False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It depends on the infection and it's hard to say exactly what would trigger it, as it uses our community intelligence (so behaviors are gathered/age is considered/etc.)
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    FPs fixed :) Thanks!
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I found your submission - there was a management issue in report@prevxresearch... it was assigned to Marco (EraserHW) but he's on vacation currently :D I've corrected the FP - sorry for the delay!
     
  4. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Spyware Cease, as discussed here, doesn't appear to be detected by Prevx. The setup file is 14.1MB in size - I haven't sent this through as unsure if too big to send even when compressed.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    hi Joe, spyblaster is getting away from prevx :)
    i think it is a rogue; some antiviruses at VT recognize it as malware but not prevx :D
     
  6. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Confirmed. It's listed by hpHosts as a rogue, and is on a couple of other domain blocklists.

    I've submitted the file to Prevx Research.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Great, thanks :) Will have it added shortly!

    EDIT: I've analyzed the file - we already block all components of it, we just don't look at the .msi (but if the malware was to try and run we block every piece of it).
     
    Last edited: Aug 7, 2009
  8. SvS

    SvS Security Expert

    Joined:
    Aug 28, 2004
    Posts:
    57
    It's me again with:

    [7/8/2009 16:15] The file [c:\users\[user]\appdata\roaming\updatestar\updatestar.exe] contains a threat of type [Low Risk Adware] - Identity: 93066E19F0C8E004E0494706987F3E007EB55664

    Last time you identified the detection of the previous version of the application as an age/popularity false positive. However, this version of updatestar.exe was installed on July 27 and PrevX didn't detect this "threat" in the July 27 - August 6 timeframe (minimum two scans a day). I don't understand why this is first detected two weeks after installation. If this is a heuristic detection I'd have expected an alert shortly after installation or at least 1 day later. (According to the information in your malware network the file was first seen in SPAIN or ITALY on Jul 28 2009).
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I just checked our database - on August 7th (today) at 13:30 we added a new rule to detect some new Adware.Lop samples and it seems to have overstepped its bounds a bit and caught this one again. I've updated the rule and corrected the file's determination.

    Thanks for the report :)
     
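The two posts above show the failure mode a detection team wants to catch before a rule ships: a broadened rule re-flagging a file whose determination had already been corrected. As an added example (not Prevx code or anything from this thread's participants), the snippet below parses alert lines in the format quoted above and reports any alert whose identity hash is on a list of previously corrected false positives; the list and the extra log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Alert line in the form quoted in the thread:
# [7/8/2009 16:15] The file [<path>] contains a threat of type [<type>] - Identity: <SHA1>
ALERT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] The file \[(?P<path>.+)\] contains a threat of type "
    r"\[(?P<kind>[^\]]+)\] - Identity: (?P<identity>[0-9A-Fa-f]{40})$"
)

@dataclass
class Alert:
    timestamp: str
    path: str
    threat_type: str
    identity: str

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # Greedy path match handles brackets inside the path, e.g. [user].
    return Alert(m["ts"], m["path"], m["kind"], m["identity"].upper())

# Identities previously re-determined as good. The first is the identity
# quoted in the thread; the second is a constructed placeholder.
CORRECTED_FPS = {
    "93066E19F0C8E004E0494706987F3E007EB55664",
    "0000000000000000000000000000000000000001",
}

def regressions(log_lines, corrected_fps=CORRECTED_FPS):
    """Return alerts that re-flag an identity already cleared as a false positive.

    Run over the alerts a candidate rule produces on a test corpus: any hit
    means the rule has overstepped its bounds and should be narrowed first.
    """
    hits = []
    for line in log_lines:
        alert = parse_alert(line)
        if alert and alert.identity in corrected_fps:
            hits.append(alert)
    return hits

# Constructed sample log: the thread's line plus two made-up entries.
SAMPLE_LOG = [
    "[7/8/2009 16:15] The file [c:\\users\\[user]\\appdata\\roaming\\updatestar\\updatestar.exe] contains a threat of type [Low Risk Adware] - Identity: 93066E19F0C8E004E0494706987F3E007EB55664",
    "[7/8/2009 16:16] The file [c:\\temp\\sample.exe] contains a threat of type [Adware.Lop] - Identity: ABCDEF0123456789ABCDEF0123456789ABCDEF01",
    "Scan complete: 2 threats found",
]
```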
  10. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I confirm the program executable is detected when run after installation. :)

    Could you check Spyware Cease please as mentioned in post #200 as I just checked during a sandboxed install. There are no alerts at any point when running the program after installation.
     
  11. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Any further news on this one yet? Just did a scan on my sandboxed installation of the application, and Prevx doesn't detect.
     
  12. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    Your answer was already posted I believe...

    That pretty much summarizes our take on the rogue. Having had a closer look, it's tough to even touch the installer as it is and, if truth be known, this is purely user-initiated scareware; using "rogue" just doesn't do justice here. I can't even classify it as that since it doesn't actually drop anything I'd classify as malicious, or at least it didn't here.

    As Joe said, with full protection you can dload the installer (.msi) but it should never be able to fully execute or drop files to disk; again, at least it wasn't able to here. It's always possible you're using a different installer than the one I found.
     
  13. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    That answer was in relation to Spyblaster; I'm now talking about Spyware Cease, which I first mentioned in post #200.
     
    Last edited: Aug 8, 2009
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Sorry - I've tracked back to your post now. I'm testing Spyware Cease as we speak and will report back with what I find!
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Confirmed Rogue: Will add protection momentarily - it looks quite good, however :doubt: Definitely upping the bar on how subtle rogues can be.
     
  16. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I thought it was, and judging by the thread where it's discussed, others think so too.

    Just as a point of reference, when files are large, like say 14MB in size, it probably isn't practical to send for analysis even when compressed. (The 7z compression I did of it actually increased it slightly. o_O) Is the best way then to report it here or do you accept such large attachments?
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Feel free to just send links if it's easier - I just Googled it to find it this time :)
     
  18. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Ref: Spyware Cease - just done a scan of all the installed files in the sandbox; no alerts. o_O I can PM you the log if you wish.

    The installer generates no alerts either.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hmm... could you send me a log to report@prevxresearch.com? We may have gotten different versions.
     
  20. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Sent. :)
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yikes... I dug deeper and have determined more than 1,000 variants of SpywareCease as bad now, stretching back to Oct. 2008, most with barely any detections on VT :doubt:

    The primary malicious component is the .exe itself - the other DLLs are mostly repackaged legitimate components so I've left them, but we should now detect it fine :)
     
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Umm.. I don't really understand this.

    Scanning the files in the sandbox still yields no results; scanning the single .exe in the sandbox produces no alerts.

    However, if I copy the .exe from the sandbox to the Desktop and scan it, hurrah, there's an alert.

    Something isn't right here. I'd like to test the execution of these kinda programs in a sandboxed environment for safety reasons - that's the point of the sandbox surely. Maybe I'm doing it all wrong, who knows. :/
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    What sandbox are you using? It's possible that the sandbox itself is preventing Prevx from scanning the file, but it's hard to say exactly.
     
  24. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Sorry, I should have said before - it's Sandboxie.
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This might be caused by a fluke in our caching and handling of a sandbox - can you try rebooting your system to see if it is then detected?
     