Possible False Positive On Honeyview


9 replies to this topic

#1 loskamita

loskamita

    Member

  • Members
  • 10 posts

Posted 31 May 2014 - 11:39 AM


Immunet detected Honeyview during installation. The detected file, named TouchURL.exe, seems to be a false positive; please check it, thanks.

You can download the installation package from (http://www.bandisoft.../honeyview/ing/).

The zip password: a

Attached Files



#2 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,846 posts
  • LocationOil City, Pa. U.S.A.

Posted 01 June 2014 - 05:20 AM

Hi loskamita, I did some research and that does seem to be a legitimate file for the Honeyview image viewer. Just to make sure I even checked Virustotal's database and no info was found on this executable which is a very good sign it's legit!

The detection name is W32.SPERO.Cosmu.07.06.11.

If you wish to use the image viewer you can use the Quarantine Restore feature. Open the GUI and click on Quarantine located below and to the right of the History tab and click on the TouchURL.exe listing. Then just click on the Restore button after that. This will automatically add an exclusion to Immunet's Exclusion List. Since this .exe was using a temp file during the install process it may not be listed in Quarantine or the Restore may fail because the temporary file may no longer exist. If this happens you may have to manually type in the exact file path for Immunet's Exclusion List. After that you should be able to install the program.

Regards, Ritchie...

* Immunet Global Forum Moderator *


#3 loskamita

Posted 28 June 2014 - 05:05 AM

Immunet still detects TouchURL.exe. I think the Immunet team has not checked this yet; can you report it to them again? I have reported it through Immunet's official page and their email, but neither worked. It seems their web page and mail have problems. Thank you.

#4 ritchie58

Posted 28 June 2014 - 09:41 PM

Try using this URL: support@immunet.com if you continue to have issues. Did you add a complete file path exclusion for that file and it's still being quarantined?

* Immunet Global Forum Moderator *


#5 loskamita

Posted 01 July 2014 - 06:50 AM

support@immunet does not work in my situation; I sent an email to support@immunet but it came back as a failure.
I don't need to add a path exclusion because it's just a temporary file; all I have to do is switch off Immunet's realtime scan during installation.

In my experience, Immunet's official page is outdated and unstable.

#6 rsmith

rsmith

    Sourcefire Administrator

  • Administrators
  • 16 posts

Posted 01 July 2014 - 08:31 PM

If you want to temporarily stop the Immunet agent from running you can use the commands:

$ net stop immunetprotect

then to restart

$ net start immunetprotect

This will stop the detection from happening if this is what you need. We do get the occasional false positive and our website can be super buggy, unfortunately. The email may not have worked if you tried to send the zip along with it. Gmail is picky with zip files. I'll see if I can fix the detection but for now the stop/start should help you out. Make sure you turn it back on as soon as you are done with the file.


- Reg

#7 loskamita

Posted 03 July 2014 - 09:19 AM

Thanks for your responses, guys.
I mean I just switch off "Monitor Program Install" and "Monitor Program Start" in the settings in Immunet's GUI during installation of Honeyview, then everything is OK; not such a big problem.

But as for your website, it should indeed be maintained more frequently, because it is the official page of your product, Immunet. For example, if someone has no way to send you a file (whether a malicious file or a false positive report) through your website, he may get upset and lose interest in your product, because not everyone is willing to register an account to report things. And it's not a good thing to let ritchie58 spend so much time reporting everyone's questions to the Immunet team; that's too tiring.

Anyway, thanks for taking a look at this problem!

#8 ritchie58

Posted 04 July 2014 - 01:13 AM

Thanks for the honorable mention loskamita, much appreciated! I do try to help out as much as I can, my friend, but sometimes I don't have all the answers for fellow users. That's where the expert advice, like from Jose and other Admins, comes in handy!

Best wishes, Ritchie...

* Immunet Global Forum Moderator *


#9 loskamita

Posted 09 July 2014 - 08:39 AM

rsmith, it seems the false positive is not solved yet. Is it like the false positive on Kaspersky's Tdsskiller, which is difficult to fix? I want to know how many days it normally takes to get a false positive solved.

#10 rsmith

Posted 09 July 2014 - 05:45 PM

The file has been fixed. Note: If it was recently detected/quarantined you will need to clear the Immunet cache as it checks that first before getting a disposition from the cloud. To clear the cache use the commands above to stop the agent then delete the 3 cache.db files in the Immunet folder under Program Files. Restart it and you should be good to install.
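
The cache-clearing steps from post #10, combined with the stop/start commands from post #6, as an added PowerShell example that is not part of the original thread or Immunet's own tooling. The folder path is a placeholder and the `*cache.db` file pattern is an assumption, since the thread gives neither exactly; the `try`/`finally` makes sure the agent is started again even if a delete fails.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
param(
    # Placeholder: the thread only says "the Immunet folder under Program Files".
    [string]$ImmunetDir = '<Immunet folder under Program Files>',
    # Service name as given in post #6.
    [string]$ServiceName = 'immunetprotect'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $ImmunetDir -PathType Container)) {
    throw "Immunet folder not found: $ImmunetDir"
}

# Assumption: the cache files end in 'cache.db' and sit directly in the folder.
$cacheFiles = @(Get-ChildItem -LiteralPath $ImmunetDir -Filter '*cache.db' -File)
if ($cacheFiles.Count -ne 3) {
    Write-Warning "Expected 3 cache.db files, found $($cacheFiles.Count); review the list before relying on the result."
}

# If the stop itself fails, nothing has been changed and the script ends here.
Stop-Service -Name $ServiceName
try {
    foreach ($f in $cacheFiles) {
        Remove-Item -LiteralPath $f.FullName
        Write-Output "Deleted $($f.FullName)"
    }
}
finally {
    # Always bring protection back, even if a delete failed.
    Start-Service -Name $ServiceName
    $svc = Get-Service -Name $ServiceName
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    Write-Output "$ServiceName is $($svc.Status)"
}
```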



