Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Trend Antispyware – another false positive?

June 29th 2005 in Uncategorized

See update 16 July 2005

This time it is “Windows Registry : SOFTWARE\Classes\AppID\bho.dll”, detected as ‘adgoblin’ by Trend:
(Associated CLSID 59AEAD8A-6822-4794-AF2E-8CC27312E26E)

On my system, that CLSID is associated with TechSmith’s SnagIt product as its BHO AppID.

12 July:   I have an update on Trend Micro’s false positive for AdGoblin when Camtasia’s SnagIt product is installed.  I’ve been having an email conversation with the Lead Developer at Camtasia, and he confirms that the CLSID is theirs, and that this detection is a false positive.  I can also confirm that allowing Trend to ‘clean’ the key from the Registry will not cause problems for the SnagIT toolbar in Internet Explorer, provided that the SnagIt toolbar has been enabled in Internet Explorer at least once. Also, Camtasia believe that allowing Trend to ‘clean’ this false positive will not break SnagIt’s uninstall routine (my concern was that the IE toolbar would be left behind).  Camtasia will complete further testing and advise if any problems may be experienced.

Now, all we have to do is get Trend to fix the false positive …. time is passing.  I’ve been running the product for a few weeks now, but none of the reported false positives have been fixed.

A file called BHO.DLL has been used in the past by malware, but the file does not exist on this PC, nor does it exist on any other PC on which the registry entry has been detected.  Generally if BHO.DLL is on the system, RSP.DLL and WINSTART.EXE will also appear, and entries will appear in the HOSTS file.  Also, the PC would be troubled by pop-up advertisements.
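The indicators listed above can be checked in one read-only pass. This PowerShell script is an added example, not part of the original post or of any vendor's tool; the `AppID` value name, the two directories searched and the localhost filter on the HOSTS file are assumptions.

```powershell
# Added triage example, not from the original post. Read-only: it changes nothing.
$appIdKey = 'HKLM:\SOFTWARE\Classes\AppID\bho.dll'    # key named in the detection
$posted   = '59AEAD8A-6822-4794-AF2E-8CC27312E26E'    # GUID quoted in the post
# Note: on 64-bit Windows a 32-bit program may register under
# SOFTWARE\WOW6432Node\Classes instead; only the native view is checked here.

# 1. Which GUID does the flagged key point at, and what is it labelled?
$guid = $null; $label = $null
if (Test-Path -LiteralPath $appIdKey) {
    # Assumption: the GUID sits in a value named "AppID" under this key.
    $guid = (Get-ItemProperty -LiteralPath $appIdKey).AppID
}
if ($guid) {
    $guidKey = "HKLM:\SOFTWARE\Classes\AppID\$guid"
    if (Test-Path -LiteralPath $guidKey) {
        $label = (Get-ItemProperty -LiteralPath $guidKey).'(default)'
    }
}

# 2. Are the files the post associates with the real malware on disk?
# Assumption: only the Windows and System32 directories are searched.
$dirs  = $env:SystemRoot, (Join-Path $env:SystemRoot 'System32')
$files = @(foreach ($d in $dirs) {
    foreach ($n in 'bho.dll', 'rsp.dll', 'winstart.exe') {
        $p = Join-Path $d $n
        if (Test-Path -LiteralPath $p -PathType Leaf) { $p }
    }
})

# 3. HOSTS lines that are neither comments, blanks, nor localhost mappings.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostLines = @()
if (Test-Path -LiteralPath $hostsPath) {
    $hostLines = @(Get-Content -LiteralPath $hostsPath | Where-Object {
        $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*\S+\s+localhost\s*(#.*)?$'
    })
}

# 4. Summarise. A key carrying the posted GUID with none of the files present
#    matches the false-positive picture the post describes.
$sameGuid = [bool]$guid -and (($guid -replace '[{}]', '') -ieq $posted)
[pscustomobject]@{
    KeyPresent           = Test-Path -LiteralPath $appIdKey
    Guid                 = $guid
    GuidLabel            = $label
    MatchesPostedGuid    = $sameGuid
    FilesFound           = $files
    HostsLinesToReview   = $hostLines
    MatchesFalsePositive = $sameGuid -and ($files.Count -eq 0)
} | Format-List
```

Lines reported under `HostsLinesToReview` are listed for manual inspection only, since legitimate custom entries also land there.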

I recommend that the bho.dll detection be ignored – do not ‘remove’ the ‘threat’ – to do so may break Snagit’s integration with other applications and the right click context menu … 

PC-Cillin (installed as part of Trend’s Internet Security 2005 product) and Trend Antivirus SMB also misdetect adgoblin, and direct me to this page:
