False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It depends on the infection and its hard to say exactly what would trigger it as it uses our community intelligence (so behaviors are gathered/age is considered/etc.)
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    FPs fixed :) Thanks!
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I found your submission - there was a management issue in report@prevxresearch... it was assigned to Marco (EraserHW) but he's on vacation currently :D I've corrected the FP - sorry for the delay!
     
  4. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Spyware Cease, as discussed here, doesn't appear to be detected by Prevx. The setup file is 14.1MB in size - I haven't sent this through as unsure if too big to send even when compressed.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,971
    Location:
    Canada
    hi joe spyblaster is getting away from prevx:)
    i think it is a rouge some antiviruses at vt recognize it as malware but not prevx:D
     
  6. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Confirmed. It's listed by hpHosts as a rogue, and is on a couple of other domain blocklists.

    I've submitted the file to Prevx Research.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Great, thanks :) Will have it added shortly!

    EDIT: I've analyzed the file - we already block all components of it, we just don't look at the .msi (but if the malware was to try and run we block every piece of it).
     
    Last edited: Aug 7, 2009
  8. SvS

    SvS Security Expert

    Joined:
    Aug 28, 2004
    Posts:
    57
    It's me again with:

    [7/8/2009 16:15] The file [c:\users\[user]\appdata\roaming\updatestar\updatestar.exe] contains a threat of type [Low Risk Adware] - Identity: 93066E19F0C8E004E0494706987F3E007EB55664

    Last time you identified the detection of the previous version of the application as age/popularity false positive. However, this version of updatestar.exe was installed on July 27 and PrevX didn't detect this "threat" in the July 27 - August 6 timeframe (minimum two scans a day). I don't understand why this is detected two weeks after installation first? If this is a heuristical detection I'd have expected an alert shortly after installation or at least 1 day later. (According to the information in your malware network the file was first seen in SPAIN or ITALY on Jul 28 2009).
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I just checked our database - on August 7th (today) at 13:30 we added a new rule to detect some new Adware.Lop samples and it seems to have overstepped its bounds a bit and caught this one again. I've updated the rule and corrected the file's determination.

    Thanks for the report :)
     
  10. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I confirm the program executable is detected when run after installation. :)

    Could you check Spyware Cease please as mentioned in post #200 as I just checked during a sandboxed install. There are no alerts at any point when running the program after installation.
     
  11. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Any further news on this one yet? Just did a scan on my sandboxed installation of the application, and Prevx doesn't detect.
     
  12. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    Your answer was already posted I believe...

    That pretty much summarizes our take on the rouge, having had a closer look, its tough to even touch the installer as it is and if truth be known, this is purely user initiated scareware, using rouge just doesnt do justice here, I cant even classify it as that since it doesnt actually drop anything Id classify as malicous or atleast it didnt here.

    As Joe said, with full protection, you can dload the installer(.msi) but it should never be able to fully execute or drop file to disc, again, atleast it wasnt able to here, its always possible your using a different installer than the one I found.
     
  13. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    That answer was in relation to Spyblaster; I'm now talking about Spyware Cease, which I first mentioned in post #200.
     
    Last edited: Aug 8, 2009
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Sorry - I've tracked back to your post now. I'm testing Spyware Cease as we speak and will report back with what I find!
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Confirmed Rogue: Will add protection momentarily - it looks quite good, however :doubt: Definitely upping the bar on how subtle rogues can be.
     
  16. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I thought it was, and judging by the thread where it's discussed, others think so too.

    Just as a point of reference, when files are large, like say 14MB in size, it probably isn't practical to send for analysis even when compressed. (The 7z compression I did of it actually increased it slightly. o_O) Is the best way then to report it here or do you accept such large attachments?
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Feel free to just send links if its easier - I just Googled it to find it this time :)
     
  18. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Ref: Spyware Cease - just done a scan of all the installed files in the sandbox; no alerts. o_O I can PM you the log if you wish.

    The installer generates no alerts either.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hmm... could you send me a log to report@prevxresearch.com? We may have gotten different versions.
     
  20. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Sent. :)
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yikes... I dug deeper and have determined more than 1,000 variants of SpywareCease as bad now, stretching back to Oct. 2008, most with barely any detections on VT :doubt:

    The primarily malicious component is the .exe itself - the other DLLs are mostly repackaged legitimate components so I've left them but we should now detect it fine :)
     
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Umm.. I don't really understand this.

    Scanning the files in the sandbox still yield no results; scanning the single .exe in the sandbox produces no alerts.

    However, if I copy the .exe from the sandbox to the Desktop and scan it, hurrah, there's an alert.

    Something isn't right here. I'd like to test the execution of these kinda programs in a sandboxed environment for safety reasons - that's the point of the sandbox surely. Maybe I'm doing it all wrong, who knows. :/
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    What sandbox are you using? Its possible that the sandbox itself is preventing Prevx from scanning the file but its hard to say exactly>
     
  24. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Sorry, I should have said before - it's Sandboxie.
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This might be caused because of a fluke in our caching and handling a sandbox - can you try rebooting your system to see if it is then detected?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.