False positive?

Discussion in 'Prevx Releases' started by Pain of Salvation, Sep 17, 2009.

Thread Status:
Not open for further replies.
  1. Pain of Salvation

    Prevx detected two Rootkits on my PC. The .exe is xpsviewer.exe.

    I think it is a false positive...
     

    Attached file: log.log (290.4 KB)
  2. HKEY1952

    Any trust in Prevx that I started to acquire is now gone!

    Prevx File Investigation Report:
    http://www.prevx.com/filenames/X5512832529437851-X1/XPSVIEWER.EXE.html

    Windows Hardware Developer Central - View and Generate XPS:
    http://www.microsoft.com/whdc/xps/viewxps.mspx

    Explore the features: XPS documents:
    http://www.microsoft.com/windows/windows-vista/features/xps.aspx

    NOTE: XPSViewer.exe is a hidden system file:
    http://www.fileinspect.com/fileinfo/xpsviewer-exe/


    HKEY1952
     
  3. Habakuck

    Why is it gone?
     
  4. fax

    You seem to have completely missed the point. You can't assess if a file is malware only from its name! LOL
    But you need more information like the size, location, the behaviour, unique hash code, etc...

    The web page at Prevx is telling you that XPSVIEWER.EXE, doing XXXX, with yyyy size, located in zzzz and identified in qqqq countries is malware, not the one installed on your PC. :)

    Cheers,
    Fax
     
  5. HKEY1952

    Any malware scanner will inevitably at some point generate a false positive or a false negative; this is expected and acceptable. However,
    this particular false positive concerning the Microsoft XPSViewer.exe is totally out of context and unacceptable, especially the ludicrous Prevx File Investigation Report details.
    This is one time, Sir, that I will not argue my point, because I know that I am right.....and the road ends.....right here.


    HKEY1952
     
  6. ctrlaltdelete


    I agree.


    The file in Pain of Salvation's log is this one:
    http://info.prevx.com/aboutprogramtext.asp?PX5=F4E38556001A95720E8D00D21C7C2200B79BCD14

    It is not marked as malicious in the Prevx database. Guess a strange behavior of this file triggered the Rootkit.MFTHide detection.
     
  7. PrevxHelp

    Hello all,
    This false positive is caused by a mismatch between user-mode data and kernel-mode data and is detected within our rootkit scanner. I suspect most other anti-rootkit programs would detect this as well; it literally means that the file has a missing entry within the file system (which is a technique used by some advanced rootkits today).

    However, the cause of it generating a false positive is very rare and usually would only happen from hard disk corruption, another AV blocking that specific file (which I doubt in this case), or a file having just been written to the disk/created.

    This FP in particular affected only one user (Pain of Salvation) and the file in his log has never been seen on any other PC, which leads me to believe that it had just been created on the system or possibly has been corrupted in some form.

    Let me know if you have any questions! :)
     
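The cross-view check Joe describes above, written out as an added example (this is illustrative Python, not Prevx's scanner code). Both "views" are constructed sample data: the long WinSxS path is the one from the quoted log, while the xpsviewer.exe location, the hidden driver name and all file sizes are invented for illustration. The second function shows the practical mitigation for exactly this false-positive mode: a discrepancy is only alerted on if it survives a re-scan, so a file that was still being flushed to disk during the first pass drops out once the two views agree.

```python
"""Cross-view detection of files hidden from the NTFS Master File Table.

An anti-rootkit scanner builds two independent listings of the same tree:
  * the user-mode view, from the ordinary Win32 directory API
    (what Explorer / FindFirstFile see, and what a rootkit can filter), and
  * the kernel/raw view, read by a driver straight from MFT records.
Anything present in one view but not the other is a cross-view discrepancy.
Illustrative code only; all paths and sizes below are constructed sample data.
"""
from typing import Dict, List, Sequence, Tuple

FileView = Dict[str, int]  # canonical path -> size in bytes


def canonical(path: str) -> str:
    # NTFS is case-insensitive; compare on a normalised form. A real scanner
    # would also resolve 8.3 short names (x8a9e0~1.181 in the log) to the
    # long name so the same file is not counted twice.
    return path.replace("/", "\\").lower()


def normalise(view: FileView) -> FileView:
    return {canonical(p): size for p, size in view.items()}


def cross_view_diff(user_view: FileView, kernel_view: FileView) -> Dict[str, List[str]]:
    """Compare the two views of one directory tree.

    hidden_from_usermode: record exists in the MFT but the user-mode API does
                          not return it (classic rootkit indicator).
    missing_mft_entry:    user mode returns the file but no MFT record was
                          found (the Rootkit.MFTHide condition in this thread).
    size_mismatch:        both see it, but disagree on the size.
    """
    u, k = normalise(user_view), normalise(kernel_view)
    both = set(u) & set(k)
    return {
        "hidden_from_usermode": sorted(set(k) - set(u)),
        "missing_mft_entry": sorted(set(u) - set(k)),
        "size_mismatch": sorted(p for p in both if u[p] != k[p]),
    }


def confirm_persistent(snapshots: Sequence[Tuple[FileView, FileView]]) -> Dict[str, List[str]]:
    """Only report discrepancies that appear in every snapshot.

    A file that was still being written when the first scan ran shows up in
    user mode before its MFT record is flushed; on a re-scan the two views
    agree and it disappears from the result, while a genuinely hidden file
    stays discrepant in every pass.
    """
    if not snapshots:
        return {}
    diffs = [cross_view_diff(u, k) for u, k in snapshots]
    result: Dict[str, List[str]] = {}
    for key in diffs[0]:
        persistent = set(diffs[0][key])
        for d in diffs[1:]:
            persistent &= set(d[key])
        result[key] = sorted(persistent)
    return result


# ---- constructed sample data -------------------------------------------------
WINSXS = (r"c:\windows\winsxs\x86_microsoft-windows-wpfcorecomp.resources"
          r"_31bf3856ad364e35_6.0.6001.22221_es-es_b2545417a9a413f3")
MUI = WINSXS + r"\xpsviewer.exe.mui"                          # path from the log
EXE = r"c:\windows\system32\xpsviewer.exe"                    # hypothetical location
RK = r"c:\windows\system32\drivers\hypothetical_hidden.sys"   # invented hidden file

# Snapshot 0: the .mui has just been written and not yet flushed, so the raw
# MFT read does not show a record for it; a hidden driver is visible only there.
USER_T0: FileView = {EXE: 376_832, MUI: 21_504}
MFT_T0: FileView = {EXE: 376_832, RK: 40_960}
# Snapshot 1 (re-scan a few seconds later): the write has been flushed.
USER_T1: FileView = {EXE: 376_832, MUI: 21_504}
MFT_T1: FileView = {EXE: 376_832, MUI: 21_504, RK: 40_960}

if __name__ == "__main__":
    print("single pass:", cross_view_diff(USER_T0, MFT_T0))
    print("confirmed  :", confirm_persistent([(USER_T0, MFT_T0), (USER_T1, MFT_T1)]))
```

The single pass flags both the not-yet-flushed .mui (missing MFT entry) and the invented driver (hidden from user mode); after the second snapshot only the driver remains, which is the behaviour a scanner wants before it labels something Rootkit.MFTHide.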
  8. HKEY1952

    Respectfully.....your entire Post is misleading and wrong.....

    There are two files for the XPSViewer:

    01)- XPSViewer.exe.mui
    (a) Internal Name = XPSViewer.exe
    (b) Original File Name = XPSViewer.exe.mui

    02)- XPSViewer.exe
    (a) Internal Name = XPSViewer.exe
    (b) Original File Name = XPSViewer.exe

    Attached screenshots: xpsviewer_mui_internal.JPG, xpsviewer_mui_original.JPG, xpsviewer_exe_internal.JPG, xpsviewer_exe_original.JPG

    That's All Folks


    HKEY1952
     
  9. PrevxHelp

    Sorry, but it isn't - you have misread his log:

    [R<11000020>] c:\windows\winsxs\x86_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_6.0.6001.22221_es-es_b2545417a9a413f3\xpsviewer.exe.mui [PX5: F4E38556001A95720E8D00D21C7C2200B79BCD14] Malware Group: Rootkit.MFTHide
    [R<11000020>] c:\windows\winsxs\x8a9e0~1.181\xpsviewer.exe.mui [PX5: F4E38556001A95720E8D00D21C7C2200B79BCD14] Malware Group: Rootkit.MFTHide

    This is not referring to xpsviewer.exe. These files are identical - the issue came because one of them was not flushed all the way to disk so Prevx was seeing that it was hidden from the Master File Table.
     
    Last edited: Sep 18, 2009
  10. fax

    Lol, sorry but, right or not, and as explained by Joe, you are still ... missing the point :D

    Fax
     
  11. HKEY1952

    You are out of your playpen again fax


    HKEY1952
     
  12. lordpake

    I am sorry, but I for one do not understand the reason for the overreaction. One false positive, which occurred on one system, due to some odd condition. Where's the problem?

    There is no problem.

    It's not like this is some system-crippling bug affecting thousands of systems a la unmentioned european company :D
     
  13. fax

    Yeap :thumb: :D
     
  14. HKEY1952

    Directory Hard Links


    HKEY1952
     
  15. fax

    Pen, which pen? The heuristics on your end seem to generate a lot of false positives :D
    Sorry couldn't resist, peace...love and music forever :p
     
  16. ambient_88

    Hmm, I am not encountering this false positive. I'm using Windows 7 x64 RTM.
     
  17. PrevxHelp

    No one else encountered the FP - it was literally limited to Pain of Salvation and wasn't a signature detection, as pointed out by ctrlaltdelete, so no other user could ever have been affected by it.
     
  18. overangry

    Hi Joe, can you confirm this as an FP?
    I have marked them as such and just require confirmation from you or one of your team.
    Thank you
     

    Last edited: Sep 19, 2009
  19. PrevxHelp

    Yes, it is :) We corrected this FP yesterday and the misdetection should be removed automatically on a re-scan.
     
    Last edited: Sep 20, 2009
  20. PrevxHelp

    A note to all - we strongly encourage reporting FPs by using the methods in this thread: https://www.wilderssecurity.com/showthread.php?t=245129

    To prevent this thread from turning down unproductive routes, please follow the instructions in that post to submit false positives. I'm now closing this thread, but feel free to send me a PM if you have any questions.

    Thank you for your support!
     