WacoJohn

Immunet 3.0 Quarantines Temp File But Not Actual File


If I click a download link at a website .. immediately before the d/l begins, Immunet 3.0 (Free) quarantines the file .. except not 'exactly' the file. Say the filename is diagnose.exe. Soon as I click to d/l it/save to desktop, diagnose[1].exe gets quarantined. It gets quarantined FROM:

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\F33XGHK\diagnose[1].exe

It is flagged W32.Trojan

but the actual file ... diagnose.exe DOES download and is saved to the desktop. A custom scan with 3.0 Free on that file specifically does not flag it in any way. No problem with it.

Seems 3.0 is seeing some kind of TEMP file as infected and quarantining it .. but only the temp file corresponding to an actual file being downloaded.

Incidentally, diagnose.exe is VERY likely NOT infected.

Finally, this happens often .. not just with this file but others .. and from other websites.

XP Home SP3 is the system.


Hi WacoJohn,

Even if I think we both have the same version of Immunet (3.0.1.6112 Free), I cannot recreate the same problem on my computer, because I have permanently moved the folder "Temporary Internet Files" to another drive: J:\Temporary Internet Files

Sorry,

sweidre


We both have the same version. I don't THINK it has much to do with the location of that TEMP folder as it does what file is being downloaded. The source of the file I am reporting is www.freshdevices.com and the (free) product is Fresh Diagnose.

 

They have ANOTHER product called Fresh UI and downloading it results in the same problem I am describing .... quarantines frui[1].exe from the Temp folder. I reported the frui problem a few weeks ago though.

Guest Orlando

Hi,

 

No problem, it quarantined the files in the TEMP folder because the browser downloads these files into the TEMP folder first and then moves them to the desktop; Immunet blocks them before the move.

 

For reporting a FP, please read this guide.

 

Orlando

Maybe I am missing something AGAIN .. but from my view that IS a MAJOR problem. Scenario: There is a downloadable and executable file on the internet at a website. Attempt to d/l it results in 3.0 quarantining the TEMP file as either infected or a FP. Then, it allows the exe file to actually save to the target folder .. but does NOT quarantine that 'copy'? In fact, a custom scan of that specific file (not the TEMP one) results in a CLEAN scan. If it is a 'copy' of a quarantined file, it should quarantine also. What if it is infected (not a FP)? If what you say is true, it is ludicrous as a function of 3.0.

The FP rate of Immunet is TERRIBLE. I spend a TREMENDOUS amount of time dealing with FP issues. In fact, so far, EVERY quarantine has been a FP and I have been using the product for about a month or more. I have 'reported' most .. yet 3.0 seems to continue the same ones frequently.

As for reading how to report an FP .. believe me, I am now pretty much an expert. 3 different ways to do it, .. none of which are convenient, .. it is a pain in the rear. Can't send it except in a zip file .. can't zip it until you remove it from quarantine, if you remove it from quarantine, it quarantines again. You have to 'shut down' 3.0 .. about a 5 step process then unquarantine, then zip it then turn 3.0 back on again which is another 5 step process. There is an upload limit in the forum. I should not have to report a FP or anything else. 3.0 should quarantine 'whatever' and it should automatically be dealt with via the cloud. If FP, it should be automatically UNquarantined. If infected, I should be notified so I know what the $$@$!! to do with it.

I am doing more work with 'detection' than Immunet 3.0 is ... and it is most always over a #$@@ false positive. I'm just about 'done' with it.


It does seem that since the introduction of the ClamAV engine to Immunet there have been numerous complaints about temp files used by applications being flagged as malicious. I had such an encounter when a temp file that a Firefox add-on uses (Forecastfox Weather) was being flagged as malicious.

Sounds like what I am posting about. If I3.0 'thinks' the temp file is malicious, why would it let the actual file avoid detection? If the temp file IS malicious, and it is a copy of the 'actual' file, then the actual file would be malicious too .. it would seem.

Hi WacoJohn,

I have the same Immunet Free v.3.0.1.6112 as you have! But I have Win 7 Pro 64-bit and Temporary Internet Files moved to my J:\Temporary Internet Files. Nevertheless, please, give me the website from where you downloaded the file: diagnose.exe or diagnose(1).exe! I intend to reconstruct, if possible, the problem you came across. As I see it, we must find the real root of your problem! The FP explanation given is not enough. Still the major problem is unsolved. Of course, I cannot promise to find a solution, but maybe I might be able to find further highlighted details of the issue! For safety reasons, I will, prior to the exercise, take a backup (Norton Ghost) of my system drive to restore to, if needed! (At first, I tried to download the file: fruit.exe, but I found the site to download from looked a bit unreliable, so I now will try with the file: diagnose.exe instead!)

Cheers,

sweidre

PS. The hiccup is that no admins have visited the forum on this Friday. During the weekend no visits by the admins can be expected, either! DS


http://www.freshdevi...k_software.html

The product name is FRESHDIAGNOSE. They have another product FRESHUI which behaves the same (same problem) when I try to d/l it.

Hi WacoJohn,

I had no problems at all! Nice Software in fact! My Steps:

01.) I went to the site: http://www.freshdevices.com/benchmark_software.html

02.) Site Name: What's Fresh Diagnose?

03.) There were listed 5 pieces of 100% free software:

03a.) Fresh Video Downloader

03b.) Fresh Download

03c.) Fresh Diagnose

03d.) Fresh UI

03e.) Fresh View

04.) I had to fill in my name & email and pressed the button "Submit (press once!)" in order to get a free licence via email from the 11th day until forever. (I have not got any email yet!)

05.) I selected Download Page

06.) Of all 5 products listed I selected only no. 3, Fresh Diagnose v.8.53, and pressed "Download here" (mirror 1). More Info: OS Supplied Win7/Vista/XP/2000/Me

07.) I downloaded via my browser "Slimbrowser" into the path: Z:\Import\Program\1. EXE\diagnose.exe (2,140 kB)

08.) I double-clicked on Z:\Import\Program\1. EXE\diagnose.exe (= setup file) and it was installed to:

09.) C:\Program Files (x86)\FreshDevices\FreshDiagnose\ with Start Menu Folder: FreshDevices\FreshDiagnose\

10.) I studied briefly the README: File: ver.8.53 Release Date: May 7, 2011

11.) I clicked on: C:\Program Files (x86)\FreshDevices\FreshDiagnose\fdiag.exe and got a very nice window in English. Some other languages could have been selected, but as "Swedish" was not listed, I continued with English.

12.) I clicked on "About" to get a free registration code from the same webpage as before. As this button was only permitted to click on once, I abstained to click another time.

13.) Using the Windows Explorer right-click shell context menu I scanned the folder C:\Program Files (x86)\FreshDevices\FreshDiagnose with Hitman Pro, Immunet Protect, SuperAntiSpyware, & ESET Smart Security (NOD32) and no Malware or False Positives were found! Goody, Goody!

14.) As Malwarebytes' AntiMalware Pro and Emsisoft AntiMalware only scan whole drives (right-click scan is not available), I abstained from scanning with these programs.

15.) During the 10-day test period I will search for a free registration code via email.

Conclusion:

My download & installation worked without any problems at all! (No temporary folders or files, no quarantining by any of my security software. Note: Not even Emsisoft, which is notorious for quarantining "false positives", worse than Immunet!) Now, the reason for my smooth downloading & installation might be the fact that the installation file "diagnose.exe" has, after your earlier Malware Analysis, been reported to the Immunet Cloud as a "false positive" = 100% clean! So, I think that you earlier acted as a test-rabbit regarding this "diagnose.exe" file, which the strong heuristics of the ETHOS module first regarded as Malware and quarantined (but not any longer). I think you often act as a test-rabbit for files not used by others in the community.

Cheers,

sweidre

PS. I'm sorry for this long and detailed report! But I was prepared for real problems, which should be described in detail step by step. In fact not necessary! DS


Of all the products they offer (free), I use Fresh Diagnose (diagnose.exe) and FreshUI (frui.exe). In the past, when I would initiate a download of either, I3.0 would quarantine diagnose[1].exe or frui[1].exe from a browser temporary folder (as I have described). In spite of the temporary copy being quarantined, I still ended up with diagnose.exe or frui.exe in my target d/l folder. They scan clean with I3.0. This is how I have described the problem.

 

That this did not happen for you, I am almost certain that the temp files have now been deemed 'clean' because I reported both as FPs a short while ago.

 

I just NOW downloaded diagnose.exe .. to see if anything got quarantined .. and nothing did.

 

Quote (sweidre): Now, the reason for my smooth downloading & installation might be the fact that the installation file: "diagnose.exe" has after your earlier Malware Analysis been reported to the Immunet Cloud as a "false positive" = 100% clean! So, I think that you earlier acted as a test-rabbit regarding this "diagnose.exe" file, that the strong heuristics of ETHOS module first regared as a Malware and quarantined it. (but not any longer). I think you often act as a test-rabbit of files not used by others in the community.

 

I agree with the above quote. I should also mention neither diagnose.exe/diagnose[1].exe or frui.exe/frui[1].exe are on my exclusion list.

 

EDIT: Add comment

 

I have been thinking about this situation and though I don't know the mechanics of a browser's downloading of a file, there is something not adding up. I get the quarantine of diagnose[1].exe from the Temporary folder within a millisecond of clicking on the d/l link .. as if diagnose[1].exe is not the actual file itself. There is just not enough time for it to d/l as a COPY of diagnose.exe. Maybe diagnose[1].exe is a (temporary) header or descriptor of diagnose.exe .. probably a very small file. I3.0 is falsely quarantining that little tiny file .. but NOT quarantining the actual file (diagnose.exe) which takes a 'few seconds' to actually d/l. The quarantine of diagnose[1].exe is INSTANT from the moment I click on the link to d/l. THEN .. it appears the d/l of the actual file begins .. which does NOT get quarantined. The important point is that it is diagnose[1].exe that is getting quarantined .. not diagnose.exe ... which suggests they are not COPIES of a file ... they are exclusively different from each other .. and the [1] file (whatever the heck it is) is the false positive.

 

It's going to take a 'tech/engineer' who knows the physical difference between diagnose[1].exe in a TEMPORARY folder from diagnose.exe which ends up on my desktop (the target of the d/l) to answer this.

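The open question in the post above is whether the quarantined temp copy (diagnose[1].exe) is byte-for-byte the same file as the diagnose.exe that lands on the desktop, or a small partial/descriptor file. Added example, not from the thread or from Immunet: a script that hashes both files, compares sizes and checks whether each is a complete MZ/PE image. The sample files it builds are constructed stand-ins, not the real Fresh Diagnose installer; on a live system you would point `compare_download_artifacts` at the restored quarantine item and the desktop copy.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_pe_image(path):
    """True if the file has an 'MZ' DOS header whose e_lfanew offset points at a 'PE' signature."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(head[0x3C:0x40], "little"))
        return f.read(4) == b"PE\0\0"

def compare_download_artifacts(temp_path, final_path):
    """Report whether the temp copy is byte-identical to the saved file and whether each is a complete PE image."""
    t_hash, f_hash = sha256_of(temp_path), sha256_of(final_path)
    return {
        "temp_size": os.path.getsize(temp_path),
        "final_size": os.path.getsize(final_path),
        "same_hash": t_hash == f_hash,
        "temp_is_pe": is_pe_image(temp_path),
        "final_is_pe": is_pe_image(final_path),
    }

def build_sample_files(directory):
    # Constructed stand-ins (not the real installer): a minimal MZ/PE stub as
    # "diagnose.exe" and a truncated copy as "diagnose[1].exe", modelling a partial download.
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE header at offset 0x40
    stub[0x40:0x44] = b"PE\0\0"
    final_path = os.path.join(directory, "diagnose.exe")
    temp_path = os.path.join(directory, "diagnose[1].exe")
    with open(final_path, "wb") as f:
        f.write(bytes(stub))
    with open(temp_path, "wb") as f:
        f.write(bytes(stub[:0x20]))  # only the first 32 bytes had arrived
    return temp_path, final_path

def demo():
    with tempfile.TemporaryDirectory() as d:
        return compare_download_artifacts(*build_sample_files(d))
```

If `same_hash` is true the two are the same download and the two scan verdicts genuinely disagree on identical bytes; if the temp copy is smaller and not a valid PE image, it was quarantined mid-download and its verdict says nothing about the finished file.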

Hi WacoJohn,

I have uploaded the setup file:

Z:\Import\Program\1.EXE\diagnose.exe (2,140 kB) to Virus Total Uploader, and none of the 42 Anti-Malware products reported anything (see screenshot attached)

Cheers,

sweidre


Hi WacoJohn,

1. It is evident that the ETHOS module (heuristic detection) is too strong and causing unnecessary & annoying "false positives". Immunet Technical Staff must alter the ETHOS module! (Very Important!)

2. When Immunet is not quarantining a "false positive", the problem with duplicates: diagnose.exe & diagnose(1).exe will never appear!

So fixing item 1 will automatically fix item 2!

Cheers,

sweidre


Make sure you turn on 'scan packed files' and 'scan archives'; in some versions they were off by default.

If they are off then Immunet can only scan the file when unpacked, hence only removes the temp files as you say.

If scan of archives/packed executables is on then it can scan these files prior to unpacking, and quarantine the archive itself.

Hmmm .. you make an excellent point. I will be sure to have both checked. Only thing I don't get is the temp file is a copy of the packed file (I think). How could it be Immunet quarantines a temp file (in this case .. packed) but doesn't quarantine the copy?

 

I just NOW checked I3.0 and scan archives/packed is ON. There is nothing on exclusion list regarding fresh diagnose. Went to the website and attempted a d/l of freshdiagnose. Instantly got a popup:

 

THREAT QUARANTINED

diagnose[1].exe has been detected as W32.Trojan. Quarantine was successful. Would you like to restore it?

 

I select NO.

 

BROWSER (IE8) says "To help protect your security, IE blocked this site from downloading files to your computer. Click here for options"

 

Implying NOTHING has been downloaded YET .. but SOMETHING must have been d/l'd .. and it is apparently diagnose[1].exe to a temp folder .. because I3.0 is quarantining it!!

 

I click on OPTIONS and allow the d/l. Window pops up: DO YOU WANT TO RUN OR SAVE THE FILE DIAGNOSE.EXE?

 

I select SAVE (to desktop). Result:

 

File downloads .. download completes BUT the d/l window does not close immediately .. it stays open for some time. Immunet icon on the task bar shows activity. HD light is busy. I3.0 is obviously scanning diagnose.exe on the desktop. Once finished, d/l window closes.

 

So .. here we are again .. something in a TEMP folder gets quarantined .. its associated exe file DOESN'T get quarantined.

 

I might add .. I reported the FALSE POSITIVE of diagnose[1].exe to Immunet about a week ago. This time, I am going to be sure to leave it in quarantine .. and see what happens next.
