False positive - why are they so dang slow to fix them

Discussion in 'other anti-virus software' started by kinwolf, Mar 18, 2008.

Thread Status:
Not open for further replies.
  1. kinwolf

    kinwolf Registered Member

    Joined:
    Oct 19, 2006
    Posts:
    271
    Suddenly last week, VBScript compiled as exe with PrimalScript started to be flagged as a trojan by my AV. I uploaded to VirusTotal and amazingly saw that my AV wasn't the only one with the false positive. So I sent each company an email with the zipped exe and an explanation of why it was a FP (any script, even one with just a wscript.echo in it, is reported as a trojan as soon as it's compiled as an exe).

    Well, a full week later it's still detected by all those AVs. Getting tired of it because I have to put multiple exceptions in the config. Some of those scripts run on servers to do administrative jobs. Just glad it's not the same AV on the servers, it would have been a major pain to remove the scripts from quarantine everywhere and add an exception for each.

    Why does it take them so long to fix FP? Yes, infections are bad, but FP can be as crippling to an organisation.
     
  2. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Who flagged it?
     
  3. kinwolf

    kinwolf Registered Member

    Joined:
    Oct 19, 2006
    Posts:
    271
    I prefer not to name the companies, it would turn too quickly into a VS thread.

    Suffice to say, 5 AV companies were flagging it; of those 5, only 1 has fixed the FP after a week. It's not the first time I have had to wait so long for a FP to be fixed either. All-time record stands at 1 month with a file from the HP SmartStart CD.
     
  4. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    pointless if you don't say though,

    If drweb was one and still has not been fixed, you should still have a submission id, post it to them
     
  5. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Sometimes sending an email to report a false positive isn't the quickest way. Lots of vendors use their forum to let people upload samples or report false positives; for BitDefender this is the quickest way to report a false positive. I give this just as an example because the virus researchers are more active on this. So see if there is such a possibility that your antivirus vendor offers you. What I think the reason could be is that these report addresses are overloaded, so it can take a while before they can examine your sample.
     
  6. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
    Are you submitting it via the correct channels? Certain AVs have a specific e-mail address you send it to, others have a web-form you fill in and submit the sample.

    Remember to send it to the correct e-mail address... if you send it to the incorrect department (Eg, sending a sample to sales), they may simply discard it.
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Some creativeness makes this easy to figure out. And it isn't Eset.
     
  8. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    What trojan NAME did they give it, please? If some AVs had different names, please post those also. That might help this discussion. ;)

    It would also pin down if it is just one of those "caution, look further into it" kind of things, or they all think it is a hard-coded real bad boy.

    We all know the AVs are constantly trying to be pro-active in their real-time scans with heuristics or other "if it walks like a duck and quacks, it must be a duck" implementations, so let's be realistic.
     
  9. kinwolf

    kinwolf Registered Member

    Joined:
    Oct 19, 2006
    Posts:
    271
    Ok, to kill the speculation (but please refrain from the VS war): last week I emailed, or used the online webform of, the following AV companies.
    Avira (they fixed it)
    A-Squared (not fixed yet)
    F-Prot (not fixed yet)
    Bitdefender (not fixed yet)
    VBA32 (not fixed yet)

    Aye, I made sure to send it to the correct place with all the AV companies. I looked in their support area or forum guidelines to get the proper channel.

    Niels: Thanks for the tip, I'll post it on the forum there. I sent it to them via email plus they also had it from the quarantine that is sent automatically, but I'll put it on the board if it can speed things up.

    Primrose: In all the cases it was detected by the heuristic and has a name like Trojan.Generic.xxx or Trojan.Dropper.xxx or W32/Trojan.xxx

    As I said, the fact that there is a FP isn't a huge issue, it happens, it's just the time to fix it that is. I guess it might be faster when you have a corporate account though.
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Trojan.Generic.xxx or Trojan.Dropper.xxx or W32/Trojan.xxx: I don't consider those to be FPs, but rather "go look at", and surely none of those AVs would just quarantine it by default.

    Now I do see your point if you are a developer and want to get special attention OUT of that heuristic issue.

    Thanks for your post, hope they all clear it up for you.

    Kind of reminds me of the problem Microsoft always has with developers who design stuff for their OSes and do not submit it to their development department or use their SDK for a look-see, to make sure they do not occupy some spaces Microsoft reserved for their stuff. Everything goes along good for a while, then all of a sudden Microsoft comes out with a new SP or update to protect against an exploit, and they break the application of the third-party developer or one of his drivers.
     
  11. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Are you kidding me? Those are most likely not heuristics names at all. Bloodhound.Packed, NewHeur_PE, Vipre.Suspicious... those are heuristics names. Trojan.Dropper.ghi (random example) is not...
     