Can hooks generate false positives in AV software and privacy keyboards?

Universal344
Posts: 30
Joined: Mon Aug 11, 2008 3:32 pm

Can hooks generate false positives in AV software and privacy keyboards?

Post by Universal344 » Thu Sep 04, 2008 12:11 am

I was recently researching whether or not Rocketdock was safe, and some people reported that it had a keylogger. One person stated that ZA antivirus found a keylogger, and another said their privacy keyboard blocked one of the program's modules. Apparently Rocketdock makes use of hooks; could these generate false positives in an AV program or privacy keyboard?

Thanks!

lordpake
Posts: 321
Joined: Tue Apr 15, 2008 5:57 pm

I myself haven't used

Post by lordpake » Thu Sep 04, 2008 5:48 am

I myself haven't used Privacy Keyboard, or any ZA products for a long time now. I however do use Kaspersky Internet Security, and it does alert, depending on the game in my case, about keylogger detection.

This is part of KIS's Proactive Defence, which is intended to alert about the presence of unknown malware based on its behaviour, and in this case, it does bring some false positive detections.

If I'm not mistaken, ZA AV is from Kaspersky :) So it would be interesting to know whether this is legit detection, or a Proactive Detection.

"Men make good pets."

Universal344
Posts: 30
Joined: Mon Aug 11, 2008 3:32 pm

My guess is it's a false positive

Post by Universal344 » Thu Sep 04, 2008 11:45 am

The program that was reported by ZA AV and the privacy keyboard to have a keylogger was Rocketdock. And other than those couple of incidents I haven't read anything else about it being malicious. In fact everything else I've read (reviews and user comments) says it's a fantastic product and works perfectly. And I did a lot of research on this.

The future is open.

Linux.

lordpake
Posts: 321
Joined: Tue Apr 15, 2008 5:57 pm

Heh :) Yeah it'd seem that

Post by lordpake » Thu Sep 04, 2008 4:13 pm

Heh :) Yeah it'd seem that those two are isolated false positives.

If in doubt, you can always upload executables to several online services that scan them against multiple engines. Do note that several engines again produce false positives, for example when scanning UPX-packed files. So, for example, detections like unknown/heuristic/heurgeneric etc. that do not give specific detections may very well be false positives.

http://www.virustotal.com/
http://virusscan.jotti.org/
http://virscan.org/

It never hurts to ask for opinions from more experienced people in computer security forums, such as here, CastleCops, etc. :)

"Men make good pets."
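The triage approach in the reply above (treat heuristic/generic labels from a multi-engine scan as weak evidence, and check for UPX packing, which is itself a known source of false positives) can be turned into a small script. The following is an added example written for this thread, not code from any of the posters or from the scanning services linked above; the scan results are a constructed dictionary standing in for whatever a multi-engine service returns, the detection labels are made up, and the "PE" files it inspects are constructed header-only byte strings, not real executables.

```python
import struct

# Fragments that mark a heuristic or generic verdict rather than a named
# family. Constructed list for this example; tune to the engines you use.
GENERIC_MARKERS = ("heur", "generic", "unknown", "suspicious", "packed", "upx", "gen.")


def is_generic_detection(name):
    """True when a detection label looks heuristic/generic, e.g. 'Heur.Generic.1'."""
    lowered = name.lower()
    return any(marker in lowered for marker in GENERIC_MARKERS)


def triage(results):
    """Summarise a multi-engine scan.

    results: dict mapping engine name -> detection label, or None for no hit.
    Named (non-generic) detections from several engines are strong evidence;
    generic-only hits are exactly the case the thread flags as likely FP.
    """
    hits = {eng: label for eng, label in results.items() if label}
    specific = {eng: lbl for eng, lbl in hits.items() if not is_generic_detection(lbl)}
    generic = {eng: lbl for eng, lbl in hits.items() if is_generic_detection(lbl)}
    if not hits:
        verdict = "clean (no detections)"
    elif not specific:
        verdict = "probably false positive (heuristic/generic only)"
    elif len(specific) == 1:
        verdict = "needs review (one named detection)"
    else:
        verdict = "likely malicious (multiple named detections)"
    return {"engines": len(results), "detections": len(hits),
            "specific": specific, "generic": generic, "verdict": verdict}


def pe_section_names(data):
    """Return the section names of a PE image, or [] if it is not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """UPX names its sections UPX0/UPX1; a cheap hint that packer FPs are plausible."""
    return any(name.upper().startswith("UPX") for name in pe_section_names(data))


def build_fake_pe(section_names):
    """Constructed header-only PE-shaped bytes for testing; not a runnable binary."""
    pe_off = 0x40
    dos = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", dos, 0x3C, pe_off)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + coff + sections


# Constructed sample scan results (labels are invented for the example).
SAMPLE_GENERIC_ONLY = {"EngineA": "Heur.Generic.1", "EngineB": "Packed.UPX",
                       "EngineC": None, "EngineD": None}
SAMPLE_NAMED = {"EngineA": "Trojan.Win32.Example.a", "EngineB": "Spyware.Example.b",
                "EngineC": "Heur.Generic.1", "EngineD": None}

if __name__ == "__main__":
    print(triage(SAMPLE_GENERIC_ONLY)["verdict"])
    print(triage(SAMPLE_NAMED)["verdict"])
    print("UPX sections:", looks_upx_packed(build_fake_pe(["UPX0", "UPX1", ".rsrc"])))
```

Real scanner output would be fed into `triage` after mapping each engine's result to a label or `None`; the point of `looks_upx_packed` is only to tell you in advance that a pile of "Packed"/"Heur" labels on a file is the packer-FP pattern the reply describes, not proof of a keylogger.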
