Samples Analysis Issues


6 replies to this topic

#1 ryuusei

    Advanced Member

  • Members
  • 36 posts

Posted 29 January 2013 - 11:03 AM

I recently compressed a large number of samples into a ZIP file and submitted it to Immunet for analysis.
I found a few things I do not understand:
1. Immunet can detect a ZIP file containing a large number of samples.
2. After the ZIP file containing a large number of samples is decompressed, Immunet cannot detect the samples.
For example:
10 samples were compressed into a zip file named 123. The 123 zip file was submitted to Immunet, and Immunet detected the 123 zip file as a virus, but when the 10 samples inside the 123 zip file were decompressed and scanned with Immunet, Immunet judged them clean.

In addition, if this problem does not belong in this section of the forum, please forgive me, because I do not know where to put it.

#2 ritchie58

    Staff Member

  • Moderators
  • 1,824 posts
  • Location: Oil City, Pa. U.S.A.

Posted 29 January 2013 - 11:45 AM

Hi ryuusei, could you go into Scan Settings and see if Scan Archive Files and Scan Packed Files is turned on or off? Also what is the name of the detection so we know which module is detecting the zip file.

* Immunet Global Forum Moderator *


#3 ryuusei

    Advanced Member

  • Members
  • 36 posts

Posted 30 January 2013 - 11:24 AM

Q: Scan Archive Files and Scan Packed Files is turned on or off?
A: On.
Q: Also what is the name of the detection so we know which module is detecting the zip file.
A: It has been detected as rogue:VLHJO-tpd.
Quarantine was successful.

#4 ritchie58

    Staff Member

  • Moderators
  • 1,824 posts
  • Location: Oil City, Pa. U.S.A.

Posted 02 February 2013 - 09:00 AM

Immunet does use "heuristic" detection methods. This way Immunet can detect and react to unknown and unseen threats. I believe that's what's causing the zip file to be flagged as malicious while the samples themselves do not since they're not yet in the cloud database.

* Immunet Global Forum Moderator *


#5 ritchie58

    Staff Member

  • Moderators
  • 1,824 posts
  • Location: Oil City, Pa. U.S.A.

Posted 02 February 2013 - 09:28 AM

I believe it is the TETRA module that detected the zip file with the information you provided. Here is some info on detection names I found from an older thread:

How do you know which engine detected the file?
* if the virusname starts with "W32." then it is a cloud detection
* if it starts with "W32.SPERO.", it is a cloud detection from the SPERO heuristic engine
* if it starts with "W32.ETHOS.", it is a cloud detection from the ETHOS heuristic engine
* if it starts with "W32.Clam.", it is a file that was detected by ClamAV on the cloud
* if it starts with "Clam.", it is a local ClamAV detection
* if it starts with "Clam." and ends with ".UNOFFICIAL", then it is your custom signature

If one or more of those samples were indeed rootkits or something similar to rootkits, I could see where the heuristic functionality of the TETRA engine would detect the zip file and quarantine it even though the cloud or ClamAV engines did not, because the detection signatures do not yet exist for those engines.

Regards, Ritchie...

* Immunet Global Forum Moderator *
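The prefix rules quoted in the post above can be turned into a small checker, and the "zip flagged, extracted members clean" situation from the first post is easier to reason about when each member is inventoried by hash so it can be looked at individually. The following is an added example written for this thread, not Immunet code and not something the forum staff provided. The classifier simply applies the listed prefixes (ordered most-specific first, because "W32.SPERO.x" also starts with "W32." and "Clam.x.UNOFFICIAL" also starts with "Clam."); the ZIP contents and the detection names fed to it are constructed for demonstration. Note that the name reported in this thread, rogue:VLHJO-tpd, matches none of the listed prefixes, which is consistent with the engine remaining unidentified.

```python
"""Classify Immunet detection names by the engine prefixes quoted in the
thread, and inventory ZIP members so a container verdict can be compared
with per-file verdicts.

Added example for this forum thread; not Immunet's code. The prefix table
is taken from the post above; the sample ZIP is constructed inline.
"""
import hashlib
import io
import zipfile


def classify_detection(name: str) -> str:
    """Map a detection name to the engine that produced it.

    Checks run most-specific first: the generic 'W32.' and 'Clam.' rules
    would otherwise swallow the SPERO/ETHOS/Clam-in-cloud/UNOFFICIAL cases.
    """
    if name.startswith("Clam.") and name.endswith(".UNOFFICIAL"):
        return "local ClamAV, custom signature"
    if name.startswith("Clam."):
        return "local ClamAV"
    if name.startswith("W32.Clam."):
        return "cloud ClamAV"
    if name.startswith("W32.SPERO."):
        return "cloud SPERO heuristic"
    if name.startswith("W32.ETHOS."):
        return "cloud ETHOS heuristic"
    if name.startswith("W32."):
        return "cloud"
    # Anything else is not covered by the prefixes listed in the post.
    return "unknown (no listed prefix matches)"


def build_sample_zip(samples: dict) -> bytes:
    """Pack {filename: bytes} into an in-memory ZIP (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, data in samples.items():
            zf.writestr(fname, data)
    return buf.getvalue()


def archive_inventory(zip_bytes: bytes) -> list:
    """Return name, size and SHA-256 for every file member of the archive.

    This mirrors the 'unzip and rescan each file' step from the thread:
    each member is identified on its own so its verdict can be compared
    with the verdict given to the whole archive.
    """
    inventory = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            inventory.append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return inventory


if __name__ == "__main__":
    # Constructed placeholder members; not real malware samples.
    archive = build_sample_zip({
        "sample01.exe": b"MZ" + b"\x00" * 32,
        "sample02.exe": b"MZ" + b"\x01" * 32,
    })
    for member in archive_inventory(archive):
        print(member["name"], member["size"], member["sha256"])
    for det in ("W32.SPERO.Example", "Clam.Example.UNOFFICIAL",
                "Clam.Example", "W32.Clam.Example", "rogue:VLHJO-tpd"):
        print(det, "->", classify_detection(det))
```

Running the script prints one line per archive member (name, size, SHA-256) followed by the engine attribution for each detection name; the thread's own name comes back as unknown because it carries none of the listed prefixes.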


#6 ryuusei

    Advanced Member

  • Members
  • 36 posts

Posted 04 February 2013 - 01:34 PM

Hi
Thank you for the description, but I use the free version, so I cannot enable the TETRA engine detection, so this should not be caused by the TETRA engine. There may be another cause of the problem.

#7 ritchie58

    Staff Member

  • Moderators
  • 1,824 posts
  • Location: Oil City, Pa. U.S.A.

Posted 04 February 2013 - 08:18 PM

If you're using the free version it definitely isn't the TETRA module detecting the zip file then. Mmm. It's one of the other engines causing this, but I'm at a loss as to which engine it is. I hope a support person reads this topic and can further help you.

* Immunet Global Forum Moderator *
