Trend Antispyware - another false positive?

See update 16 July 2005

This time it is “Windows Registry : SOFTWARE\Classes\AppID\bho.dll”, detected as 'adgoblin' by Trend:
(Associated CLSID 59AEAD8A-6822-4794-AF2E-8CC27312E26E)

On my system, that CLSID is associated with TechSmith's SnagIt product as its BHO AppID.

12 July: I have an update on Trend Micro's false positive for AdGoblin when Camtasia's SnagIt product is installed. I've been having an email conversation with the Lead Developer at Camtasia, and he confirms that the CLSID is theirs, and that this detection is a false positive. I can also confirm that allowing Trend to 'clean' the key from the Registry will not cause problems for the SnagIt toolbar in Internet Explorer, provided that the SnagIt toolbar has been enabled in Internet Explorer at least once. Also, Camtasia believe that allowing Trend to 'clean' this false positive will not break SnagIt's uninstall routine (my concern was that the IE toolbar would be left behind). Camtasia will complete further testing and advise if any problems may be experienced.

Now, all we have to do is get Trend to fix the false positive ... time is passing. I've been running the product for a few weeks now, but none of the reported false positives have been fixed.

A file called BHO.DLL has been used in the past by malware, but the file does not exist on this PC, nor does it exist on any other PC on which the registry entry has been detected. Generally if BHO.DLL is on the system, RSP.DLL and WINSTART.EXE will also appear, and entries will appear in the HOSTS file. Also, the PC would be troubled by pop-up advertisements.
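The corroboration check described above can be scripted. This is an added example, not part of the original post or any vendor tool: it looks for the three file names the post mentions and lists non-default HOSTS entries for review. The search root, the status names and the rule that HOSTS entries only count alongside the file are assumptions.

```python
import os
from pathlib import Path

PRIMARY = "bho.dll"                       # file name from the post
COMPANIONS = ("rsp.dll", "winstart.exe")  # companion files named in the post

def find_files(roots, names):
    """Case-insensitive search of the given directory trees for file names."""
    wanted = {n.lower() for n in names}
    hits = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() in wanted:
                    hits.setdefault(name.lower(), []).append(os.path.join(dirpath, name))
    return hits

def hosts_entries(hosts_path):
    """Active HOSTS mappings, ignoring comments and the default localhost line."""
    try:
        text = Path(hosts_path).read_text(errors="replace")
    except OSError:
        return []
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and [f.lower() for f in fields[1:]] != ["localhost"]:
            entries.append((fields[0], fields[1:]))
    return entries

def triage(roots, hosts_path):
    """Classify a registry-key detection by what else is on the machine."""
    files = find_files(roots, (PRIMARY,) + COMPANIONS)
    hosts = hosts_entries(hosts_path)
    companions = [c for c in COMPANIONS if c in files]
    if PRIMARY in files and (companions or hosts):
        status = "corroborated"   # file plus further indicators: investigate
    elif PRIMARY in files or companions:
        status = "partial"        # a name match alone proves nothing: inspect it
    else:
        status = "registry_only"  # key flagged, no files: the case in the post
    return {"status": status, "files": files, "hosts": hosts}

if __name__ == "__main__":
    win = os.environ.get("SystemRoot", r"C:\Windows")  # assumed search root
    print(triage([win], os.path.join(win, "System32", "drivers", "etc", "hosts")))
```

A "registry_only" result matches the situation on the PCs described here; any HOSTS entries returned still need a human to judge whether they are expected.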

I recommend that the bho.dll detection be ignored - do not 'remove' the 'threat' - to do so may break SnagIt's integration with other applications and the right click context menu ...

PC-Cillin (installed as part of Trend's Internet Security 2005 product) and Trend Antivirus SMB also misdetect adgoblin, and direct me to this page:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_LINST.A

Published Wed, Jun 29 2005 22:14 by sandi

Comments

# Trend Antispyware - update on false positives and other issues

Saturday, July 16, 2005 6:39 AM by TrackBack