False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    There are an awful lot of infected installers in the wild at the moment!

    I am waiting desperately for Joe's answer cause I am not sure what to do.
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This does look like a new file infector - we're in the process of investigating/analyzing it to see what can be done.
     
  4. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Agreed, but sometimes no response is given even if a decision is taken not to add the application(s) to the database.

    A good example of this is the Perfect Uninstaller program I mentioned earlier in this thread at post #246; I had emailed about it 3 days previously (admittedly without the PX5 identifiers - will try to add those in future), but no response was received so I gave it time in case you were analysing it still. The program was/is still not being detected, perhaps rightly so, but I posted here to draw attention to it.

    I hope you do get the emails as 2 weeks ago there was an issue because someone was on holiday so you missed it.
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hmm.... I found your email about Perfect Uninstaller and you're correct that the email was deleted and not responded to. This is against our policy (we should respond to every message, albeit probably later than when we originally add the detection) and I'll be looking into why this was dismissed in this manner.

    However, regarding Perfect Uninstaller - I personally wouldn't consider this to be rogue. It's true that they do require you to pay to uninstall programs but they do appear to provide additional functionality on top of the default uninstall routines (and they do provide the user with the relevant information on the areas that would be removed).

    Again, sorry for the complete lack of a response - that definitely isn't helpful to anyone! :oops:
     
  7. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    That's my fault. I apologize about it. I handled a number of reports present in our report e-mail account and I was sure I replied to yours too. Instead, the e-mail was still here on my e-mail client and wasn't successfully sent.

    I still apologize about it, anyway we always reply to all e-mails we receive. If for any reason you don't get a response it's because there has been an error for sure.

    Thank you for your patience.
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    What a man, taking the fall for Joe. :blink:
     
  9. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Good Team... ;) As it should be. :thumb:
     
  10. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Thanks for your response re: Perfect Uninstaller and apology for lack of response. That goes for EraserHW too. :) I appreciate both of you being upfront about it.

    Now I can remove PU from my sandbox. :D
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,942
    Location:
    USA
    aswmon2.sys & aswmon.sys

    These are avast! file system filter drivers, I believe. The Prevx alert, as you can see, popped up while running a Hitman Pro scan...
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,942
    Location:
    USA
    As a quick follow up to the above fp's...

    FYI, initially I got the same behavior that I alluded to here, wherein clicking "View Threats" produced a scan instead. The scan came up clean.

    I then removed the Detection Overrides I had put in place for these two files and re-scanned and all was good.
     
  13. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    I don't understand one thing. Actually, there's a lot in life I don't understand yet but this is a good place to start.
    If Hitman is using the latest from Prevx, why does Prevx pop up with a 'false positive' while Hitman says that nothing was found?
    Hugger
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Those FPs are caused by the age/popularity heuristics - could you let me know what your heuristic settings are? Higher settings could sometimes produce more FPs for these detections.

    Hitman Pro uses part of our engine but not the whole thing - Prevx contains additional rootkit scanning and heuristics in realtime which will detect additional malware on top of the threats we find with the default scanning.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,942
    Location:
    USA
    Heuristics are maximum, Joe. I am not in any way distraught about such findings... it's easy enough to investigate the files in question, after trusting one time. I know I can adjust the heuristics downward, but I don't mind the occasional fp if it means enhanced protection.

    Is it correct that after Prevx alerted on those two avast! files (and on two machines, also) that the cloud then recognized them and no longer ID'd them as risks? ... because subsequent scans, within minutes, came up clean.
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, that's correct - we tend to learn about files quite quickly so the FPs generally fix themselves (and I get to sit back and not do anything :))
     
  17. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,942
    Location:
    USA
    I'm sure that's not exactly the way it goes, Joe. ;)
     
  18. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I dumped a log from an XP gaming machine that still has Prevx on it, here's a bunch of FP's that may or may not be fixed.

     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Did you actually see these FPs in realtime? We log "Malware Group: Community.OuterEdge" into the log just as a flag without actually warning in many cases (so some users could end up with hundreds of them, not meaning we would have detected all of those files if they were run :))

    Regardless, I've fixed these files anyway and they are now trusted in the database.
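As an added example (not Prevx's code, thresholds or log format) modelling what posts 14 and 19 above describe: an age/popularity heuristic whose stricter "maximum" level alerts on young, rare files, a log-only "flag" verdict analogous to the Community.OuterEdge entries, and the FP resolving once the cloud has seen the file on enough machines. The threshold values, the "oldlib.dll" record and the machine counts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical thresholds per heuristic level (assumed, not Prevx's values):
# a file is "young" if first seen within max_age_days and "rare" if fewer
# than min_machines distinct machines have reported its hash to the cloud.
THRESHOLDS = {
    "medium":  {"max_age_days": 3,  "min_machines": 5},
    "maximum": {"max_age_days": 14, "min_machines": 100},
}

@dataclass
class CloudRecord:
    """What the cloud knows about one file hash (constructed data)."""
    name: str
    first_seen: datetime
    machines: int          # distinct machines that have reported this hash

def age_spread_verdict(rec: CloudRecord, now: datetime, level: str) -> str:
    """'warn' = real-time alert, 'flag' = logged only (assumed semantics,
    like the Community.OuterEdge entries in the thread), 'clean' otherwise."""
    t = THRESHOLDS[level]
    young = (now - rec.first_seen).days <= t["max_age_days"]
    rare = rec.machines < t["min_machines"]
    if young and rare:
        return "warn"      # both criteria violated: an Age/Spread alert
    if rare:
        return "flag"      # rare but established: note it in the log, no popup
    return "clean"

def scan(records, now: datetime, level: str) -> dict:
    """Verdict for each record at the given heuristic level."""
    return {r.name: age_spread_verdict(r, now, level) for r in records}

def learn(rec: CloudRecord, new_reports: int) -> CloudRecord:
    """Cloud 'learning': more machines report the hash, so its spread rises
    and the false positive resolves without any rule change."""
    return CloudRecord(rec.name, rec.first_seen, rec.machines + new_reports)

DEMO_NOW = datetime(2009, 6, 20)

def demo_records():
    """Constructed sample: a freshly updated AV driver and an old, common DLL."""
    return [CloudRecord("aswRdr.sys", DEMO_NOW - timedelta(days=2), 40),
            CloudRecord("oldlib.dll", DEMO_NOW - timedelta(days=400), 40)]

if __name__ == "__main__":
    for level in ("medium", "maximum"):
        print(level, scan(demo_records(), DEMO_NOW, level))
    print("after learning:", age_spread_verdict(learn(demo_records()[0], 1000), DEMO_NOW, "maximum"))
```

The same driver is clean at "medium" and a warning at "maximum", and becomes clean at "maximum" once enough machines have reported it, which is the behaviour the thread attributes to the cloud fixing FPs on its own.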
     
  20. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Heuristics are set to max, medium and medium respectively.
    Now that I understand what is happening I'm not concerned about it.
    Thanks for your help.
    Hugger
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,942
    Location:
    USA
    What I am seeing is that Prevx finds the same fp files repeatedly when I run Hitman Pro.

    These fp's were noted here yesterday. I thought that those two files were finally recognized by Prevx as fp's, but they are back again, with numerous other Alwil drivers flagged by Prevx. Yes, heuristics are on maximum, but my understanding was that the cloud would soon recognize these Alwil files and stop flagging them... in fact I thought that was the case yesterday, but evidently not.

    FWIW, in addition to the two files yesterday (aswmon.sys & aswmon2.sys), Prevx is now identifying...

    aswRdr.sys
    aswFsBlk.sys
    aswSP.sys
    aavmker4.sys

    as threats that should be removed.

    Now here's the confusing part. After removing these files from the Prevx Detection Override, I right-click scan my system32\driver folder and Prevx says all files are clean. But if I run Hitman Pro again, Prevx jumps up and alerts on all of them as threats! It also ID's some in the Alwil program file.

    Maybe this behavior makes sense to you, Joe. It's strange to me. Is it all due to maximum settings for heuristics? Does that explain clean Prevx scans (even of the specific driver folder), and subsequent Prevx alerts during Hitman Pro scans?

    Also, as a suggestion, I'd like to recommend that Prevx Detection Override feature have a "Select All" option for removal, so that I don't have to take each fp out of there individually. Maybe that option already exists and I didn't look around enough.
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This doesn't really make sense to me :D It sounds like an issue - but could you mail over a scan log so I can see exactly what's happening? I'm thinking Avast may be randomizing its drivers when it scans (possibly to evade malware blocking different components) but we have been making some large changes to the behavior for users on maximum protection so these FPs could be the result of those.

    A scan log will definitely help to either let us tune the rules better or at least to fix these individual FPs :)

    (Also, detection overrides doesn't have a select all feature.)
     
  23. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    It doesn't currently, but he's suggesting it should.
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,942
    Location:
    USA
    Okay, I will send a scan log. FYI, on reboot just now I received an Age/Spread Criteria Violation Detection on aswRdr.sys... max heuristics, I know, but it's the same file I've been getting for a couple of days.
     
  25. nintendoman

    nintendoman Registered Member

    Joined:
    Dec 22, 2006
    Posts:
    10
    Hi!

    I've recently scanned my computer using Prevx 3 and it finds pixetell.exe as a Low Risk Adware. I can say for sure it's not malware. It's kinda like a multimedia communication tool for e-mail.
    You can check it out here: http://www.ontier.com/
     