False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    You may! :D

    Malware group names/types are very hard to define perfectly automatically which sometimes causes it to have different names. It is definitely adware/pup instead of a backdoor and I'll work on correcting this :)

    Simply the result of copy and paste failing me across two different computers :D It is fixed now - thanks :)
     
  2. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13
    Re: Prevx not finding an active spambot

    Hi EraserHW, I was in a lot of work meetings today and finally able to check. I did get them. Thanks. I responded in PM. When I get a chance I'll get back looking at this. I appreciate all the help!
     
  3. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Re: Prevx not finding an active spambot

    Ok, perfect :)
     
  4. thathagat

    thathagat Guest

  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
  6. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    Prevx is detecting the Rainmeter uninstaller as malware. FP??
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Thank you for the report - we've corrected the FP :)
     
  8. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Just a point of interest - if people get alerts like that shown in the last screenshot, would a right-click and report as a FP also work as well as mentioning it here?

    If this is the case, perhaps some users don't realise they can do the above option; I don't think it's clear within the program or elsewhere that they can do this when reporting FPs - it's certainly not in the sticky post about reporting false positives or missing detections.
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Right clicking "Report as a false positive" does get it forwarded to our research team; however, I personally prefer to have FPs reported here directly just because it gives much more credibility to the FP report itself. We have run into a lot of cases of malware authors using bots to try and get their malware whitelisted, so we receive quite a lot of false false-positive reports, which makes very low-volume FPs like the one reported above harder to find.
     
  10. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
  11. thathagat

    thathagat Guest

    hehe:D
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Re: oa009cfg.exe is a false positive?

    Hello,
    Can you please save a scan log by clicking Tools > Save Scan Results and send it to report@prevxresearch.com so we can analyze the exact file which exists on your computer?

    Thanks! :)
     
  13. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399

  14. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
    Re: oa009cfg.exe is a false positive?

    Ok, thanks!
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Re: oa009cfg.exe is a false positive?

    Hello,
    We've corrected the FP - thank you for the report :)
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
  17. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Joe,
    Should PrevX catch Flash buffer overflow? I came across a 0-day Flash buffer overflow POC that upon execution runs calculator as a shellcode, it worked like a champ on a test machine with PrevX, MSE and Mamutu (A-2 caught it in paranoid mode via behavior engine).
    I'm not sure if I'm allowed to post it here, but video of the actual POC is here:
    http://www.youtube.com/watch?v=wJb6a-J3i4c
    You can go to author's blog to get more details and POC itself.
    Now, I understand that signature-based detection would've failed here as this is a 0-day, but should buffer overflow be caught by either of the products I listed?
     
  18. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Question:

    How is the computer infected then? Will this shellcode execution lead to an infected file on the computer which PrevX is able to catch?
     
  19. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I am new to Prevx :) Where is Prevx stronger: spyware? viruses? rootkits? keyloggers? Thanks
     
  21. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Shellcode could be anything; I'm not worried about PrevX catching (or not) the actions of the shellcode itself. What I was wondering was if PrevX should be able to catch buffer overflow attacks, and if the Flash one I posted above was different in some way.
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Our secure browser will improve upon our exploit prevention but we do not try and block calls which lead to no actual damage - an exploit which executes calc.exe is not the same as an exploit which downloads/executes malware :) We focus on the latter and leave the former either to specialized routines or maximum settings (but currently you aren't able to configure Prevx to block a specific exploit like this - you will be able to in the future, however).
     
  23. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Joe,
    Thank you for your reply. So in theory, PrevX should've caught this buffer overflow if the actions of the shellcode would've been malicious, correct? If so, what particular (shellcode) actions would it have marked as malicious and triggered detection on?
     
  24. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I still run Ewido 3.5. Ewido was bought by Grisoft (AVG). It is legacy software, which I find useful to check connections and for terminating processes.

    However, I was in a snapshot that I rarely use, when an old version of Prevx detected some threats.

    See log:

    Prevx Scan Log - Version v3.0.1.17
    Log Generated: 3/8/2009 23:01, Type: 1,8192
    Windows XP Professional Service Pack 2 (Build 2600) 32bit|1033
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
    Last Scan: Mon 2009-08-03 22:50:50 E. Australia Standard Time. Number of Scans: 9. Last Scan Duration: 8 minutes 29 seconds.
    (ACTIVE) c:\program files\ewido\security suite\modules\processviewer.dll [PX5: 4418E81940954FE576FD0057B2FD8100ECD521F7] Malware Group: Medium Risk Malware
    (ACTIVE) c:\program files\ewido\security suite\modules\autostartviewer.dll [PX5: 85F8B2724011D8C5D06100DF82B706006CC448E5] Malware Group: Medium Risk Malware
    (ACTIVE) c:\program files\ewido\security suite\archive.dll [PX5: 420C70AC4086315790C80318AB37A40082640ABC] Malware Group: Medium Risk Malware
    (ACTIVE) c:\program files\rising\rav\defmon.dll [PX5: F1A5FAA77002BF952A37020B75E32F0035EFCF8E]
    (ACTIVE) c:\program files\rising\rav\mailmon.dll [PX5: 3680D60D7075F6312AA0028A69C9EA0023BFFF1F]
    (ACTIVE) c:\program files\rising\rav\hookweb.dll [PX5: 95B9EC997025D5A22A38013C539563006BE57138]
    (ACTIVE) c:\program files\rising\rav\hookcont.dll [PX5: CC51EBD6708DABBA3A920128EA1208000AB23750]........................


    Today, I am back to my usual snapshot, and the following scan has not detected the above 3 files.

    See log:

    Prevx Scan Log - Version v3.0.1.65
    Log Generated: 5/8/2009 12:20, Type: 1,8192
    Windows XP Professional Service Pack 2 (Build 2600) 32bit|1033
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 2, Pop: 2, Heu: 2 (Dir: 1)
    Last Scan: Wed 2009-08-05 12:04:59 E. Australia Standard Time. Number of Scans: 490. Last Scan Duration: 24 minutes 13 seconds.
    (ACTIVE) c:\program files\opera 10.0 alpha\opera.exe [PX5: BC1AA82A00E9E697BEF401DC1AD8A6001536B3E4]
    [UP] (ACTIVE) c:\program files\opera 10.0 alpha\opera.dll [PX5: 21979BB6001FC73E08F83CF6981F5D0008E36E2A]
    (ACTIVE) c:\program files\grisoft\avg7\avgabout.dll [PX5: 4DEBC8EA00AA7B9F047B1179DF6C650134CDC624]


    This program (Ewido 3.5) is installed in both snapshots. However, 3 threats are found in one snapshot, but not the other. Same files, but different scan results.

    P.S. I updated the version (3.0.1.17) shown in the first log to v3.0.1.65, but still have the 3 detections occurring in that snapshot.
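    A small parser for the Prevx scan log format shown in the two logs above, added here as an example (not Prevx code or the poster's): it reads the heuristics settings and the "(ACTIVE) path [PX5: hash] Malware Group: ..." lines, then lists every PX5 hash whose verdict differs between the two scans. The log excerpts are the lines quoted in the post; the format is inferred from those lines only.

```python
import re
from typing import Dict, Optional, Tuple

# Excerpts of the two scan logs quoted above (trimmed to the lines this example needs).
LOG_A = r"""Prevx Scan Log - Version v3.0.1.17
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
(ACTIVE) c:\program files\ewido\security suite\modules\processviewer.dll [PX5: 4418E81940954FE576FD0057B2FD8100ECD521F7] Malware Group: Medium Risk Malware
(ACTIVE) c:\program files\ewido\security suite\modules\autostartviewer.dll [PX5: 85F8B2724011D8C5D06100DF82B706006CC448E5] Malware Group: Medium Risk Malware
(ACTIVE) c:\program files\ewido\security suite\archive.dll [PX5: 420C70AC4086315790C80318AB37A40082640ABC] Malware Group: Medium Risk Malware
(ACTIVE) c:\program files\rising\rav\defmon.dll [PX5: F1A5FAA77002BF952A37020B75E32F0035EFCF8E]
"""
LOG_B = r"""Prevx Scan Log - Version v3.0.1.65
Heuristics Settings: Age: 2, Pop: 2, Heu: 2 (Dir: 1)
(ACTIVE) c:\program files\opera 10.0 alpha\opera.exe [PX5: BC1AA82A00E9E697BEF401DC1AD8A6001536B3E4]
[UP] (ACTIVE) c:\program files\opera 10.0 alpha\opera.dll [PX5: 21979BB6001FC73E08F83CF6981F5D0008E36E2A]
(ACTIVE) c:\program files\grisoft\avg7\avgabout.dll [PX5: 4DEBC8EA00AA7B9F047B1179DF6C650134CDC624]
"""

SETTINGS_RE = re.compile(r"^Heuristics Settings: (.*)$", re.M)
# Optional "[UP] " prefix, the path, a 40-hex-digit PX5 hash, and an optional malware group.
ENTRY_RE = re.compile(
    r"^(?:\[UP\] )?\(ACTIVE\) (?P<path>.+?) \[PX5: (?P<px5>[0-9A-F]{40})\]"
    r"(?: Malware Group: (?P<group>.+))?$", re.M)

def parse_log(text: str) -> Tuple[Dict[str, int], Dict[str, Tuple[str, Optional[str]]]]:
    """Return (heuristics settings, {PX5 hash: (path, malware group or None if not flagged)})."""
    m = SETTINGS_RE.search(text)
    settings = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", m.group(1))} if m else {}
    entries = {e["px5"]: (e["path"], e["group"]) for e in ENTRY_RE.finditer(text)}
    return settings, entries

def diff_verdicts(log_a: str, log_b: str):
    """Hashes whose verdict differs between the logs, as (px5, path, group_a, group_b).
    A hash absent from a log counts as not flagged, since Prevx omits most clean files."""
    _, a = parse_log(log_a)
    _, b = parse_log(log_b)
    out = []
    for px5 in set(a) | set(b):
        path_a, group_a = a.get(px5, (None, None))
        path_b, group_b = b.get(px5, (None, None))
        if group_a != group_b:
            out.append((px5, path_a or path_b, group_a, group_b))
    return sorted(out)

if __name__ == "__main__":
    for px5, path, group_a, group_b in diff_verdicts(LOG_A, LOG_B):
        print(f"{path}\n  {px5}: {group_a!r} -> {group_b!r}")
```

    Comparing by PX5 hash rather than by path makes clear whether the same file bytes received different verdicts, which is the situation the post describes across the two snapshots.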
     
  25. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    How long should it take, roughly, for FPs to be fixed if sent by email?

    I sent email at 6.54pm last night re: the installer for Jalbum, but Prevx still detects the executable as medium risk malware at 1.32pm today.
     