Author Topic: ===> False Positives <===  (Read 352386 times)


Reply #300, December 06, 2018, 10:14:56 PM
Curson (Global Moderator)

Hi SilenceEngaged,

Don't worry about that.
The [VT.Detection] entry shows up because this file was not present in the VirusTotal database at the time of the scan. If you allowed the file to be uploaded, it won't appear anymore.
A process reported as unknown to VirusTotal is a hint that it may be part of a polymorphic-code infection; it's a clue that can be really useful sometimes.

Regards.

Reply #301, December 10, 2018, 08:31:11 AM
Pierre95 (Newbie)

Hello,
I reported a FP on RogueKiller.
But I realize I may not have done it in the right place.
I posted it here
https://forum.adlice.com/index.php?topic=3550.0
Awaiting your reply
Pierre

Reply #302, December 10, 2018, 07:55:34 PM
Curson (Global Moderator)

Hello Pierre,

Thanks for the report.
I replied to you on the thread in question.

Best regards.

Reply #303, December 25, 2018, 05:09:07 PM
Trombyl (Newbie)

Lately, RogueKiller seems to occasionally detect RogueKiller's own temporary installation/update files as suspicious, which seems odd. False positive or something else?
Attached are details of such an occurrence.
« Last Edit: December 25, 2018, 05:11:51 PM by Trombyl »

Reply #304, December 25, 2018, 05:50:34 PM
Curson (Global Moderator)

Hi Trombyl,

Welcome to Adlice.com Forum and thanks for your feedback.
This is indeed a false positive, most likely caused by an issue with the latest RogueKiller version's installer. We will investigate and fix this as soon as possible.

Regards.

Reply #305, January 07, 2019, 01:44:32 PM
Pierre95 (Newbie)

Hello everyone, and happy new year 2019

I am reporting a false positive from RogueKiller (at least I think it is one)

RogueKiller: https://www.cjoint.com/c/IAev6vF8DWY

For the following lines:

Quote:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SWDUMon -- (AVG Technologies CZ, s.r.o.) C:\Windows\System32\drivers\SWDUMon.sys -> Trouvé(e)

[PUP.Slimware (Potentiellement Malicieux)] (file) SWDUMon.sys -- (AVG Technologies CZ, s.r.o.) C:\Windows\System32\drivers\SWDUMon.sys -> Trouvé(e)

VirusTotal analysis of

C:\Windows\System32\drivers\SWDUMon.sys  ==> https://www.virustotal.com/fr/file/b0746d93a46812608faf84167a178c118fa6318996e15c17df170e7b6b2d69f5/analysis/1546800717/

Signed file, signature verified, Owner: AVG Technologies

Can I have confirmation?

« Last Edit: January 07, 2019, 01:47:16 PM by Pierre95 »

Reply #306, January 08, 2019, 09:07:18 PM
Curson (Global Moderator)

Hello Pierre,

Happy new year to you too.
SlimWare was bought by AVG Technologies and therefore now has an AVG certificate. However, it is still considered a PUP by many vendors, so strictly speaking it is not a FP.

I advise you to have it uninstalled.

Best regards.

Reply #307, January 09, 2019, 08:51:52 PM
Pierre95 (Newbie)

Hello Curson,
thanks for the information

Reply #308, January 10, 2019, 10:10:47 PM
Curson (Global Moderator)

Hello Pierre,

You're welcome.

Reply #309, January 22, 2019, 08:00:47 PM
garioch7 (Jr. Member, "Phil")

I am working a topic over at Bleeping Computer where RogueKiller has identified some Intuit 2018 QuickBooks files as malicious. Please see this link. I think that these are false positives.

I purchased a 2-year subscription for RogueKiller Premium today and scanned my computer. It is detecting a legitimate Cyberlink file as malicious and is also going after a Bitdefender uninstaller file, plus some detections that it is reporting as missing. There is also a folder detection (C:\Program Data\Filter) that I regard as a possible false positive. Scan report attached. See these URLs for analysis of the detections:

https://www.systemlookup.com/Drivers/10335-000_fcl.html
https://www.hybrid-analysis.com/sample/401cd6a87b9bec1f027c081ad23320c91d668dc5dc7a11226493e6aa387be6b7?environmentId=100

I run Bitdefender 2019 Total Security and Malwarebytes Anti-Malware Premium, and neither program has detected any of these files.

I just registered on your Forums today.  Thank you and have a great day.

Regards,
-Phil
Bleeping Computer Malware Response Instructor

Reply #310, January 22, 2019, 11:18:18 PM
Curson (Global Moderator)

Hi Phil,

Welcome to Adlice.com Forum and thanks for supporting us.
It's always a pleasure to see a fellow malware fighter.

The QuickBooks files were detected with the [VT.Unknown] tag because they were not present in the VirusTotal database at the time of the scan. This should not happen again if the user has allowed the files to be uploaded.

The BitDefender uninstaller is detected because it's run from a temporary folder; RogueKiller flags it as [Suspicious.Path] because a lot of malware is run from there.

What is the content of the Filter folder?
Could you please upload the 000.fcl file with your next reply? Please zip it first, otherwise the upload form will reject it.

Regards.
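As an added example (not code from Adlice or from anyone in this thread), here is a small Python triage helper that parses report lines of the shape quoted in reply #305 and applies the explanations given in replies #300, #306 and #310: VT.Unknown/VT.Detection entries are informational, Suspicious.Path hinges on the file being run from a temp folder, and a PUP classification is not cleared by a valid publisher signature. The line format is inferred from the quoted lines; the sample report, the temp-folder markers, and every name, signer and path except the SWDUMon.sys line are assumptions.

```python
import re
from typing import Optional

# Report line shape, inferred from the detection lines Pierre95 quoted in this thread:
#   [Tag (Status)] (file) name -- (Signer) C:\path -> Found
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]\s]+)[^\]]*\]\s+\((?P<kind>\w+)\)\s+(?P<name>.+?)\s+--\s+"
    r"\((?P<signer>[^)]*)\)\s+(?P<path>[A-Za-z]:\\.*?)\s+->\s+(?P<status>.+)$"
)
# Temp-folder markers that Suspicious.Path is about (reply #310); constructed list.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

def parse_line(line: str) -> Optional[dict]:
    """Parse one report line into its fields; None for non-detection lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(d: dict) -> str:
    """Map a parsed detection to a reviewer verdict using the rules given in this thread."""
    tag, path, signer = d["tag"], d["path"], d["signer"]
    if tag in ("VT.Unknown", "VT.Detection"):
        # File merely absent from VirusTotal (replies #300/#310): not proof of malware.
        return "informational: unknown to VirusTotal, verify before removing"
    if tag == "Suspicious.Path":
        in_temp = any(m in path.lower() for m in TEMP_MARKERS)
        return "review: run from temp folder" if in_temp else "review: unusual path"
    if tag.startswith("PUP."):
        # A valid publisher signature does not clear a PUP classification (reply #306).
        return f"pup: signed by {signer}" if signer else "pup: unsigned"
    return f"review: {tag}"

def triage_report(text: str) -> dict:
    """Return {path: verdict} for every detection line in a report."""
    out = {}
    for line in text.splitlines():
        d = parse_line(line)
        if d:
            out[d["path"]] = triage(d)
    return out

# Constructed sample report: the first line is the one quoted in reply #305; the other
# two are made-up lines in the same shape (names, signers and paths are hypothetical).
SAMPLE_REPORT = """\
[PUP.Slimware (Potentiellement Malicieux)] (file) SWDUMon.sys -- (AVG Technologies CZ, s.r.o.) C:\\Windows\\System32\\drivers\\SWDUMon.sys -> Trouvé(e)
[VT.Unknown] (file) qb_example.exe -- (Example Publisher) C:\\Program Files\\QuickBooks\\qb_example.exe -> Found
[Suspicious.Path] (file) uninstall_example.exe -- (Example Publisher) C:\\Users\\phil\\AppData\\Local\\Temp\\uninstall_example.exe -> Found
Not a detection line
"""
```

Running `triage_report(SAMPLE_REPORT)` gives one verdict per detected path; lines that do not match the report shape are skipped.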

Reply #311, January 23, 2019, 07:06:03 PM
garioch7 (Jr. Member, "Phil")

Curson:

Thank you for your explanations, but if a file is tagged as [VT.Unknown], should RogueKiller default to removing it if the user selects Clean? Many users are going to think that RogueKiller has detected the file(s) as malware and be inclined to accept the default.

The content of the C:\ProgramData\Filter folder is one file: images, 12 bytes. It is marked read-only and hidden. The content of the file in hex is below:
Code:
03 99 4B D4 20 A6 F1 7D    62 87 46 C4

I am attaching the 000.fcl file in zipped format as requested.

Thank you and have a great day.

Regards,
-Phil
Bleeping Computer Malware Response Instructor

Reply #312, January 25, 2019, 07:17:58 PM
Curson (Global Moderator)

Hi Phil,

Thanks for your feedback.
Quote:
Thank you for your explanations, but if a file is tagged as [VT.Unknown], should RogueKiller default to removing it if the user selects Clean? Many users are going to think that RogueKiller has detected the file(s) as malware and be inclined to accept the default.
I asked Tigzy's opinion about that and we are probably going to change this behaviour.

Additionally, the "Filter" folder and "000.fcl" file will be whitelisted shortly.

Regards.

Reply #313, January 25, 2019, 07:22:22 PM
garioch7 (Jr. Member, "Phil")

Curson:

Thank you for your reply. Now that I have purchased RogueKiller Premium, I will be poking around and I will also be monitoring my Malware Removal Log topics even more closely, since, as a part of my standard anti-malware scans, I ask my users to run RogueKiller. You can expect to see me around in your Forums now that I am registered.

Thank you for looking into these issues for me.  Have a great weekend.

Regards,
-Phil
Bleeping Computer Malware Response Instructor

Reply #314, January 25, 2019, 07:28:16 PM
Curson (Global Moderator)

Hi Phil,

You are very welcome.
Please don't hesitate to report things that RogueKiller did not detect correctly.

Have a great weekend, too.

Regards.