Problem with latest ComboFix


7 replies to this topic

#1 Escondido


Posted 01 February 2011 - 02:25 PM

Hi,

FYI - as a follow-up to http://www.bleepingcomputer.com/forums/topic372224.html, it appears as though 6 different anti-malware packages detect the latest ComboFix.exe as malware.

In my case, our SonicWall firewall's gateway anti-virus software is blocking it. It will get about 1,878,056 bytes through the transfer, then give an error.

My SonicWall log file shows this:
Gateway Anti-Virus Alert: Downloader.HA_4 (Trojan) blocked


The six anti-malware packages that detect ComboFix.exe as malware are:


SOFTWARE DETECTED AS...
~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ClamAV - PUA.Tool.Nirsofer.NirCmd
Emsisoft - Trojan-Ransom.Win32.PinkBlocker!IK
eSafe - Virus in password protected archive
Ikarus - Trojan-Ransom.Win32.PinkBlocker
Jiangmin - Trojan/Agent.dwsp
Sophos - NirCmd


If you upload ComboFix.exe to virustotal.com, you will see the above results.

So I don't know if something changed in this release of ComboFix.exe, but it is being blocked.

Edited by Escondido, 01 February 2011 - 02:29 PM.



#2 Elise


Posted 01 February 2011 - 02:40 PM

Hi Escondido,
Thank you for reporting this; I will inform Combofix's developer about this.

As a general remark: it is not recommended to run combofix unsupervised, unless you are trained to use it. This is a powerful tool and can do quite some damage in some cases.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#3 Escondido


Posted 01 February 2011 - 02:44 PM

That was super fast! Thanks Elise025!! :thumbsup:

#4 Elise


Posted 01 February 2011 - 02:47 PM

You are most welcome. :)

regards, Elise




#5 quietman7


Posted 01 February 2011 - 03:06 PM

If you look closely most of the detections are related to NirCmd, a command-line utility that allows writing to and deletion of values and keys in the registry and is used (embedded) in some specialized fix tools like Combofix. Other common detections include process.exe, pev.exe, and catchme.exe.

Certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, whether files are compressed or packed, what behavior it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files which may be encrypted or password protected do not allow access for scanning but can be detected as a threat.

Such programs have legitimate uses in contexts where a Malware Removal Expert asked you to use the tool or when an authorized user/administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program.

It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive".

The problem is really with the anti-virus vendors who keep targeting these embedded files and NOT with ComboFix. As elise025 said, we can inform the developer but he has encountered this issue before and in most cases there isn't much he can do about it.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
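As an added example (not code from this thread, from ComboFix's developer or from any of the vendors named), the triage below buckets the six detection names quoted in the first post into tool/PUA, generic-heuristic and named-family classes, and collapses names that differ only by an engine suffix on the assumption that a suffix such as `!IK` marks a licensed scanning engine rather than an independent opinion. The keyword lists and the verdict thresholds are the example's own choices, not a vendor's classification.

```python
import re
from collections import Counter

# Constructed input: the six (vendor, detection name) pairs quoted in the
# thread, typed in by hand; this is not a live VirusTotal response.
SCAN_RESULTS = [
    ("ClamAV", "PUA.Tool.Nirsofer.NirCmd"),
    ("Emsisoft", "Trojan-Ransom.Win32.PinkBlocker!IK"),
    ("eSafe", "Virus in password protected archive"),
    ("Ikarus", "Trojan-Ransom.Win32.PinkBlocker"),
    ("Jiangmin", "Trojan/Agent.dwsp"),
    ("Sophos", "NirCmd"),
]

# Name patterns from weakest to strongest evidence of real malware; the
# NirCmd/Nirsofer tokens are specific to this thread's case.
PUA_RE = re.compile(r"PUA|Riskware|HackTool|SystemTool|not-a-virus|NirCmd|Nirsofer", re.I)
GENERIC_RE = re.compile(r"Generic|Heur|Agent|Suspicious|password protected|packed", re.I)
# Assumption: a trailing "!XX" (e.g. "!IK") marks a licensed engine, so the
# name is the same opinion as that engine's own detection, not a second vote.
ENGINE_SUFFIX_RE = re.compile(r"!\w+$")


def classify(name):
    """'pua' (tool/PUA), 'generic' (heuristic/non-specific) or 'family'."""
    if PUA_RE.search(name):
        return "pua"
    if GENERIC_RE.search(name):
        return "generic"
    return "family"


def independent_signals(results):
    """Distinct names after stripping engine suffixes: shared engines count once."""
    return sorted({ENGINE_SUFFIX_RE.sub("", name) for _, name in results})


def triage(results):
    """Summarise a multi-engine result for a file from a publisher the operator
    already trusts, and say what to check before whitelisting it."""
    signals = independent_signals(results)
    buckets = Counter(classify(n) for n in signals)
    if buckets["family"] * 2 > len(signals):        # most engines name a family
        verdict = "treat as malicious; do not whitelist"
    elif buckets["family"] == 0:                    # only tool/heuristic hits
        verdict = "likely PUA/heuristic false positive; confirm hash with publisher"
    else:                                           # one or a few family hits
        verdict = "mixed; confirm hash with publisher and review the family hits"
    return {"engines": len(results), "independent": len(signals),
            "buckets": dict(buckets), "verdict": verdict}
```

On the thread's data the six vendor hits reduce to five independent signals, only one of which (PinkBlocker) names a family, so the result is "mixed" rather than a clean false positive until the file hash is confirmed with the publisher.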

#6 Escondido


Posted 01 February 2011 - 04:25 PM

Hi Bleepin' Janitor,

Thanks for the reply. Great information. I have contacted both Sophos and SonicWall; SonicWall says I can either disable checking for that trojan, or I can put a rule in to allow the file from bleepingcomputer.com. Hopefully Sophos' response is better. :)

#7 Escondido


Posted 01 February 2011 - 05:36 PM

Here is the response from Sophos:


Hello, Escondido.

Thank you for the samples.

It looks like Combofix is using NirCmd as one of its tools. The detection of NirCmd as a Potentially Unwanted Application (PUA; Hacktool/Systemtool) is correct.

NirCmd is classified as such as it can be abused by malware authors. If the use is intended please authorize, either via the quarantine or the Authorization section in the local Sophos client or the anti-virus and HIPS policy in the console.

http://www.sophos.com/security/analyses/adware-and-puas/


Details on the other files submitted:


ComboFix.exe: can be authorized

   {----- details deleted -----}



Regards,

Sabrina Wyns
Sophos Technical Support
http://www.sophos.com/support/services/technical.html


#8 quietman7


Posted 01 February 2011 - 06:46 PM

Yes, you would either have your anti-virus ignore the detection or temporarily disable it.

However, I ask that you read the pinned topic ComboFix usage, Questions, Help? - Look here about using this tool on your own.

BTW, I'm impressed by the Support Team's speed in answering you.



