You are here

VirusScan On-Access Scan Messages

13 posts / 0 new
Last post
amarsh
Offline
Last seen: 13 years 7 months ago
Joined: 2007-01-11 09:45
VirusScan On-Access Scan Messages

Worked fine on Wednesday at work. This morning, I ran the program and got:

VirusScan Alert!
Date and Time: ...
Pathname: C:\Documents and Settings\ACMarsh\Local Settings\Temp\nsj126.tmp\registry.dll
Detected As: Generfic StartPage.r
State: Deleted

Any ideas why this is happening?

John T. Haller
John T. Haller's picture
Online
Last seen: 39 min 19 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Simple Answer

1. Your antivirus client is having an issue and throwing a false positive
2. You didn't follow the instructions at the top of the support page that tell you to verify this with another antivirus client before posting here.

Sometimes, the impossible can become possible, if you're awesome!

amarsh
Offline
Last seen: 13 years 7 months ago
Joined: 2007-01-11 09:45
Portability

Sorry for not double checking... when I launch ClamWin Portable I get a similar error. I guess my real question is if the application is portable, why does launching it either access or create the file C:\Documents and Settings\ACMarsh\Local Settings\Temp\nsj126.tmp\registry.dll?

Thanks!

ZachHudock
ZachHudock's picture
Offline
Last seen: 1 year 11 months ago
Developer
Joined: 2006-12-06 18:07
Has to back up local

Has to back up local settings, copy portable settings into place, then when you close the portable version it restores your local settings for that app.

The developer formerly known as ZGitRDun8705

rab040ma
Offline
Last seen: 5 months 1 day ago
Joined: 2007-08-27 13:35
Most programs create temporary files.

Most programs create temporary files. It is generally faster (and harmless) to put temporary files in the OS-designated temporary files folder, especially if you clean them up when you are done (though not every program is good about cleaning up).

One could put the temporary files on the USB storage device, but that can be slow, and especially on Flash devices, very slow. Since there can be a lot of temporary file activity, having the temporary file on a Flash device can reduce its expected life. It could be worth it, however, if you need to keep temporary files off the host computer's hard drive.

MC

Richardk
Offline
Last seen: 17 years 1 month ago
Joined: 2006-11-11 17:36
Revert the McAfee .DAT back to 5149

I just used the SuperDAT for 5149 (sdat5149.exe) along with the -f commandline option to force the use of the files in the SuperDAT to revert from 5150 back to 5149. No more Virus Alerts everytime you start or shutdown FirefoxPortable. Hopefully McAfee will get this fixed in the next DAT update.

Richardk
Offline
Last seen: 17 years 1 month ago
Joined: 2006-11-11 17:36
.DAT 5151 fixes this false positive

Today's .DAT (5151) no longer flags/removes registry.dll

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Thanks

I would like to thank the OP for this information.

Personally I think it is appropriate to bring "false positives" to the attention of the group for the app in question.

Please note that I am distinguishing between:
"Help, XYZ found a virus on my machine!!!!!!"
and
"I would like to report what I believe is a False Positive found in Portable App ABCportable so that you may be aware and prepared".

As a result of todays postings [this one and https://portableapps.com/node/9834 ] I am going to tell McAfee VirusScan to exclude files called "registry.dll" from on access scans before I update [as opposed to not updating, which I consider too risky]. Doing this might involve some risk as well I realize, but I am willing to take that chance as I think it is unlikely McAfee will update over the weekend.
[Note that according to http://virusscan.jotti.org/ AND http://www.virustotal.com/ AVG Antivirus is detecting a virus as well]

Personally I think PA.com should be appreciative of these False Positive Alerts and proactive in establishing a quick and effective means of communicating with the larger, established Antimalware companies rather than rely on the end user to know what to do and how.

e.g.
"Hi this is Sam from Portable Apps.com AGAIN. You product is producing a FP in attached file "abcdef.dll" . Please look into this and update your definitions according. Thanks as always, Sam, your contact here at PortableApps.com As always, if you have questions or concerns feel free to contact me at our prearranged contact number/address."

I think this would expedite the process greatly and be of benefit to all involved. After all, who looks bad if I try to run FFP on someones machine and the first thing they see is their Antivirus protection go off, first me, than FFP.

Can you just hear it?,
"No, really your Norton/AVG/McAfee is wrong! I downloaded this free version of Firefox from a site you never heard of, but it's safe, really it is, trust me."

In the same situation I would rip that flash drive out of my computer so fast that my usb port would break and I would never let that person near it again Sad

So, again I thank the OP and If anyone has quick access to the AntiVirus companies in question could you please notify them.

Tim
//I am gonna get so flamed for this Sad aren't I? //

Things have got to get better, they can't get worse, or can they?

rab040ma
Offline
Last seen: 5 months 1 day ago
Joined: 2007-08-27 13:35
Reporting false positives

Personally I think PA.com should be appreciative of these False Positive Alerts and proactive in establishing a quick and effective means of communicating with the larger, established Antimalware companies rather than rely on the end user to know what to do and how.

Well, having a bunch of Virus Alerts! show up in the support forums can be alarming to novices, even if they are false and not PA's fault.

Perhaps there could be a forum just for Virus reports, to keep them out of the Support forums... Maybe someone could keep a tally in an AV Provider hall of shame to show which is throwing the most false positives on Nullsoft components or other common and harmless files -- give them an incentive to be more careful.

I still think it would be good on AV reports to include an MD5sum or confirm that the code signature is intact, so we can be sure we're all talking about the same file.

MC

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Agreed

MC,

I think you are correct, a forum for reporting FPs would be a good idea. I think the check sum idea is a good idea as well for established users [Though in fact we are always talking about the same file Smile ]

It is unlikely that "novices" will be using a check sum app [or even know what we're talking about].

Tim

Things have got to get better, they can't get worse, or can they?

awake
Offline
Last seen: 15 years 5 months ago
Joined: 2007-08-14 23:24
I thought it was fake

I started getting the same messages Friday and thought I was crazy for a second...

I even backed up my bookmarks, removed the firefox version i had and reinstalled the latest version but McAfee still comes up with a virus alert...

It's doing the same darn thing for thunderbird also...

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Not much you can do for now

None of these steps will help.
The problem is with the file "registry.dll" which is created by every launch of FFP [and apparently other PA's programs as well.

Until McAfee and the AVG remove this detection from their database the only thing you can do is tell your AV program to not scan/ignore files called "registry.dll"

Unfortunately you can't give a path to the file as differently named directory is created each time you launch the program.

By excluding all occurrences of "registry.dll" this should stop the detection for all PA's that create that file.

Warning, it is possible that there could be a "registry.dll" out there that is NOT from PA.com and therefore not safe. If you take these measures no file with this name will be scanned. There is a risk in doing this. Use your best judgment.

{EDIT: Lurking_Biohazard recommends turning off Heuristic scanning as another option. Again, use your best judgement.}

Tim

Things have got to get better, they can't get worse, or can they?

stabnore
Offline
Last seen: 16 years 11 months ago
Joined: 2007-08-03 17:57
False Pos

I recognized this as a false positive almost immediately but the problem is my workplace uses McAfee and I can't use a file that they recognize as a virus.

I can just see it now "Oh, It's OK guys it's not a real virus I know what I am doing." My IT department won't let me get away with that.

So that creates a problem where I can't use the portable product at work and I can just use the full version of Firefox at home. I have not tried installing the full version of Firefox on a work computer so I don't know if the problem existed there or not.

Log in or register to post comments