False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
During the scan by MBAM, I got the popup "Threat Identified in File" > C:\WINDOWS\system32\drivers\SBREDrv.sys

    Looks like an FP. ;)

    See attached screenshots:

    See also, recent excerpt from scan log.

    Prevx Scan Log - Version v3.0.1.65
    Log Generated: 26/8/2009 14:05, Type: 1,8192
    Windows XP Professional Service Pack 2 (Build 2600) 32bit|1033
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 2, Pop: 2, Heu: 4 (Dir: 1)
    Last Scan: Wed 2009-08-26 11:05:41 E. Australia Standard Time. Number of Scans: 532. Last Scan Duration: 14 minutes 58 seconds.
    [D] c:\windows\system32\drivers\sbredrv.sys [PX5: B1E9E654B0C128C66E8201E7CAA9E600094909BC] Malware Group: Community.OuterEdge
    [D] c:\$isr\1\windows\system32\drivers\sbredrv.sys [PX5: B1E9E654B0C128C66E8201E7CAA9E600094909BC] Malware Group: Community.OuterEdge
    [D] c:\windows\system32\drivers\sbredrv.sys [PX5: B1E9E654B0C128C66E8201E7CAA9E600094909BC] Malware Group: Community.OuterEdge
    [D] c:\windows\system32\sbbd.exe [PX5: C04760EA28AF6F49A18800A99DBCAC0062880C1B] Malware Group: Community.OuterEdge
    [DN] (ACTIVE) c:\recycler\s-1-5-21-1417001333-2049760794-725345543-1003\dc757.exe [PX5: 5BF3813B30EDD274CBC904213272CD008582EBEC] Malware Group: Community.OuterEdge
     


  2. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Thank you for the notification, it should be now fixed :)
     
  3. microbial

    microbial Registered Member

    Joined:
    Aug 26, 2009
    Posts:
    156
    Location:
    UK
Happily browsing when a pop up from Prevx informed me that mswsock.dll had been injected into my registry and asked if I wanted to allow it once, always, block etc., so I hit block.

    It then requested I reboot my PC. Only then did I google mswsock.dll to find it is "a module providing extensions for Winsock. Services provided by this file are not part of Winsock." [according to Uniblue anyway]

    I'm guessing this is an FP but perhaps someone with greater savvy than me could confirm?
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Could you let us know what version of Prevx you're using? Prevx 3.0 does not have any warnings like this as it automates this decision process - you may want to upgrade to Prevx 3.0 if you are using Prevx 2.0 and do not find any benefit in the additional warnings.
     
  5. microbial

    microbial Registered Member

    Joined:
    Aug 26, 2009
    Posts:
    156
    Location:
    UK
    Thanks for the lightning fast response :eek:

    What is strange is that I am running Prevx 3.0. I purchased a license last Sunday?!
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    If I did manage to respond as fast as light I'd be scared! :) I'm unsure what warning you would have received, but it would be worth investigating it further if you could click Tools > Save Scan Results and then save the .log file to disk and email it to report@prevxresearch.com

    We'll analyze it from there to see what would have caused the prompt. Let me know if you have any other questions!
     
  7. microbial

    microbial Registered Member

    Joined:
    Aug 26, 2009
    Posts:
    156
    Location:
    UK
    Thanks. Is there a setting whereby logs are saved automatically? Unfortunately I have no current saved logs. Would a pop up generate a log entry? It was a light silver box with the warning message. I do have all the heuristics settings at max which may be (a) overkill and (b) potentially disruptive...

    If any further incidents occur I will grab a screen shot.
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The warning dialog from Prevx 3.0 should look like the one in this post: https://www.wilderssecurity.com/showpost.php?p=1530574&postcount=316

    You should be able to create a log on demand by clicking Tools along the left side of the Prevx interface and then clicking Save Scan Results which will contain information on the newest scan you've run and most of the previously seen files as well. If this doesn't save them for you, let me know and I'll walk you through getting the other scan logs which are saved to disk automatically :)
     
  9. Cherub

    Cherub Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    183
    Location:
    Kentucky
I uninstalled KIS 2010 and reinstalled KIS 2009 and now Prevx is saying I'm infected.

    The threat says,

    klif.sys in c:\program files (x86)\kaspersky lab\kaspersky internet security 2009\klifx64

    The weird thing is that I had both running just two days ago and no problems.

    I did go to the Kaspersky website to download a new KIS 2009 file and it seems that is where the problem is.

I'm not sure what I should do. Is this a false positive?
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
I'm almost positive it is - we have had some historic FPs against Kaspersky's klif.sys driver. There are a lot of infections which are using the klif.sys name as well, so it's not possible to track down exactly which file you're seeing - could you send a scan log from Tools > Save Scan Results to report@prevxresearch.com so that I can correct the FP?

    Thanks! :)
     
  11. Cherub

    Cherub Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    183
    Location:
    Kentucky

    Sure thing. Should I right click on the threat line where it says to report also?

    I got a file, so I will send it email right away. Just confused on what to do on Prevx now. Just leave it or what?

    Sorry about being dumb about it, but since I don't want to clean it, I'm not sure how to get the threat detection off.
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've fixed the FP - we do prefer having FPs reported manually by sending a scan log in just to ensure that a human looks at it. This particular FP is caused by a more subtle rule which I've now identified. I've only corrected this particular file for now but I've forwarded the information to the research team so that they can get it fully corrected in the AM :)

    Thanks for the report!
     
  13. Cherub

    Cherub Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    183
    Location:
    Kentucky

    No Problem. Thanks for the quick response. Glad to know it was OK.
     
  14. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
  16. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Not sure if this makes a difference, but when I scanned with Prevx I got the false positive and reported it as such. Then I just scanned with Hitman Pro and got the malware alert again. It does not show as a false positive anymore when I just use Prevx. But I thought that was because once I reported it as a false positive I got a message saying I wouldn't be warned about it anymore.

The MD5 hash of the Auslogics Task Manager program is 77601BB504C619C13614BEE4993628F0. And the SHA1 hash is F571DB0272E72B29ECB9C94210A813B718BCAE0D.
     
    Last edited: Aug 28, 2009
  17. SvS

    SvS Security Expert

    Joined:
    Aug 28, 2004
    Posts:
    57
The following file is identified as "Rootkit" (:doubt:):

    [28/8/2009 13:18] The file [c:\program files\calibre\uninstall.exe] contains a threat of type [] - Identity: 823A04CA9D73EA731FC5163F7865390017546B86

    The following related (more or less) entries are detected as well, the last two detections are kind of strange since these shortcuts do not point to any "uninstall.exe" at all. (I seriously hope I never have to clean my system using PrevX... :blink:)

    [28/8/2009 13:18] The file [\??\C:\Users\[....]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\calibre\Uninstall calibre.lnk] contains a threat of type [Infected Entry: [uninstall.exe]] - Identity: 823A04CA9D73EA731FC5163F7865390017546B86
    [28/8/2009 13:18] The file [\??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre\Uninstall calibre.lnk] contains a threat of type [Infected Entry: [uninstall.exe]] - Identity: 823A04CA9D73EA731FC5163F7865390017546B86
    [28/8/2009 13:18] The file [\??\C:\Users\Public\Desktop\Call of Duty(R) 2 - Einzelspieler.lnk] contains a threat of type [Infected Entry: [uninstall.exe]] - Identity: 823A04CA9D73EA731FC5163F7865390017546B86
    [28/8/2009 13:18] The file [\??\C:\Users\Public\Desktop\Call of Duty(R) 2 - Mehrspieler.lnk] contains a threat of type [Infected Entry: [uninstall.exe]] - Identity: 823A04CA9D73EA731FC5163F7865390017546B86
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've fixed the FP, that could be caused by recent changes to the harddisk - had you just installed the "Calibre" program or made any significant changes to your disk layout?
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It will locally not show as a false positive within Prevx but it is not automatically changed across the community. I've corrected it now, however, so if you run another scan you should be clean :)
     
  20. SvS

    SvS Security Expert

    Joined:
    Aug 28, 2004
    Posts:
    57
    Calibre was updated immediately before or during a bootup scan (since it takes nearly 20 minutes to complete the scan it's hard to tell). Calibre is updated at least once a week and this is the first time PrevX detected it.
    However Calibre is using InstallJammer which apparently builds or modifies the uninstall.exe at runtime, so this may have caught PrevX's attention.
     
  21. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    thanks
     
  22. ace11

    ace11 Registered Member

    Joined:
    Aug 23, 2007
    Posts:
    98
    I just got message from prevx about kbda1.dll is to be cleaned - is that FP ?
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, I believe I've fixed it - can you try once more? :)
     
  24. ace11

    ace11 Registered Member

    Joined:
    Aug 23, 2007
    Posts:
    98
It's OK now.

    thank you
     
  25. enchant

    enchant Registered Member

    Joined:
    Aug 30, 2009
    Posts:
    26
    Earlier today, Prevx alerted me to an attack. After it attempted to clean out the infected files, it asked for a reboot. After the reboot, my system wouldn't come back up, and after quite a bit of debugging, I ultimately had to do a repair install of WinXP.

    Once it came back up, Prevx insisted on rescanning my system. It found infections in these files in the directory C:\windows\system32\drivers\

    ipfltdrv.sys
    nwinkfwd.sys

    It sent me through the regular routine of disconnecting from the net, etc. But each time it cleaned up, rebooted and rescanned, it found the same infected files. I did this four or five times.

    Finally, I booted on a cleanly installed winxp drive. I copied those files to a thumb drive and then came back to my regular drive. Prevx was still complaining about those two files.

    I ran a checksum on the "infected" files and the ones from the clean install, and they were identical.

    Prevx seems to be in this infinite loop, and I don't know if there is an actual threat, or if it's a false positive.

    And I can't find any way to stop Prevx.
     
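As an added example (my own Python, not Prevx's code), the following helper covers two things raised in this thread: parsing the scan-log lines of the kind quoted in post 1 so that a detection can be triaged by path and state, and the "compare the flagged file against a copy from a clean install" check that post 25 describes. The line shape, with a 40-hex-character `[PX5: ...]` identity, is inferred from the lines quoted here and is not a documented format; the location-based priority rule, the `THROWAWAY_DIRS` list and the fake file contents in `demo()` are my assumptions.

```python
"""Triage helper for Prevx-style scan-log lines (added example, not Prevx's code)."""
import hashlib
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample: three lines modelled on the scan-log excerpt quoted in this thread.
SAMPLE_LOG = r"""
Prevx Scan Log - Version v3.0.1.65
Some non-malicious files are not included in this log.
[D] c:\windows\system32\drivers\sbredrv.sys [PX5: B1E9E654B0C128C66E8201E7CAA9E600094909BC] Malware Group: Community.OuterEdge
[D] c:\windows\system32\sbbd.exe [PX5: C04760EA28AF6F49A18800A99DBCAC0062880C1B] Malware Group: Community.OuterEdge
[DN] (ACTIVE) c:\recycler\s-1-5-21-1417001333-2049760794-725345543-1003\dc757.exe [PX5: 5BF3813B30EDD274CBC904213272CD008582EBEC] Malware Group: Community.OuterEdge
"""

# Line shape inferred from the quoted log: "[flags] (STATE)? path [PX5: identity] Malware Group: name".
# The identity is 40 hex characters in every line seen in the thread; that is an observation, not a spec.
DETECTION_RE = re.compile(
    r"^\[(?P<flags>[A-Z]+)\]\s+"
    r"(?:\((?P<state>[A-Z]+)\)\s+)?"
    r"(?P<path>.+?)\s+"
    r"\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]\s+"
    r"Malware Group:\s*(?P<group>\S+)\s*$"
)


@dataclass
class Detection:
    flags: str            # bracketed flag letters, e.g. "D" or "DN"
    state: Optional[str]  # e.g. "ACTIVE" when the file is running, else None
    path: str
    px5: str              # Prevx's file identity string, normalised to upper case
    group: str            # e.g. "Community.OuterEdge"


def parse_scan_log(text: str) -> List[Detection]:
    """Return the detection lines of a scan log; header and summary lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["flags"], m["state"], m["path"], m["px5"].upper(), m["group"]))
    return found


# Assumption (my own triage rule, not a Prevx rule): something running from the recycle bin or a
# temp directory deserves a closer look than a vendor driver sitting under system32\drivers.
THROWAWAY_DIRS = ("\\recycler\\", "\\$recycle.bin\\", "\\temp\\", "\\tmp\\")


def triage_priority(det: Detection) -> str:
    """'high' for running files or throwaway locations, 'low' for the FP-prone system paths."""
    p = det.path.lower().replace("/", "\\")
    if det.state == "ACTIVE" or any(d in p for d in THROWAWAY_DIRS):
        return "high"
    return "low"


def sha1_of_file(path: Path) -> str:
    """SHA-1 of a file, read in chunks so large drivers do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def compare_with_reference(local: Path, reference: Path) -> str:
    """Post-25 style check: 'identical', 'differs', or 'missing' (either side absent)."""
    if not local.is_file() or not reference.is_file():
        return "missing"
    return "identical" if sha1_of_file(local) == sha1_of_file(reference) else "differs"


def demo() -> Dict[str, str]:
    """Stand-alone run over constructed files; names are the ones from post 25, contents are fake."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = Path(tmp, "live"), Path(tmp, "clean")
        live.mkdir()
        clean.mkdir()
        (live / "ipfltdrv.sys").write_bytes(b"MZ" + b"\x00" * 64)            # same bytes both sides
        (clean / "ipfltdrv.sys").write_bytes(b"MZ" + b"\x00" * 64)
        (live / "nwinkfwd.sys").write_bytes(b"MZ" + b"\x00" * 63 + b"\x01")  # one byte changed
        (clean / "nwinkfwd.sys").write_bytes(b"MZ" + b"\x00" * 64)
        for name in ("ipfltdrv.sys", "nwinkfwd.sys", "dc757.exe"):  # dc757.exe has no clean copy
            verdicts[name] = compare_with_reference(live / name, clean / name)
    return verdicts


if __name__ == "__main__":
    for d in parse_scan_log(SAMPLE_LOG):
        print(triage_priority(d), d.flags, d.state or "-", d.path, d.px5, d.group)
    print(demo())
```

The point of the reference comparison is the one post 25 makes: when the "infected" file hashes identically to the copy from a clean install, the detection is a rule problem to report with a scan log, not a file to clean. An identical hash only settles the file on disk; the ACTIVE entry in the recycler from post 1 is the kind of line that should be looked at regardless of what the driver next to it turns out to be.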