NewBlueFX - anybody's AV claim it's a Trojan?

Himanshu wrote on 12/9/2008, 7:46 PM

Microsoft Forefront Client Security says that NewBlueFX contains a trojan - anyone else seeing that with any other AV software? I've written to NewBlueFX support about what FCS says is installed:

TrojanDropper/Renos.N

with this additional information:

Category:
Trojan Dropper

Description:
This program is dangerous and installs other programs.

Advice:
Remove this software immediately.

Programs that may compromise your privacy or damage your computer were detected. You can still access the file without removing the threat, although this is not recommended. To do so, select "Always Allow" as the action and click the "Apply Actions" button. If this option is not available, log on as an administrator or ask an administrator for help.

Detected by:
Definition file

Resources:
regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NewBlue VideoFX MSP

regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NewBlue Halovision

regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NewBlue Cartoonr for Vegas

regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NewBlue Cartoonr for Studio

uninstall:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NewBlue VideoFX MSP

uninstall:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NewBlue Halovision

uninstall:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NewBlue Cartoonr for Vegas

uninstall:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NewBlue Cartoonr for Studio

file:
D:\Program Files\NewBlue\VideoFX MSP\Uninstal.exe

file:
D:\Program Files\NewBlue\Halovision\Uninstal.exe

file:
D:\Program Files\NewBlue\Free Effects for Vegas\Uninstal.exe

file:
D:\Program Files\NewBlue\Free Effects for Studio\Uninstal.exe

View more information about this item online:

http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanDropper%3aWin32%2fRenos.N&threatid=2147616474

Comments

Himanshu wrote on 12/9/2008, 7:50 PM

Please ignore - I saw this issue in the log file, but I just checked MS's web site and they seem to have updated information as of today 2008-Dec-9:

On 19th November a signature for TrojanDropper:Win32/Renos.N started detecting particular uninstall files. This incorrect detection affects users of all Microsoft Antivirus solutions, including MSRT (Malicious Software Removal Tool) December 2008 (version 2.5.2419.0). On 9th December Microsoft released a new signature that addresses the issue. Signature versions 1.49.299.0 and higher include this fix, as does the latest version of MSRT December 2008 (version 2.5.2423.0).

So apparently a signature file needs to be downloaded. I'll wait till the windows update is downloaded and check again.

jabloomf1230 wrote on 12/10/2008, 7:11 AM

I'd say it's a false alarm. I have NewBlueFX installed on one of my machines running Vista x64 and Avast A/V and it doesn't show any malware issues.