False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. Nail64

    Nail64 Registered Member

    Joined:
    Jul 19, 2009
    Posts:
    5
    Hi PrevxHelp,

    I sent a new logfile. I cleaned most of the files listed. I see some of them are no longer detected as threats. There are only 2 that are listed that seem to be weird.

    Can you take another look? Thanks
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Thank you for the new log - the remaining two are false positives, the handful that you had before were indeed malicious but are cleaned now and everything else looks fine :)

    If you run another scan, the files won't be detected anymore.
     
  3. Nail64

    Nail64 Registered Member

    Joined:
    Jul 19, 2009
    Posts:
    5
    Looks like everything is good now. Thank you
     
  4. elations

    elations Registered Member

    Joined:
    Jul 19, 2009
    Posts:
    1
    I'm testing Windows 7 (RC 64-bit version) and because my regular software firewall isn't, as yet, compatible, I'm checking out Kaspersky AV 8.0 Technical Preview for Windows 7 which has the "Anti-Hacker" module that acts as firewall. For roughly a day now, the free version of PrevX I have running on my machine flags the Kaspersky driver klif.sys as "Medium Risk Malware". An earlier submission to VirusTotal confirmed that PrevX identified the file as malware. Interestingly, I wasn't the first person to submit this file, but the previous submission was named differently and had an .exe extension. Here's that previous result.
    ~VirusTotal screenshot removed per Policy.~

    I still assumed this would probably be a false positive, and being busy with other things, and because I wasn't yet registered at Wilders Security and haven't submitted a sample to PrevX yet, I decided to wait a bit and see what happened. I expected the alerts would go away soon as many other PrevX users would be running the same technical preview and this would be looked at sooner rather than later. However, much time passed without resolution. I had previously already submitted a few suspected malware sample to Kaspersky, a few examples from a constant stream of new malware pouring into certain usenet groups, and the fact it wouldn't cost much time to just follow the same protocol and submit to them a sample of kilf.sys, I quickly did that when I found a little time. Very soon I received the reply that the sample was malware free. I then submitted the same file VirusTotal again and found that, this time, PrevX didn't seem to find anything wrong with it anymore. The online scan, that is, because on my system, nothing appears to have changed. PrevX still identifies two instances of klif.sys, and a related registry entry, as malware. I've rescanned a few times since then, but no change, I still get red alert. Don't know what's amiss here, but something obviously doesn't work the way its supposed to, so now, at long last, I've decided this has to end, one way or the other, and took the time to register with Wilders and write this message, so I can submit the file plus scanresults. I still hope its a false positive, of course, but have also braced myself for worse scenarios. Oh, I just realize the forum doesn't accept the submission, so I'll send it separately by email (it'll take a couple of minutes). Here's just a screenshot showing the alert:

    klif.sys.infected.JPG
     
    Last edited by a moderator: Jul 20, 2009
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello elations,
    Thank you for taking the time to register and report the detection :) This is indeed a false positive and is caused because of the changes which Kaspersky's driver makes to the system. Most antivirus/firewall drivers modify the system in ways identical to rootkits and other malware so it is common for one vendor to detect another vendor's drivers/components as malicious (Kaspersky does it to us but we aren't trying to be vindictive with this false positive ;))

    I've corrected the FP and am adding a signature to prevent similar FPs in the future.

    You should now be able to scan your system and it will show a clean status.

    Thank you again for the report and let me know if you need anything else!
     
  6. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    just a quick off topic question...
    Posts 95, 96, 104 and more have virus total links posted why was this removed and the others noto_O
    Could someone please post a link where this policy is outlined?
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It is a general part of the forum's policy to remove VirusTotal links (just because of how flawed comparisons via VirusTotal are), however, I'm going to be asking the moderators if there is a need to remove a link when it isn't trying to compare AVs.

    The link the policy is here: https://www.wilderssecurity.com/showthread.php?t=180057
     
  8. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Thanks for the clarification and the provided link:D
     
  9. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Same FPs another time - that's enough reason to get Prevx off my system once more. :cautious:
     

    Attached Files:

  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :gack: They just released an update (the files you had before are still marked good). gamemon.des does heavily use rootkit technology which is why we flag it.

    I've searched through and fixed a few gamemon.des', hopefully yours included.
     
  11. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yeah, thanks - I probably won't use Prevx till v4, UNLESS the bridge is what's also featuring the FP-reductions. Is that so, and would these be avoided?
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Now they would be avoided regardless of the version used (via a rule in place to detect these specifically) but there is little we can do to not detect software like this which is so heavily guarded by rootkit technology.
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Okay, I just recalled that something similar was applied before, maybe in this very same topic I guess - what was that? What you're saying is anyways that from now on the files that I'd pictured in that window won't happen again, correct?
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I hadn't made a more complex routine to prevent this particular FP, but now under all reasonable circumstances we won't produce a FP on gamemon.des (or the associated remnant components which were also detected).
     
  15. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Okay, Joe - thank you very much. ;)
     
  16. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Hello Joe

    Looks like the GUI written for MyDefrag is a little too new...?

    [BP] c:\users\philbyv\desktop\mydefrag gui\gui_mydefrag.exe
    [PX5: DADB776600C4C8D67E73028ED7FDD50022AF8D90]
    Malware Group: Medium Risk Malware

    [DN] c:\users\philbyv\desktop\mydefrag gui\mydefrag.exe
    [PX5: A99DFC150090DFF9E0B70C5015BA46004B6256CE]
    Malware Group: Community.OuterEdge

    I've already flagged this through MyPrevx to Claudia, Jessica, Victoria et al :p

    I understand you only need the PX codes - hope that's right.

    philby
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fixed :D Thanks!
     
  18. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Once again, you set a new rapid-response record...

    Thank you.

    philby
     
  19. Romagnolo1973

    Romagnolo1973 Registered Member

    Joined:
    Feb 17, 2009
    Posts:
    552
    Location:
    Italy - Ravenna
    Hi Joe or Marco, I have this warning on my pc about BitCHE a program for searching Utorrent Files
    It is on my pc since 2007 and today I receave the Prevx warning so I think is a FP
    Here the log:

    Prevx Scan Log - Version v3.0.1.65
    Log Generated: 22/7/2009 19:57, Type: 1,8192
    Windows XP Professional Service Pack 3 (Build 2600) 32bit|1040
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 2, Pop: 2, Heu: 3 (Dir: 1)
    Last Scan: Wed 2009-07-22 19:56:17 ora legale Europa occidentale. Number of Scans: 239. Last Scan Duration: 5 minutes 49 seconds.
    [BP] (ACTIVE) c:\documents and settings\...\dati applicazioni\convivea\bit_che\scripts\special.exe [PX5: 0232CF09ED0CBD8D5F8400196D8EAF0049FB89B8] Malware Group: Medium Risk Malware
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hi Romagnolo1973,
    I've looked at it and 17/43 vendors find it on VT :doubt: Could you send the file to report@prevxresearch.com so we can analyze it directly?
     
  21. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    It is a false positive, tho the way it acts is really way suspicious :rolleyes:
     
  22. SvS

    SvS Security Expert

    Joined:
    Aug 28, 2004
    Posts:
    57
    I get the following FP for a newer version of UpdateStar again:

    [22/7/2009 21:52] The file [C:\Users\<user>\AppData\Roaming\UpdateStar\UpdateStar.exe] has been blocked because it contains a threat of type [Low Risk Adware] - Identity: C46E9A16F0327F1EE0AD47FA54DDE500D643273C
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks for the report - I've corrected it, however, it was an age/popularity false positive so you may want to lower your heuristic/age/popularity settings if you get too many of them :)
     
  24. SvS

    SvS Security Expert

    Joined:
    Aug 28, 2004
    Posts:
    57
    UpdateStar is the only one PrevX detects (every time the application is updated though).

    I don't know if the following two fall into the same category, I doubt since MyPrevX lists them as I-Worm/Stration.DTP:

    c:\program files\rainmeter\skins\hud.vision\black\util\fileexec.exe [PX5: 37DCBFFB00C2C9106EC1005C49AD1D00C0353F40]
    c:\program files\rainmeter\skins\hud.vision\white\util\fileexec.exe [PX5: 37DCBFFB00C2C9106EC1005C49AD1D00C0353F40]
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is unrelated to the other detection - 11 products find the file on VT but it is indeed a FP (most likely detected by others also because it is used/dropped by infections to execute other files... lazy malware authors :rolleyes:)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.