Infected (null) ?

Discussion in 'Prevx Releases' started by CloneRanger, Dec 9, 2013.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, I was looking through my LOG, & from nearly 2 months ago I found these!

    Infection detected: c:\windows2\system32\svchost.exe [MD5: 8F078AE4ED187AAABC0A305146DE6716] [17/40100040] [(null)]

    Infection detected: c:\program files\zone labs\zonealarm\zlclient.exe [MD5: 05BD6FE6F859912F4167B60485D7F55F] [17/40101040] [(null)]

    I can't remember if I was testing some App or Malware @ the time. I doubt if I was testing Malware etc. though, as I would have gone into Shadow Defender mode, & therefore the WSA Log would not have been saved after rebooting. Anyway I don't recall Ever seeing ANY alert from WSA that either of these two items had been infected?

    1 - Could these be FP's?

    2 - What does (null) mean?

    TIA
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That sounds like it was a false positive that the backend caught as it was responding, so it didn't include a malware group name.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Those 2 .EXE's are amongst several I have set to BLOCK in Active Connections. So I'm wondering if that has Anything to do with it?
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It shouldn't be related to active connections but would show when blocked from the active processes list.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, on further inspection of the LOG file, I see other Apps that are also set to BLOCK in Active Connections, that show the same thing. So I have a feeling it is "somehow" related?

    The Infected (null) listings only show up on those Apps that are set to BLOCK. They are also Blocked in my ZA FW.
     
  6. dbrisendine

    dbrisendine Registered Member

    Joined:
    Jul 15, 2006
    Posts:
    51
    Location:
    BC, Canada
    This line's MD5 shows on this report at ThreatExpert:
    http://www.threatexpert.com/report.aspx?md5=86fee6e90b14b01a9fc25452cf27f224

    Spynet server Just FYI...
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ dbrisendine

    Well thanks for checking ;)

    @ PrevxHelp

    Using FileAlyzer - svchost.exe md5 = 8F078AE4ED187AAABC0A305146DE6716 which agrees with your figure :thumb:

    I also get this?

    [image: fa md5.png]

    Anyway, I feel there is some? interaction between WSA & ZA, regarding those (nulls)
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I think it is probably just the local blocking you've put in place - it wouldn't have a malware group name if determined locally so it wouldn't show one.
     
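The two things done by hand in this thread, reading the "Infection detected" lines out of the WSA log and re-hashing the file with FileAlyzer to confirm the MD5, can be scripted. The block below is an added example and is not Webroot/Prevx code: the log format is inferred from the two lines quoted above (path, MD5, a bracketed numeric field whose meaning the thread does not give, and the malware group name, shown as "(null)" when none was assigned), the third sample line with a named group is constructed for contrast, and the bytes hashed at the end stand in for a real file on disk.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Pattern inferred from the lines quoted in the thread; the third bracket
# ("17/40100040") is kept verbatim as an opaque field because its meaning
# is not documented on the page.
LOG_LINE = re.compile(
    r"^Infection detected: (?P<path>.+?) "
    r"\[MD5: (?P<md5>[0-9A-Fa-f]{32})\] "
    r"\[(?P<flags>[^\]]+)\] "
    r"\[(?P<group>[^\]]*)\]$"
)


@dataclass
class Detection:
    path: str
    md5: str
    flags: str
    group: Optional[str]  # None when the log shows "(null)"


def parse_line(line: str) -> Optional[Detection]:
    """Parse one WSA-style log line; return None for lines that don't match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    group = m.group("group")
    return Detection(
        path=m.group("path"),
        md5=m.group("md5").upper(),
        flags=m.group("flags"),
        group=None if group == "(null)" else group,
    )


def parse_log(text: str) -> list:
    """Return every detection found in a block of log text."""
    dets = [parse_line(ln) for ln in text.splitlines()]
    return [d for d in dets if d is not None]


def local_only(dets: list) -> list:
    """Entries with no malware group name, i.e. the (null) ones discussed
    in the thread, which PrevxHelp attributes to a local block rather than
    a cloud classification."""
    return [d for d in dets if d.group is None]


def md5_hex(data: bytes) -> str:
    """Upper-case MD5 hex digest, the same form WSA prints in the log."""
    return hashlib.md5(data).hexdigest().upper()


def matches_log(det: Detection, data: bytes) -> bool:
    """True if the file bytes hash to the MD5 recorded for this entry
    (the manual FileAlyzer check from the thread)."""
    return md5_hex(data) == det.md5


# First two lines are the ones quoted in the thread; the third is
# constructed to show how a cloud-classified entry would differ.
SAMPLE_LOG = """
Infection detected: c:\\windows2\\system32\\svchost.exe [MD5: 8F078AE4ED187AAABC0A305146DE6716] [17/40100040] [(null)]
Infection detected: c:\\program files\\zone labs\\zonealarm\\zlclient.exe [MD5: 05BD6FE6F859912F4167B60485D7F55F] [17/40101040] [(null)]
Infection detected: c:\\temp\\constructed.exe [MD5: D41D8CD98F00B204E9800998ECF8427E] [17/40100040] [Constructed.ExampleGroup]
"""


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for d in entries:
        tag = "LOCAL/no group" if d.group is None else d.group
        print(f"{d.md5}  {tag:20}  {d.path}")
    # Stand-in for reading the real file: b"" hashes to D41D8CD9..., which
    # matches only the constructed third entry.
    for d in entries:
        print(d.path, "hash matches sample bytes:", matches_log(d, b""))
```

Running it lists the two (null) entries as local, no-group detections and the constructed one under its group name; swapping `b""` for `open(path, "rb").read()` reproduces the FileAlyzer comparison against the real file.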
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    OK, Thanx :thumb: Weird though!
     