Forticlient killed another virus

Discussion in 'other anti-virus software' started by jo3blac1, Mar 22, 2013.

Thread Status:
Not open for further replies.
  1. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    I got a real-time on-access detection by FortiClient:
    c:\program files (x86)\mozilla firefox\accessiblemarshal.dll, virus found: W32/Wapomi.AE, action: Access denied, time: 03/22/13 16:44:33
    For some reason it automatically removed it. HMP and MBAM scans both came clean after the removal.

    Update: Windows Update doesn't seem to work anymore. I will probably restore windows to a clean image.
     
    Last edited: Mar 22, 2013
  2. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Did you run the hash through Virustotal or Jotti?
     
  3. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Sorry, what is a hash? And no, I did not use VirusTotal or Jotti.
     
  4. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Okay, full scan found 1 threat:
    C:\Program Files (x86)\Mozilla Firefox\AccessibleMarshal.dll, virus found: W32/Wapomi.AE, action: Remove/quarantine

    Hmmm. HMP and MBAM both don't find anything.
     
  5. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    It's a false positive if AccessibleMarshal.dll is digitally signed, with hash SHA256: 13dd6ede1e9146e831b7dde74119c24f52cd11b62a9aaf37e78d238af8430084

    http://en.wikipedia.org/wiki/Checksum
     
  6. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Yes, that hash. Thanks 3x0gR13N
     
  7. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Does FortiClient have an option to alert as opposed to auto-removal? I'm asking because I'm considering using FortiClient.
    Thanks.
     
  8. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Yes it does. Right now the file is in my quarantine and I am about to restore it and run it against HMP and MBAM Pro.
    However, the quarantine option is for real-time or on-demand, not sure which one.
     
  9. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    I can't find that number in the digital signature. All I see is that it is signed by Mozilla Corporation.
    Digital algorithm is SHA1
    Serial number 3d a9 38...

    I added this file to exception list in forticlient. I scanned my computer again with MBAM Pro and HMP and all seems clear.
     
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    Successfully killed a browser :rolleyes: :D :thumb:

    MD5 (v19.0.2): f5a4c05cab3024c8f87b166f8965eea0

    False positive is found on VirusTotal (1/46 = Fortinet).
     
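    The check the replies above are circling around (posts 5, 9 and 10) is two separate things: a hash of the file's bytes, which is what you look up on VirusTotal or Jotti, and the file's Authenticode signature, which tells you who signed it and whether the bytes still match what was signed. The certificate's serial number is a property of Mozilla's signing certificate, not of the file, which is why the SHA256 from post 5 never appears in the signature dialog. The script below is an added example, not code from the thread or from Fortinet or Mozilla; it assumes PowerShell 4 or later (for Get-FileHash), that $Path points at the restored DLL, and that the two reference hashes quoted in the thread belong to the Firefox 19.0.2 build of AccessibleMarshal.dll.

```powershell
# Added example (not from the thread): compute the file hashes of a quarantined/restored
# DLL and inspect its Authenticode signature, then compare against known-good values.
# Assumptions: PowerShell 4+ (Get-FileHash); $Path is the file under suspicion; the
# reference hashes are the ones quoted in the thread and are assumed to be for Firefox 19.0.2.
param(
    [string]$Path = 'C:\Program Files (x86)\Mozilla Firefox\AccessibleMarshal.dll'
)

# Reference values quoted in the thread (assumed to belong to the 19.0.2 build).
$KnownSha256 = '13dd6ede1e9146e831b7dde74119c24f52cd11b62a9aaf37e78d238af8430084'
$KnownMd5    = 'f5a4c05cab3024c8f87b166f8965eea0'

# File hashes: digests of the file's bytes. These are what VirusTotal / Jotti key on.
# They are not printed anywhere inside the certificate dialog.
$sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
$md5    = (Get-FileHash -Path $Path -Algorithm MD5).Hash.ToLower()

# Authenticode signature: signer identity, chain status and the certificate's own fields.
# SerialNumber / Thumbprint identify the signing certificate, not the file.
$sig = Get-AuthenticodeSignature -FilePath $Path

[pscustomobject]@{
    Path           = $Path
    SHA256         = $sha256
    SHA256Matches  = ($sha256 -eq $KnownSha256)
    MD5            = $md5
    MD5Matches     = ($md5 -eq $KnownMd5)
    # 'Valid' = chain verifies and the signed hash still matches the file's current bytes.
    # 'HashMismatch' = the file was modified after signing (what a file infector would cause).
    # 'NotSigned' = no Authenticode signature present at all.
    SignatureState = $sig.Status
    Signer         = $sig.SignerCertificate.Subject
    CertSerial     = $sig.SignerCertificate.SerialNumber
    CertThumbprint = $sig.SignerCertificate.Thumbprint
}
```

    Run it against the file after restoring it from quarantine. Both hashes matching the known-good values plus a SignatureState of Valid is the evidence for a false positive; a SignatureState of HashMismatch, or hashes that match neither reference value, means the bytes are not the ones Mozilla shipped and the detection should not be dismissed. Note that "signed by Mozilla Corporation" showing in the properties dialog alone is not enough: the dialog can display the signer while the hash check fails, so read the Status field, not just the subject.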
  11. ght1

    ght1 Guest

    No browser - no malware! Well done. :(
     
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    False positive most likely, as I also have that file in my Firefox folder and my system isn't infected.
     