
Testing With Threats And Reporting Fp's



#1 Alfred

Posted 15 December 2010 - 04:45 PM

All,


Unless you are running a VM, I have to advise against testing live malware. This portion of the beta is not focused on 'detections' as much as it is on installation and operational quality. However, if you do test malware and are able to produce FNs (False Negatives: files we miss but should otherwise catch), please only report this IF you can provide the malware to us through one of the following:

a) External link
b) FTP
c) SHA256 of the file (so we can attempt to track it down ourselves)

Without the data to review on FNs, the reporting is not super helpful.

In the event of an FP (False Positive: a file we convict that we should not be convicting), please report this IF you can provide some (or all) of the following data:

a) The software package name (as well as version and language)
b) The OS the detection happened on (32/64 bit)
c) The name of the detection which hit it.
d) URL to the package if available.
e) SHA256 of the file (so we can attempt to track it down ourselves)

If you need a tool to generate SHA256 checksums please see:

http://md5deep.sourc...e.net/#download

Thanks all,
al

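Alfred asks for the SHA256 of the file, and the FP reports further down give name, size, file type, MD5 and SHA1 in a fixed layout. The script below is an added example, not code from the thread or from Immunet, that collects exactly those fields for a report: `describe_pe`, `fp_report` and `sample_report` are names chosen here, and the PE stub it writes is a constructed header-only file, not one of the samples in this thread.

```python
import hashlib
import os
import struct
import tempfile
MACHINE_NAMES = {0x14C: "Intel 80386 32-bit", 0x8664: "x86-64"}
SUBSYSTEM_NAMES = {2: "GUI", 3: "console"}

def describe_pe(data: bytes) -> str:
    """File-type string from the DOS/COFF/optional headers; non-PE input -> 'not a PE file'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE file"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of 'PE\0\0'
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    if opt + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not a PE file"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    magic = struct.unpack_from("<H", data, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown magic)")
    return "%s executable for MS Windows (%s) %s" % (
        fmt, SUBSYSTEM_NAMES.get(subsystem, "subsystem %d" % subsystem),
        MACHINE_NAMES.get(machine, "machine 0x%x" % machine))

def fp_report(path: str) -> dict:
    """Name, size, type and the three digests, hashed in 64 KiB chunks (no full read into memory)."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    head = b""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            head = head or chunk  # the first chunk is enough for the header parse
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"name": os.path.basename(path), "size": os.path.getsize(path),
            "type": describe_pe(head), "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}

def sample_report() -> dict:
    """Write a constructed, non-runnable stub with PE32/GUI/i386 headers and report on it."""
    e_lfanew, dos = 0x80, bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # machine = i386
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 68, 2)     # subsystem 2 = Windows GUI
    path = os.path.join(tempfile.mkdtemp(), "sample.exe")
    with open(path, "wb") as f:
        f.write(bytes(dos) + b"PE\0\0" + coff + bytes(opt))
    return fp_report(path)
```

Pointing `fp_report` at a real package gives the same fields the reports below list, with the SHA256 that Alfred asks for.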
#2 etms51

Posted 15 December 2010 - 05:04 PM

Hello, I found a new false positive with ClamAV for Windows. I deleted the ClamAV engine but left the Ethos/Spero engine active, and I found it with this attachment.

When I uploaded this attachment, the Avira team told me: "The file 'folderpilot_v100.exe' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Folder Pilot 1.00'." But Immunet detects this attachment as W32 Suspicious; please check it.

Good analysis.

Report thread: http://forum.immunet...false-positive/

If you want to fix it, here is some information.

File name: folderpilot_v100.exe
File size: 1784727 bytes
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 2c00df1f1f843bfde9d6de2f0c3b5da2
SHA1: 106c466227edde8c2ccabef78b2bdeb1ba685350
SHA256: 4d7971e388b76377b31625f70920973f82aafc9cb89d17f6d9e046f7496a950e

VT: http://www.virustota...950e-1292432121

The attachment is: http://forum.immunet...h&attach_id=394

This is a detection by Spero or Ethos; please check it.

Alfred: in this thread the detection is fixed. "I wait for an upgrade :)".

#3 Alfred

Posted 15 December 2010 - 05:45 PM

Awesome, this is fixed. Please mail me directly (alfred@immunet.com) and I can send you a key.

#4 etms51

Posted 16 December 2010 - 11:53 PM

Hello, I found some false positives with Avira detection (Avira does not detect this malware).

1) File name: alg.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Detected as: W32.trojan.00a1
SHA256: 00a120ddecaaa7d302d61a8515a5294462a6a35ce7ae453a553abe3d02663bea

NB: When I uploaded this attachment to Avira's ticket system, they said it is a false positive; now Avira does not detect it.

Virustotal: http://www.virustota...3bea-1292532776

2) File name: cleansvc.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 44a3c22f6fff82e60a4e86c584617155
SHA1: 4ba9ec69f889900347639cc704ce67f881dcf355
SHA256: 179dab70da38253cd2f8b1ef29905528134c7d5cca9c7d23452e99e443e72b2c
Detected as: W32.TROJAN.179D

NB: When I uploaded this attachment to Avira's ticket system, they said it is a false positive: Avira detected it before, but they have not found any problem, it is a legitimate program, and they have deleted this attachment.

3) File name: desktop.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: ead731c0000faef18bbdabbfdbd7649a
SHA1: db92ebd88a324b7a4d1d22e1a2a4913c514d2f1b
SHA256: 3307009190dc850d5cd88a991519f2c704a684eb7b2e0eec8a7afc91587afe98
Detected as: W32.TROJAN.3307

Virustotal: http://www.virustota...2b2c-1292533784

NB: When I uploaded this attachment to Avira's ticket system, they said it is a false positive; now Avira does not detect it.

4) File name: desktopset.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 580b7c31d8cd5ba29482f55f4225600d
SHA1: 78c8e29237a4874117bc12c2ee3d5436dbd4445a
SHA256: ac8397c2ff240493433f744f1e61719b61436c2a18ab0bab87b2780e3bb3f78a
Detected as: W32.Trojan.AC83

Virustotal: http://www.virustota...f78a-1292536091

NB: The Avira team told me: "The file 'desktopset.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm."

5) File name: getlic.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 0e653e663a82623b80fc4be1bc0dab54
SHA1: d862853e0bd6c5415a2d1631031fafeaf06dd3f6
SHA256: ba18b1fab1ec806c5e11959746780087e941f3820091a9bc6ee8362f9fc053c9
Detected as: W32.TROJAN

Virustotal: http://www.virustota...53c9-1292537312

NB: The Avira team said: "The file 'getlic.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content." Please check it.

6) File name: ghp.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: c75dd88ff809358b5337d1af66c5c3ae
SHA1: e8a3b9fbd3d508e7e29f0f7f7a374ff29e3038cf
SHA256: 8786ecbdffebc65097c1505f2f22940a81a558b9abaa769a3b7568a423dea0bc
Detected as: W32.malwaref

Virustotal: http://www.virustota...a0bc-1292539725

NB: The Avira team told me: "The file 'ghp.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm." Please check it.

7) File name: ghp2.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 64e1a2b9da2ac40b8e64f3d511ce6d96
SHA1: e653fc306fc6bf1e821d925d42550b4e9b5d5a5c
SHA256: 6f2dfa1951ed5a34ffb7c365cb81cda163d76deb24009aa3b3e4e44527f4e175
Detected as: W32.Trojan.6F2D

Virustotal: http://www.virustota...e175-1292540020

The Avira team told me: "The file 'ghp2.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm." Please check it.

8) File name: nplogon.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 8cb4a8b1df76ff5067e26a7081ec3878
SHA1: e82d4e926d16ef0ffc6fda8bd4d9b3959375367e
SHA256: faa441d04e3887dfb4fc39201d021c483ee8c658869af02d995ed925a0600c92
Detected as: W32.Trojan.FAA4
Virustotal: http://www.virustota...0c92-1292541004
Virscan.org: http://www.virscan.o...74e91334b7.html

Avira team: "The file 'nplogon.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm." Please check it.

9) File name: nport.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 04bb4658a27572c56f3ab4ff2a8a74fd
SHA1: 6380bdf25587d2269ba099e7457e5f9e80fd8e0c
SHA256: 0bf1ab2d0ea6c6e9c440e900b813789b4a16980b6f778787eeb980a5a2e809e8
Detected as: W32.Trojan.
The Avira team said Clean; please check it.

10) File name: UnHideFolder.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 8211396de1b8388d9cbb4fe8e7f46a7d
SHA1: e7df918dd79b5551674516c21db8f9832b759cdd
SHA256: d2ac081493f976d9f22773133d4ac0331f8b89d16c8c77081b40c1a4df652332
Detected as: W32.Trojan.2dac

Virustotal: http://www.virustota...2332-1292543122
Virscan: http://www.virscan.o...c62293c95b.html

Avira team: "The file 'UnHideFolder.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm." Please check it.

The detection is not present with the Tetra and ClamAV engines; please check it.
