
Here Is Another FP. A D/L From CNET


WacoJohn


This is an update to a popular program, 'UNLOCKER', provided by CNET. The 32-bit version downloaded fine; this 64-bit version got quarantined.

What does this mean?:

"Used 1.96MB of your 2MB global upload quota (Max. single file size: 808.65K)"


Hi WacoJohn,

1. UNLOCKER

My ESET Smart Security (NOD32) also quarantined this Unlocker file. During my Win XP (32-bit) period, I downloaded directly from the producer "Colombe" a zip file that was not quarantined by Immunet or ESET. After unzipping, the file was nicely installed. Now I have changed to Windows 7 64-bit, and the 64-bit file was quarantined by both Immunet and ESET, so I have left Colombe's UNLOCKER for good. I have instead gone for "IObit UNLOCKER" (freeware), which was not quarantined by any of my AVs, and it works better than Colombe's UNLOCKER, in fact!

2. UPLOAD QUOTA

Unfortunately, the upload quota in the Immunet forum is limited to 2MB. So, frequently, I have to go to My Profile's Page -> Settings -> Manage Attachments -> Delete attachments not needed to get space back!

Cheers,

sweidre


Thank you Sweidre (and RobT). Unlocker 32-bit passes Immu 3.0 but the 64-bit doesn't, as you described. In either case, it would be a FP, I am certain. Thank you for 'splainin' the upload quota. I guess that means 2MB for life... or over some timeframe? In any case, I will 'gain space' from my profile. Thank you both again.


Thanks John, this has been fixed.

This brief reply is a little bit confusing! Regarding Colombe's UNLOCKER, not only its setup file will be quarantined by many AVs; its uninstallation file will also be quarantined by AVs. Software downloaded from CNET is said to be clean, but regarding Colombe's UNLOCKER, users on the CNET page are complaining that this download is infected! Has RobT placed the UNLOCKER in the "False Positives" category of Immunet? (Other AVs also regard UNLOCKER as contaminated!) Has RobT extended the 2 MB upload limit for all users? (If you do 4 or 5 screenshots, the quota of 2MB is too limited, in my mind!) I hope that RobT is a little more verbose about what has been fixed!

Cheers,

sweidre


This brings up a few good points. I am the LAST person to know if a file is infected or not. I rely on antivirus products to notify me. When I get a quarantine from any of them, I have to first assume it is infected. THEN I have to consider if it is a false positive. I really have no way to know EITHER WAY. I TRY to submit them for 'analysis', whether it be to McAfee, Immunet, or whomever. I ASSUME 'they' disassemble the file and technically examine it, but I don't know what they do with it. If they simply scan it with 20 other AV products and get a 'small' failure rate, and conclude it is safe... that isn't going to cut it.

I just submitted that 64-bit UNLOCKER install file FROM CNET to WWW.VIRUSTOTAL.COM and they apparently scanned it with 42 AV products. Of those, three flagged it as infected:

Emsisoft 5.1.0.5 2011.05.04 Adware.Win32.ADON!A2
NOD32 6094 2011.05.04 Win32/Adware.ADON
VIPRE 9192 2011.05.04 RiskTool.Win32.ProcessPatcher.Sml!cobra (v)

RobT's input is 'it's fixed'.

Truthfully, I don't feel very 'secure' about it. As you mentioned, I (we) really don't know what Immunet actually does with submitted files (no reflection on RobT).

This business about ME submitting files, some to the FP 'category' and others to the 'infected' category, is actually beyond my qualifications. It is not up to me to decide if it is FP or not... all I know is it is 'flagged/quarantined'.

Personally, I think 'FP' should be done away with. It isn't up to me to determine an FP; it is the Product's responsibility to determine. I think ALL quarantines should be submitted... to one place... let the 'experts' determine what is FP and what is infected, because as far as I am concerned, I really have no idea.

This brings ANOTHER question. I have IMMUNET running on my machine. It 'catches' a file. It goes into quarantine. Suppose I don't do ANYTHING: I don't submit it, just let it sit there. What does IMMUNET do at that point???? Do they somehow 'pick it up' from its users' quarantine 'box' and process it? What happens when they process it? If it is FP, is it 'magically' released from my QUARANTINE? Am I notified by email 'what it is'? If it is NOT FP and actually infected, what happens then?

Immunet is a 'cloud' approach and it is my understanding that what happens to me (FPs, infections) somehow 'benefits' everyone else on the cloud, but I don't understand how that works.

I am 'missing something' obviously. Probably did not read a readme file or something. All I know is I get files quarantined; I submit them (most of them). That seems to be about the end of the story, and I am left to do a lot of wondering.


Hi WacoJohn,

You have submitted the 64-bit UNLOCKER install file FROM CNET to VirusTotal, of which 3 of the 42 Anti-Malware products regarded the file as contaminated:

Emsisoft 5.1.0.5 2011.05.04 Adware.Win32.ADON!A2
NOD32 6094 2011.05.04 Win32/Adware.ADON
VIPRE 9192 2011.05.04 RiskTool.Win32.ProcessPatcher.Sml!cobra (v)

So the possibility 3/42 is very low that the file is contaminated. It is possibly a "False Positive"! Note the underlined words! We cannot say with 100% certainty that the file is clean! So, finally, it is up to the individual computer user to decide! But what to do if, let's say, 21 of the 42 products regard a file to be contaminated!?

If IMMUNET quarantines a file, it will remain there until IMMUNET regards the file as clean (a FP). Hmm... let's say that the laboratory of IMMUNET regards the file as clean, but other Malware products regard the file as being malicious. So evidently, in all cases, it is finally up to the individual user to decide! I do not like this either!!!

Cheers,

sweidre


Actually, from a consumer standpoint, that is not really good enough. I do not know the 'industry', but somewhere I got the idea that McAfee etc. brought 'samples' down to machine code and then 'looked' for 'known patterns' to determine if a file is infected. Apparently, that is not the case. I don't know WHAT they do. If they have a library of known 'good files', they could probably do an md sum check. Like I say, I have no idea. But for the responsibility to fall on me means I have to run multiple products; when I get a 'flag', I have to upload the file to some website like WWW.VIRUSTOTAL.COM who simply runs the file against 40+ antivirus products, some of which flag and some don't, and I am left to wonder.

This is a lousy method. I don't know what Immunet does. All I can say is, I am glad I don't PAY for antivirus protection, because there is not 'enough' promise to deliver. If some little jerk in Bulgaria writes some malicious code and sticks it into some freeware product, no one knows he did it, unless McAfee or ? is testing everything and anything they can find. They would need a 'good copy' and an infected copy, note the difference, figure out what kind of damage the infected file does, catalogue it to their 'library', and figure a way to 'clean' it. Actually, I think their 'library' is made of (known) malicious 'patterns', not every 'file' in the universe. So they scan 'files' looking for malicious patterns. I guess Immunet does the same thing. I just don't know.

I don't know... maybe I am way out in left field with all this, mainly because I don't understand the science. It just seems like Immunet ETC need to explain some things to the consumer, so we know what is going on.

Maybe an IMMUNET person can clarify some of this. I am still not sure what happens to a file that gets quarantined by Immunet. I may or may not submit it; what if I just leave it sitting there? Does Immunet even know it got flagged? Do they do anything about it? Does it ever get resolved via Immunet technology? How does Immunet resolve it? I just can't figure out how the Immunet product model works. Who knows... might be a corporate secret.
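The post above raises two practical ideas a user can actually act on locally: comparing a download against a known-good hash ("md sum check"), and reading a multi-engine result such as the 3-of-42 hit earlier in the thread in terms of how many engines fired and what kind of names they reported. The script below is an added example written for this page; it is not code from the forum, from Immunet, or from any antivirus vendor. The scan-line layout follows the three lines quoted in the thread, the sample file bytes and the digest are constructed, and the keyword buckets and ratio thresholds are editorial assumptions rather than any vendor's classification rules.

```python
import hashlib
import hmac
import re
from typing import Optional

# Added example (not code from the forum, Immunet or any AV vendor). Two local checks
# before trusting a flagged download:
#   1. compare the file's SHA-256 digest with one obtained out-of-band from the publisher
#      (the "md sum check" idea from the post above);
#   2. summarise a multi-engine scan so a 3-of-42 hit on adware/riskware names reads
#      differently from a broad trojan consensus.
# The keyword buckets and thresholds below are editorial assumptions, not vendor rules.


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_hex: str) -> bool:
    """True only if the digest equals the publisher-supplied value (case-insensitive).
    hmac.compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


# One scan line per engine, in the "<engine> <version> <date> <detection name>" layout
# quoted in the thread.
SCAN_LINE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<name>.+)$"
)

PUA_WORDS = ("adware", "risktool", "riskware", "pua", "pup", "hacktool", "not-a-virus")
MALWARE_WORDS = ("trojan", "worm", "backdoor", "ransom", "rootkit", "virus", "exploit")


def parse_scan_line(line: str) -> Optional[dict]:
    """Split one scan line into its fields; None if the line does not fit the layout."""
    m = SCAN_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify_name(name: str) -> str:
    """Bucket a detection name as 'pua', 'malware' or 'unknown' by keyword (assumption)."""
    lowered = name.lower()
    if "not-a-virus" in lowered:  # checked first because it contains the word 'virus'
        return "pua"
    if any(w in lowered for w in MALWARE_WORDS):
        return "malware"
    if any(w in lowered for w in PUA_WORDS):
        return "pua"
    return "unknown"


def summarize_scan(lines, total_engines: int) -> dict:
    """Reduce per-engine lines to a detection ratio, the name categories and a verdict
    label the reader can act on (thresholds are an assumption, not a vendor rule)."""
    hits = [h for h in (parse_scan_line(l) for l in lines) if h]
    categories = {classify_name(h["name"]) for h in hits}
    ratio = len(hits) / total_engines if total_engines else 0.0
    if not hits:
        verdict = "no-detections"
    elif "malware" in categories or ratio >= 0.5:
        verdict = "treat-as-malicious"
    elif categories == {"pua"} and ratio < 0.25:
        verdict = "likely-pua-or-false-positive"
    else:
        verdict = "needs-analysis"
    return {
        "detections": len(hits),
        "total": total_engines,
        "ratio": round(ratio, 3),
        "categories": sorted(categories),
        "engines": [h["engine"] for h in hits],
        "verdict": verdict,
    }


# Constructed sample: the three lines quoted in the thread, out of 42 engines.
SAMPLE_SCAN = [
    "Emsisoft 5.1.0.5 2011.05.04 Adware.Win32.ADON!A2",
    "NOD32 6094 2011.05.04 Win32/Adware.ADON",
    "VIPRE 9192 2011.05.04 RiskTool.Win32.ProcessPatcher.Sml!cobra (v)",
]
SAMPLE_TOTAL = 42

if __name__ == "__main__":
    # Constructed file bytes and a digest computed from them stand in for a real
    # download and the hash a publisher would post beside it.
    blob = b"placeholder installer bytes"
    print(verify_download(blob, sha256_hex(blob).upper()))  # True
    print(verify_download(blob + b"x", sha256_hex(blob)))   # False
    print(summarize_scan(SAMPLE_SCAN, SAMPLE_TOTAL))
```

The hash check only helps when the expected digest comes from somewhere other than the download itself (the publisher's own page, a signed release note), which is why the function takes it as a parameter instead of reading it from a file next to the installer. The verdict label is deliberately conservative: any engine reporting a trojan-class name, or a majority of engines firing, pushes the result to "treat-as-malicious", while a handful of adware/riskware names on an otherwise clean scan is flagged as something to look at rather than declared safe.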


Hi WacoJohn,

Originally the antivirus companies only stored known malware in a database that was transferred to the computer users via weekly or daily updates. Then they started to add heuristic models (methods) to determine if a file was malicious or not (through analysis of the pattern of the file). Competition between antivirus products led to stronger and stronger heuristic models, because each antivirus product wanted to show that it was superior at finding malware. The effect of these too-strong heuristic models was that "False Positives" were found. False Positives are almost as dangerous as malware. If an AV quarantines clean important system files as malicious, the Operating System will be hampered, and finally you must empty your system drive and reload it with a fresh OS from the beginning. Immunet has the ETHOS module, which is a heuristic module.

Some antivirus software products are known to give too many "False Positives": Emsisoft Anti-Malware, Immunet, ClamAV, McAfee etc. My Emsisoft often quarantines many files as malicious, but after some days it pops up a message that some of the quarantined files are not malicious: "Do you want to have them restored or not?" I do not know if Immunet will come back and admit that files have been quarantined by mistake! This question should be put to IMMUNET staff!

Cheers,

sweidre


Hi WacoJohn,

I have been thinking a little! If you set the ETHOS module to "Off", the too-strong heuristic method in Immunet is disabled in your computer. But if other Immunet users are not doing the same, you will get those "false positives" from other members anyhow via your SPERO module, which gets info from the community cloud! If the ETHOS module were set to "Off" in all computers of all Immunet users, you would not get any "false positives". But the best way should be to convince Immunet to make the ETHOS module into a not-too-strong heuristic module! Previously, finding malware and presumptive malware was the main issue; now we all suffer from "False Positives" instead!

Cheers,

sweidre


THANK YOU. As I (tried) to admit, I don't know about 'such things', and THANK YOU for explaining. Of course I was aware of all the modules but had no idea what did what. I also had only an elementary idea of antivirus 'technique' in the first place. Based on your clarifications, I can use Immunet with more confidence.

What I would like to know, from Immunet, is 'does the product' resolve quarantines on its own (eventually), whether I submit or not, FPs and malware? For the sake of the cloud, should I UNquarantine (manually) FPs or let them remain quarantined until 'the system' restores them (if that is how it works)?

What I have been doing is 1. Getting a quarantine. 2. Probably submitting it, but not necessarily. 3. Using my own means to decide if FP. If (most likely) FP, I have been restoring the file from Quarantine. I may not be using the product correctly. For one thing, I might be restoring an infected file. For another thing, I may not be supporting the cloud if I remove a file from quarantine manually. By the way, the only way (I can see) to submit a quarantined file is to UNquarantine it first, then zip it, then submit it, one way or another (3 different ways to submit).


Hi WacoJohn,

A.) I am not an expert in this field! My explanations of ETHOS & SPERO come from letting my cursor hover over the ?-marks to the right of the words ETHOS & SPERO respectively. (These ?-marks are found here: Settings -> ETHOS -> ?-mark & Settings -> SPERO -> ?-mark).

B.) If IMMUNET has once quarantined the file, the file (infected or false positive) is already reported to the cloud as a malware. Your removal of the file from your quarantine is not reported to the cloud, I think anyhow! (I hope an admin will read these lines!)

C.) If IMMUNET analyzes the file and finds it to be a "false positive", this fact will be reported automatically to the cloud. So false positives in zip or 7z format (if sending by Gmail, the attachment must be in 7z format only, because neither .exe nor .zip are permitted as Gmail attachments!) must be submitted by the user to http://support@samples.immunet.com for analysis, and the result will automatically be sent to the cloud.

D.) In the old days there was not much talk about "False Positives". If an AntiMalware placed a file in quarantine, it should remain there for a week or so, until the user found that the file was not missed by the Operating System or by any other necessary 3rd-party software. When the week (approx.) had gone, and the user had not found any harm to the computer, the user could then with confidence highlight the file in quarantine and click on the "remove"/"delete" button to have the infected file permanently removed from the computer. If the user had found that the file was needed for a necessary software to work properly, the user had to check the level of seriousness (low, medium, or high) of the file infection. (Often this info could be obtained from the AntiMalware's homepage itself, where all found infections were listed.) Another way was to make an objective(?) Google search for the file name and/or the infection name to get more info. Based upon this info on the file and its infection, it was then up to the user to have the file restored again or not! The Google search often gave a way to have it cleaned from the infection, so removal was not needed (often by using a 3rd-party software, hmmm...). If the info given was not complete and the user would not take the risk, an option was to uninstall the software as a whole and install it again, or go for similar software of another brand.

E.) Nowadays, the situation is quite different! Files are quarantined very frequently (depending on the Antimalware used), so the user has no time to investigate all the quarantined files (including "false positives") by himself. (Personally, I am today using VirusTotal for checking, and if time is available, I also do a Google search.) Regarding IMMUNET, I do not know if IMMUNET can "clean" an infected file of the infection (the best way), or if quarantining the whole infected file is the only option. Quarantining "false positives" is on the verge of being a crime (unnecessarily hampering the OS or software from working properly).

F.) You mentioned "unquarantine (manually)"! This word is a bit misleading! You can "unquarantine" an infected file by two options: "restore" or "remove". Restoration means that the file (infected or not) will be placed back into the same place (path) it originally belonged to. (If it is a false positive, this is the proper way. If it is infected, the infection might spread further in your computer.) Removal means that the file (hopefully incl. the whole infection) will be permanently taken away from your computer. This is the correct way if the infected file is not needed by your OS or by any software therein. If the file is needed by your OS or by any important software therein, a removal will hamper your computer, at least partly. If the file is a "False Positive" it shall not be removed at all, but restored.

G.) Finally, you should consider the health & workability of your own computer! How IMMUNET will take care of "infections" or "false positives" regarding maintaining its cloud with correct info and contents is the matter of IMMUNET! IMMUNET should consider three other things, in my mind: 1.) Automatic or manual restoration of false positives from each computer's quarantine, as Emsisoft is doing by putting questions to the user. 2.) Develop a method to clean an infected necessary file of its infection without having the whole file quarantined! 3.) Will Immunet also correct registry changes that were caused by malware?

Cheers,

sweidre

PS. Note that you cannot see by looking at the file name if the file is legitimate or contaminated. Many malwares add infection to an existing legitimate file without changing the name of the file. Often those contaminated files are to be found in the C:\Windows\System32\ directory! DS


Excellent response, Sweidre. Thank you again for all your insight. I certainly have a clearer perception of all that is happening, with Immunet as well as other AV technologies/products.

It will be interesting to see if Immunet enters this thread with more clarifications. In any case, I am more informed now than ever before, thanks to your input. Thank you again.
