Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: False Positives

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
NormanS False Positives
Member 4th Aug, 2010 22:46
Ranking: 2
Posts: 17
User Since: 18th Jan, 2009
System Score: N/A
Location: US
Today, October 4th, 2010, Secunia PSI reported three false positives:
1. Microsoft.NET Framework 2.x
2. Microsoft.NET Framework 3.x
3. Microsoft Windows XP Professional

The first two are false because Microsoft.NET is not installed at all. (I removed it a long time ago.)

The last one is false, since Microsoft Update does not report that my computer needs a Windows XP security update. Perhaps, the explanation is that the version of XP installed on this PC is Media Edition, not Professional.

I hope that Secunia corrects these false positives so that they will not reappear in the future.

--
NormanS

taffy078 RE: False Positives
Contributor 4th Aug, 2010 22:53
Score: 408
Posts: 1,340
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi NormanS.

It may be that the scan has picked up some old dross. Can you tell us

what file(s) Secunia has picked up as vulnerable? Here's how:

1 Go to the main Secunia PSI window & click on ‘Advanced’ if it’s underlined in blue. (Don't be put off by the name "Advanced"! It's easy to follow/use.)

2 Click on “+” to highlight & expand it.

3 Click on “Technical Details” (in Toolbox”)

4 This will give you the installation path of the vulnerable file. If you copy & paste it in your next reply here, we’ll be able to help.

Hoping this helps.


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+3
-1
NormanS RE: False Positives
Member 5th Aug, 2010 03:06
Score: 2
Posts: 17
User Since: 18th Jan 2009
System Score: N/A
Location: US
Hi Taffy078,

Thank you for your prompt and apt suggestion.

The advanced section listing Insecure programs lists the following programs:

Adobe Shockwave Player 11.x Version 11.5.6.606 (NPAPI)

Installation path: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
Extra Information: Uninstall versions prior to 11.5.0.600, restart the system, and install the suggested version. [Although this is not part of my stated problem, I intend to carry out the recommendation]

Microsoft .NET Framework 2.x

Installation path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspn et_wp.exe [This must be a left-over from having removed Microsoft.NET using Add/Remove Programs. NS]

Microsoft .NET Framework 3.x

Installation path: C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [This too must be a left-over from having removed Microsoft.NET using Add/Remove Programs. It probably got installed by Microsoft Update. NS]

Microsoft Windows XP Professional

Installation path: N/A

Symantec Norton AntiVirus 2006

Installation path: E:\I386\APPS\APP22849\src\NAV\External\NORTON\APP\ navapsvc.exe [This is on an HP Recovery drive; the file may have been added by my son before he gave me this computer; I do not use Norton; I use NOD32. I don't know what to do with this discovery.]

Regards,
NormanS



--
NormanS
Was this reply relevant?
+0
-0
taffy078 RE: False Positives
Contributor 5th Aug, 2010 08:09
Score: 408
Posts: 1,340
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 5th Aug, 2010 10:11
Hi NormanS.

Thanks for the info. My role on this query has been that of a "triage" - you now need an expert to help you. They'll be here soon. Take care.

EDIT - I downloaded the MS update on Tuesday on my desktop (XP). I've just done my laptop (Win7) and there are issues, including similar to yours. So I'll have to spend some time on that now! Murphy's Law!

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+2
-1
Anthony Wells RE: False Positives
Expert Contributor 6th Aug, 2010 13:55
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 6th Aug, 2010 14:08
Hello NormanS ,

Seems like you got left behind in all the chatter :(( I have given you a lot of info below , just try one unit at a time . No rush , ask if anything is not clear enough .

1)Adobe Shockwave Player up to date version is 11.5.7.609 for NPAPI and ActiveX

Use this link and then click on the "get Adobe Shockwave Player" link (on right side of webpage) , download and run the installer and this will update your version(s) :-

http://www.adobe.com/

2)When I removed .NET from my PC using "add/remove" it left behind files in C:\WINDOWS\Microsoft.NET\... (This was not a problem for me as I did a reinstall - I was having problems with an M$ .Net patch - surprise , surprise) .

There should be updates for your files from M$ , but some posters have said they do not download correctly . If the PSI no longer displays .NET then this could/might also (?) explain why XP is showing as "insecure"

Cleaning up after .Net is a problem . If you scroll down to Maurice Joyce's post in this thread , you will get lots of help :-

http://secunia.com/community/forum/thread/show/424...

Lower down he links to Raymondblog and that has advice on Aaron Stebner's Clean Up Tool for .Net . Could be useful for you if you go for the full kill .

3)Is your XP still showing as "insecure . Any M$ downloads must be followed by a reboot and full scan , check no further M$ updates , reboot and (full) rescan .

4)Your "E" drive as a recovery/back up and \I386\ files are not available to the "bad guys" so you are doubly safe .

As the folder/file is in a back up system and is therefore not accessible to the "bad guys" , you can set an "ignore rule" for the particular programme by clicking on the "ignore program" icon in the "toolbox" and agreeing the proposed rule ; it will be displayed at the bottom of the "settings" tab page . The programme is still scanned by the PSI but the result of the programme scan is not displayed to you .

If your "recovery" drive is all back up with no active files you can set a rule at the bottom of the "settings" tab page so that none of the scan result for the drive is displayed ; for example : give the "rule name" any name you like and for the "rule" , if it is your "E" drive , you would make the rule E:\

All the "E" drive is scanned but no results would be displayed ; if you then add a folder name after the E:\ , then only that folder or any sub-folder will be not be displayed and so on .


Let us know how you get on , one step at a time .

Anthony



--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0
NormanS RE: False Positives
Member 6th Aug, 2010 17:44
Score: 2
Posts: 17
User Since: 18th Jan 2009
System Score: N/A
Location: US
Hi Anthony,

TOTAL SUCCESS! No more false positives; no more real positives either, at least not after re-running Secunia a few minutes ago.

I got rid of the false positives associated with .NET Framework using Stebner's cleanup tool. Then I rebooted and ran a Microsoft update, which, on this occasion, no longer insisted on .NET Framework updates and did reveal the need for a Windows XP update.

With your help, the other issues were a piece of cake.

Still, I think Secunia may have a minor bug: It indicated that I had to update Windows XP Professional, but my OS is Windows XP Media Center.

In any event, thank you, Taffy078, and everyone else at Secunia.



--
NormanS
Was this reply relevant?
+1
-0
Anthony Wells RE: False Positives
Expert Contributor 6th Aug, 2010 18:08
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello NormanS ,

Thank you for bringing us up to date ; it's nice when a cunning plan comes together :))

The PSI does on occasion mix up the variety of XP which it records ; it may right itself it may not .

If not and it concerns you , then you might until Monday next (Secunia do not work on the PSI at weekends) to see if they pick up this thread ; again , if not , you can tell them of your error/bug by email to support@secunia.com

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0

taffy078

RE: False Positives
[+]
This reply has been minimised due to a negative Relevancy Score.
thedillpickl RE: False Positives
Contributor 7th Aug, 2010 03:33
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
@ Anthony; I am not 100% (maybe 97%), but AFAIK Media Center is XP Pro with some goodies added*. XP Home is not the same duck, so is detected as different. Will research if requested.


Carry on;

Fred

*And, of course, a new name.

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+2
-0
NormanS RE: False Positives
Member 7th Aug, 2010 03:58
Score: 2
Posts: 17
User Since: 18th Jan 2009
System Score: N/A
Location: US
Hi Fred and Anthony,

An interesting discussion over Windows XP Pro Vs. Windows XP Media Center appears at http://forums.cnet.com/5208-6142_102-0.html?thread... One of the entries makes it clear that the Media Center version is Pro +. Who'd have guessed? That would explain why Secunia listed XP Pro as the update in question as it probably applied to both. Still, not knowing what I now know, the reference to Pro while I had the Media Center version was confusing to me.

--
NormanS
Was this reply relevant?
+0
-0
thedillpickl RE: False Positives
Contributor 7th Aug, 2010 04:43
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Hi NormanS;

I was thinking that Media Center had embellishments to the Media Player for playing DVD's and an infrared remote control (sold separately, I bet). My laptop with Pro has HP Quickplay which (surprise, surprise) is Quicktime.

Anyhow, good to hear you're unconfused and OK.


Regards;

Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+0
-0
Anthony Wells RE: False Positives
Expert Contributor 7th Aug, 2010 12:25
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 7th Aug, 2010 12:33
Hello again ,

FWIW this is what WIKI says on XP , scroll down for Media Centre :-

http://en.wikipedia.org/wiki/Windows_XP_editions

After a (very) quick "scan" it seems that the base is Pro and/or Pro + ; if memory serves there are also 32 & 64 bit variations/complications . All much too "techie" for me .

QUOTE : "Media Center Edition retains most of the features included in Windows XP Professional as it is simply an addon to Professional, installed when provided with a valid MCE product key during setup."UNQUOTE

You may want to ask Secunia if/how/when/whether they differentiate : eg : they refer to my Internet Security Suite as the A/V Pro version ; doesn't bother me , so I've never raised it with them .

Busy now , enjoy your "purple" weekend .

Anthony


--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0
thedillpickl RE: False Positives
Contributor 7th Aug, 2010 16:11
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
So.......

You know I had to read the Cnet thread & Wiki article in their entirety. Reads like ancient history now. :( Maybe I do need to try 7!

Anyhow, the two agree (except a couple of posters on Cnet) that MC is an add on to Pro. Certain features of Pro are disabled, notably the ability to join a domain. This is of no consequence to a home user, at least almost never. Wiki says one value changed in the registry (arghhh!) will turn this back on.

There was a MS remote!!! In 2005 they released their own (built by someone else, to be sure), my memory hasn't completely left yet!

Thanks guys for letting me relive & rejoice!


Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+0
-0
newpost RE: False Positives
Member 7th Aug, 2010 16:30
Score: 2
Posts: 34
User Since: 7th Aug 2010
System Score: N/A
Location: DE
Last edited on 7th Aug, 2010 16:32
Hi Scunia-Team,

PSI shows a false positive for this Update:
http://secunia.com/advisories/40647/
Microsoft Windows Shell Shortcut Parsing Vulnerability

I have to say that this update is installed and PSI has from time to time some false positives that are not solved by you for a long time. That is bad. And so your statistic is also bad.

P.S.: Newer Post should appear above and not on the bottom. It is not so nice. Please try to change it. Thank you in advance.
Was this reply relevant?
+0
-0
Anthony Wells RE: False Positives
Expert Contributor 7th Aug, 2010 17:19
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 7th Aug, 2010 17:25
Hello @newpost ,

You are Hijacking @NormanS's post which is also very not nice .

Your problem has nothing visibly to do with the OP's problem .

As this tread is almost finished anyway and the OP is likely to close it any time , I suggest you create your own thread and repost there - see the list under Forum in the left hand column of this page . Take my advice and avoid the "vulnerabilities" thread and most definitely do not post directly to/under the SA you refer to .

Secunia do not work on the PSI on weekends so the S(e)cunia-Team will not be back before Monday ; in the meantime there are plenty of volunteer Forum helpers to look at your problems and deal with your supposed "false positives" , if you post full details as @NormanS did in response to @taffy' suggestion (read thruogh all of this thread ).

See you in your own thread :)

Take care

Anthony

PS : The new posts last mean that you have to read through and , hopefully , understand what is posted - saves jumping in on the wrong thread - especially when the title of the thread is too general or misleading :eg : what most people call "false positives" are not ; the PSI has very few "real FP's .

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0
thedillpickl RE: False Positives
Contributor 7th Aug, 2010 17:49
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Hi newpost;

Welcome to the Secunia forum.

Thanks for you interest in a possible false positive. Most are found to be remnants or backup/archives. We would be happy to look into this further. You need to start a new thread to have this checked into.

Unless a poster is marked as a "Secunia Official", they are a volunteer and as such cannot direct Secunia to make changes. Secunia is very open to new ideas & suggestions. To my knowledge, Secunia has been prompt at correcting false positives.

We prefer to view posts in order of first to last. This is a problem solving forum. As such, we want the problem at the top. This is done so it's easier to search though threads to see if a current problem has already been solved. If the first post (presenting the problem) were on the bottom, you would be required to scroll through the entire thread to see it. I am sorry if this is a bother to you, but it works for us.


Regards;

Fred

p.s. @Ant, sorry, couldn't help myself. :)

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+0
-1
newpost RE: False Positives
Member 7th Aug, 2010 18:02
Score: 2
Posts: 34
User Since: 7th Aug 2010
System Score: N/A
Location: DE
Sorry, I'm not familiar with this forum yet. I wanted only to send a e-mail to the support team but there is no e-mail address for it.
Was this reply relevant?
+0
-0
Anthony Wells RE: False Positives
Expert Contributor 7th Aug, 2010 18:25
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 7th Aug, 2010 18:28
As you see @newpost , Fred is the worst hijacker/pirate of them all and he'll walk the plank one day :)).

If you send an email to support@secunia.com , almost inevitably they will tell you to come to the Forum and look for the answer or post your problem here ; unless it is a technical point where your system and problem requires a rule change . They also read most threads on a daily basis (during the week) and will jump in if they think it is useful .

Like I said , repost your problems (with more detail , please) here in your own thread and someone will sort the problem for you .

Take care

Antony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
thedillpickl RE: False Positives
Contributor 7th Aug, 2010 18:30
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Hi newpost;

No need to apologize, those of us who've been around awhile are still getting used to all the new posters. That's a good problem though, it means more people interested in security.

Start a new thread* (see below, if help's needed). In the PSI forum, I would suggest the header topic be "False positive? http://secunia.com/advisories/40647/ ". Simply state your observation. Someone, such as my self, will come along to help sort it out. Monday, Secunia may join in if the problem eludes us. If required Secunia will request that you contact them by e-mail.

Let's get off this thread before NormanS catches us!


Fred

p.s. *In case you need this:
=======
For help 'fixing' a specific problem, start a new thread. Click on "Create Thread", on the left. You can also click on the "Create new thread" button, at the top of the list of threads (directly under the search box).

To ask a question about a particular program, select "Programs" forum. To ask about PSI, select "PSI" forum, etc.

In the "Topic" box, use something descriptive like "Adobe Reader download fails", this will get help faster.
=======

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+1
-1
thedillpickl RE: False Positives
Contributor 7th Aug, 2010 18:34
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
on 7th Aug, 2010 18:25, Anthony Wells wrote:
As you see @newpost , Fred is the worst hijacker/pirate of them all and he'll walk the plank one day :)). ...

Thanks!?! I think.


Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+0
-1

This thread has been marked as locked.


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability - Disclaimer