False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

  1. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Re: Prevx not finding an active spambot

    Well it's best to let the Prevx team help you out to find the cause of this problem and you are in great hands!

    TH
     
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi, just got back and booted up. Prevx scanned automatically and found the following, which were ALL there earlier, and all FPs as far as I'm concerned!


    c:\documents and settings\\desktop\t\555\combofix\combofix.exe [PX5: 66767783413728499C032D344B708A0073F3D1D8] Malware Group: Medium Risk Malware

    combofix.exe = Lol


    [BP] c:\documents and settings\\desktop\\zemana spy tests\screenlogger.exe [PX5: 144FE21D983C2A4DD18704BB2E6D1E0086982798] Malware Group: Low Risk Test Virus

    [BP] c:\documents and settings\\desktop\\zemana spy tests\webcamlogger.exe [PX5: 327A08DB98A59BC2DF5804E4B63BD100386B8CF1] Malware Group: Low Risk Test Virus

    [BP] c:\documents and settings\\desktop\\zemana spy tests\clipboardlogger.exe [PX5: 88EA1C59981E05E4DB000489ADB5C7009B7FAE31] Malware Group: Low Risk Test Virus

    All zemana spy tests = SAFE


    [BP] c:\documents and settings\\desktop\\sysprot\sysprot v1.0.0.7.exe [PX5: 16F4EF06005319B57CC2029901514C009E6BA296] Malware Group: Medium Risk Malware

    sysprot v1.0.0.7.exe = SAFE


    c:\documents and settings\\desktop\\hidetoolz_v2.1\hidetoolz v2.1.exe [PX5: 7E3CD74700A3C8717E4F01DBDF274700F4D5CEA2] Malware Group: High Risk Worm

    hidetoolz v2.1.exe = SAFE


    c:\documents and settings\\desktop\\detect virtual pc or vmware\host detection.exe [PX5: D7308F2E004FCC9BA0EF00D269FA5500C5678C14] Malware Group: High Risk Worm

    host detection.exe = SAFE


    c:\documents and settings\\desktop\\new text document-txt.exe [PX5: D42EA513E6111EB116E1018702195C0006D60EEF] Malware Group: Low Risk Adware

    new text document-txt.exe = SAFE Something renamed by me.


    c:\documents and settings\\desktop\\through-the-eyes-of-a-keylogger_v1_0_0.exe [PX5: 36EE70E600414CCE102A017BA4FF19005F2F77F5] Malware Group: Low Risk Test Virus

    through-the-eyes-of-a-keylogger_v1_0_0.exe = SAFE = Tests


    c:\documents and settings\\desktop\\aklt\aklt.exe [PX5: 5ACA58B200076A56A4DA025E8AF7A700CA7BF5B1] Malware Group: Medium Risk Malware

    aklt.exe = SAFE = Firewall Leak Tests


    c:\documents and settings\\desktop\\cmcark_cw0.2.4.500\cmcark.exe [PX5: 14EBA34257AB4F83133F2682478F36005D5F163C] Malware Group: High Risk Worm

    cmcark.exe = SAFE = ARK


    c:\documents and settings\\desktop\\samurai version 2.7\imagehooks.dll [PX5: D89CCAC3001EBDB0702A02FC42433F00583407C7] Malware Group: High Risk System Back Door

    c:\documents and settings\\desktop\\samurai version 2.7\userhooks.dll [PX5: A20AACBF0091FEAAA0A602E4A2FAEC00B016B7AD] Malware Group: Low Risk Adware

    samurai version 2.7 = SAFE = Security App, never seen any ads, but don't use it anymore

    TIA

    S
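    The detection lines quoted in this post share one shape (optional "[BP]" tag, path, PX5 identifier, malware group). As an added example, not Prevx code, here is a small parser and triage helper for that line format; the sample log, paths and PX5 values in it are constructed placeholders.

```python
"""Parser and triage for Prevx scan-result lines in the shape quoted above.
Added example, not Prevx code; sample paths and PX5 values are placeholders."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Line shape: [BP] <path> [PX5: <40 hex>] Malware Group: <Low|Medium|High> Risk <family>
# The leading "[BP]" tag is optional (only some lines in the thread carry it).
_LINE = re.compile(
    r"^(?:\[(?P<tag>[A-Z]+)\]\s+)?"
    r"(?P<path>.+?)\s+\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]\s+"
    r"Malware Group:\s+(?P<risk>Low|Medium|High)\s+Risk\s+(?P<family>.+?)\s*$"
)

@dataclass(frozen=True)
class Detection:
    path: str
    px5: str            # Prevx's 40-hex-char file identifier, upper-cased
    risk: str           # Low / Medium / High
    family: str         # e.g. "Malware", "Test Virus", "System Back Door"
    tag: Optional[str]  # "BP" when the line carried a [BP] prefix, else None

def parse_line(line: str) -> Optional[Detection]:
    """Parse one scan-result line; return None for lines in any other shape."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return Detection(m["path"], m["px5"].upper(), m["risk"], m["family"], m["tag"])

def parse_log(text: str) -> List[Detection]:
    return [d for d in map(parse_line, text.splitlines()) if d is not None]

def triage(dets: List[Detection]) -> dict:
    """Count hits per risk level and list 'Test Virus' hits separately, since
    those are usually security test tools rather than live malware."""
    return {
        "by_risk": dict(Counter(d.risk for d in dets)),
        "test_tools": [d.path for d in dets if "Test Virus" in d.family],
    }

# Constructed sample log: placeholder paths and hashes in the thread's line format.
SAMPLE_LOG = r"""
c:\documents and settings\user\desktop\tool\tool.exe [PX5: 00112233445566778899AABBCCDDEEFF00112233] Malware Group: Medium Risk Malware
[BP] c:\documents and settings\user\desktop\spy tests\screenlogger.exe [PX5: 0123456789ABCDEF0123456789ABCDEF01234567] Malware Group: Low Risk Test Virus
c:\documents and settings\user\desktop\ark\ark.exe [PX5: FEDCBA9876543210FEDCBA9876543210FEDCBA98] Malware Group: High Risk Worm
Scan complete.
"""
if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG)))
```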
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hi StevieO,
    We detect some of these files intentionally (like the leaktests) but there are some FPs in here which I'll be fixing shortly :) Thank you for the report(s) :)

    EDIT: The only actual false positives here are your "new text document exe" (but caught because the tool used to make it is used frequently to make malware), combofix (which is caught by a number of other AVs because it uses tools like NirCmd which are used very heavily by malware), and cmcark.exe.

    The rest of them are adware or riskware - hidetoolz.exe may not be malicious by itself but it is used to hide processes and is found by 23/41 vendors on VT (most explicitly as "HideProc"). The samurai dlls do appear to be adware as well :doubt:
     
    Last edited: Jul 26, 2009
  4. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13
    Re: Prevx not finding an active spambot


    Thanks TH. I loaded up Look'n'Stop Firewall 2.06p4, which I saw in your sig. Now I have to answer all the "Authorize" questions :p . Wish I knew how to make it log Port 25 SMTP.
     
  5. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Re: Prevx not finding an active spambot

    Feel free to ask questions about Look'n'Stop in their forum; Frederic would be happy to assist you!!

    https://www.wilderssecurity.com/forumdisplay.php?f=28

    TH
     
  6. Saladien

    Saladien Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    11
    Please see this log. Most of the things are FPs (the first is an AutoIt script or something like that); the rest are zoom shortcuts and Pidgin plugins.
     

    Attached file: log.log (423 KB)
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    The pidgin plugin is clean but the other file is an autorun worm and registers itself quite maliciously in the registry. You should be able to remove the file but ensure that you remove the system service named:

    .1247270467sstr

    and any associated entries in there as well.

    Let me know if you have any questions or find anything else! :)
     
  8. Saladien

    Saladien Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    11
    Hi,
    I have deleted the file, but the new scan says pidgin-musictracker is malware, but it is also a plugin. And where is the system32.exe from yesterday? I can't find it anymore.
     
  9. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13
    Re: Prevx not finding an active spambot

    Latest update. When I ran a GMER today it found nothing. When I went to the GMER site in IE8 to see if I could get more info on it, the www.gmer.net page was turned into a page of hex gibberish. Repeatable. Other sites were OK. I could bring up www.gmer.net just fine in Safari or Opera, so it seems like an IE thing, and an obvious infection. When I ran GMER again I was unable to press the SCAN button in the rootkits area, so something is blocking it now. I emailed GMER about that. Prevx still shows nothing, while spams were being actively sent on Port 25/SMTP.

    I used the firewall to selectively turn off my "allow" apps in LnS and the spam stopped being generated when Outlook was blocked. Whatever it is, it seems pretty sophisticated, watching webpages, blocking functions, etc...
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Now it's fixed :) Thanks again - I'm not sure about the system32.exe file, it may have changed into the other filename o_O It definitely isn't there anymore in your log.
     
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi,

    I noticed today some of my earlier detects have now gone, great! These are still showing, though.


    new text document exe

    (but caught because the tool used to make it is used frequently to make malware) Actually I encrypted it with AxCrypt, not a baddie. Might be due to the encryption?

    [BP] c:\documents and settings\\desktop\\sysprot\sysprot v1.0.0.7.exe [PX5: 16F4EF06005319B57CC2029901514C009E6BA296] Malware Group: Medium Risk Malware

    Sysprot = ARK = SAFE, so?

    c:\documents and settings\\desktop\\installed onxp\samurai version 2.7\imagehooks.dll [PX5: D89CCAC3001EBDB0702A02FC42433F00583407C7] Malware Group: High Risk System

    Why Back Door?

    c:\documents and settings\\desktop\\samurai version 2.7\userhooks.dll [PX5: A20AACBF0091FEAAA0A602E4A2FAEC00B016B7AD] Malware Group: Low Risk Adware

    No adware I've ever seen, so?

    c:\documents and settings\\desktop\\detect virtual pc or vmware\host detection.exe [PX5: 36EE70E600414CCE102A017BA4FF19005F2F77F5] Malware Group: Low Risk Test Virus

    It only checks for VM or not, so?



    Also, strangely enough, Avira is now alerting me that the earlier detect Combofix is malware, but it wasn't before? I'll send it to them as an FP too.

    TIA
     
  12. Saladien

    Saladien Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    11
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is indeed the case - I'll see what we can do to update the signature to prevent some FPs on AxCrypt files, but it will have to be done carefully to prevent loss of detection. I should have this updated in 15 mins or so :)



    This program does appear to contain adware - a variant of the "TopSearch" adware (which is most likely a bundled DLL rather than unique adware). A number of other vendors detect it as well and I think it does need to remain there.



    This tool is used almost exclusively by malware and I don't really see how it could be used outside of malware really :doubt: It's been used in a few dozen different infections so IMO it is more worthwhile to detect it than not.


    I wouldn't blame them :) Most AVs find Combofix (ironically) because of all of the tools they have bundled inside the archive - a lot of them are also used heavily by malware :doubt:
     
  14. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    AxCrypt = Good news

    samurai = If you say so, boss! Even though I haven't used it for ages, I never saw ANY adware, strange?

    host detection.exe = Ooh err, really! I think I'll send it to you so you can examine it in detail. I'm sure I DL'd it from an OK place, but can't remember now; any info I find I'll send with it.

    Re Avira. I've had Combofix in for a while, but only today it detects it lol.

    Fanx
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Not sure :doubt: It may not be outwardly malicious - but it is adware (or at least a Possibly Unwanted Program via McAfee's terminology).

    The file itself is legitimate but the way that it's used isn't - it's very easy to latch onto a file being malicious if you detect that it performs different behavior when under a virtual machine or not. This way, they're putting the virtual machine detection in a separate program to evade detection. Sneaky, but still malicious (which is why we and a number of other AVs block this file).
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK


    We don't harvest all malware samples so we don't have a copy of it but it doesn't look like it is in your log anymore so you should be safe (Previously Detected Files means that they used to be there but aren't anymore :))
     
  17. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567


    That's the thing that bothers me most... it's one thing with totally new software, e.g. betas or new versions - even if not good, it's understandable that at least Age/Spread heuristics might throw up something - but when it comes to software which has not changed at all and Prevx suddenly goes *poof* "Aha! I think I found something!", then it's getting really bothersome. I dunno why it should at all. What's the reason it connects something that hasn't changed with malware because of new rules or whatever?

    I won't throw up "my own software blahblahblah" once again since I know that would bring the same answer which doesn't make sense to me anyway, simply because that answer is not the truth to me.
     
  18. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Okey dokey, you da man!

    Thanx
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Every time an AV adds a signature (Avira included as they had the same FP as us, as well as 10+ other companies that also FP on the combofix file), it has to be applied to every other program in existence, regardless of if it was allowed past before. So, FPs are very dynamic and change with every additional signature added for every company.
     
  20. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Here again lol

    I just tried to exclude those detects and got this, which I haven't before when I've had to do it.

    1 - Is this new?

    2 - Where am I supposed to put them, and why won't the Prevx App do this automatically as before?

    TIA
     

    Attached file: dt.png (4 KB)
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    You can use that dialog to pick a file, or you can right click on the file in the detection list and click "Report as a false positive" which will automatically add it to the exclusion list :)

    Let me know if you have any other questions with it :)
     
  22. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Ahhh, but if you try and right click from the Detection Overrides panel to do that, as I just did, it won't let you, as it seems this option is only available from the Scan results panel! I must have done it like that before.

    Might be nice if we could do it from within the Detection Overrides panel in future as well.

    Thanx
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Ah I see what you mean - in the Detection Overrides screen you just have to double click on the entry and you can change it :) But yes, the scan results screen is where the right click option is most prominently available (and easiest to get to).
     
  24. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Re: Prevx not finding an active spambot

    Hi,

    I've sent you two e-mails today. Could you check if you have got them or if they have been moved inside a spam folder maybe?

    Thank you :)
     
  25. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Yes, that's obviously why right clicking didn't work. All's well now though, overridden them. Thanx.

    If i may,

    samurai version 2.7 You didn't say why you class it as a Back Door. Adware/PUP possibly, you say, but Back Door? That's a lot more dodgy than any Adware.

    Sysprot = Why the warning still on this SAFE ARK?

    TIA
     