alfred

You Can Lead A Horse To Water......


All,

 

Each day, 7 days a week, 3 times a day, we manually review our FPs and vet them. We do this by looking at what files our users roll out of Quarantine. We examine each file. In many cases I find users who are rolling things out of Quarantine that are actually threats. In this case the roll-backs are where the user sees us (correctly) ID a threat and quarantine it, yet they still roll it back out of Quarantine. Nearly every time this is because the threat is masquerading as software they really want to run. In the last 24 hours 37 different Community users rolled back this SHA (and related threat name):

 

AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615

Trojan.Rootkit-1503

 

It's our biggest single item rolled out of Quarantine in the last 24 hours. The rub is, this threat is real. In fact, it's Conficker.

 

http://www.virustotal.com/file-scan/report.html?id=aa0bbaecb678868e1e7f57c7ca9d61b608b3d788be490790eb1d148beadf4615-1282200455

 

Goes to show how insidious some of the packaging and social engineering can be to get people to run threats.

 

al
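The daily review al describes above (aggregate the files users restore from Quarantine, rank them by how many distinct users restored each SHA256, and check the top entries against what analysts already know to be malicious) is easy to automate. The script below is an added illustration written for this thread, not Immunet's own tooling: the event line format, the user IDs and every hash other than the Conficker one are constructed for the example; the Conficker SHA256 and the Trojan.Rootkit-1503 name are the ones quoted in the post.

```python
import re
from collections import Counter, defaultdict

# SHA256 and detection name quoted in the post above.
CONFICKER_SHA256 = (
    "AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615".lower()
)

# Constructed sample of quarantine restore ("roll back") events, one per line:
# <timestamp> <user id> <sha256 of restored file> <detection name>.
# All user ids, timestamps and the two other hashes are made up; the
# "deadbeef" line is a deliberately malformed record that the parser must skip.
SAMPLE_EVENTS = """\
2010-08-19T03:12:07Z user0017 AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615 Trojan.Rootkit-1503
2010-08-19T05:40:51Z user0042 aa0bbaecb678868e1e7f57c7ca9d61b608b3d788be490790eb1d148beadf4615 Trojan.Rootkit-1503
2010-08-19T05:41:09Z user0042 AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615 Trojan.Rootkit-1503
2010-08-19T11:02:33Z user0101 AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615 Trojan.Rootkit-1503
2010-08-19T12:19:45Z user0007 1111111111111111111111111111111111111111111111111111111111111111 W32.Generic.FP
2010-08-19T14:55:02Z user0008 1111111111111111111111111111111111111111111111111111111111111111 W32.Generic.FP
2010-08-19T15:00:00Z user0009 deadbeef Trojan.Foo
2010-08-19T16:30:12Z user0010 2222222222222222222222222222222222222222222222222222222222222222 Trojan.Dropper-9
"""

# Analyst-confirmed verdicts keyed by lowercase SHA256 (constructed list;
# only the Conficker entry reflects the thread).
KNOWN_BAD = {CONFICKER_SHA256: "Conficker (confirmed by analyst review)"}

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_events(text):
    """Parse restore events; drop lines that are malformed or carry a non-SHA256 value."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, sha, name = parts
        if not HEX64.match(sha):
            continue
        # Normalise case so the same file is never counted under two keys.
        events.append((ts, user, sha.lower(), name))
    return events


def restores_by_hash(events):
    """Rank hashes by distinct users who restored them (a user restoring twice counts once)."""
    users = defaultdict(set)
    names = defaultdict(Counter)
    total = Counter()
    for _ts, user, sha, name in events:
        users[sha].add(user)
        names[sha][name] += 1
        total[sha] += 1
    rows = [
        {
            "sha256": sha,
            "users": len(users[sha]),
            "events": total[sha],
            "detection": names[sha].most_common(1)[0][0],
        }
        for sha in users
    ]
    rows.sort(key=lambda r: (-r["users"], -r["events"], r["sha256"]))
    return rows


def triage(rows, known_bad, fp_review_threshold=2):
    """Attach a verdict: known threat, candidate FP worth a second look, or too little data."""
    out = []
    for r in rows:
        if r["sha256"] in known_bad:
            verdict = "confirmed threat: " + known_bad[r["sha256"]]
        elif r["users"] >= fp_review_threshold:
            verdict = "review as possible false positive"
        else:
            verdict = "low volume: no action yet"
        out.append(dict(r, verdict=verdict))
    return out


if __name__ == "__main__":
    for r in triage(restores_by_hash(parse_events(SAMPLE_EVENTS)), KNOWN_BAD):
        print(f'{r["users"]:>3} users {r["events"]:>3} events  {r["sha256"][:16]}...  '
              f'{r["detection"]:<20} {r["verdict"]}')
```

Counting distinct users rather than raw events matters: a single user repeatedly restoring the same file would otherwise float a hash to the top of the list, and the point of the review is to find files many independent people are choosing to run. A hash that ranks high and is already in the known-bad list is the case the post describes, where the detection was right and the users were wrong.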

Guest Mature

FP is always tough to handle...

Maybe you could put a "vote" on this "threat" to see how many users have rolled back this file.


Thanks for the info on the Conficker troubles. I read somewhere that this type of malware can hide in what would otherwise be legitimate software. Something good to remember if IMP quarantines some application you think is safe. A good rule of thumb would be then, if in doubt, submit the file(s) for evaluation before taking it out of quarantine, right?


Thanks for the info on the Conficker troubles. I read somewhere that this type of malware can hide in what would otherwise be legitimate software. Something good to remember if IMP quarantines some application you think is safe. A good rule of thumb would be then, if in doubt, submit the file(s) for evaluation before taking it out of quarantine, right?

 

Yes, when in doubt, submit the software. If not to us, then to another AV vendor or to VirusTotal, Jotti, etc.

 

al


At first I was curious why IMP quarantined a software program called HddLed 1.7, which I found useful since I run multiple drives. I have used this program for years with no apparent ill effects. I did some research, however, and found this version of HddLed had a buffer overflow attack vulnerability in its code, and Immunet spotted the problem. For anyone not familiar with what a buffer overflow is, here is a link: What Is A Buffer Overflow


You can hide all kinds of malware in installers. I've often seen TDSS come with a keygen, so you have the real keygen + TDSS dropper packed together :-)
