Prevx identifying malware as "good"

Whats up with this guys?

Prevx Scan Log - Version v3.0.5.185
Log Generated: 10/8/2010 23:25, Type: 1,8192

Windows XP Professional Service Pack 3 (Build 2600) 32bit|1033
Hostname: your-a97ec67e86

Some non-malicious files are not included in this log.
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)

Last Scan: Tue 2010-08-10 23:22:37 GMT Daylight Time. Number of Scans: 8. Last Scan Duration: 7 seconds.

[G] (ACTIVE) c:\documents and settings\username\local settings\temp\tmp8c28ae1d\old.exe [PX5: 691082C300B9B37586F201EFEE7C62009F0F0A9B]

 

In much the same way that Prevx requests FPs be sent by sending a scan log as described in this thread, I'd imagine sending the FN by the same method would also be appreciated.

 

This isn't a post regarding the addition of a malware sample, more why a malware was specifically marked as "good" in the prevx log- as far as I am aware "good" ( [g] marked in log) files have been specifically checked by prevx and are deemed safe. This is pretty worrying and something must have gone wrong, I am just curious as to what exactly went wrong and get some input from Prevx on the forum.

 

Are you sure it's malicious? Can you Upload to VT and just give the info as to how many scanners detect it? http://www.virustotal.com/

TIA,

TH

 

MD5 1658fda781dd847e91307c3c81aa83ba

26/40

 

Thank You for the report Baz_kasp!

Send a scan log and the file as stated in this post: https://www.wilderssecurity.com/showthread.php?t=245129 with the link to this thread to get it fixed and detected ASAP!

HTH,

TH

 

Just to update a little bit, it seems there was some sort of rootkit at work here as there were files on the computer not even visible in the prevx log, that were picked up by combofix (zbot related)....which are detected after they have been removed by combofix, but not when active on the system.

I knew there was something wrong because there would be sporadic notification from prevx that it had blocked a malware infiltration from stuff like this:

[BP] c:\documents and settings\\local settings\temp\tmpe3b2e518\winamp.exe [PX5: 25884CACE8C54D3791FE0190DBEB8C004E9296A2] Malware Group: Medium Risk Malware
c:\documents and settings\\local settings\temp\tmp67a61cb2\avp.exe [PX5: 1D8ABA0600AD0E7052FA00B9996880009BC3956C] Malware Group: Medium Risk Malware
[BP] c:\documents and settings\\local settings\temp\tmp5926eaf8\winamp.exe [PX5: 25884CACE8C54D3791FE0190DBEB8C004E9296A2] Malware Group: Medium Risk Malware
c:\documents and settings\\local settings\temp\tmpc6e71d9a\avp.exe [PX5: 000FD68F00465F96522600C07124FD00D57BE128] Malware Group: Medium Risk Malware


I've sent a message to support to get a remote session with an engineer to make sure its all been discovered and added to detections, as I am not convinced the infection has been entirely removed (hence do not want to log into email)

 

If you search for 1658fda781dd847e91307c3c81aa83ba on VT you see this



No Prevx was used for the scan ?

If you look at their list of vendors they are listed



?


@ Baz_kasp

Good catch did you get infected, if so how, or were you just testing etc ?

 

It's a relatives computer that has recently had some malware problems. I'm trying to clean it up but also to get prevx sorted with these nasties as it seems strange that prevx wasn't even listing the zbot in the scan logs- combofix picked up 8ca67ffaf371452ac8804e6eba7bdb55 and 1ccecdd8b06c0c5e2737063ea70001be (funnily enough the px scanner on VT lists this as a high risk threat, but nothing happens when scanning on the actual computer)

 

@ Baz_kasp

Good not you then Any ideas what www etc they got it from, and how, drive by, fake AV etc ? Also what OS and browser version and AV ?

Yes wierd all round, be interesting to see how this pans out.

 

I think the only relevant fact here was that the computer was AV-less when I was called to "save" it...

 

@ Baz_kasp

AV-less = Oops, sounds like a real nasty, and those zbot's just keep on coming

Hopefully you can show the relatives what not to do etc for the future

 

Actually thinking about it, if they were on W7 with IE8, and fully patched, then that would cause for concern i believe.

 

Are you going to keep Prevx on that machine if so get it with SafeOnline to protect there online activities!

TH

 

It's already running paid up 3.0 with safeonline.

 

Great I have contacted Joe (PrevxHelp) about this issue for he can keep an eye on the progress!

TH

 

I've taken a look in our central database and the file is definitely U, not G... I'm not entirely sure why it would be sent down as G but I'm going to leave it as-is until our research team takes a look at it.

Thanks for the heads up!