Recursive Death Of Immunet On Two False Positives

false positive quarantine


#1 mkultra (Newbie, Members, 2 posts)

Posted 05 March 2013 - 01:28 AM

Hi,
At the end of January, I updated my Immunet (free edition) on a laptop and left on a trip. The laptop specs:
* Fujitsu NP300V5A
* Intel i5
* 16GB
* Windows 7 64-bit (updated as of end of January)
* 512GB OCZ Vertex 4 SSD (approximately 50% free) for programs/data
* 120GB OCZ Vertex 3 SSD (approximately 50% free) for VMs/network captures
While on my trip, the laptop disconnected from the network due to its switch dying.
I installed a new switch this past weekend and the system connected and updated Immunet.
Then all heck broke loose as the real-time agent decided two files on my Dropbox folder were really malware. Note that no other antivirus on my work or personal computers (Sophos, Symantec, AVG to name a few) identified the files as viruses.
Here's what happened in summary:
* Immunet updates itself when the connection comes up
* Dropbox connects to the network
* Immunet blocks incoming suspect files from Dropbox, quarantining them
* Dropbox temp cache files corresponding to those files were blocked
* Dropbox temp cache files .... blocked...
* Etc etc.
* Open Immunet console and add exclusion for Dropbox folder
* Immunet still keeps blocking and quarantining the cache files
* Shut down all real-time, cloud etc in Immunet
* Immunet still keeps quarantining cache files
* Add exclusion for C:\
* Immunet stops quarantining files...
* During this process, Immunet quarantined the same 2 cache files 14,000+ times
Granted that the constant process of attacking the same files may have delayed Immunet accepting the exclusions from the GUI, but I assume that the program "interrupts" and processes the exclusions at the time the exclusion setting window is applied/closed.
Now, I cannot access the quarantine AT ALL as the Immunet GUI will choke on trying to enumerate 14,000+ files.
Therefore, I can't restore anything from quarantine. I don't know which of the files are valid or even what they were anymore because Immunet doesn't give that information - especially since I can't even get it to show the quarantine without Windows endlessly asking me if I want to "stop the script" because it never, ever returns and sucks up CPU trying...
So my questions:
1. How do I list what those files were and determine which ones to restore?
2. How do I restore the files I need since the GUI is clearly "pining for the fields"?
3. Have you ever considered those processing limits such that maybe you create sub folders based off a realistic set size?
4. Have you ever tested Drive, Dropbox, Box, etc. with Immunet on positives that only exist on the leaf on which Immunet lies?
My presumed handling pending feedback:
* sort by date in the file system (Immunet quarantine folder)
* binary diff files of same size at the start
* delete everything from this weekend except the first few files (will).
* load Immunet and get "some" data from Quarantine - still doesn't list pertinent details about the file in the quarantine window from my recollection.
* restore files remaining
Thanks in advance.
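The "presumed handling" above (sort the quarantine folder by date, compare files of the same size byte-for-byte, keep only the first copy of each) can be done offline with a small script instead of by hand. This is an added example, not code from the original post or from Immunet; it assumes the quarantine entries are plain files in one folder, and it builds its own constructed sample folder rather than touching a real quarantine.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so large quarantine entries don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage_quarantine(qdir):
    """Walk a quarantine folder oldest-first and return (keepers, duplicates).
    keepers: list of (path, size, sha256) for the first copy of each distinct file.
    duplicates: later files whose size and content match an earlier keeper."""
    files = sorted((p for p in Path(qdir).iterdir() if p.is_file()),
                   key=lambda p: (p.stat().st_mtime, p.name))
    seen = {}          # (size, sha256) -> first path with that content
    keepers, duplicates = [], []
    for p in files:
        key = (p.stat().st_size, sha256_of(p))   # size is the cheap pre-filter
        if key in seen:
            duplicates.append(p)               # a re-quarantined repeat, safe to drop
        else:
            seen[key] = p
            keepers.append((p, key[0], key[1]))
    return keepers, duplicates

def make_sample_quarantine(repeats: int = 20) -> str:
    """Constructed stand-in for a quarantine folder: one older entry plus two
    'cache' blobs that were re-quarantined `repeats` times each (hypothetical data)."""
    qdir = tempfile.mkdtemp(prefix="quarantine_sample_")
    old = Path(qdir) / "old_item.bin"
    old.write_bytes(b"an older, unrelated quarantine entry")
    os.utime(old, (1_000_000, 1_000_000))          # force it to sort first
    for i in range(repeats):
        for tag, body in (("a", b"cache blob A" * 100), ("b", b"cache blob B" * 100)):
            f = Path(qdir) / f"cache_{tag}_{i:05d}.bin"
            f.write_bytes(body)
            os.utime(f, (2_000_000 + i, 2_000_000 + i))
    return qdir

if __name__ == "__main__":
    keepers, dups = triage_quarantine(make_sample_quarantine())
    for path, size, digest in keepers:
        print(f"keep {path.name:<20} {size:>6} bytes  {digest[:12]}")
    print(f"{len(dups)} repeated copies could be deleted before reopening the GUI")
```

Running it against a copy of the real folder would leave one entry per distinct file, which is the short list the quarantine GUI can still enumerate; the hashes also let you check the surviving entries against other scanners before restoring them.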

#2 mkultra (Newbie, Members, 2 posts)

Posted 05 March 2013 - 08:18 PM

Here's an update:
1. Re-enabled Immunet Agent. Started it.
2. Deleted all the files in quarantine but 15 minutes' worth (over the last year and the start of the freakout).
3. Loaded the GUI and went to quarantine. The quarantine still shows all the files. I proceed to keep clicking "No" to Windows prompting me to abort the script. About 12 minutes later, I can see all the entries.
4. I can't select any of the entries tied to remaining files - the GUI "resets" my selection to the top of the entries for which there is no file.
5. I can refine search criteria to isolate to the entries I want by typing in portion of the names I can see while scrolled.
6. I restore the two files I want (just PUPs for utilities I use).
7. I uninstall Immunet as it's totally unusable based on the current issue/risk and the lack of detail on how to proceed.
8. I saved the history and quarantine files remaining in case support is remotely interested.
9. I start a blog entry to hopefully warn others.
Thanks much.

#3 ritchie58 (Staff Member, Moderators, 2,038 posts, Location: Earth)

Posted 05 March 2013 - 11:13 PM

Hi mkultra, sorry to hear you're having so much trouble. Adding the complete C:\ folder to the exclusion list is not a good thing to do. That means your whole operating system is excluded! Why those cache files kept getting quarantined after you first excluded them is very strange.

It's good you saved the history & quarantine files. I would recommend that you send, via email, those files as an attachment and all information you have regarding this issue to support@immunet.com. Perhaps some good can come out of this. I do apologize for all the inconvenience this has caused you.

Best wishes, Ritchie...

* Immunet Global Forum Moderator *


#4 Nick (Sourcefire Administrator, Administrators, 15 posts)

Posted 09 March 2013 - 12:33 AM

Hello mkultra,

I'm sorry to hear that Immunet has been causing problems for you! Sorry for the delay. We would absolutely like to see the history files. An incompatibility with Dropbox is a priority bug. Currently, we have no known conflicts with these applications.

If possible, I'd like you to send that to support@immunet.com. If the attachment is too large, you may be able to send it using gmail and their drive feature.

I suspect that the quarantined files are largely going to be repetitions of the same temp file that was repeatedly dropped and quarantined. This directory may have been different from the main Dropbox directory. Was this the folder you initially excluded?

Nick
