TrendMicro Antispyware for the Web causing issues again - this time nuking the Windows Genuine Validation Tool

sandi — Sat, 11 Mar 2006 00:46:00 GMT

Important Update: http://msmvps.com/blogs/spywaresucks/archive/2006/03/15/86345.aspx

------------------------------------------------------------------------------

This could prove to be a very serious problem.

The Windows Genuine Advantage Validation Tool *must* be installed before many downloads are made available to users via Windows Update and the Download Centre.

Trend Micro Antispyware for the Web is detecting the Windows Genuine Advantage Validation Tool KB892130 CLSID as Adware_iSearch. Once the CLSID is deleted by TMAS, the user will be re-prompted to download KB892130 the next time he or she goes to Windows Update.

Check out this thread:
http://aumha.net/viewtopic.php?t=18492&postdays=0&postorder=asc&start=0

I'm going to pass this on to George and Andy at Trend... we need to make sure that SMB product is not being affected in the same way - I'm betting it is.

Generally the Corporate (SMB) version is updated very quickly when false positives like this are found. Those responsible for the consumer space, including online web scan are much slower to react. Trend's history of delay in fixing false positives in the consumer versions of Antispyware will be a big problem this time. Please guys, let's get this sorted damned fast.

Charles (aka Chasbox in the aumha.net forum) did very well to draw the connection between TMAS and the Windows Update problem he is seeing. I've confirmed the problem on several PCs.

Here is the alert.

The threat details:

The CLSID key being flagged:

The key you see is the *only* entry in the Ext folder, therefore must be the source of the alert.

DO NOT ALLOW THE TREND PROGRAMME TO DELETE THE CLSID

BTW, Trend Micro Antispyware on the Web seems to be broken in IE7, at least it is for me... had to fire up IE6 on another PC on my network to confirm the false positive. Its a bit hard to select 'Start Scan' when there's no scan button to click on... ;o)

------------------------------------------------------------------------------

Update - 12 March 06, 12.10am Perth, WA time (+0800): The false positive has, apparently, been fixed for the packaged product (pattern 3.31) since 10 March, but NOT the online scan. I know, because I tested the online scan 10 minutes ago.

This is a source of ongoing frustration to me. The packaged product is fixed quickly when a false positive, but the online scan can be left, at times, for months. I despair.

Spyware Sucks : Security, safety and privacy on the Internet, I ain't happy about this....., Internet Explorer 7

TrendMicro Antispyware for the Web causing issues again - this time nuking the Windows Genuine Validation Tool