Adware.cpush detection

I received what appears to be yet another false positive in Symantec Antivirus. Adware.cpush was detected in c:\program files\filezilla\uninstall.exe.
Filezilla is an FTP/SFTP program from Mozilla. This has been on my computer for a while, so I tend to believe it is a false positive. I’ll update this thread if I see anything from Symantec on this subject.
Update 7/16 12:20pm:
Symantec sent out the following email:
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, July 16, 2007 12:13 PM
Subject: LiveUpdate posting to correct False Positive
The July 16, 2007 LiveUpdate posting will correct a false positive detection
on some installers or tools created using the Nullsoft Scriptable Install
System (NSIS). This FP caused such files to be incorrectly detected as
Adware.CPush. This FP was first introduced in
RapidRelease definitions build number 70817 (version 07/14/2007 revision 32)
and in the 07/15/2007 revision 2 LiveUpdate and Intelligent Updater
definitions. It was corrected in RapidRelease definitions build number 70822
(version 07/15/2007 revision 4).
Today’s LiveUpdate and Intelligent Updater definitions will also correct
this FP. These definitions will have the version 07/16/2007 revision 21.
Current ETA for posting is 10:30AM PDT. An additional message will be sent
approximately 30 minutes before the LiveUpdate virus definitions are
available for download.

14 Comments

  1. Hmmm. I just got a notification of the same Adware.cpush today. On my PC, Norton said it was in secondlife/uninstall.exe
    I wonder if there’s something about uninstall.exe files that Norton misreads? Or is it possible that someone has figured out an exploit that works within uninstall.exe files?

  2. The same happened on my system today, one day after you posted about this issue. Either the latest Symantec definitions are a little buggy, or CPush has been updated to hijack Filezilla’s uninstaller…

  3. It’d be great if you kept us updated, Roger. My client install of SAV Corporate 10.1.5 is reporting this as well, and I haven’t found a way to set it to ignore the executable.

  4. I received the same notification this morning. I’ve been using Filezilla for at least a couple years on multiple PCs and this is the first I’ve heard of this. I’m interested in what you find from Symantec.

  5. I, too, received the same message today and suspect it to be a mistake because FileZilla’s been installed for a while.

  6. I haven’t seen anything from Symantec, but it looks like rapid release defs version 7/16 rev 5 fix this problem. It didn’t automatically restore the files from quarantine though.

  7. I just had this result turn up but it was associated with WINAMP, which I’d had installed on my computer for years. I cannot find any info on WINAMP having spyware–so I believe it’s a false positive too. Even better–it’s on my work PC so I got hammered for putting spyware on (and it’s not).

  8. Donna’s Security Flash is reporting the same detection on RogueRemover by Malwarebytes.org.
    I’ve updated my original post with an email I got from Symantec a moment ago. They report the problem is fixed in the rapid release defs and they will be updating live update late today.

  9. We had this issue with Apache Tomcat 1.6. The temporary solution if you don’t want to pull down the rapid release definitions is to ignore the detection of adware.cpush by adding it to the global risk exclusions.
