
False Positives in antivirus-programs


98 replies to this topic

#76 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,106 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 July 2015 - 05:19 AM

Kaspersky constantly removing program from whitelist.

What program would that be?
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#77 midimusicman79
  • Members
  • 419 posts
  • Gender:Male
  • Location:Norway

Posted 27 July 2015 - 08:41 AM

Hi all!

I just downloaded the new version of MiniToolBox by Farbar from 07/25/2015, and EAM flagged this as malware: Gen:Variant.Graftor.218022 ( B ); surely this must be a FP!

https://www.virustotal.com/en/file/e81b5dd7018bfaaafe8ebedc3fd66f9e2ec0aa0bc3ae401d1085bda19033bdc4/analysis/1438003408/

Thank you!

Regards,

midimusicman79


Edited by midimusicman79, 27 July 2015 - 08:46 AM.

MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Premium, WPP, SWB, HMP.A with CryptoGuard, CryptoPrevent Free, SIRI? and Unchecky, WFW, FFQ with µBO, Ghostery, HTTPS Ew and VTzilla. Acronis TI 2017, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 22 Years of PC Experience. Bold = effective.


#78 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 18,781 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 27 July 2015 - 09:04 AM

On top of that, even Google Chrome flagged the page as malicious.


I'll check the other downloads.

Edit: DDS, OTL, FRST, AdwCleaner, JRT, TFC and RKill are fine. Looks like it's just MiniToolBox so Grinler might want to contact Google about it.

Edited by Aura, 27 July 2015 - 09:05 AM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#79 Sintharius
    Bleepin' Sniper
  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 27 July 2015 - 10:17 AM

It's a detection by the BitDefender engine in Emsisoft products... I've sent it to Emsisoft, they will forward it to BitDefender.

#80 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,390 posts
  • Gender:Female
  • Location:Romania

Posted 27 July 2015 - 12:56 PM

I have forwarded it to Bitdefender, I expect it to be fixed within 24 hours.


regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#81 Sintharius
    Bleepin' Sniper
  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 27 July 2015 - 01:37 PM

On top of that, even Google Chrome flagged the page as malicious.

I would think that Google Chrome relies on VT results (since they own it). This version of MiniToolbox has a lot of detections so Google thought it was malware, and blocked the download link.

#82 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,106 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 27 July 2015 - 04:46 PM

As I have noted before...The problem is really with the anti-virus vendors who keep targeting these programs for various reasons and NOT with the tools themselves. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.

#83 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 18,781 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 27 July 2015 - 04:49 PM

It's still rare to see a program from BleepingComputer detected by so many Antivirus vendors at the time. Usually, it's less than 5. Even more weird is that avast! (for once) doesn't detect it. Well, I just hope the warning message from Google Chrome gets taken down quickly since the helpers here use MiniToolBox a lot and it could scare a few users who would attempt to download it. Of course, explaining False Positives is one thing, but now when you get a big red warning page from Google Chrome, it starts to be something else.

Edit: Just scanned it again, it's now at 17 detections (+2 from one Musicman posted).

https://www.virustotal.com/fr/file/e81b5dd7018bfaaafe8ebedc3fd66f9e2ec0aa0bc3ae401d1085bda19033bdc4/analysis/1438033897/

Edited by Aura, 27 July 2015 - 04:52 PM.



#84 cfrobw
  • Members
  • 8 posts

Posted 27 July 2015 - 07:05 PM

Could it be a virus creator is trying to make it harder for people to use the bleepingcomputer tools to recover from their demolition and thieving by reporting falsely that these tools are viruses?

Rob

#85 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,106 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 27 July 2015 - 07:15 PM

Not likely. Certain embedded files that are part of legitimate programs and specialized fix tools may at times be detected by some anti-virus and anti-malware scanners as suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, whether files are compressed or packed, what behavior (routines, scripts, etc.) it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files may be obfuscated, encrypted or password protected in order to conceal themselves, so they do not allow access for scanning but often trigger alerts by anti-virus software.

When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. Compressed and packed files in particular are often flagged as suspicious by security software because they have difficulty reading what is inside them. These detections do not necessarily mean the file is malicious or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive" and can be ignored.

Most of the well known specialized tools we use against malware are written by known experts at various security forums like Bleeping Computer, TechSupport, GeeksToGo, SpywareInfo and other similar sites so they can be trusted...this includes any program hosted by BC for download. Unfortunately, many of these tools are repeatedly falsely detected by various anti-virus programs from time to time for the reasons noted above.
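quietman7's point above, that compressed or packed content trips heuristic engines because the scanner cannot see inside it, can be observed directly by measuring byte entropy, which is the simplest signal such engines use. The following PowerShell is an added example and is not code from this thread or from any of the tools discussed: it computes the Shannon entropy of a byte buffer and of each section of a PE file on disk, and contrasts two constructed inputs (repetitive text and random bytes). The function names, the constructed inputs and the notepad.exe path used in the usage line are assumptions for illustration.

```powershell
# Added example (not from the thread): Shannon entropy in bits per byte.
# Plain code and text sit well below the 8-bit ceiling; compressed, encrypted
# or packed data approaches it, which is what a packer heuristic keys on.
function Get-ByteEntropy {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    $n = [double]$Bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $n
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return [Math]::Round($entropy, 3)
}

# Per-section entropy of a PE file, read-only.  Offsets follow the PE/COFF
# layout: e_lfanew at 0x3C, COFF header after "PE\0\0", section headers
# (40 bytes each) after the optional header.
function Get-PeSectionEntropy {
    param([Parameter(Mandatory)][string]$Path)
    $data = [System.IO.File]::ReadAllBytes($Path)
    if ($data.Length -lt 0x40 -or $data[0] -ne 0x4D -or $data[1] -ne 0x5A) {
        throw "not an MZ file: $Path"
    }
    $peOffset = [BitConverter]::ToInt32($data, 0x3C)
    if ($peOffset -lt 0 -or $peOffset + 24 -gt $data.Length -or
        [BitConverter]::ToUInt32($data, $peOffset) -ne 0x00004550) {
        throw "PE signature missing: $Path"
    }
    $coff        = $peOffset + 4
    $numSections = [int][BitConverter]::ToUInt16($data, $coff + 2)
    $optSize     = [int][BitConverter]::ToUInt16($data, $coff + 16)
    $secTable    = $coff + 20 + $optSize
    for ($i = 0; $i -lt $numSections; $i++) {
        $hdr     = $secTable + 40 * $i
        $name    = [System.Text.Encoding]::ASCII.GetString($data, $hdr, 8).TrimEnd([char]0)
        $rawSize = [int][BitConverter]::ToUInt32($data, $hdr + 16)   # SizeOfRawData
        $rawPtr  = [int][BitConverter]::ToUInt32($data, $hdr + 20)   # PointerToRawData
        if ($rawSize -le 0 -or $rawPtr -ge $data.Length) { continue }
        $end     = [Math]::Min($rawPtr + $rawSize, $data.Length)
        $section = $data[$rawPtr..($end - 1)]
        [pscustomobject]@{
            Section = $name
            RawSize = $rawSize
            Entropy = Get-ByteEntropy -Bytes $section
        }
    }
}

# Constructed demo inputs (not real samples): repetitive text vs random bytes.
$text   = [System.Text.Encoding]::ASCII.GetBytes(('The quick brown fox jumps over the lazy dog. ' * 200))
$random = New-Object byte[] 9000
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($random)
"text entropy:   $(Get-ByteEntropy -Bytes $text)"     # low: structured, repetitive
"random entropy: $(Get-ByteEntropy -Bytes $random)"   # high: near the 8-bit ceiling

# Usage against a file on disk (path is an assumption):
# Get-PeSectionEntropy -Path "$env:SystemRoot\System32\notepad.exe" | Format-Table
```

A section with entropy near 8 (typical of UPX-style packers or a large compressed resource) is exactly what a heuristic engine reacts to, and it is equally present in legitimate installers and self-extracting tools; that is why a hit of this kind on its own says nothing about intent, and why vendors clear it once the file is submitted.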

#86 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 18,781 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 27 July 2015 - 08:02 PM

Could it be a virus creator is trying to make it harder for people to use the bleepingcomputer tools to recover from their demolition and thieving by reporting falsely that these tools are viruses?

Rob


I honestly doubt that any malware creator does that. The success rate of this method is pretty close to 0%. If you submit a file as being malicious, it'll be analyzed by the Antivirus company and if legitimate files are being submitted, they'll see it.



#87 Sintharius
    Bleepin' Sniper
  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 27 July 2015 - 08:08 PM

BitDefender fixed the FP, vendors using their engine should also remove the detection of MiniToolbox in the next hour.

I'm going to submit it to McAfee and Symantec, see if they fix it.

#88 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 18,781 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 27 July 2015 - 08:09 PM

I don't know if Symantec ever bothered to fix their FP on MiniToolBox. After all, it comes from their reputation system, it's not a "real" detection if you ask me :P



#89 CKing123
  • Members
  • 1,463 posts
  • Gender:Male
  • Location:British Columbia, Canada

Posted 14 August 2015 - 12:09 PM

Hitman Pro shows svchost as a suspicious program, but it is codesigned by Microsoft. It is considered "suspicious" because it runs at startup, and most programs cannot detect them. It is a false positive. (It started showing svchost when I upgraded to Windows 10)


Edited by CKing123, 14 August 2015 - 12:16 PM.

If I am helping you and I don't respond within 2 days, feel free to send me a PM

Sysnative Windows Update Senior Analyst 

Github | Keybase


#90 cat1092
    Bleeping Cat
  • BC Advisor
  • 6,715 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 15 August 2015 - 12:52 AM

Hitman Pro shows svchost as a suspicious program, but it is codesigned by Microsoft. It is considered "suspicious" because it runs at startup, and most programs cannot detect them. It is a false positive. (It started showing svchost when I upgraded to Windows 10)

There are many Microsoft processes that are often false positives, yet one must be aware that Malware can disguise itself as such processes. It's best to go to the process folder & check it with VirusTotal.

https://www.virustotal.com/en/documentation/desktop-applications/virustotal-uploader

You may also install System Explorer & when it installs, it will offer to run a default scan; you should run it, and the results will show in your default browser (if you're running Firefox with the NoScript add-on, be sure to allow the page). It's often referred to as a Task Manager on steroids because it shows a lot more detail. Just click the Download tab for the latest version, and be sure to select the installer (top link). Runs on Windows 2000 through Windows 10.

http://systemexplorer.net/

When you run a scan with System Explorer, there's a link to the right of each file that you can check with VirusTotal, & when closing, it'll show in the notification area; one can monitor some items with this software just by hovering over that icon. Click on the icon anytime you wish to run a scan, or see the processes in more detail.

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 
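cat1092's advice above (go to the process's folder and check the file with VirusTotal) and CKing123's point that the real svchost is code-signed by Microsoft can both be checked from the console without a third-party tool. The following PowerShell is an added example, not code from this thread or from System Explorer: for every running process with a readable image path it verifies the Authenticode signature with Get-AuthenticodeSignature, computes the SHA-256 that VirusTotal indexes with Get-FileHash, and flags images that are unsigned or have a broken signature, or that carry a Windows system name but run from outside %SystemRoot% or are not signed by Microsoft. The list of system names and the VirusTotal report URL layout are assumptions; the script reads only and uploads nothing.

```powershell
# Added example (not from the thread): inventory running process images,
# verify their Authenticode signature and compute the SHA-256 that VirusTotal
# indexes.  Read-only: nothing is uploaded, terminated or modified.
function Test-ProcessImage {
    [CmdletBinding()]
    param(
        # Names that malware commonly borrows.  Assumed list; extend as needed.
        [string[]]$SystemNames = @('svchost', 'csrss', 'lsass', 'winlogon', 'services', 'explorer'),
        [string]$SystemRoot = $env:SystemRoot
    )

    # One row per distinct image path.  Get-Process returns $null in .Path for
    # protected processes or when access is denied, so those are skipped.
    $byPath = Get-Process | Where-Object { $_.Path } | Group-Object -Property Path

    foreach ($group in $byPath) {
        $path = $group.Name
        try {
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction Stop
            $hash = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction Stop).Hash
        } catch {
            Write-Warning "cannot read $path : $($_.Exception.Message)"
            continue
        }

        $signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $baseName     = [System.IO.Path]::GetFileNameWithoutExtension($path)
        $isSystemName = $SystemNames -contains $baseName   # case-insensitive
        $reasons      = @()

        # Unsigned, tampered (HashMismatch) or untrusted-chain images.
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature $($sig.Status)"
        }
        # A system binary name running from a user-writable location.
        if ($isSystemName -and -not $path.StartsWith($SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'system name outside SystemRoot'
        }
        # A system binary name whose signer is not Microsoft.
        if ($isSystemName -and $signer -notmatch 'O=Microsoft Corporation') {
            $reasons += 'system name not signed by Microsoft'
        }

        [pscustomobject]@{
            Path       = $path
            Pids       = ($group.Group.Id -join ',')
            SHA256     = $hash
            SigStatus  = $sig.Status
            Signer     = $signer
            Suspect    = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
            # Public report page for this hash; URL layout is an assumption.
            VirusTotal = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
        }
    }
}

# Usage: show only the entries that deserve a second look.
Test-ProcessImage | Where-Object Suspect |
    Format-Table Path, SigStatus, Signer, Reason -AutoSize
```

Run it from an elevated prompt to see the image paths of processes owned by other users. On Windows 10 with PowerShell 5.1 or later, catalog-signed Windows binaries such as svchost.exe report a Valid status with a Microsoft Corporation signer, which is the evidence CKing123 refers to; older hosts may report NotSigned for the same files because only embedded signatures are checked. A Suspect row is a lead to look up by hash on VirusTotal, not a verdict: an unsigned result for a third-party repair tool is common and, as the thread says, not by itself a sign of malware.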




