Author Topic: ===> False Positives <===  (Read 351743 times)


Germán Pc
« Reply #180 on: May 05, 2016, 05:15:39 AM »
Thanks a lot for your help :). I'm going to uninstall it and I will write here how it is going.

Regards ;)

Curson (Global Moderator)
« Reply #181 on: May 05, 2016, 07:34:43 PM »
Hi Germán Pc,

You are very welcome. :)

Regards.

JukkaG
« Reply #182 on: May 07, 2016, 12:25:12 AM »
F-Secure Antivirus is again coming up as Zeus, as you can see in the attached log.

Curson (Global Moderator)
« Reply #183 on: May 08, 2016, 07:55:28 PM »
Hi JukkaG,

Thanks for letting us know. It seems the path of the process has changed.
We will whitelist it again as soon as possible.

Regards.

gamefan
« Reply #184 on: September 05, 2016, 08:36:43 AM »
Hello

I am here to report false positives.

A scan with RogueKiller found 2 potential files:

[PUP.Gen][File] C:\Users\Gamefan\AppData\Local\RemoveTresoritTemp.exe -> Found
[PUP.Gen][File] C:\Users\Gamefan\AppData\Local\UninstallTresoritCompletely.exe -> Found

These are leftover uninstall exe's from Tresorit, which is a legit alternative to Dropbox; they've never been detected before on any of my scans.

I uploaded both to VirusTotal:

https://www.virustotal.com/en/file/619f1109e826eb98fee8573ee325033d6f6afa37fd94b49817826613cb79dda4/analysis/1473056903/
https://www.virustotal.com/en/file/8c85f3cc07e342cfd7e38870e3af676981c6b0f80d039969a68f7f41c002b369/analysis/1473056917/

What should I do? Are these both legit files? I believe DrWeb ended up labeling the second file as safe a few minutes after I uploaded it.

gamefan
« Reply #185 on: September 05, 2016, 12:51:21 PM »
Update:

Both detections have disappeared after running a scan in safe mode after updating RK. Has it already been whitelisted?

If they still don't show up after running it again in normal mode, does that mean I'm fine?

Also, they didn't show up on the AdwCleaner, JRT, Kaspersky anti-rootkit, McAfee anti-rootkit, Malwarebytes, or HitmanPro scans. None of them found anything malicious.

Curson (Global Moderator)
« Reply #186 on: September 05, 2016, 01:37:21 PM »
Hi gamefan,

Thanks for your feedback.
These entries were indeed false positives, but this is fixed in the latest RogueKiller version, released today.

Regards.

Punit Srivastava
« Reply #187 on: September 27, 2016, 12:16:00 AM »
Hi Team,

I would like to introduce our product “ReSOLV”. We provide predictive device management software for Tech Support Providers, SMBs, IT Helpdesks, and anyone who wants to manage end-user devices.
We are associated with well-known names of the IT sector, i.e. HP, DELL, IBM, TOSHIBA and many more. My concern in writing this email to you is related to the whitelisting of our product. I am attaching here the exe & dll files of our product, which have version number 2762. Please verify accordingly. I would request you to whitelist our product in your database.

Your favor in the whitelisting process would be highly appreciated.

Regards,
Punit Srivastava
Sr. Software Engineer-Testing&Support
HFN Inc|Support Automation Delivered

Curson (Global Moderator)
« Reply #188 on: September 27, 2016, 01:13:18 AM »
Hi Punit,

Welcome to Adlice.com Forum.
Could you please provide a report of RogueKiller detecting your product?

Regards.

firefoxthebomb
« Reply #189 on: October 11, 2016, 04:31:59 PM »
I think I have some false positives here; see the log below. The items I feel are false positives are in RED.

1. The hasplms.exe file is part of the ScanSnap software that comes with my fi-6130Z scanner; the VirusTotal results are here: https://www.virustotal.com/en/file/22c58e4bf558420fee5b2d6a8f15531c768f5814a18d5f5b20cdbc8479090319/analysis/1476191969/

2. The 3 reg keys are part of my Symantec Endpoint Protection version 12.1.6 (12.1 RU6 MP5) build 7004 (12.1.7004.6500) (AntiVirus).

3. The Slack ones are part of the Slack messenger v2.2.1.

RogueKiller V12.7.1.0 (x64) [Oct 10 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : firefox [Administrator]
Started from : L:\Flash Drives\128GB Flash Drive Backup 5-26-2016\Tech CD\Utils\Ad Aware\Bleeping Computer Stuff\RogueKiller by tigzy\RogueKillerX64 V12.7.1.exe
Mode : Scan -- Date : 10/11/2016 08:13:03 (Duration : 00:38:04)

¤¤¤ Processes : 1 ¤¤¤
[Proc.RunPE] hasplms.exe(5536) -- C:\Windows\System32\hasplms.exe[7] -> Found

¤¤¤ Registry : 11 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BHDrvx64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\BASHDefs\20160922.001\BHDrvx64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\VirusDefs\20161003.002\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\VirusDefs\20161003.002\EX64.SYS) -> Found

[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1957994488-1563985344-1417001333-1107\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1957994488-1563985344-1417001333-1107\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 3 ¤¤¤
[Suspicious.Path][File] C:\Users\firefox\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slack.lnk [LNK@] C:\Users\firefox\AppData\Local\slack\Update.exe --processStart "slack.exe" -a "--startup" -> Found
[PUP][Folder] C:\Users\firefox\AppData\Roaming\Download Manager -> Found
[PUP][Folder] C:\Users\firefox\AppData\Local\PackageAware -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][FIREFX:Config] hcdjlx88.default : user_pref("browser.startup.homepage", "https://forums.malwarebytes.org/"); -> Found


¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] 9a58401060fd78b7ced0042be99fe3e8
[BSP] a4478fcfe5b4c86f09d53598ed58a5e2 : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 750 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1617920 | Size: 367112 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 753463296 | Size: 1539826 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] d4ecfbd1a1d3c4917af6d6d28c8c95d7
[BSP] 6f5fe8da57fa68252ca31cc6e5d209fd : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Generic- M.S./M.S.Pro/HG USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: Kanguru SS3 USB Device +++++
--- User ---
[MBR] 94f9443d96441ecfcdafb5853a2e8a7e
[BSP] 39eaafe8c7c2f2a60c9df4ab5a671e21 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 120348 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

Dell Precision T5600, Win7 Ultimate 64bit fully updated, Symantec Endpoint Protection,
Watchguard Firewall, Intel Xeon E5-2620 CPU, Dual Six Core Process

Curson (Global Moderator)
« Reply #190 on: October 11, 2016, 09:33:07 PM »
Hi firefoxthebomb,

Thanks for your feedback. These entries are indeed false positives.
Could you please follow the process below in order to help us whitelist the [Proc.RunPE] one?
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process hasplms.exe, right-click it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop, compress it and upload it to Google Drive/Dropbox.
  • Share the link in your next reply.
Could you also please attach the file hasplms.exe to your next reply.

Regards.
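
An added PowerShell equivalent of the collection steps above (example code, not from the thread or from Adlice): it records the PID and image path of the running process, hashes the executable with the same SHA-256 that VirusTotal reports are keyed by, writes a full memory dump, refuses to package a zero-byte dump, and zips everything for upload. It assumes Sysinternals procdump.exe is saved on the desktop next to Process Explorer; procdump is not mentioned in the thread, and the process name defaults to the one from the report above.

```powershell
# Added example: collect a false-positive sample for whitelisting (hash, exe copy, full process dump).
# Assumptions: Sysinternals procdump.exe is on the desktop (not mentioned in the thread);
# $ProcessName defaults to the process from the report above. Run from an elevated PowerShell.
param(
    [string]$ProcessName = 'hasplms',
    [string]$OutDir   = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'fp-sample'),
    [string]$ProcDump = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'procdump.exe')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Locate the process; RogueKiller reports "name(PID) -- path", so record both.
$proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $proc) { throw "Process '$ProcessName' is not running; start the software first." }
$exePath = $proc.Path   # reading a service's image path needs elevation
if (-not $exePath) { throw "Cannot read the image path of PID $($proc.Id); run PowerShell as Administrator." }

# 2. Hash and copy the on-disk executable, and note its signer and product info for the analysts.
$hash = (Get-FileHash -Path $exePath -Algorithm SHA256).Hash
$sig  = (Get-AuthenticodeSignature -FilePath $exePath).Status
$ver  = (Get-Item -Path $exePath).VersionInfo
Copy-Item -Path $exePath -Destination $OutDir -Force
@"
Process : $($proc.ProcessName) (PID $($proc.Id))
Image   : $exePath
SHA256  : $hash
Signer  : $sig
Product : $($ver.ProductName) $($ver.ProductVersion)
"@ | Set-Content -Path (Join-Path $OutDir 'sample-info.txt')

# 3. Full memory dump (-ma); the command-line equivalent of Process Explorer's Create Full Dump.
if (-not (Test-Path -Path $ProcDump)) { throw "procdump.exe not found at $ProcDump" }
$dumpPath = Join-Path $OutDir "$($proc.ProcessName)-$($proc.Id).dmp"
& $ProcDump -accepteula -ma $proc.Id $dumpPath | Out-Null

# 4. A zero-byte dump (the failure reported later in this thread) is useless to the analysts:
#    stop here rather than uploading it.
$dump = Get-Item -Path $dumpPath -ErrorAction SilentlyContinue
if (-not $dump -or $dump.Length -eq 0) {
    throw "Dump is missing or empty; re-run from an elevated PowerShell before uploading."
}

# 5. Zip the dump, the executable copy and the info file for Google Drive/Dropbox.
$zip = "$OutDir.zip"
Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath $zip -Force
Write-Host "Upload $zip and paste the link in your reply (SHA256 of the exe: $hash)."
```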

firefoxthebomb
« Reply #191 on: October 11, 2016, 09:55:18 PM »
I followed the instructions; however, the file size is 0, but I have included a copy of the exe file.

You can download it from here: https://we.tl/oJrPirkfXr (it's the WeTransfer site)

coldi
« Reply #192 on: October 12, 2016, 04:42:57 AM »
Hi there,
I have a potential false positive. A scan with the latest version showed 15 hidden.ads detections, and I think all of them are related to drivers of an older ASUS Xonar audio card, with the CMI chip on it, that I still have.
Obviously I'm not sure if that's the case, so I added the detected files and the report.
Regards.

Curson (Global Moderator)
« Reply #193 on: October 12, 2016, 12:39:07 PM »
Hi firefoxthebomb,

Thanks.
We will analyse the file.

Regards.

Curson (Global Moderator)
« Reply #194 on: October 12, 2016, 12:40:28 PM »
Hi coldi,

Thanks for your feedback.
These ADS are indeed false positives. We will fix this as soon as possible.

Regards.