Panda Dome shows VirusTotal hits on Autoruns

Discussion in 'other anti-virus software' started by redmed, Jul 8, 2018.

  1. redmed

    redmed Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    16
    I recently updated Panda Free to the new Panda Dome Free and ran Autoruns on the system, and multiple Panda Dome elements showed VirusTotal hits. Is this normal, or should I get rid of Panda Dome? I had been working fine with the previous Panda but never ran Autoruns on it.
     
    Last edited: Jul 8, 2018
  2. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    Confirm that the exe you're running on VirusTotal is the real one.
    Also get rid of Panda, yes :D
     
  3. ViVek

    ViVek Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    584
    Location:
    Moon
    False positive.
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,858
    Panda software is a virus :D (futile crap)
     
  5. lofac

    lofac Registered Member

    Joined:
    Jan 18, 2018
    Posts:
    125
    Location:
    .
    Getting a false positive with traditional AVs is normal; every AV will generate them no matter what. But personally I think you should only consider uninstalling/replacing if an AV generates lots of them on files you're completely sure are not infected. This is why there's a whitelist/exclusions feature.
     
  6. redmed

    redmed Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    16
    I'm using the VirusTotal via Autoruns. Do I have a choice which exe file to use with Autoruns from Sysinternals? Which exe to trust?
     
  7. lofac

    lofac Registered Member

    Joined:
    Jan 18, 2018
    Posts:
    125
    Location:
    .
    The SHA256 for Autoruns.exe (size: 730256 bytes (713 KiB), version 13.90) is B37A56D54B8DA27B30525153C342BCB3B62D7896AB9146A09B087FC5A64B9A43.
    A simpler way to make sure it's the real exe is to check for a valid digital signature; the exe is signed as Microsoft Corporation.
     
  8. redmed

    redmed Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    16
    I'm at a loss as to how to check for valid digital signatures. Everything I can find refers to PDF or text files. Should I open Autoruns.exe in Microsoft Word? I can't, because I gave up MS Word for LibreOffice a long time ago. I opened Autoruns.exe in LibreOffice and did not see anything close to what you have??
     
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,858
    Open an exe file in a word editor? Does this make sense to you? What do you expect to find?
    VT results are not allowed in this forum, and they know why and we know why.
    There are 67 engines on the hunt; "autoruns.exe" from Sysinternals may result in 0/67, but in general it results in 1/67 or more, which come from some very unknown engines or the China crap where there is no evidence. The problem is that other vendors get the result mailed and investigate this "nothing", wasting time and effort for "nothing" because this BS engine has a false positive. And the user gets panicked, for nothing.

    VT is a second opinion for those who can read its results, but for the masses it's useless.
     
  10. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    Can you not jump on the newbie and just simply help him? You don't need to flip out just because he doesn't know something..
     
  11. redmed

    redmed Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    16
    Thanks
     
  12. redmed

    redmed Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    16
    What is SHA256?
    What is "B37A56D54B8DA27B30525153C342BCB3B62D7896AB9146A09B087FC5A64B9A43" ? A text string to match somewhere?
    How do I check for a valid digital signature?
    The Autoruns.exe I have is 714 KB and the version is 13.90, so do I have a problem? Other than ignorance.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    redmed, as I understand it, the problem is that Panda's elements (exes, dlls) are being recognized as malicious on VirusTotal? And you're using Autoruns to perform the VirusTotal check?
    If you downloaded Panda from the official site, I think you shouldn't worry. Also, if you get a low detection count (like 1/67) you shouldn't worry too much; it's probably a false positive from one vendor.

    EDIT: you can also check results by clicking on the detection link; it will show you which AV engine detected Panda's component as malicious and how it classified it.
     
  14. lofac

    lofac Registered Member

    Joined:
    Jan 18, 2018
    Posts:
    125
    Location:
    .
    Right-click the exe, then Properties; in the Digital Signatures tab see if it has a valid signature, both SHA1 and SHA256 being signed as Microsoft Corporation.

    ----
    I think I misunderstood your post: your problem is that Panda files are being detected by other AVs on VirusTotal, and not Panda detecting Autoruns as a virus. My bad! :confused:
    In that case I agree with what Minimalist mentioned. If it's detected by many, can you share the SHA256 of each Panda file that is being flagged on VirusTotal? You'll find that on the VirusTotal site itself after you scan a file.
    You shouldn't share the VirusTotal link, as it's against forum rules; just share the SHA256 that you'll find at the top of the VT scan page.
     
  15. redmed

    redmed Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    16
    OK, I finally found the SHA256 & the Microsoft digital signature in the properties. Thanks. But I'm still confused about what the "B37A56D54B8DA27B30525153C342BCB3B62D7896AB9146A09B087FC5A64B9A43" refers to. At this point I'm not concerned with the validity of the Autoruns.exe; I'm just trying to educate myself about the text string.
     
  16. lofac

    lofac Registered Member

    Joined:
    Jan 18, 2018
    Posts:
    125
    Location:
    .
    In simple words, it's like a fingerprint of data (like an exe), just to make each set of data unique.
    In our case, if that Autoruns.exe was modified in any way, for example changing a 1 to a 0 in the executable, it would produce a different hash.

    For more detailed info, you can search for "hash algorithms" or 'cryptography'.
     
  17. redmed

    redmed Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    16
    Thanks. I'm interested in where this text (or hash) string is within the file and whether there is a specific byte offset in each file. And whether it is possible for someone to insert this authentic hash into a hacked file and produce a "counterfeit" digital signature. So far I found that this hash is contained in a table within the file, but as yet not the file offset where I can see this table. Curious as to how secure "digital signatures" are. Interesting reading about the different SHAxxx's for me. I like to know how things work.
     
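    The following is an added example in Python, not code from the thread, from Sysinternals or from Panda, that works through the two questions raised in the last posts: what a single changed bit does to a SHA-256 fingerprint (post 16), and where the signature sits inside the executable and whether a genuine hash could be pasted into a tampered file (post 17). Two different hashes are in play. The whole-file SHA-256 that VirusTotal and lofac quote is not stored anywhere in Autoruns.exe; it is computed over every byte of the file, signature included, so it cannot be "found" at an offset. The Authenticode signature that Windows shows under Properties > Digital Signatures is a PKCS#7 SignedData blob appended to the file at the offset recorded in the PE header's security data directory. Inside that blob is a digest of the file computed with three things left out (the CheckSum field, the security directory entry and the blob itself), and that digest is signed with Microsoft's code-signing key. Copying the digest into a modified file does not help an attacker: the digest no longer matches the modified bytes, and a replacement digest cannot be signed without the private key. The block builds a tiny constructed PE32+ image (valid headers, one section, not a loadable program) and a placeholder certificate blob in place of a real PKCS#7 structure; it locates the certificate table, computes both digests, and shows that appending the signature or flipping the checksum changes only the whole-file hash while flipping one bit of code changes both. It does not verify the signature itself; on Windows `Get-AuthenticodeSignature` does that, and `Get-FileHash` gives the whole-file SHA-256. The contiguous-sections assumption in `authenticode_sha256` is a simplification of the ordered headers-then-sections walk the Authenticode specification prescribes.

```python
import hashlib
import struct

SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header's data directory


def sha256_hex(data: bytes) -> str:
    """Whole-file SHA-256 in upper-case hex: the value VirusTotal shows for a file."""
    return hashlib.sha256(data).hexdigest().upper()


def _pe_layout(data: bytes):
    """Offsets Authenticode leaves out: (checksum_off, certdir_off, cert_off, cert_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20                      # skip "PE\0\0" and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                # PE32: data directory starts at +96
        datadir_off = opt_off + 96
    elif magic == 0x20B:                              # PE32+: data directory starts at +112
        datadir_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt_off + 64                       # CheckSum field, same offset in PE32 and PE32+
    certdir_off = datadir_off + SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", data, certdir_off)
    return checksum_off, certdir_off, cert_off, cert_size


def signature_location(data: bytes):
    """(file offset, size) of the appended certificate table; (0, 0) when the image is unsigned."""
    return _pe_layout(data)[2:]


def authenticode_sha256(data: bytes) -> str:
    """SHA-256 the way a signer digests a PE: skip CheckSum, the security directory entry and
    the certificate table itself. Assumption (a simplification of the spec's header-then-sections
    walk): sections are contiguous and in file order, and the certificate table is last in the file."""
    checksum_off, certdir_off, cert_off, cert_size = _pe_layout(data)
    end = cert_off if cert_size else len(data)
    h = hashlib.sha256()
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:certdir_off])
    h.update(data[certdir_off + 8:end])
    return h.hexdigest().upper()


def flip_bit(data: bytes, offset: int, bit: int = 0) -> bytes:
    """Copy of data with one bit toggled at byte `offset` (the thread's "changing a 1 to a 0")."""
    buf = bytearray(data)
    buf[offset] ^= 1 << bit
    return bytes(buf)


def hamming_hex(a: str, b: str) -> int:
    """Number of bits that differ between two equal-length hex digests."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")


def build_sample_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed 1 KiB PE32+ image for the demo: valid headers, one .text section, not loadable.
    If cert_blob is given it is wrapped in a WIN_CERTIFICATE record and appended as the
    certificate table; a real signer would put a PKCS#7 SignedData structure there."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # Magic = PE32+
    struct.pack_into("<I", opt, 60, 0x200)           # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)      # CheckSum (ignored by Authenticode)
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    table = b""
    if cert_blob:
        length = (8 + len(cert_blob) + 7) & ~7       # dwLength, rounded up to 8 bytes
        table = struct.pack("<IHH", length, 0x0200, 0x0002) + cert_blob.ljust(length - 8, b"\0")
        struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, 0x400, length)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)  # x64, one section
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    text = b"constructed .text section contents, not real code".ljust(0x200, b"\0")
    return headers + text + table


if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = build_sample_pe(b"not a real PKCS#7 SignedData blob")   # placeholder, constructed
    print("certificate table at (offset, size):", signature_location(signed))
    print("whole-file SHA-256 differs once a signature is appended:",
          sha256_hex(unsigned) != sha256_hex(signed))
    print("Authenticode digest is identical for both:",
          authenticode_sha256(unsigned) == authenticode_sha256(signed))
    tampered = flip_bit(signed, 0x200)                                   # one bit inside .text
    print("one flipped bit changes this many of the 256 digest bits:",
          hamming_hex(authenticode_sha256(signed), authenticode_sha256(tampered)))
```

    Running the block on a real signed binary instead of the constructed image (read the file as bytes and pass it to `signature_location` and `authenticode_sha256`) shows the same layout: the certificate table sits at the end of the file, and the digest is what the signer's PKCS#7 blob has to match. Verifying that match, and the certificate chain up to a trusted root, is the part `Get-AuthenticodeSignature` or the Properties dialog performs; this example stops at the digest so it stays runnable anywhere.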
  18. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    I just realized that the OP is about Panda being flagged in Autoruns after it was checked on VirusTotal, and not the other way round :D:D
     