Infected (null)?

Discussion in 'Prevx Releases' started by CloneRanger, Dec 9, 2013.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Hi, I was looking through my LOG, & from nearly 2 months ago I found these!

    Infection detected: c:\windows2\system32\svchost.exe [MD5: 8F078AE4ED187AAABC0A305146DE6716] [17/40100040] [(null)]

    Infection detected: c:\program files\zone labs\zonealarm\zlclient.exe [MD5: 05BD6FE6F859912F4167B60485D7F55F] [17/40101040] [(null)]

    I can't remember if I was testing some App or Malware @ the time. I doubt if I was testing Malware etc. though, as I would have gone into Shadow Defender mode, & therefore the WSA Log would not have been saved after rebooting. Anyway I don't recall Ever seeing ANY alert from WSA that either of these two items had been infected?

    1 - Could these be FP's?

    2 - What does (null) mean?

    TIA
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That sounds like it was a false positive that the backend caught as it was responding, so it didn't include a malware group name.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Those 2 .EXE's are amongst several I have set to BLOCK in Active Connections. So I'm wondering if that has Anything to do with it?
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It shouldn't be related to active connections but would show when blocked from the active processes list.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Hi, on further inspection of the LOG file, I see other Apps that are also set to BLOCK in Active Connections, that show the same thing. So I have a feeling it is "somehow" related?

    The Infected (null) listings only show up on those Apps that are set to BLOCK. They are also Blocked in my ZA FW.
     
  6. dbrisendine

    dbrisendine Registered Member

    Joined:
    Jul 15, 2006
    Posts:
    51
    Location:
    BC, Canada
    This line's MD5 shows on this report at ThreatExpert:
    http://www.threatexpert.com/report.aspx?md5=86fee6e90b14b01a9fc25452cf27f224

    Spynet server Just FYI...
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ dbrisendine

    Well thanks for checking ;)

    @ PrevxHelp

    Using FileAlyzer - svchost.exe md5 = 8F078AE4ED187AAABC0A305146DE6716 which agrees with your figure :thumb:

    I also get this?

    fa md5.png

    Anyway, I feel there is some (?) interaction between WSA & ZA, regarding those (nulls)
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I think it is probably just the local blocking you've put in place - it wouldn't have a malware group name if determined locally so it wouldn't show one.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    OK, Thanx :thumb: Weird though!
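A small parser for the WSA "Infection detected:" log lines quoted in this thread, added here as an example; it is not code from the thread or from Webroot/Prevx. It separates (null)-group entries that match a path you have blocked locally (the explanation PrevxHelp gives above) from entries that still deserve a look. The block list, the two extra sample lines and the "Trojan.Constructed" group name are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Shape of the lines quoted in the thread:
#   Infection detected: <path> [MD5: <hex>] [<code>] [<group>]
# The numeric bracket is kept as an opaque string; its meaning is not documented here.
LINE_RE = re.compile(
    r"^Infection detected: (?P<path>.+?) \[MD5: (?P<md5>[0-9A-Fa-f]{32})\] "
    r"\[(?P<code>[^\]]+)\] \[(?P<group>[^\]]*)\]$"
)

# First two lines are from the thread; the last two are constructed sample entries.
SAMPLE_LOG = [
    r"Infection detected: c:\windows2\system32\svchost.exe [MD5: 8F078AE4ED187AAABC0A305146DE6716] [17/40100040] [(null)]",
    r"Infection detected: c:\program files\zone labs\zonealarm\zlclient.exe [MD5: 05BD6FE6F859912F4167B60485D7F55F] [17/40101040] [(null)]",
    r"Infection detected: c:\users\demo\downloads\sample.exe [MD5: 00000000000000000000000000000000] [17/40100040] [Trojan.Constructed]",
    r"Infection detected: c:\temp\unknown.exe [MD5: 11111111111111111111111111111111] [17/40100040] [(null)]",
]
# Constructed: paths the user has set to BLOCK in Active Connections.
BLOCKED = [r"C:\Windows2\System32\svchost.exe", r"c:\program files\zone labs\zonealarm\zlclient.exe"]

@dataclass
class Detection:
    path: str
    md5: str
    code: str
    group: Optional[str]  # None when the log shows "(null)"

def parse_line(line: str) -> Optional[Detection]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    group = m.group("group")
    return Detection(m.group("path").lower(), m.group("md5").upper(), m.group("code"),
                     None if group == "(null)" else group)

def triage(lines: Iterable[str], locally_blocked: Iterable[str]) -> Tuple[List[Detection], List[Detection]]:
    """Split entries into (explained_by_local_block, needs_review).
    A (null) group on a path you blocked yourself is the benign case; a real group name,
    or a (null) entry on a path you never blocked, is worth checking against the file's hash."""
    blocked = {p.lower() for p in locally_blocked}
    local_only: List[Detection] = []
    needs_review: List[Detection] = []
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue
        (local_only if d.group is None and d.path in blocked else needs_review).append(d)
    return local_only, needs_review
```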
     