alfred, posted December 15, 2010

All,

Unless you are running a VM I have to advise against testing live malware. This portion of the beta is not focused on 'detections' as much as it is on installation and operational quality. However, if you do test malware and are able to produce FNs (False Negatives: files we miss but should otherwise catch), please only report this IF you can provide the malware to us through one of:
a) External link
b) FTP
c) SHA256 of the file (so we can attempt to track it down ourselves)
Without the data to review on FNs the reporting is not super helpful.

In the event of an FP (False Positive: a file we convict that we should not be convicting), please report this IF you can provide some (or all) of the following data:
a) The software package name (as well as version and language)
b) The OS the detection happened on (32/64 bit)
c) The name of the detection which hit it.
d) URL to the package if available.
e) SHA256 of the file (so we can attempt to track it down ourselves)

If you need a tool to generate SHA256 checksums please see: http://md5deep.sourceforge.net/#download

Thanks all,
al
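Every report later in this thread carries the same identification block (file name, size, PE type string, MD5/SHA1/SHA256). The script below is an added example written for this page; it is not Immunet's, Avira's or md5deep's code. It computes the three digests with the standard library and parses only the MZ, COFF and optional-header fields needed to produce a type string such as "PE32 executable for MS Windows (GUI) Intel 80386 32-bit", returning a descriptive string instead of raising on a malformed header. The `build_sample_pe()` input is a constructed minimal header, included so the script runs offline without a real executable.

```python
"""Produce the file-identification block used in the FP/FN reports in this thread.

Added example (not Immunet's, Avira's or md5deep's code): for a given file it
prints file name, size, a coarse PE type string and MD5 / SHA1 / SHA256.
Only the header fields needed for the type string are parsed, so an odd or
truncated header yields a descriptive string rather than an exception.
"""
import hashlib
import struct
import sys
from pathlib import Path

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification.
MACHINE = {0x014C: "Intel 80386 32-bit", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
# IMAGE_SUBSYSTEM_* values that matter for the "GUI"/"console" wording.
SUBSYSTEM = {2: "GUI", 3: "console"}


def describe_pe(data: bytes) -> str:
    """Classify a PE image from its headers; never raises on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE file"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ executable without PE header"
    # COFF header: Machine at +4, SizeOfOptionalHeader at +20 (relative to the signature).
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    # Subsystem sits at optional-header offset 68 for both PE32 and PE32+.
    if opt_size < 70 or opt + 70 > len(data):
        return "PE with truncated optional header"
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    kind = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"PE(magic=0x{magic:X})")
    return (f"{kind} executable for MS Windows "
            f"({SUBSYSTEM.get(subsystem, f'subsystem {subsystem}')}) "
            f"{MACHINE.get(machine, f'machine 0x{machine:X}')}")


def hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 hex digests, the identifiers the thread asks for."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def report(file_name: str, data: bytes) -> dict:
    """All fields of one report entry as a dict."""
    entry = {"file_name": file_name, "file_size": len(data), "file_type": describe_pe(data)}
    entry.update(hashes(data))
    return entry


def format_report(entry: dict) -> str:
    """Render an entry in the same 'label: value' layout used in this thread."""
    return "\n".join([
        f"File name: {entry['file_name']}",
        f"File size: {entry['file_size']} bytes",
        f"File type: {entry['file_type']}",
        f"MD5: {entry['md5']}",
        f"SHA1: {entry['sha1']}",
        f"SHA256: {entry['sha256']}",
    ])


def build_sample_pe() -> bytes:
    """Constructed sample: a minimal MZ + COFF + PE32 optional header (312 bytes).
    It is not a runnable program, just enough header to exercise describe_pe()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic = PE32
    struct.pack_into("<H", opt, 68, 2)                      # Subsystem = Windows GUI
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python report.py <file>; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        path = Path(sys.argv[1])
        print(format_report(report(path.name, path.read_bytes())))
    else:
        print(format_report(report("sample.exe", build_sample_pe())))
```

Run it against the file you intend to submit and paste the output into the report; the SHA256 line is the one Alfred asks for above, and the MD5/SHA1 lines let other scanners' reports (VirusTotal, Virscan) be matched to the same sample.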
etms51, posted December 15, 2010

Hello, I found a new false positive with ClamAV for Windows. I deleted the ClamAV engine but left the Ethos/Spero engine active, and I found it on this attachment. When I uploaded this attachment, the Avira team told me: "The file 'folderpilot_v100.exe' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Folder Pilot 1.00'." But Immunet detects this attachment as W32 Suspicious; please check it. Good analysis.

Report thread: http://forum.immunet.com/index.php?/topic/564-false-positive/

If you want to fix it, here is a small amount of information.
File name: folderpilot_v100.exe
File size: 1784727 bytes
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 2c00df1f1f843bfde9d6de2f0c3b5da2
SHA1: 106c466227edde8c2ccabef78b2bdeb1ba685350
SHA256: 4d7971e388b76377b31625f70920973f82aafc9cb89d17f6d9e046f7496a950e
VT: http://www.virustotal.com/file-scan/report.html?id=4d7971e388b76377b31625f70920973f82aafc9cb89d17f6d9e046f7496a950e-1292432121
The attachment is: http://forum.immunet.com/index.php?app=core&module=attach&section=attach&attach_id=394
This is a detection of Spero or Ethos; please check it.

Alfred: in this thread the detection is fixed. "I wait for an upgrade."
alfred (author), posted December 15, 2010

Quoting etms51: "Hello, I found a new false positive with ClamAV for Windows. I deleted the ClamAV engine but left the Ethos/Spero engine active, and I found it on this attachment. When I uploaded this attachment, the Avira team told me: 'The file 'folderpilot_v100.exe' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Folder Pilot 1.00'.' But Immunet detects this attachment as W32 Suspicious; please check it. Good analysis. Report thread: http://forum.immunet.com/index.php?/topic/564-false-positive/ If you want to fix it, here is a small amount of information. File name: folderpilot_v100.exe; File size: 1784727 bytes; File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit; MD5: 2c00df1f1f843bfde9d6de2f0c3b5da2; SHA1: 106c466227edde8c2ccabef78b2bdeb1ba685350; SHA256: 4d7971e388b76377b31625f70920973f82aafc9cb89d17f6d9e046f7496a950e; VT: http://www.virustotal.com/file-scan/report.html?id=4d7971e388b76377b31625f70920973f82aafc9cb89d17f6d9e046f7496a950e-1292432121; the attachment is: http://forum.immunet.com/index.php?app=core&module=attach&section=attach&attach_id=394 This is a detection of Spero or Ethos; please check it. Alfred: in this thread the detection is fixed. 'I wait for an upgrade :)'."

Awesome, this is fixed. Please mail me direct (alfred@immunet.com) and I can send you a key.
etms51, posted December 16, 2010

Hello, I found some false positives with Avira detection (Avira doesn't detect this malware).

1) alg.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Named: W32.trojan.00a1
SHA256: 00a120ddecaaa7d302d61a8515a5294462a6a35ce7ae453a553abe3d02663bea
NB: When I uploaded this attachment to the Avira ticket system they said it's a false positive; now Avira doesn't detect it.
Virustotal: http://www.virustotal.com/file-scan/report.html?id=00a120ddecaaa7d302d61a8515a5294462a6a35ce7ae453a553abe3d02663bea-1292532776

2) File name: cleansvc.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 44a3c22f6fff82e60a4e86c584617155
SHA1: 4ba9ec69f889900347639cc704ce67f881dcf355
SHA256: 179dab70da38253cd2f8b1ef29905528134c7d5cca9c7d23452e99e443e72b2c
Detected as: W32.TROJAN.179D
NB: When I uploaded this attachment to the Avira ticket system they said it's a false positive: Avira detected it before, but they have not found any problem, it is a legit program, and they deleted this attachment.

3) File name: desktop.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: ead731c0000faef18bbdabbfdbd7649a
SHA1: db92ebd88a324b7a4d1d22e1a2a4913c514d2f1b
SHA256: 3307009190dc850d5cd88a991519f2c704a684eb7b2e0eec8a7afc91587afe98
Name detected as: W32.TROJAN.3307
Virustotal: http://www.virustotal.com/file-scan/report.html?id=179dab70da38253cd2f8b1ef29905528134c7d5cca9c7d23452e99e443e72b2c-1292533784
NB: When I uploaded this attachment to the Avira ticket system they said it's a false positive; now Avira doesn't detect it.

4) File name: desktopset.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 580b7c31d8cd5ba29482f55f4225600d
SHA1: 78c8e29237a4874117bc12c2ee3d5436dbd4445a
SHA256: ac8397c2ff240493433f744f1e61719b61436c2a18ab0bab87b2780e3bb3f78a
Name detected as: W32.Trojan.AC83
Virustotal: http://www.virustotal.com/file-scan/report.html?id=ac8397c2ff240493433f744f1e61719b61436c2a18ab0bab87b2780e3bb3f78a-1292536091
NB: The Avira team told me: "The file 'desktopset.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm."

5) getlic.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 0e653e663a82623b80fc4be1bc0dab54
SHA1: d862853e0bd6c5415a2d1631031fafeaf06dd3f6
SHA256: ba18b1fab1ec806c5e11959746780087e941f3820091a9bc6ee8362f9fc053c9
Name detected as: W32.TROJAN
Virustotal: http://www.virustotal.com/file-scan/report.html?id=ba18b1fab1ec806c5e11959746780087e941f3820091a9bc6ee8362f9fc053c9-1292537312
NB: The Avira team said: "The file 'getlic.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content." Please check it.

6) ghp.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: c75dd88ff809358b5337d1af66c5c3ae
SHA1: e8a3b9fbd3d508e7e29f0f7f7a374ff29e3038cf
SHA256: 8786ecbdffebc65097c1505f2f22940a81a558b9abaa769a3b7568a423dea0bc
Name detected as: W32.malwaref
Virustotal: http://www.virustotal.com/file-scan/report.html?id=8786ecbdffebc65097c1505f2f22940a81a558b9abaa769a3b7568a423dea0bc-1292539725
NB: The Avira team told me: "The file 'ghp.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm." Please check it.

7) File name: ghp2.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 64e1a2b9da2ac40b8e64f3d511ce6d96
SHA1: e653fc306fc6bf1e821d925d42550b4e9b5d5a5c
SHA256: 6f2dfa1951ed5a34ffb7c365cb81cda163d76deb24009aa3b3e4e44527f4e175
Name detected as: W32.Trojan.6F2D
Virustotal: http://www.virustotal.com/file-scan/report.html?id=6f2dfa1951ed5a34ffb7c365cb81cda163d76deb24009aa3b3e4e44527f4e175-1292540020
The Avira team told me: "The file 'ghp2.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm." Please check it.

8) File name: nplogon.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 8cb4a8b1df76ff5067e26a7081ec3878
SHA1: e82d4e926d16ef0ffc6fda8bd4d9b3959375367e
SHA256: faa441d04e3887dfb4fc39201d021c483ee8c658869af02d995ed925a0600c92
Name detected as: W32.Trojan.FAA4
Virustotal: http://www.virustotal.com/file-scan/report.html?id=faa441d04e3887dfb4fc39201d021c483ee8c658869af02d995ed925a0600c92-1292541004
Virscan.org: http://www.virscan.org/report/aa71f0aab816871952ce5d74e91334b7.html
Avira team: "The file 'nplogon.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm." Please check it.

9) File name: nport.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 04bb4658a27572c56f3ab4ff2a8a74fd
SHA1: 6380bdf25587d2269ba099e7457e5f9e80fd8e0c
SHA256: 0bf1ab2d0ea6c6e9c440e900b813789b4a16980b6f778787eeb980a5a2e809e8
Detected as: W32.Trojan. The Avira team said it is clean; please check it.

10) UnHideFolder.exe
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 8211396de1b8388d9cbb4fe8e7f46a7d
SHA1: e7df918dd79b5551674516c21db8f9832b759cdd
SHA256: d2ac081493f976d9f22773133d4ac0331f8b89d16c8c77081b40c1a4df652332
Detected as: W32.Trojan.2dac
Virustotal: http://www.virustotal.com/file-scan/report.html?id=d2ac081493f976d9f22773133d4ac0331f8b89d16c8c77081b40c1a4df652332-1292543122
Virscan: http://www.virscan.org/report/9a91cbd233e7378dae6e34c62293c95b.html
Avira team: "The file 'UnHideFolder.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm." Please check it.
The detection is not present with the Tetra and ClamAV engines; please check it.