False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    I was not referring to Spyware Blaster, I was referring to Post 200 that you linked to.

    Joe has confirmed exactly what I was saying....

    Prevx and almost all other AVs are well aware of SpywareCease, problem is, it doesn't really do a lot to the system, the reason VT has so few hits and most have deemed the app just plain bloatware/scareware type.

    It's been around over 2 years now and really has no place in a DB but that's a researcher choice, if Spyware Cease is bad, then so is RegCure and about a 1000 other apps that don't do what they claim to do or make a big deal out of a cookie or orphaned registry entry, I spec we better add in CCleaner too, it's doing about the same thing. :doubt:

    Not knocking you or Joe, it's just I went through a lot last year to come to this conclusion and decided not to add it into the DB.

    It's definitely one of those that runs that fine line.
     
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I've rebooted, and whilst a scan of the sandboxed single .exe file didn't trigger an alert, a scan of the sandboxed folder did.

    @Cretemonster:
    I understand what you're saying, and agree with both you & Joe. However, that hasn't been the main issue for me. The problem has been seeing some sort of detection within a sandboxed environment. It worked out of the sandbox, but not within it.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Probably best to move this to another thread as you have :D Also regarding SpywareCease: I disagree, Cretemonster, with it being a product that just detects cookies. On an entirely empty XP SP3 VM, it detected 22 files as backdoor trojans. Unless Microsoft has gone very lax on its software integrity measures, I suspect that it is indeed a rogue :) Maybe they started with cookies and then realized that they weren't getting enough of a conversion to buy, but, if it would just detect cookies, it may be able to pass easier as legitimate.
     
  4. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    Agree this one is a topic all its own as most of these crapwares are. :(
     
  5. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Hey Joe.

    Prevx (highest settings) detects MWAV (Microworld Anti Virus Tool) as malware.

    Temp\mexe.com => Malware
     
  6. rolarocka

    rolarocka Guest

    False positive with this (win7):

    (~snip~ VT link removed as per policy)
     
    Last edited by a moderator: Aug 11, 2009
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Habakuck/rolarocka: Could you please send a scan log by clicking Tools/Save Scan Results to report@prevxresearch.com? I'm trying to track down the exact files without luck so far :oops:
     
  8. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544

    I think the problem is solved. I used an older Version 9 of the MWAV Tool.
    Updating to Version 11 and I have no problem anymore... ;)
     
  9. rolarocka

    rolarocka Guest

    fdprint.dll is not on the scan log anymore. It only appears as a false positive after a new install of Prevx. Will try it again.

    edit: It's not detected after a new fresh install... I will continue to monitor this.
     
    Last edited by a moderator: Aug 11, 2009
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Great :) I've re-corrected that file anyway so it won't cause any warnings for anyone. Thanks for the report!
     
  11. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Great. You are welcome. :)
     
  12. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Combofix - again

    Combofix is being detected again :(

    (ACTIVE) h:\software\combofix.exe [PX5: D9BC1C83D92D58BA1822302D1CE52B00C94E2332] Malware Group: Medium Risk Malware
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Re: Combofix - again

    Combofix will unfortunately continue to have problems - I've corrected this one but there simply isn't a way to generically trust them... it makes far too many system changes using suspicious programs which are also frequently used by malware :doubt:

    Nearly every version is detected by between 8 and 22 vendors on VT, they simply far exceed the threshold for suspicious behavior all around.
     
  14. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Re: Combofix - again

    Understood, but maybe you could consider asking whoever is in charge of whitelisting other AV software, to check each version of Combofix & Smitfraudfix as they come out?

    Speaking from the "frontline", it's amusing in an annoying kind of way to see security software sitting happily on an infected computer & then blocking the cleaners! :doubt:
     
  15. rolarocka

    rolarocka Guest

    FP with Wavosaur

    wavosaur.1.0.5.0.exe [PX5: 90E7036A008D32B9B0E10821220B5400EDEBCF34] Malware Group: Low Risk Adware
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fixed :) Thanks for the report!
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Re: Combofix - again

    Blocking the cleaners is not intentional - many other AVs do it also, simply because to clean the system it has to make changes to the system and Combofix/similar programs go about it in a very malware-like manner.

    I'll see what we can do to prevent Combofix FPs in the future without impacting detection.
     
  18. Phantasm

    Phantasm Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    87
    http://www.imagesforme.com/out.php/i641925_Pr3vX.bmp
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
  20. Phantasm

    Phantasm Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    87
    Done
     
  21. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Possible missed detection: Perfect Uninstaller

    It isn't detected by Prevx:

    perfectuninstaller_setup.exe [PX5: 14A6205A504CA605C865337FD347C70037F7DEE2]
    pu.exe [PX5: F62A38384096AD93ED273744EFB45E000D60C72C]

    Downloaded from: perfectuninstaller.com

    Discussed here: https://www.wilderssecurity.com/showthread.php?p=1524387
     
    Last edited: Aug 17, 2009
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I don't see anything :doubt: Could you try sending it in a rar or 7z archive or just sending it plaintext?
     
  23. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    PrevX Team I was not amused to see that PrevX didn't catch this sample:
    ~snip~ Possible malware link removed
    I will PM Joe the password for the archive.

    Why is it not detected? I think that the source code has some mistakes and because of that the program does not run fine but I think the malicious behavior should be enough for Prevx to catch it.
     
  24. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    And another very bad failure:
    This is real malware! No script kiddie code like the first failure I posted.

    So why is that not detected? The malicious behavior is so obvious! And I run PrevX with highest settings....
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We don't focus on detecting files like this (a batch script). We may consider adding more detection for files like this in the future but today, these are not threats to normal users (and nearly always only exist in malware collection).
     