False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. Nail64

    Nail64 Registered Member

    Joined:
    Jul 19, 2009
    Posts:
    5
    Hi PrevxHelp,

    I sent a new logfile. I cleaned most of the files listed. I see some of them are no longer detected as threats. There are only 2 that are listed that seem to be weird.

    Can you take another look? Thanks
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Thank you for the new log - the remaining two are false positives, the handful that you had before were indeed malicious but are cleaned now and everything else looks fine :)

    If you run another scan, the files won't be detected anymore.
     
  3. Nail64

    Nail64 Registered Member

    Joined:
    Jul 19, 2009
    Posts:
    5
    Looks like everything is good now. Thank you
     
  4. elations

    elations Registered Member

    Joined:
    Jul 19, 2009
    Posts:
    1
    I'm testing Windows 7 (RC 64-bit version) and because my regular software firewall isn't, as yet, compatible, I'm checking out Kaspersky AV 8.0 Technical Preview for Windows 7 which has the "Anti-Hacker" module that acts as firewall. For roughly a day now, the free version of PrevX I have running on my machine flags the Kaspersky driver klif.sys as "Medium Risk Malware". An earlier submission to VirusTotal confirmed that PrevX identified the file as malware. Interestingly, I wasn't the first person to submit this file, but the previous submission was named differently and had an .exe extension. Here's that previous result.
    ~VirusTotal screenshot removed per Policy.~

    I still assumed this would probably be a false positive, and being busy with other things, and because I wasn't yet registered at Wilders Security and hadn't submitted a sample to PrevX yet, I decided to wait a bit and see what happened. I expected the alerts would go away soon as many other PrevX users would be running the same technical preview and this would be looked at sooner rather than later. However, much time passed without resolution. I had previously already submitted a few suspected malware samples to Kaspersky, a few examples from a constant stream of new malware pouring into certain Usenet groups, and given the fact that it wouldn't cost much time to just follow the same protocol and submit to them a sample of klif.sys, I quickly did that when I found a little time. Very soon I received the reply that the sample was malware free. I then submitted the same file to VirusTotal again and found that, this time, PrevX didn't seem to find anything wrong with it anymore. The online scan, that is, because on my system, nothing appears to have changed. PrevX still identifies two instances of klif.sys, and a related registry entry, as malware. I've rescanned a few times since then, but no change, I still get red alert. Don't know what's amiss here, but something obviously doesn't work the way it's supposed to, so now, at long last, I've decided this has to end, one way or the other, and took the time to register with Wilders and write this message, so I can submit the file plus scan results. I still hope it's a false positive, of course, but have also braced myself for worse scenarios. Oh, I just realized the forum doesn't accept the submission, so I'll send it separately by email (it'll take a couple of minutes). Here's just a screenshot showing the alert:

    klif.sys.infected.JPG
     
    Last edited by a moderator: Jul 20, 2009
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello elations,
    Thank you for taking the time to register and report the detection :) This is indeed a false positive and is caused because of the changes which Kaspersky's driver makes to the system. Most antivirus/firewall drivers modify the system in ways identical to rootkits and other malware so it is common for one vendor to detect another vendor's drivers/components as malicious (Kaspersky does it to us but we aren't trying to be vindictive with this false positive ;))

    I've corrected the FP and am adding a signature to prevent similar FPs in the future.

    You should now be able to scan your system and it will show a clean status.

    Thank you again for the report and let me know if you need anything else!
     
  6. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Just a quick off-topic question...
    Posts 95, 96, 104 and more have VirusTotal links posted; why was this removed and the others not? o_O
    Could someone please post a link where this policy is outlined?
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It is a general part of the forum's policy to remove VirusTotal links (just because of how flawed comparisons via VirusTotal are), however, I'm going to be asking the moderators if there is a need to remove a link when it isn't trying to compare AVs.

    The link to the policy is here: https://www.wilderssecurity.com/showthread.php?t=180057
     
  8. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Thanks for the clarification and the provided link :D
     
  9. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Same FPs another time - that's enough reason to get Prevx off my system once more. :cautious:
     

  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :gack: They just released an update (the files you had before are still marked good). gamemon.des does heavily use rootkit technology which is why we flag it.

    I've searched through and fixed a few gamemon.des', hopefully yours included.
     
  11. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yeah, thanks - I probably won't use Prevx till v4, UNLESS the bridge is what's also featuring the FP-reductions. Is that so, and would these be avoided?
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Now they would be avoided regardless of the version used (via a rule in place to detect these specifically) but there is little we can do to not detect software like this which is so heavily guarded by rootkit technology.
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Okay, I just recalled that something similar was applied before, maybe in this very same topic I guess - what was that? What you're saying is anyways that from now on the files that I'd pictured in that window won't happen again, correct?
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I hadn't made a more complex routine to prevent this particular FP, but now under all reasonable circumstances we won't produce a FP on gamemon.des (or the associated remnant components which were also detected).
     
  15. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Okay, Joe - thank you very much. ;)
     
  16. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Hello Joe

    Looks like the GUI written for MyDefrag is a little too new...?

    [BP] c:\users\philbyv\desktop\mydefrag gui\gui_mydefrag.exe
    [PX5: DADB776600C4C8D67E73028ED7FDD50022AF8D90]
    Malware Group: Medium Risk Malware

    [DN] c:\users\philbyv\desktop\mydefrag gui\mydefrag.exe
    [PX5: A99DFC150090DFF9E0B70C5015BA46004B6256CE]
    Malware Group: Community.OuterEdge

    I've already flagged this through MyPrevx to Claudia, Jessica, Victoria et al :p

    I understand you only need the PX codes - hope that's right.

    philby
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fixed :D Thanks!
     
  18. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Once again, you set a new rapid-response record...

    Thank you.

    philby
     
  19. Romagnolo1973

    Romagnolo1973 Registered Member

    Joined:
    Feb 17, 2009
    Posts:
    565
    Location:
    Italy - Ravenna
    Hi Joe or Marco, I have this warning on my PC about BitCHE, a program for searching Utorrent files.
    It has been on my PC since 2007 and today I received the Prevx warning, so I think it is a FP.
    Here is the log:

    Prevx Scan Log - Version v3.0.1.65
    Log Generated: 22/7/2009 19:57, Type: 1,8192
    Windows XP Professional Service Pack 3 (Build 2600) 32bit|1040
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 2, Pop: 2, Heu: 3 (Dir: 1)
    Last Scan: Wed 2009-07-22 19:56:17 ora legale Europa occidentale. Number of Scans: 239. Last Scan Duration: 5 minutes 49 seconds.
    [BP] (ACTIVE) c:\documents and settings\...\dati applicazioni\convivea\bit_che\scripts\special.exe [PX5: 0232CF09ED0CBD8D5F8400196D8EAF0049FB89B8] Malware Group: Medium Risk Malware
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hi Romagnolo1973,
    I've looked at it and 17/43 vendors find it on VT :doubt: Could you send the file to report@prevxresearch.com so we can analyze it directly?
     
  21. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    It is a false positive, tho the way it acts is really way suspicious :rolleyes:
     
  22. SvS

    SvS Security Expert

    Joined:
    Aug 28, 2004
    Posts:
    57
    I get the following FP for a newer version of UpdateStar again:

    [22/7/2009 21:52] The file [C:\Users\<user>\AppData\Roaming\UpdateStar\UpdateStar.exe] has been blocked because it contains a threat of type [Low Risk Adware] - Identity: C46E9A16F0327F1EE0AD47FA54DDE500D643273C
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks for the report - I've corrected it, however, it was an age/popularity false positive so you may want to lower your heuristic/age/popularity settings if you get too many of them :)
     
  24. SvS

    SvS Security Expert

    Joined:
    Aug 28, 2004
    Posts:
    57
    UpdateStar is the only one PrevX detects (every time the application is updated though).

    I don't know if the following two fall into the same category; I doubt it, since MyPrevX lists them as I-Worm/Stration.DTP:

    c:\program files\rainmeter\skins\hud.vision\black\util\fileexec.exe [PX5: 37DCBFFB00C2C9106EC1005C49AD1D00C0353F40]
    c:\program files\rainmeter\skins\hud.vision\white\util\fileexec.exe [PX5: 37DCBFFB00C2C9106EC1005C49AD1D00C0353F40]
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is unrelated to the other detection - 11 products find the file on VT but it is indeed a FP (most likely detected by others also because it is used/dropped by infections to execute other files... lazy malware authors :rolleyes:)
     