SpyDLLRemover & Misconceptions
No software is perfect in this world, and neither is SpyDllRemover. I am writing this post to clear up some of the misconceptions about SpyDllRemover. People often complain that SpyDllRemover is showing false positives, or listing a legitimate DLL as malicious.
SpyDLLRemover uses a heuristic approach to determine the type of threat, unlike other anti-virus/anti-spyware software that relies on predefined signatures. As a result, SpyDLLRemover can detect new as well as old threats through its generic detection technique.

On scanning, SpyDllRemover shows 3 different types of threats:
- Dangerous (shown in Red color)
- Suspicious (shown in Brown color)
- Analysis (shown in Yellow color)
Dangerous threats may be hidden rootkits, and suspicious entries indicate a possible malicious DLL. However, there are some DLLs which SpyDLLRemover is not able to classify; these are marked as ‘analysis type’. DLLs of this kind are put forward for manual analysis by the user. By default, SpyDLLRemover shows only the first 2 types of threats (dangerous/suspicious).
Being heuristic-based software, it is always possible to have false positives in the above 2 categories. But many people saw some legitimate DLLs being listed during a full scan under the ‘Analysis type’ section and complained that SpyDllRemover was showing legitimate DLLs as spyware.
The fact is that those DLLs (which may be legitimate or malicious) were not judged by SpyDllRemover; they are presented to the user for further analysis rather than leaving the user in the dark. The user can then use the ‘check online’ option to verify the authenticity of such DLLs online.
So next time you see good DLLs being listed in yellow, please do not think of it as a false positive. It just means that you have to use your brain to complete the analysis.
This entry was posted on Sunday, February 7th, 2010 at 11:03 am and is filed under Rootkit Analysis, Tools.


July 9th, 2010 at 3:01 pm
Is there a chance of having a false positive process running on my computer? I mean, SpyDLLRemover found a running process, classified it as dangerous, but the process doesn’t exist?
I ask that because the only software able to find this potential “rootkit” was “spydllremover”. No filename, no way to kill this process, nor any other clue about it.
So if there’s a chance of that to happen, please drop me a message.
July 9th, 2010 at 10:41 pm
Yes, it is possible. Sometimes it is due to a very close time match between the normal & rootkit process detection techniques.
But if you run SpyDLLRemover, say, around 3 times and you still see the exe as dangerous, then it possibly means you have got a rootkit.
In any case, you can always send us the screenshot and export data from spydllremover. We can analyze and help you resolve the problem.
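The reply above attributes a one-off "dangerous" process to a timing mismatch between the normal and the rootkit-oriented enumeration, and suggests rescanning about three times. The following is an added example, not SpyDLLRemover's own code: it models a cross-view hidden-process check over constructed snapshots (PIDs, scan count and the "dangerous"/"transient" labels are assumptions) and only rates a discrepancy as stable when it persists across the required number of scans.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# One scan = (PIDs from the normal API enumeration, PIDs from a low-level
# enumeration). All names and values here are constructed for this example.
Snapshot = Tuple[Set[int], Set[int]]

# Constructed sample: PID 666 is missing from the normal view in every scan
# (consistent with a hidden process); PID 512 started between the two
# enumerations of scan 1 and is visible to both views afterwards (a timing
# artefact of the kind the reply describes).
SAMPLE_SCANS: List[Snapshot] = [
    ({4, 100, 200, 300}, {4, 100, 200, 300, 512, 666}),
    ({4, 100, 200, 300, 512}, {4, 100, 200, 300, 512, 666}),
    ({4, 100, 200, 300}, {4, 100, 200, 300, 666}),
]


def hidden_in_snapshot(snapshot: Snapshot) -> Set[int]:
    """PIDs the low-level view reports but the normal view does not."""
    normal_view, lowlevel_view = snapshot
    return lowlevel_view - normal_view


def classify(scans: List[Snapshot], required: int = 3) -> Dict[int, str]:
    """Rate every PID that was flagged as hidden in at least one scan.

    'dangerous': hidden in at least `required` scans (stable discrepancy).
    'transient': hidden in fewer scans (consistent with a process that
                 started or exited between the two enumerations).
    """
    if len(scans) < required:
        raise ValueError(f"need at least {required} scans, got {len(scans)}")
    hits: Counter = Counter()
    for snap in scans:
        hits.update(hidden_in_snapshot(snap))
    return {pid: ("dangerous" if n >= required else "transient")
            for pid, n in hits.items()}


if __name__ == "__main__":
    for pid, verdict in sorted(classify(SAMPLE_SCANS).items()):
        print(f"pid {pid}: {verdict}")
```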