Jump to content

Testing With Threats And Reporting Fp's


alfred

Recommended Posts

All,

 

 

Unless you are running a VM I have to advise against testing live malware. This portion of the beta is not focused on 'detections' as much as it is on installation and operational quality. However, if you do test malware and are able to produce FN's (False Negatives, files we miss but should otherwise catch) please only report this IF you can provide the malware to us either through an:

 

a) External link

B) FTP

c) SHA256 of the file (so we can attempt to track it down ourselves)

 

Without the data to review on FN's the reporting is not super helpful.

 

In the event of an FP (False Positive, file we convict that we should not be convicting) please report this IF you can provide some (or all) of the following data:

 

a) The software package name (as well as version and language)

B) The OS the detection happened on (32/64 bit)

c) The name of the detection which hit it.

d) URL to the package if available.

e) SHA256 of the file (so we can attempt to track it down ourselves)

 

If you need a tool to generate SHA256 checksums please see:

 

http://md5deep.sourceforge.net/#download

 

Thanks all,

al

Link to comment
Share on other sites

Hallo i found a new false positive with Clamav for Windows, i delete Clamav engine, but i left activate the Ethos/ Spero engine, i found at the this attachment.

 

Hallo, when i upload this attachment to Avira Team said me "The file 'folderpilot_v100.exe' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Folder Pilot 1.00 '. " but Immunet detect this attach as W32 Suspicious, please check it.

 

good analyse.

 

Report thread: http://forum.immunet.com/index.php?/topic/564-false-positive/

 

 

If you want to fix here there is a small information.

 

Nome File : folderpilot_v100.exe

Dimensione File : 1784727 byte

Tipo file : PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : 2c00df1f1f843bfde9d6de2f0c3b5da2

SHA1 : 106c466227edde8c2ccabef78b2bdeb1ba685350

SHA256: 4d7971e388b76377b31625f70920973f82aafc9cb89d17f6d9e046f7496a950e

 

VT (http://www.virustotal.com/file-scan/report.html?id=4d7971e388b76377b31625f70920973f82aafc9cb89d17f6d9e046f7496a950e-1292432121)

 

the attachment is : http://forum.immunet.com/index.php?app=core&module=attach&section=attach&attach_id=394

 

 

this a detection of Spero or Ethos, please check it.

 

Alfred: in these thread the detection is fixed. " i wait for an upgrade :)".

Link to comment
Share on other sites

Hallo i found a new false positive with Clamav for Windows, i delete Clamav engine, but i left activate the Ethos/ Spero engine, i found at the this attachment.

 

Hallo, when i upload this attachment to Avira Team said me "The file 'folderpilot_v100.exe' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Folder Pilot 1.00 '. " but Immunet detect this attach as W32 Suspicious, please check it.

 

good analyse.

 

Report thread: http://forum.immunet.com/index.php?/topic/564-false-positive/

 

 

If you want to fix here there is a small information.

 

Nome File : folderpilot_v100.exe

Dimensione File : 1784727 byte

Tipo file : PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : 2c00df1f1f843bfde9d6de2f0c3b5da2

SHA1 : 106c466227edde8c2ccabef78b2bdeb1ba685350

SHA256: 4d7971e388b76377b31625f70920973f82aafc9cb89d17f6d9e046f7496a950e

 

VT (http://www.virustotal.com/file-scan/report.html?id=4d7971e388b76377b31625f70920973f82aafc9cb89d17f6d9e046f7496a950e-1292432121)

 

the attachment is : http://forum.immunet.com/index.php?app=core&module=attach&section=attach&attach_id=394

 

 

this a detection of Spero or Ethos, please check it.

 

Alfred: in these thread the detection is fixed. " i wait for an upgrade :)".

 

Awesome, this is fixed. Please mail me direct (alfred@immunet.com) and I can send you a key.

Link to comment
Share on other sites

Hallo i found some false positive with Avira detection (don't detect this malware)

 

1)alg.exe

File type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Name it: W32.trojan.00a1

SHA256: 00a120ddecaaa7d302d61a8515a5294462a6a35ce7ae453a553abe3d02663bea

 

NB: When i upload this attachment on the ticket system of avira, said it's false positive, now the Avira don't detect it.

 

Virustotal: http://www.virustotal.com/file-scan/report.html?id=00a120ddecaaa7d302d61a8515a5294462a6a35ce7ae453a553abe3d02663bea-1292532776

 

2)File name: cleansvc.exe

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : 44a3c22f6fff82e60a4e86c584617155

SHA1 : 4ba9ec69f889900347639cc704ce67f881dcf355

SHA256: 179dab70da38253cd2f8b1ef29905528134c7d5cca9c7d23452e99e443e72b2c

Detection as: W32.TROJAN.179D

 

NB: When i upload this attachment on the ticket system of avira, said it's false positive, because before Avira detect it but they don't have found any problem is a legit program and they has delete this attachment.

 

3)file name: desktop.exe

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : ead731c0000faef18bbdabbfdbd7649a

SHA1 : db92ebd88a324b7a4d1d22e1a2a4913c514d2f1b

SHA256: 3307009190dc850d5cd88a991519f2c704a684eb7b2e0eec8a7afc91587afe98

Name detect as: W32.TROJAN.3307

 

Virustotal: http://www.virustotal.com/file-scan/report.html?id=179dab70da38253cd2f8b1ef29905528134c7d5cca9c7d23452e99e443e72b2c-1292533784

 

NB: When i upload this attachment on the ticket system of avira, said it's false positive, now the Avira don't detect it.

 

4)File name: desktopset.exe

File Typo: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : 580b7c31d8cd5ba29482f55f4225600d

SHA1 : 78c8e29237a4874117bc12c2ee3d5436dbd4445a

SHA256: ac8397c2ff240493433f744f1e61719b61436c2a18ab0bab87b2780e3bb3f78a

Name detect as: W32.Trojan.AC83

 

Virustotal: http://www.virustotal.com/file-scan/report.html?id=ac8397c2ff240493433f744f1e61719b61436c2a18ab0bab87b2780e3bb3f78a-1292536091

 

NB: Team avira said me: "The file 'desktopset.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. "

 

5)getlic.exe

File typo:PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : 0e653e663a82623b80fc4be1bc0dab54

SHA1 : d862853e0bd6c5415a2d1631031fafeaf06dd3f6

SHA256: ba18b1fab1ec806c5e11959746780087e941f3820091a9bc6ee8362f9fc053c9

Name detect as: W32.TROJAN

 

virustotal: http://www.virustotal.com/file-scan/report.html?id=ba18b1fab1ec806c5e11959746780087e941f3820091a9bc6ee8362f9fc053c9-1292537312

 

NB:Avira team said: The file 'getlic.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content." please check it.

 

6)ghp.exe

File typo: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : c75dd88ff809358b5337d1af66c5c3ae

SHA1 : e8a3b9fbd3d508e7e29f0f7f7a374ff29e3038cf

SHA256: 8786ecbdffebc65097c1505f2f22940a81a558b9abaa769a3b7568a423dea0bc

Name detect as: W32.malwaref

 

Virustotal: http://www.virustotal.com/file-scan/report.html?id=8786ecbdffebc65097c1505f2f22940a81a558b9abaa769a3b7568a423dea0bc-1292539725

 

NB: Avira team said me: The file 'ghp.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. " Please check it.

 

7) File name: ghp2.exe

Typo File: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : 64e1a2b9da2ac40b8e64f3d511ce6d96

SHA1 : e653fc306fc6bf1e821d925d42550b4e9b5d5a5c

SHA256: 6f2dfa1951ed5a34ffb7c365cb81cda163d76deb24009aa3b3e4e44527f4e175

Name detect as: W32.Trojan.6F2D

 

Virustotal: http://www.virustotal.com/file-scan/report.html?id=6f2dfa1951ed5a34ffb7c365cb81cda163d76deb24009aa3b3e4e44527f4e175-1292540020

 

Avira team said me: The file 'ghp2.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Please check it.

 

8)FIle name: nplogon.exe

TYpo file: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : 8cb4a8b1df76ff5067e26a7081ec3878

SHA1 : e82d4e926d16ef0ffc6fda8bd4d9b3959375367e

SHA256: faa441d04e3887dfb4fc39201d021c483ee8c658869af02d995ed925a0600c92

Name detect as: W32.Trojan.FAA4

Virustotal: http://www.virustotal.com/file-scan/report.html?id=faa441d04e3887dfb4fc39201d021c483ee8c658869af02d995ed925a0600c92-1292541004

Virscan.org: http://www.virscan.org/report/aa71f0aab816871952ce5d74e91334b7.html

 

Avira team: The file 'nplogon.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm.. " Please check it.

 

9)File name: nport.exe

Typo file: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : 04bb4658a27572c56f3ab4ff2a8a74fd

SHA1 : 6380bdf25587d2269ba099e7457e5f9e80fd8e0c

SHA256: 0bf1ab2d0ea6c6e9c440e900b813789b4a16980b6f778787eeb980a5a2e809e8

Detect as: W32.Trojan.

for Team of Avira said Clean, please check it.

 

 

10)UnHideFolder.exe

Typo file: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : 8211396de1b8388d9cbb4fe8e7f46a7d

SHA1 : e7df918dd79b5551674516c21db8f9832b759cdd

SHA256: d2ac081493f976d9f22773133d4ac0331f8b89d16c8c77081b40c1a4df652332

Detect as: W32.Trojan.2dac

 

Virustotal: http://www.virustotal.com/file-scan/report.html?id=d2ac081493f976d9f22773133d4ac0331f8b89d16c8c77081b40c1a4df652332-1292543122

Virscan: http://www.virscan.org/report/9a91cbd233e7378dae6e34c62293c95b.html

 

Avira team: The file 'UnHideFolder.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm." please check it.

 

the detection is not present with Tetra and Clamav engine, please check it.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...