Possible False Positive???

Discussion in 'Prevx Releases' started by LoneWolf, Sep 14, 2009.

Thread Status:
Not open for further replies.
  1. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Detected with a full scan.
    Real threat or FP?

    2009-09-14_110645.png

    EDIT: Might be connected to the latest Malwarebytes AntiMalware 1.41 install.
    Can anyone confirm this?
     
    Last edited: Sep 14, 2009
  2. mjgent

    mjgent Registered Member

    Joined:
    May 19, 2008
    Posts:
    43
    Location:
    Sandboxed in a VM behind a UTM
    I received the same detection today. I've submitted it to Prevx, malwarebytes, and avira. No word back yet.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
There are a lot of malicious files similar to the detection you're seeing in our database, so I'm going to need some further information to research it. If you can follow these instructions here: https://www.wilderssecurity.com/showthread.php?t=245129, we will be able to correct the file detection :)

    Thanks!
     
  4. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Thank you.
    e-mail sent with log.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The file is indeed a false positive (primarily because of its worm-like behavior in that it copies itself with random filenames). I've fixed it now - thank you for the report! :)
     
  6. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408

    Thank you. :thumb:
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    FWIW, Hitman Pro (Prevx engine) is still hitting on it as of just now.
     
  8. mjgent

    mjgent Registered Member

    Joined:
    May 19, 2008
    Posts:
    43
    Location:
    Sandboxed in a VM behind a UTM
    That's odd. Since the fix my Prevx hasn't had a FP. I don't use Hitman Pro.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Correct, Prevx is not calling it malicious, but Hitman Pro with its older Prevx engine is. I sent Hitman Pro email. It's weird having a program use another program's engine, yet it is not as updated. Doesn't seem like an ideal situation to me, i.e. what does Prevx gain by allowing Hitman Pro to operate in this manner?
     
  10. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    $$$$$$$$$$$$$$$$$$$$$$$$$


    HKEY1952
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Keep in mind that I asked, what does Prevx gain. You are of course correct that they receive $$$$$$$$$, but is it a gain?

    Is Prevx's reputation dinged by a company like Hitman Pro using a subpar Prevx engine? Are users rushing out to purchase Prevx because they see Hitman Pro utilizing it?

    Perhaps.

    But it still seems like a less than ideal situation to me.
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    FYI, Hitman Pro uses the current Prevx engine and saying otherwise is just wrong. If you don't think so, ask Marcos.
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    The difference is that Prevx is real-time scanning, Hitman is on demand. The same question, Page, could be asked of the other vendors who allow, or are under contract with, Hitman and how they agreed to have their product used. :cautious:
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I think I recall hearing that now. Please excuse my error if I misspoke. Why is Hitman Pro engine alerting on a false positive that Prevx fixed?
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I agree. The same question could be asked of other vendors.
     
  16. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Very good question. I guess there is a delay in this. I know Joe fixes very quickly, so no question there, but Hitman is also really in the development side of what it is going to evolve into, which is really going to shock a few.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I believe Hitman Pro has a layer of caching on top of our detections which is why there is some discrepancy between the two.
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    Hitman Pro caches the results. Every 8 hours the file is rescanned. This procedure is repeated for 1-2 months. After that the file is no longer rescanned and holds the classification indefinitely, until enough users submit the file as false positive in the application.

    So if the file was first classified as malicious more than 1-2 months ago, the file is not rescanned and the false positive remains. We reckon that vendors fix FPs within 2 months.
     
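A small model of the caching policy erikloman describes above (an added illustration, not Hitman Pro's own code): it shows why a vendor fix that lands after the rescan window closes leaves the stale "malicious" verdict in place until enough users report it. The 60-day window, the threshold of 3 reports and the day-indexed vendor fix are assumptions; the thread only says "1-2 months" and "enough users".

```python
"""Model of the verdict-caching policy from the thread (added illustration, not Hitman Pro code).

Assumptions (not stated in the thread): the rescan window is 60 days, "enough"
false-positive reports means 3, and the vendor's fix is modelled as a lookup
that starts returning "clean" from a given day onward.
"""
from dataclasses import dataclass

RESCAN_INTERVAL_H = 8          # file is rescanned every 8 hours (from the thread)
RESCAN_WINDOW_H = 60 * 24      # assumed: "1-2 months" modelled as 60 days
FP_REPORT_THRESHOLD = 3        # assumed: "enough users" modelled as 3 reports


@dataclass
class CachedVerdict:
    first_seen_h: float
    last_scan_h: float
    verdict: str               # "malicious" or "clean"
    fp_reports: int = 0


def vendor_verdict(now_h: float, fixed_at_h: float) -> str:
    """Stand-in for the vendor cloud lookup: malicious until the FP fix lands."""
    return "clean" if now_h >= fixed_at_h else "malicious"


def refresh(entry: CachedVerdict, now_h: float, fixed_at_h: float) -> CachedVerdict:
    """Apply the caching rules: periodic rescans inside the window, then frozen
    unless user FP reports reach the threshold."""
    in_window = now_h - entry.first_seen_h < RESCAN_WINDOW_H
    due = now_h - entry.last_scan_h >= RESCAN_INTERVAL_H
    if (in_window and due) or entry.fp_reports >= FP_REPORT_THRESHOLD:
        entry.verdict = vendor_verdict(now_h, fixed_at_h)
        entry.last_scan_h = now_h
        entry.fp_reports = 0
    return entry


def verdict_on_day(fix_day: int, check_day: int, fp_reports: int = 0) -> str:
    """Simulate hourly cache refreshes from day 0 to check_day and return the
    verdict the user would see; fix_day is when the vendor corrected the FP."""
    entry = CachedVerdict(first_seen_h=0, last_scan_h=0, verdict="malicious")
    for hour in range(1, check_day * 24 + 1):
        if hour == check_day * 24:
            entry.fp_reports = fp_reports   # reports arrive on the check day
        refresh(entry, hour, fix_day * 24)
    return entry.verdict
```

With a fix on day 20 the cache clears itself by day 30, but a fix on day 65 is never picked up on day 70 unless the report threshold is met.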
  19. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    What's the best way to report FPs to you?

    TIA,

    TH
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    Each row in the view can be expanded by clicking on the arrow in front of the row. This way you can see which vendor classified the file as malware.

    The end of each row lists the action that needs to be performed on the item.

    The following screenshot lists a suspicious file (Dutch: Verdacht). This means no vendor knows the file yet but Hitman's behavioral scan found enough evidence for it to display it to the user.

    hitmanpro35_nl_screenshot4.jpg

    When clicking on the arrow at the end of the row a popup menu appears where you can choose to Delete, Do not delete or Report that this file is safe. It is the preferred way to submit false positives through the application.
     
  21. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    That's what I do. Thanks Erik!

    TH
     