False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. Zetelo

    Zetelo Registered Member

    Joined:
    Sep 23, 2008
    Posts:
    110
    I'm doing it now! Thx for this super fast answer =)

    EDIT: Sorry, didn't know I had to add a password!

    2nd EDIT: Done =D
     
    Last edited: Jul 17, 2009
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thank you for the log... however, I still think that the file is malicious :doubt: It is referenced by a registry HKLM\...\run entry named "WinSys2" and pointing to a file named C:\Windows\System32\startup.exe

    Could you send us the file itself in a rar archive with a password to report@prevxresearch.com so we can analyze the file itself to make sure it is really malicious?
     
  3. Zetelo

    Zetelo Registered Member

    Joined:
    Sep 23, 2008
    Posts:
    110
    Of course, I'm on it!

    EDIT: Done!
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thank you for the file - we've analyzed it and indeed it is a FP, but a strange one! :) Thank you for your patience, if you run another scan it should be fixed now.
     
  5. Zetelo

    Zetelo Registered Member

    Joined:
    Sep 23, 2008
    Posts:
    110
    :thumb: Thanks a lot! It is now a clean file, this is what I call cooperation!
     
  6. BladeRunner

    BladeRunner Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    50
    Location:
    Vancouver,BC
    Hi Joe,
    I've been using 'Hard Disk Sentinel' software for a long time, but today Prevx started detecting it as a malware. Is this a false positive or real malware?

    I have sent the scanned log to Prevx.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    This is indeed a FP and has been fixed now - thanks for the report! :)
     
  8. BladeRunner

    BladeRunner Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    50
    Location:
    Vancouver,BC
    Thanks!
     
  9. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Out of curiosity (probably since I'm even running your software right now in evaluation :D), what could be the reason that a legit program is suddenly detected on your end - if at all? o_O
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Every time we add or tune a rule to detect a new variation of a threat, that rule is applied to every other piece of software globally to detect variants which we may have missed previously.

    When dealing with some rules that detect 500,000+ samples at a time, it is hard to track down the one false positive caused by it :)
     
  11. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Only because I can see a possibility of trouble, like seen here (and especially for the average Joe) - is this kind of thing "solved" somehow through the technologies released in v4.0?

    I completely understand the reason, but one can't avoid the fact that it does give high probability for trouble and/or FPs - I would suspect still higher than other products, since I've indeed witnessed and experienced this personally with the software. It's one of the reasons I "had" to stop using the software, simply because I always want to go a no-FP, automatic way - something which I've without a doubt accomplished without sacrificing the effectivity of my protection.
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    4.0 will have additional measures to prevent FPs, however, the exact same "problem" occurs with conventional AVs. Every new signature created scans every file, which is why conventional AVs have FPs as well. Our systems automatically track possible FPs and prevent signatures from being created which would cause additional FPs but nothing is perfect and everything is a balance between FP/detection.

    I highly doubt that Prevx has more FPs than other products, being that we have only around 5 FPs reported by the entire Prevx community every day. We also don't have a submission form on our website so most of all of the FPs either get publicly reported here or just sent via email (and to the report@prevxresearch.com email address, we have had only 2 FPs reported in the last two weeks).

    With over 30,000+ new infections blocked the first time they're seen every day (not counting older infections which is much higher), I think that is a reasonable rate to have, especially because FPs tend to only happen on odd, little-used software.
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I don't know if I can stress this enough... the software that I use doesn't have FPs through signatures or other automatic, proactive features - at least not stable software. That's a reason I stopped using NOD32. It was giving simple FPs that caused me a lot of trouble. No offence, but that's actually true, and that's why I'm at least trying to stress this point.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The goal of every AV is to have 0 FPs, which is of course what we're trying to do. However, it is logically and mathematically impossible to produce 0 FPs if a program has any degree of heuristic detection.
     
  15. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Point taken. I'll try to ignore what's reported here as it could be looked at like a fast reporting-system. I'll continue to run Prevx in evaluation mode as that will let me know if MSE, which I'm running now, is missing something - completely free - and see how I like the software's operation as it is today. :)
     
  16. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    If you look at the FPs reported by AV-Comparatives in recent tests, many of the applications don't appear to be as well known to the average user. When I looked at the list, I hardly knew most of them, let alone have them installed on my system. Obviously if I had any one of them on my rig at the same time of the test with the same AV flagging the FP alert, I would have got the warning.

    In all the years I've used conventional AVs I've never had FPs against programs I have installed, but have seen some script heuristic FPs by those AVs that run script emulators as part of their web scanning.

    In testing Prevx, I've not seen any FPs yet.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Frankly, any vendor with a high level of false positives would have gone out of business years ago. Periodically we hear of some highly publicized cases when an AV detects a system file and corrupts thousands of systems. There really should be measures in place in every company to prevent this (akin to our automated rule testing - if a rule flags a system component, it is dropped). Outside of that, however, it really becomes a question of the software which the individuals use. I don't have exact numbers but I've heard people say that more than 95% of the software on 95% of users' PCs is the same. The remaining 5% is where things get difficult and to deviate from the "standard" software set, a user would need to be at least marginally technically inclined - many of whom are participants in various forums like this one. On the other side of the spectrum, my parents have absolutely no idea how to install software or how to even go about finding new software - a case which I suspect is seen pretty widely.

    The problem with forums is that various vendors are frequently berated for having "low detection" or "high false positives" and whichever user can "yell" the loudest ends up getting their point across when in all actuality, forum users are off many standard deviations from the average user in their browsing habits and system use and therefore don't have a representative view on what a vendor actually does provide.

    We had a nice "case-in-point" false positive ages ago on an extremely obscure program which not only sent out emails to everyone in the user's address book but it also did not have any graphical interface, it was unsigned, encrypted/packed, and it added a registry run key to perform the message sending on bootup. Whether this was a software vendor just being cruel to AV developers we will never know but we did not bother changing any rules we had in place to detect the file and we just whitelisted that one version.

    Software is incredibly diverse, as is malware (logically as it is a subset of software). There is no way to prevent all false positives unless you want to write signatures which detect only single programs and have no level of heuristic/generic signatures. I know that vendors today are working hard to write signatures that cover as many variants as possible and this may cause an uptick in false positives just because of the literally exploding volumes of malware. There are many measures which can be put in place to help reduce false positives, including whitelisting and reputation checking, but none of them are perfect because some user, somewhere, is going to want to run a mass mailing, encrypted, hidden program on bootup :)
     
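The automated rule testing PrevxHelp describes in posts 10, 12 and 17 (a new rule is run against every file already known, a rule that flags a system component is dropped, and a single odd clean program is whitelisted rather than the rule weakened) can be shown as a small regression harness. The following is an added illustration written for this thread, not Prevx code and not from any poster; the file records, placeholder hashes, feature flags and the two candidate rules are all constructed for the example.

```python
"""Vet a candidate heuristic rule against a known-good corpus before shipping it.
Constructed example: the FileRecord fields, hashes, paths and rules below are
made up for illustration and are not Prevx data or Prevx code."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class FileRecord:
    sha256: str        # constructed placeholder, not a real hash
    path: str
    signed: bool       # carries a valid code signature
    packed: bool       # section layout / entropy indicates a packer
    has_gui: bool      # has a GUI subsystem or creates windows
    autorun: bool      # registers an HKLM\...\Run entry
    is_system: bool = False   # shipped as part of the OS


Rule = Callable[[FileRecord], bool]


@dataclass
class VetResult:
    name: str
    accepted: bool
    system_hits: list     # OS components the rule flags: any hit drops the rule
    goodware_hits: list   # other clean files flagged and not whitelisted
    coverage: float       # fraction of known-bad samples the rule catches


def vet_rule(name, rule, goodware, malware, whitelist=frozenset()):
    """Apply the candidate rule to every file we know about and decide whether
    it ships. A hit on a system component rejects the rule outright; a hit on
    other clean software rejects it unless that exact version is whitelisted.
    Coverage over the known-bad set is reported so the FP/detection balance
    of the rule is visible at the same time."""
    system_hits = [f.path for f in goodware if f.is_system and rule(f)]
    goodware_hits = [f.path for f in goodware
                     if not f.is_system and rule(f) and f.sha256 not in whitelist]
    caught = sum(1 for f in malware if rule(f))
    coverage = caught / len(malware) if malware else 0.0
    accepted = not system_hits and not goodware_hits
    return VetResult(name, accepted, system_hits, goodware_hits, coverage)


# --- constructed corpus (hashes are placeholders) ------------------------
GOODWARE = [
    FileRecord("g1", r"C:\Windows\System32\svchost.exe", True, False, False, True, is_system=True),
    FileRecord("g2", r"C:\Program Files\HDSentinel\HDSentinel.exe", True, False, True, True),
    # the obscure mailer from post 17: unsigned, packed, no GUI, runs on boot
    FileRecord("g3", r"C:\Tools\obscuremailer\mailer.exe", False, True, False, True),
]
MALWARE = [
    FileRecord("m1", r"C:\Windows\System32\startup.exe", False, True, False, True),
    FileRecord("m2", r"C:\Users\x\AppData\Local\Temp\e_fbagaea.dll", False, True, False, False),
    FileRecord("m3", r"C:\Users\x\Downloads\setup.exe", False, False, True, True),
]


def rule_hidden_packed_autorun(f: FileRecord) -> bool:
    """Generic heuristic: unsigned, packed, no GUI, starts on boot."""
    return (not f.signed) and f.packed and (not f.has_gui) and f.autorun


def rule_any_autorun(f: FileRecord) -> bool:
    """Deliberately too broad: every Run-key entry, signed or not."""
    return f.autorun


def vet_all(whitelist=frozenset()):
    """Vet both candidate rules; returns {rule name: VetResult}."""
    return {
        r.__name__: vet_rule(r.__name__, r, GOODWARE, MALWARE, whitelist)
        for r in (rule_hidden_packed_autorun, rule_any_autorun)
    }


if __name__ == "__main__":
    # First pass: the generic rule trips on the obscure mailer, the broad one on svchost.
    for res in vet_all().values():
        print(res)
    # Second pass: whitelist that one mailer version instead of weakening the rule.
    for res in vet_all(whitelist=frozenset({"g3"})).values():
        print(res)
```

Run as a script it prints both passes. The generic rule is rejected on the first pass only because of the unsigned, packed, boot-time mailer; whitelisting that one hash lets it ship with its malware coverage intact, which is the trade-off post 17 describes. The broad autorun rule is dropped in both passes because it matches an OS component, and no amount of whitelisting rescues it.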
  18. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Joe,
    Did you get my PM and have a chance to analyze what I sent? This one seemed to have been a nasty little bugger, it was a bit of work cleaning it off of my test VM. Neither Prevx nor Malwarebytes nor anything else I could throw at it was able to clean it 100%; A-2 in paranoid mode was the only thing that stopped it in its tracks, after which I cleaned it by hand.

    P.S. This was a true 0-day at the time of submission, 0% detection on virustotal.com and a few other ~Jotti scan results removed per policy.~
     
    Last edited by a moderator: Jul 19, 2009
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I forwarded it onto one of our researchers (EraserHW). I'll ping him to respond here in the morning as to what he found :)
     
  20. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    We added detection for it shortly after your submission:

    http://www.virustotal.com/analisis/...9c3730a67f73273368197a35440fdfc7f6-1247740317

    We didn't have problems in cleaning it up, but if you have had any kind of problem, please report it to us so we can investigate further :)

    Thank you :)
     
    Last edited by a moderator: Jul 19, 2009
  21. jedi_m

    jedi_m Registered Member

    Joined:
    Jan 28, 2008
    Posts:
    93
    Location:
    Toronto, Canada
    e_fbagaea.dll

    Hello,

    I've got an alert from Prevx 3 (High Risk Cloaked Malware) and the file name is e_fbagaea.dll. I am not sure if it is a false positive or is a real malware. I've sent a scan log to Prevx in the morning. Here is a link to VirusTotal
    ~VirusTotal screenshot removed per Policy.~
    What should I do, ignore it, delete the file?
    Thanks,
    Jedi_m
     
    Last edited by a moderator: Jul 20, 2009
  22. Nail64

    Nail64 Registered Member

    Joined:
    Jul 19, 2009
    Posts:
    5
    Hi PrevxHelp,

    I bought Prevx 3.0 on Friday after running it in trial mode for about a week. During the trial I never ran the Full Scan but I ran it once it was purchased.

    It found about 17 files that I think are FPs so I added them to the detection overrides by clicking "Report as false positive". I sent my scan log to the email address posted so you guys can determine if they are all FPs or not.

    One example is d3dx9_39.dll which you detect as riskware. Virustotal link below:

    ~VirusTotal screenshot removed per Policy.~

    I am also running MSE 1.0 beta and none of these have been detected by it.
    Thanks
     
    Last edited by a moderator: Jul 20, 2009
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I've checked out the log and only see two false positives in it, but the last scan shows as "aborted". Can you please try running another "Scan Now" scan and save another scan log to ensure that we have everything to fix? In the meantime, I've fixed the two FPs :) Thanks!
     
  24. Nail64

    Nail64 Registered Member

    Joined:
    Jul 19, 2009
    Posts:
    5
    Wow that was quick! Thanks for checking them out. So some of them are legit? :eek:

    I'm running another scan right now, I also removed most of them. I'll submit when the scan is complete. Thanks
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Some of the files in your log are indeed malicious but it will be clearer once I see the whole thing :)
     