Help with ¿FP?

I'm trying to be sure if a file is a malware or not.
Comodo in paranoid mode (without AV) dont make any popup.
VirusTotal: 30/40 (75%)
Comodo Cima: -http://camas.comodo.com/cgi-bin/submit?file=7cc08f1573a3c7eafd08de79eb5a738e36d45cfedc4784b55de78e30c69a9b43-

What do you think? there is anything similar to CIMA where I can check the file?

Thanks

 

that MD5 shows its a keygen. Keygens are always loaded with malwares.

 

Sorry but you are wrong, not always.

After execute the file in a computer I made a full scan with 2 of the AV's that detect it like a malware also with malwarebytes, Hitman Pro and Prevx and they found nothing.

Update: -http://www.threatexpert.com/report.aspx?md5=c78a7b417054ac28ec856e5ae899c7be-

Seems that the only reason because is detected is for the kind of packer that the keygen uses. A very poor rule for an AV.

 

OK
The result showing its a backdoor .

 

Yes but only because the AV says it. The behavior of the file is safe, dont create new files, dont modify the memory, see again CIMA.

 

The ThreatExpert report clearly shows that it does nothing other than providing a keygen, no backdoor or anything else. Either the packer puts it in the too hard basket for AVs, or any keygen is a PUA - or maybe both.

 

Thanks for the aclaration, each day I trust less in the AV's
I hope that cima will be integrated in comodo soon. I have submit the FP to comodo but would be nice submit FP's to VirusTotal

 

Why are you interested if this keygen is clean? Even if it is clean most AVs won't adjust signatures for cracks.

From CAMAS it created a new svchost thread. Possibly some AVs flagged it as a backdoor because of this behaviour. Why would a keygen create this thread or need it? Who knows?

 

Do you understand why any executable needs a svchost thread? no true? xD

Another example:
VirusTOTAL: 5/40 (12.5%) (Old keygen: 2008.03.06 11:41:04 UTC)
CIMA: -http://camas.comodo.com/cgi-bin/submit?file=f6ee169a7555549f2418ec45bafc0ca376b5481f8e8a68b8efb531788c289a97- same behavior.
ThreatExpert: -http://www.threatexpert.com/report.aspx?md5=81404256f98a45571401f7832d4ebfc1- (packed with PE_Patch.UPX)

I think that I have a factory of fp's in my computer xD

 

In Threat Expert you can clearly see that IKARUS is detecting it as a not-a-virus.Keygen.CoreAVC, but keep in mind that there are many private crypters like Incognito which can be used to avoid detections. This known private crypter is very powerful and IMHO many keygens are also using this.

 

Ok but if you execute the file, have to be uncrypted?
Anyway CIMA will show what will do this uncrypted files, no?

 

Well, it's a keygen and I wouldn't trust it. Malware usually inject threads into svchost.exe to create/drop files or send out data.

 

This is Wilders security Thread and here promotion of keygens are not accepted.
I think this thread will be closed soon.

u r playing with trouble .
ALll cracks are loaded with troubles.

 

The firewall didnt make any alert, should the firewall made an alert?

1) I am not promoting anything, and you?
2) Who told you that? your AV?

This is what I pretend to promote with this thread:
I hope that somebody could be able to explain how to check this kind of files correctly, like any AV company should do.

 

it created svchost.exe

From MS site

 

Again, almost any application in the world needs to have access to svchost.exe process in order to be execute.

PE: -http://camas.comodo.com/cgi-bin/submit?file=1e6096c0f6b5db4c9f15a9c1352297830b981e668280862c3f2b1fe8a51521f5-
autoruns.exe from: -http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx-

 

You use CIS? IIRC, CIS treats all MS-signed exes as trusted and by default allows svchost outbound connection. But CIS should alert you if something is trying to modify or inject something into svchost.

 

Defense+(paranoid): no alert
Firewall(safe mode): no alert

 

From this quote it's pretty obvious what the subliminal purpose of this thread is. To guest: use at your own risk.

 

Subliminal? dont be paranoic. I just want to know how a suspicious file must be checked, I suppose norton, panda, KAV, avast... dont use VT, CIMA and ThreatExpert for check the files.
So which tools use a "professional" and how, this is my question.

 

There are many online sandboxes available
http://camas.comodo.com/
http://www.threatexpert.com/
www.sunbeltsandbox.com/
http://www.joebox.org/
http://anubis.iseclab.org/index.php
http://www.norman.com/microsites/nsic/Submit/en-us
http://wepawet.iseclab.org/

 

Thanks a lot, JoeBox and anubis are really good.

JoeBox: -http://www.mediafire.com/file/mvymjhjwzzi/result.html-
Anubis: -http://anubis.iseclab.org/?action=result&task_id=13687a9bfe250620449db577f91a87cd3&format=html#chapter1-

Now seems more suspicious but anyway the data need the correct interpretation.
I have seen many http, dns and registry data but I have uploaded safe (autoruns.exe) files that does not need internet connection and shows similar results.

Also I have checked the integrity of the win7 files and everything is ok

 

u r welcome

 

If your threatfire popup during the execution of this Keygen, then probably there is something inside it, which need to be taken care. But after seeing the Threat Expert and CIMA report i can say that it is almost clean. But you should use it with extreme care.. (Please do note that doing piracy is an offense)