Author Topic: ===> False Positives <===  (Read 155126 times)

0 Members and 1 Guest are viewing this topic.

Reply #240May 07, 2017, 06:35:52 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2310
  • Reputation:
    82
    • View Profile
Re: ===> False Positives <===
« Reply #240 on: May 07, 2017, 06:35:52 pm »
Hi GCRaistlin,

Thanks for the reports.
Kerio NetFilter driver will be whitelisted as soon as possible.

nnCron main process is detected as malicious by some anti-virus engines : nncron.exe
Since RogueKiller relies on results from VirusTotal for detection, there is little we can do. Your best bet is to get in touch with the nnCron team and ask them to ask these anti-virus companies to whitelist their product.

Regards.

Reply #241May 08, 2017, 08:29:48 pm

GCRaistlin

  • Newbie

  • Offline
  • *

  • 5
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #241 on: May 08, 2017, 08:29:48 pm »
What is the way RogueKiller relies on VirusTotal results? Is one red report there enough for RogueKiller to consider a file as a trojan?

Manually customizable white list would be good for such cases. To be precise, not a white list but ignore list for such non-adequate VirusTotal sources like Baidu.
« Last Edit: May 08, 2017, 08:37:02 pm by GCRaistlin »

Reply #242May 08, 2017, 08:58:43 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2310
  • Reputation:
    82
    • View Profile
Re: ===> False Positives <===
« Reply #242 on: May 08, 2017, 08:58:43 pm »
Hi GCRaistlin,

Yes, if one vendor detect something malicious, it will be flagged by RogueKiller as well. This choice was made to maximize the detection surface.
Premium users can make custom detections rules using RogueKiller External Scanner.

Regards.

Reply #243May 13, 2017, 03:20:54 pm

Pierre [aka Terdef]

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
    • Assiste.com
Re: ===> False Positives <===
« Reply #243 on: May 13, 2017, 03:20:54 pm »
if one vendor detect something malicious, it will be flagged by RogueKiller as well. This choice was made to maximize the detection surface.

Bonjour, Curson,

Les AV au panel de VT sont de qualités extrêmement variables. Il y en a qui sont écrits avec les pieds et les faux positifs sont légion.
Il serait préférable, et de loin, de ne pas donner d'audience aux AV marginaux afin de réduire la surface d'exposition aux faux positifs, au lieu d'agir en caisse de résonance d'erreurs.
Si RK attrape tout ce qui passe, il va se brûler les ailes. Il n'a plus sa propre existence, mais devient le reflet des autres.
En plus, certains, comme ClamAV, voient presque tout en PUP !
Je pense que, pour agir ainsi, il ne faut pas regarder si le ratio est > à zéro, mais regarder qui parle.
Des Bitdefender ou Kaspersky sont solides, avec Malwarebytes et Emsisoft, TrendMicro... Une petite liste à convenir et un nombre de détections (=> 3 ?) qui ne fait pas risquer le faux positif qui peut être beaucoup plus/trop dommageable.


Hello, Curson,

The AVs at the VT panel are of extremely variable qualities. There are some that are written with the feet and the false positives are legion.
It would be preferable, by far, not to give audience to the marginal AVs in order to reduce the area of exposure to false positives, instead of acting as a sounding board for errors.
If RK catches all that passes, it will burn its wings. It no longer has its own existence, but becomes the reflection of others.
In addition, some, like ClamAV, see almost everything in PUP!
I think that to do so, one should not look at whether the ratio is at zero, but look at who is speaking.
Bitdefender or Kaspersky are strong, with Malwarebytes and Emsisoft, TrendMicro ... A small list to agree and a number of detections (=> 3 ?) that does not risk the false positive that can be much more / too damaging.

Cordialement/Regards
Pierre (aka Terdef)
Assiste.com

Reply #244May 14, 2017, 12:55:12 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2310
  • Reputation:
    82
    • View Profile
Re: ===> False Positives <===
« Reply #244 on: May 14, 2017, 12:55:12 pm »
Bonjour Pierre,

Bienvenue sur le forum Adlice.
Merci pour le commentaire et les suggestions.

Effectivement, certains AV ne sont pas avares en faux-positifs et cela nous a déjà posé certains problèmes dans le passé.
C'est pourquoi nous sommes en train de développer MalPE, une nouvelle technologie qui se base sur l'analyse de la structure des fichiers PE pour une meilleure détection des malware et qui nous permettra de nous distancer des résultats de VT.

Ton idée de définir une liste des AV de confiance est excellente, je vais voir avec Tigzy pour l'ajouter à la roadmap du projet.

Meilleures salutations.

Reply #245May 16, 2017, 02:12:57 pm

Pierre [aka Terdef]

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
    • Assiste.com
Re: ===> False Positives <===
« Reply #245 on: May 16, 2017, 02:12:57 pm »
Bonjour, Curson,

Merci pour ton accueil.

Puisque nous sommes dans un fil de discussion sur les faux-positifs de RK, voici un truc qui la fou mal, non ?  ;)

Ce qui m'étonne, c'est que personne ne l'ait encore signalé. Je pensais que Malwarebytes Premium était plus utilisé que cela (la version gratuite n'est pas concernée par ce faux-positif).
Depuis combien de temps cela dure ?

Deux analyses, avec deux versions de RK, à 4 jours d’intervalle.
Chaque fois,
RK à jour
MB Premium à jour

Mon MBAMService.exe
SHA1 : aede492d3030e3e64413bf5ba82d751f5d4a6dca
SHA256 : bf1f9b4ac292238fa6ee541e325b220f311977f9d87d5bc7f90ad058fbf0b35a
VT : https://virustotal.com/fr/file/bf1f9b4ac292238fa6ee541e325b220f311977f9d87d5bc7f90ad058fbf0b35a/analysis/1494675157/








Cordialement

Pierre
Malwarebytes Expert
« Last Edit: May 16, 2017, 02:15:55 pm by Pierre [aka Terdef] »
Pierre (aka Terdef)
Assiste.com

Reply #246May 17, 2017, 03:28:19 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2310
  • Reputation:
    82
    • View Profile
Re: ===> False Positives <===
« Reply #246 on: May 17, 2017, 03:28:19 pm »
Bonjour Pierre,

En fait, RogueKiller detecte la base de données de malware de Malwarebytes comme contenu malveillant, d'où cette détection. Le problème à été résolu dans le cas ou Malwarebytes est installé dans le repertoire par défaut (%programfiles%\Malwarebytes\), mais pas encore si le programme est situé à un autre endroit.

Nous espérons introduire d'ici peu une liste blanche basée sur les certificats de signature de code, ce qui résoudra ce genre de problème.

Meilleures salutations.

Reply #247May 25, 2017, 08:23:07 am

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 808
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: ===> False Positives <===
« Reply #247 on: May 25, 2017, 08:23:07 am »
Hello,

Just to clarify, a VT detection needs at least 5 vendors to be triggered, i.e a file that has 4/55 won't be detected whereas a file with 5/55 will be.
We think 5 is a fair number when it comes to VT detections.

Also, we have a FP mitigation that checks RogueKiller detections on VT: If a file is detected by heuristics and the file is less than 1 on VT the detection will be dropped.



Regarding MBAM (or any other AV), this is a database conflict or database collision. Usually AVs are loading and mapping their definitions in memory, they contain strings (or hex bytes) representing many malware. This is what RogueKiller detects, and you will notice only processes are affected, not files.

This is fixed in most of the case when you install those AVs in their default location because we whitelist by path. Later, we will replace that by Digisig whitelist.
« Last Edit: May 25, 2017, 08:29:08 am by Tigzy »

Reply #248June 02, 2017, 10:47:21 am

Pierre [aka Terdef]

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
    • Assiste.com
Re: ===> False Positives <===
« Reply #248 on: June 02, 2017, 10:47:21 am »
Bonjour,

Merci à vous deux.

Cordialement
Pierre (aka Terdef)
Assiste.com

Reply #249June 02, 2017, 04:24:49 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2310
  • Reputation:
    82
    • View Profile
Re: ===> False Positives <===
« Reply #249 on: June 02, 2017, 04:24:49 pm »
Bonjour Pierre,

Si tu as d'autres questions/remarques, n'hésite surtout pas.

Meilleures salutations.

Reply #250June 04, 2017, 08:46:56 pm

Jatune

  • Newbie

  • Offline
  • *

  • 4
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #250 on: June 04, 2017, 08:46:56 pm »
Hi, today i downloaded last version of RK, 12.11.0.0 x64, and it found 7 MalPE. Are these FP? or i'm really infected?

Reply #251June 05, 2017, 02:47:36 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2310
  • Reputation:
    82
    • View Profile
Re: ===> False Positives <===
« Reply #251 on: June 05, 2017, 02:47:36 pm »
Hi Jatune,

Thanks for your feedback.
RogueKiller V12.11.0 has a bug on the MalPE engine. This should be fixed in V12.11.1. Could you please give it a try ?

Regards.

Reply #252August 02, 2017, 06:05:09 am

fleks717

  • Newbie

  • Offline
  • *

  • 1
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #252 on: August 02, 2017, 06:05:09 am »
Hi Germán Pc,

Welcome to Adlice.com Forum.
Quote
[Proc.RunPE] NvStreamService.exe(2448) -- C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe ->  Encontrado
This entry is a false positive. You could safely ignore it.

Quote
[PUP][Carpeta] C:\ProgramData\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C} -> Encontrado
This folder is malware-related. I advice you to delete it.

The rest of your report is clean.
For the issue you encounter with the update of the Nvidia drivers, you could try to completely uninstall them using the Windows control panel, then do a full reinstall with the ones you downloaded from Nvidia's website.

Regards.

How do you know "{FE8D473A-6F06-4F99-B5F4-BED72B2A038C}" is malware? ive googled and other forums says it is mostly jsut junkfiles? care to explain?

Reply #253August 02, 2017, 11:08:16 am

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2310
  • Reputation:
    82
    • View Profile
Re: ===> False Positives <===
« Reply #253 on: August 02, 2017, 11:08:16 am »
Hi fleks,

Welcome to Adlice.com Forum.

This folder is part of TuneUp 2014, flagged by antivirus engines as PUP. It's not really malicious in a way this is not part of an active infection (service or driver, linked to RUN or TASK Registry keys, etc.). For more information, please refer to Program.Optimizer by Dr.WEB.
The folder may have been registred as system folder, which are not displayed even when the "Show hidden files, folders, and drives" option is selected.

Regards.

Reply #254December 10, 2017, 03:00:20 am

Twixxin

  • Newbie

  • Offline
  • *

  • 1
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #254 on: December 10, 2017, 03:00:20 am »
RogueKiller V12.11.27.0 (x64) [Dec  4 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : DuhBoyKX [Administrator]
Started from : D:\Downloads\RogueKiller_portable64.exe
Mode : Scan -- Date : 12/10/2017 02:48:02 (Duration : 00:07:52)

¤¤¤ Processes : 1 ¤¤¤
[Adw.Elex|Adw.Wizzcaster] MBAMService.exe(3212) -- D:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[7] -> Found

¤¤¤ Registry : 4 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1023082143-743398584-2786875222-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1023082143-743398584-2786875222-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZEX-00BN5A0 +++++
--- User ---
[MBR] 72d802927eba00916c896a4d2a5b29a4
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 953740 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: KINGSTON SHFS37A120G +++++
--- User ---
[MBR] 7814cad3328eceaeeee43659e092479c
[BSP] a072cf56184c0e5b3be65f6564f2cf7e : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 499 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1024000 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1228800 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1261568 | Size: 113857 MB
User = LL1 ... OK
User = LL2 ... OK

MBAMService?