Author Topic: ===> False Positives <===  (Read 219062 times)

0 Members and 1 Guest are viewing this topic.

Reply #420July 07, 2020, 08:13:46 pm

Mops21

  • Jr. Member

  • Offline
  • **

  • 61
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #420 on: July 07, 2020, 08:13:46 pm »
Hi

Thank you very much for your Infos

And have you any Infos for the Xvirus and for the XSec Antivirus Samples that I upload here for me

With best Regards
Mops21

Reply #421July 07, 2020, 09:24:56 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2555
  • Reputation:
    91
    • View Profile
Re: ===> False Positives <===
« Reply #421 on: July 07, 2020, 09:24:56 pm »
Hi Mops21,

You are very welcome.
No, not yet.

Regards.

Reply #422July 08, 2020, 07:36:52 pm

Mops21

  • Jr. Member

  • Offline
  • **

  • 61
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #422 on: July 08, 2020, 07:36:52 pm »
Hi

Thank you very much for your Infos

With best Regards
Mops21

Reply #423August 17, 2020, 05:57:31 am

kinglan10

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #423 on: August 17, 2020, 05:57:31 am »
Hey I'm new here and I think I may have gotten a false positive using roguekiller. I hope I'm getting this reporting thing right

RogueKiller Anti-Malware V14.6.3.0 (x64) [Aug 10 2020] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.18363) 64 bits
Started in : Normal mode
User : IVES [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20200813_142051, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2020/08/16 23:19:16 (Duration : 00:29:27)
Switches : -minimize

いいいいいいいいいいいい Processes いいいいいいいいいいいい

いいいいいいいいいいいい Process Modules いいいいいいいいいいいい

いいいいいいいいいいいい Services いいいいいいいいいいいい

いいいいいいいいいいいい Tasks いいいいいいいいいいいい

いいいいいいいいいいいい Registry いいいいいいいいいいいい

いいいいいいいいいいいい WMI いいいいいいいいいいいい

いいいいいいいいいいいい Hosts File いいいいいいいいいいいい

いいいいいいいいいいいい Files いいいいいいいいいいいい
[Tr.Gen (Malicious)] (file) pbsvc.exe -- (Even Balance, Inc.) C:\Windows\SysWOW64\pbsvc.exe -> Found

いいいいいいいいいいいい Web browsers いいいいいいいいいいいい

いいいいいいいいいいいい Antirootkit : 0 (Driver: Loaded) いいいいいいいいいいいい





So yeah, this may be a false positive I think, the VT score is "not scanned" btw, though I do have the file quarantined rn just in case.
« Last Edit: August 17, 2020, 06:38:40 am by kinglan10 »

Reply #424August 17, 2020, 10:07:26 am

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2555
  • Reputation:
    91
    • View Profile
Re: ===> False Positives <===
« Reply #424 on: August 17, 2020, 10:07:26 am »
Hi kinglan10,

Welcome to Adlice.com Forum and thanks for your feedback.

This detection is indeed a false positive and will be removed in the next signature definitions package.
In the meantime, you can safetly restore this file from the quarantine area.

Regards.

Reply #425August 18, 2020, 04:04:02 am

kinglan10

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #425 on: August 18, 2020, 04:04:02 am »
Hi kinglan10,

Welcome to Adlice.com Forum and thanks for your feedback.

This detection is indeed a false positive and will be removed in the next signature definitions package.
In the meantime, you can safetly restore this file from the quarantine area.

Regards.



Hello Curson, thank you for the reply. :)
I'm glad this file was a picked up merely as a false positive, I'll be restoring this file back to it's location.

Take care sir.

Reply #426August 18, 2020, 01:10:52 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2555
  • Reputation:
    91
    • View Profile
Re: ===> False Positives <===
« Reply #426 on: August 18, 2020, 01:10:52 pm »
Hi kinglan10,

You are very welcome.
Take care, too.

Regards.

Reply #427January 25, 2021, 06:28:36 pm

Trombyl

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #427 on: January 25, 2021, 06:28:36 pm »
Just ran a scan and it detected all of my vst's (virtual instruments for music production, .dll's) and the folder they were in as trojans (tr.ursu) which I assume is a false positive? I can see no reason as to why they would suddenly have become malicious
« Last Edit: January 25, 2021, 06:34:39 pm by Trombyl »

Reply #428January 25, 2021, 10:51:19 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2555
  • Reputation:
    91
    • View Profile
Re: ===> False Positives <===
« Reply #428 on: January 25, 2021, 10:51:19 pm »
Hi Trombyl,

This indeed looks like a false positive.
Could you please attach RogueKiller scan report with your next reply ?

Regards.

Reply #429January 26, 2021, 12:27:17 pm

Trombyl

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #429 on: January 26, 2021, 12:27:17 pm »
Scanned another machine containing the same files and it seems like it's the folders that rougekiller has a problem with

RogueKiller Anti-Malware V14.6.1.0 (x64) [Jun 17 2020] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits
Started in : Normal mode
User : Vardagsrum [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20210125_075648, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2021/01/25 13:00:16 (Duration : 00:16:07)

いいいいいいいいいいいい Processes いいいいいいいいいいいい

いいいいいいいいいいいい Process Modules いいいいいいいいいいいい

いいいいいいいいいいいい Services いいいいいいいいいいいい

いいいいいいいいいいいい Tasks いいいいいいいいいいいい

いいいいいいいいいいいい Registry いいいいいいいいいいいい

いいいいいいいいいいいい WMI いいいいいいいいいいいい

いいいいいいいいいいいい Hosts File いいいいいいいいいいいい

いいいいいいいいいいいい Files いいいいいいいいいいいい
[Tr.Ursu (Malicious)] (folder) VSTPlugins -- C:\Program Files\VSTPlugins -> Found
[Tr.Ursu (Malicious)] (folder) VstPlugins -- C:\Program Files (x86)\VstPlugins -> Found

いいいいいいいいいいいい Web browsers いいいいいいいいいいいい

いいいいいいいいいいいい Antirootkit いいいいいいいいいいいい

いいいいいいいいいいいい Antirootkit : 0 (Driver: Loaded) いいいいいいいいいいいい

Reply #430January 26, 2021, 04:07:00 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2555
  • Reputation:
    91
    • View Profile
Re: ===> False Positives <===
« Reply #430 on: January 26, 2021, 04:07:00 pm »
Hi Trombyl,

Thanks for your feedback.
This is indeed a false positive. It's now fixed in the latest signatures package.

You can safetly restore the deleted  files and folders from the quarantine.
Sorry for the inconvenience.

Regards.

Reply #431February 07, 2021, 01:38:50 pm

Toomuch_

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #431 on: February 07, 2021, 01:38:50 pm »
Here are three false positives on my pc, virustotal does not report an infection on any of these files. I Believe these files are part of Absolute Home and office stolen computer tracker:

RogueKiller Anti-Malware V14.8.4.0 (x64) [Jan 13 2021] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.19042) 64 bits
Started in : Normal mode
User : samid [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20210203_130952, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2021/02/06 23:03:56 (Duration : 00:04:59)
Switches : -minimize

いいいいいいいいいいいい Processes いいいいいいいいいいいい

いいいいいいいいいいいい Process Modules いいいいいいいいいいいい

いいいいいいいいいいいい Services いいいいいいいいいいいい

いいいいいいいいいいいい Tasks いいいいいいいいいいいい

いいいいいいいいいいいい Registry いいいいいいいいいいいい

いいいいいいいいいいいい WMI いいいいいいいいいいいい

いいいいいいいいいいいい Hosts File いいいいいいいいいいいい

いいいいいいいいいいいい Files いいいいいいいいいいいい
[Tr.DoubleAgent (Malicious)] (file) rpcnetp.exe -- C:\Windows\System32\rpcnetp.exe -> Found
[Tr.DoubleAgent (Malicious)] (file) rpcnetp.exe -- C:\Windows\SysWOW64\rpcnetp.exe -> Found
[Tr.DoubleAgent (Malicious)] (file) rpcnetp.dll -- C:\Windows\SysWOW64\rpcnetp.dll -> Found

いいいいいいいいいいいい Web browsers いいいいいいいいいいいい

いいいいいいいいいいいい Antirootkit : 0 (Driver: Loaded) いいいいいいいいいいいい




Reply #432February 07, 2021, 05:21:01 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2555
  • Reputation:
    91
    • View Profile
Re: ===> False Positives <===
« Reply #432 on: February 07, 2021, 05:21:01 pm »
Hi Toomuch_,

Thanks for your feedback and welcome to Adlice.com Forum.
Could you please make an archive of these three files and attach it with your next reply ?

They are indeed part of Absolute Computrace, which can be used with malicious intents : Absolute Computrace Revisited
Is a Computrace module displayed in your computer BIOS/EFI ?

Regards.

Reply #433February 07, 2021, 11:23:21 pm

Toomuch_

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #433 on: February 07, 2021, 11:23:21 pm »
Here are the three files attached and compressed. Absolute was offered by my OEM manufacturer at the time of purchase HP (Spectre X360). I installed it myself, so I assume it will show up in the UEFI however, I haven't checked. I can say that my laptop is still active and being tracked on the Absolute web portal.



« Last Edit: February 07, 2021, 11:24:58 pm by Toomuch_ »

Reply #434February 08, 2021, 05:27:08 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2555
  • Reputation:
    91
    • View Profile
Re: ===> False Positives <===
« Reply #434 on: February 08, 2021, 05:27:08 pm »
Hi Toomuch_,

Thanks for your feedback again.

These files are indeed part of the legit Absolute software. However, since these files can be present on computers where the user has not installed the software (Kaspersky's article) or was even used maliciously (bootkit Lojax, see Lojack Becomes a Double-Agent) we decided not to remove the detections.

However, it will now be classified as PUP (Potentially Unwanted Software) in lieu of Trojan since, like in your case, it can have legitimate purposes.
Thank for your understanding.

Regards.