5a
3a93d3f85cdd2e5ebae705eab5dfd255
0f726644c5a8ca0f94a184ce917c66d4
4fb3d48e16b8f44f163b4cb749ac9a4f
8bdb45faf996428e39922f2da5718298
daf60e13e96ecb67f0edaa89c6b01b8d
7924bcce665ac92fc04cd45a46fe3e3d
ae70ae6f0760793d4893c3735eec7292
582f3a0ba61d8f0d50c66b592808b6d6
6701ddaf68bede6bbeea9d514d73a35b
329c3a58d5b5070a2a17c16c097fce4a
d6abc3c44e97beeea534e33e93ae97b4
0e135526e9785d085bcd9aede6fbcbf9

Sorry for any inconvenience.
http://www.tot-ltd.org

Re: TT Livescan Updates + More


This is not BearWare.  These are news groups where one is on freeware and the
other two are anti malware groups.

idbeholda has been posting for a few years now and has *always been welcome* and
doesn't need your specific welcome message or your branding.
idbeholda made numerous posts over the years concerning his anti malware
utility.  Very consistently over the past ~2.5 years.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: TT Livescan Updates + More

On 11/28/2011 7:10 PM, David H. Lipman wrote:
David, you do know you are responding to a forger right?

--
Bear
http://bearware.info

Re: TT Livescan Updates + More


Busted FORGER! You will not usurp me. And you don't have a web site.

--
Bear
http://bearware.info

Re: TT Livescan Updates + More

On 11/27/2011 9:09 PM, idbeholda wrote:

Unzips to its own folder and appears totally portable.

On first run of scanner.exe:
http://bearware.info/screenshots/20111128-17m-50kb.jpg

After about a minute:
http://bearware.info/screenshots/20111128-m9g-52kb.jpg

First attempt to run the program:
http://bearware.info/screenshots/20111128-q2s-52kb.jpg

Tried running scanner.exe again as administrator - no go - but I was
running as administrator anyway.

So, I sidelined it and may look into it later....maybe.

--
Bear
http://bearware.info

Re: TT Livescan Updates + More

On 11/28/2011 4:27 AM, Bear Bottoms wrote:
Still initializing.....I might just shut it down! No way to minimize it
that I can see...

Wow...it's doing all kinds of strange things...

I had to shut it down via the task manager. I restarted it and this time
it showed a scan progress bar and finally this screen:

http://bearware.info/screenshots/20111128-m6u-65kb.jpg

I selected no to clam av and it shows it is still initializing. Tried to
bring it from the background via the tray icon seems to destroy it and
the tray icon disappears. The only way to get rid of it is via the task
manager. I think I'll pass on this one for a while.

--
Bear
http://bearware.info

Re: TT Livescan Updates + More

On 11/28/2011 5:00 AM, Bear Bottoms wrote:
Well, I shut it down via task manager...but ran it again. After a quick
initialization this time (progress bar at the bottom was the only
indication) I clicked scan. Nothing happened...impatient I guess, so I
stopped it with the task manager...LOL...but it didn't go away...it
started scanning with a new entry in the task manager

http://bearware.info/screenshots/20111128-l95-46kb.jpg

Been running 10 minutes and it's at 3%. It's already alerted though I'm
pretty sure that's a false positive. I'll let it run and get back to
ya...(maybe later this afternoon)

http://bearware.info/screenshots/20111128-n58-57kb.jpg
--
Bear
http://bearware.info
