alfred Posted September 26, 2010
All, each day, 7 days a week, 3 times a day, we manually review our FPs and vet them. We do this by looking at what files our users roll out of Quarantine. We examine each file. In many cases I find users who are rolling things out of Quarantine that are actually threats. In this case the rollbacks are where the user sees us (correctly) ID a threat and quarantine it, yet they still roll it back out of Quarantine. Nearly every time this is because the threat is masquerading as software they really want to run. In the last 24 hours, 37 different Community users rolled back this SHA (and related threat name): AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615 Trojan.Rootkit-1503. It's our biggest single item rolled out of Quarantine in the last 24 hours. The rub is, this threat is real. In fact it's Conficker. http://www.virustotal.com/file-scan/report.html?id=aa0bbaecb678868e1e7f57c7ca9d61b608b3d788be490790eb1d148beadf4615-1282200455 Goes to show how insidious some of the packaging and social engineering can be to get people to run threats. al
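The review process described above (aggregate quarantine rollbacks per file hash over the last 24 hours, find the most-restored item, and check whether it is already vetted as a real threat) can be scripted. The following is an added example and not code from the thread or from Immunet; the log format, the user IDs, the timestamps and the two hashes other than the one named in the post are constructed for illustration, and the analyst-verdict table is a hypothetical stand-in for whatever vetting records a team actually keeps.

```python
"""Triage of quarantine-rollback telemetry: which detections are users
restoring most often, and are any of them already vetted as real threats?"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real product logs). One rollback per line:
# ISO-8601 timestamp, user id, SHA-256 of the restored file, detection name.
# The first hash is the one named in the forum post; the other two are made up.
SAMPLE_LOG = """\
2010-09-26T01:12:00Z,u101,AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615,Trojan.Rootkit-1503
2010-09-26T02:40:00Z,u102,AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615,Trojan.Rootkit-1503
2010-09-26T03:05:00Z,u101,AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615,Trojan.Rootkit-1503
2010-09-26T06:30:00Z,u103,AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615,Trojan.Rootkit-1503
2010-09-26T09:15:00Z,u104,AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615,Trojan.Rootkit-1503
2010-09-26T04:00:00Z,u201,0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF,Generic.Suspicious-0001
2010-09-26T08:00:00Z,u202,0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF,Generic.Suspicious-0001
2010-09-23T10:00:00Z,u301,FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210,Generic.Suspicious-0002
"""

# Point in time the 24-hour window is measured from (constructed).
NOW = datetime(2010, 9, 26, 12, 0, tzinfo=timezone.utc)

# Hypothetical analyst-verdict table keyed by SHA-256. The one entry is the
# hash the thread identifies as Conficker; anything else is "unvetted".
ANALYST_VERDICTS = {
    "AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615":
        "confirmed malicious (Conficker)",
}

HEX = set("0123456789ABCDEF")


def parse_rollback_log(text):
    """Parse the constructed CSV format into records; reject malformed hashes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, sha, name = line.split(",", 3)
        sha = sha.strip().upper()
        if len(sha) != 64 or not set(sha) <= HEX:
            raise ValueError(f"malformed SHA-256 in record: {line}")
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user.strip(),
            "sha256": sha,
            "threat": name.strip(),
        })
    return records


def summarize_rollbacks(records, now, window_hours=24):
    """Count DISTINCT users per hash inside the window (a user restoring the
    same file twice is one data point, not two), most-restored first."""
    cutoff = now - timedelta(hours=window_hours)
    users_by_sha = defaultdict(set)
    threat_by_sha = {}
    for r in records:
        if r["ts"] < cutoff or r["ts"] > now:
            continue  # outside the review window
        users_by_sha[r["sha256"]].add(r["user"])
        threat_by_sha[r["sha256"]] = r["threat"]
    rows = [
        {
            "sha256": sha,
            "threat": threat_by_sha[sha],
            "distinct_users": len(users),
            "verdict": ANALYST_VERDICTS.get(sha, "unvetted"),
        }
        for sha, users in users_by_sha.items()
    ]
    rows.sort(key=lambda r: (-r["distinct_users"], r["sha256"]))
    return rows


def review_queue(rows, min_users=3):
    """Decide what each popular rollback needs: an unvetted file that many
    users restore is a false-positive candidate for analysts; a confirmed
    threat that users keep restoring is a social-engineering signal."""
    queue = []
    for r in rows:
        if r["verdict"] != "unvetted":
            queue.append((r["sha256"], "confirmed threat still being restored: warn users"))
        elif r["distinct_users"] >= min_users:
            queue.append((r["sha256"], "vet as possible false positive"))
    return queue


if __name__ == "__main__":
    summary = summarize_rollbacks(parse_rollback_log(SAMPLE_LOG), NOW)
    for row in summary:
        print(f"{row['distinct_users']:3d} users  {row['threat']:<24} {row['verdict']}  {row['sha256']}")
    for sha, action in review_queue(summary):
        print(f"ACTION {sha[:12]}...: {action}")
```

Counting distinct users rather than raw rollback events is the design choice worth noting: one user repeatedly restoring a file says little, whereas dozens of different users restoring the same hash is exactly the "biggest single item" signal the post is describing.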
buckslayr Posted September 26, 2010
Thanks for the heads up!
Pedersen Posted September 26, 2010
Why do people think they know better and ignore our warnings? If in doubt then ask; we will be happy to tell you if it was an FP or not. Just have some patience.
Guest Mature Posted September 26, 2010
FPs are always tough to handle... Maybe you could put a "vote" on this "threat" to see how many users have rolled back this file.
ritchie58 Posted September 27, 2010
Thanks for the info on the Conficker troubles. I read somewhere that this type of malware can hide in what would otherwise be legitimate software. Something good to remember if IMP quarantines some application you think is safe. A good rule of thumb would be then, if in doubt, submit the file(s) for evaluation before taking it out of quarantine, right?
alfred Posted September 27, 2010 (Author)
Quoting ritchie58: "Thanks for the info on the Conficker troubles. I read somewhere that this type of malware can hide in what would otherwise be legitimate software. Something good to remember if IMP quarantines some application you think is safe. A good rule of thumb would be then, if in doubt, submit the file(s) for evaluation before taking it out of quarantine, right?"
Yes, when in doubt, submit the software. If not to us, then to another AV vendor or VirusTotal, Jotti, etc. al
ritchie58 Posted October 14, 2010
At first I was curious why IMP quarantined a software program called HddLed 1.7, which I found useful since I run multiple drives. I have used this program for years with no apparent ill effects. I did some research, however, and found this version of HddLed had a buffer overflow vulnerability in its code, and Immunet spotted the problem. For anyone not familiar with what a buffer overflow is, here is a link: What Is A Buffer Overflow
markusg Posted October 15, 2010
You can hide all kinds of malware in installers. I often saw TDSS come with a keygen, so you have the real keygen packed together with a TDSS dropper :-)