Symantec Logging Combofix as a Trojan


3 replies to this topic

#1 NickJG

NickJG

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:26 AM

Posted 07 March 2012 - 09:58 AM

Good Morning:

I work for a large enterprise, where we use combofix as our 3rd party tool to remove malware from systems. The product works great, very happy with it, but for the past three weeks, Symantec has been blocking the executable as a trojan.

I've been submitting the file every time it's blocked to be whitelisted, but it seems that anytime a new version is uploaded, combofix is blocked again. This process repeats itself and we go through a day where Symantec continues to block the application.

I'm hoping that the author reads these forums, and can help out a bit to see if we can have him submit new compiled executables to their whitelist site. That site is https://submit.symantec.com/whitelist

By submitting the file as you publish, this should limit the amount of time that we spend without being able to use combofix while our Symantec AV product is running.

Thanks for your time, hopefully this is the right area to post in.

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,608 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:26 AM

Posted 07 March 2012 - 10:50 AM

Certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, whether files are compressed or packed, what behavior it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files may be obfuscated, encrypted or password protected in order to conceal themselves, so they do not allow access for scanning but often trigger alerts by anti-virus software.

Such programs have legitimate uses in contexts where a Malware Removal Expert asked you to use the tool or when an authorized user/administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. Compressed and packed files in particular are often flagged as suspicious by security software because they have difficulty reading what is inside them. These detections do not necessarily mean the file is malware or a bad program.

It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive".

The problem is really with the anti-virus vendors who keep targeting these embedded files and NOT with ComboFix. We can inform the developer but he has encountered this issue many times before and in most cases there isn't much he can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.

But as you have discovered a new version of ComboFix often encounters the same false detection and the cycle begins again. sUBs frequently updates ComboFix and much of his time is involved with doing that in order to keep ahead of the malware writers. The remainder is spent addressing bugs, issues and questions by forum experts helping others with infected computers. He simply does not have the time to submit samples every time he releases a new version of ComboFix.

I understand your frustration but please don't take my reply personally; the developer never intended ComboFix to be used in a large enterprise or business environment.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
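To illustrate the packing heuristic quietman7 describes (a scanner cannot read inside compressed or packed content, so it flags the file), here is an added example that is not from the thread or from ComboFix itself. It measures the Shannon entropy of a constructed plain buffer and of the same buffer after zlib compression; the 7.0 bits/byte cutoff is an assumed, vendor-independent stand-in for a heuristic engine's real threshold.

```python
import math
import random
import zlib
from collections import Counter

# Constructed sample input (not real ComboFix bytes): a few KB of repetitive
# ASCII "text", standing in for readable code or strings in an executable.
_rng = random.Random(2012)  # seeded so the sample is reproducible
_WORDS = (b"scan file packed tool engine detect heuristic vendor "
          b"update release whitelist trojan false positive").split()
PLAIN = b" ".join(_rng.choice(_WORDS) for _ in range(6000))

# The same data after compression, standing in for a packed section.
PACKED = zlib.compress(PLAIN, 9)

# Assumed threshold: heuristic engines typically treat ~7.0+ bits/byte as
# "compressed or encrypted"; the exact cutoff is vendor-specific.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued data, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = HIGH_ENTROPY) -> bool:
    """The heuristic from the post: high entropy means the scanner cannot see
    the real code, so the file is treated as suspicious."""
    return shannon_entropy(data) >= threshold


def classify(data: bytes) -> str:
    return "suspicious: packed/compressed" if looks_packed(data) else "readable"


if __name__ == "__main__":
    for name, buf in (("plain", PLAIN), ("packed", PACKED)):
        print(f"{name:7s} {len(buf):6d} bytes  entropy={shannon_entropy(buf):.2f}"
              f"  -> {classify(buf)}")
```

The same legitimate bytes cross the threshold purely because they were compressed, which is why a repacked release can trigger a fresh detection even though nothing malicious changed.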

#3 NickJG

NickJG
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:26 AM

Posted 07 March 2012 - 11:10 AM

Thanks for all the info. I'm very familiar with how virus definitions and heuristics scanning works. I also respect your status here on these forums, and understand I'm just a new signup posting about my woes.

However, I'm simply asking that the author spends a few minutes while publishing to submit this file to Symantec. It's a very painless process and helps him partner with Symantec to allow his product to be used.

This has a higher impact than just for my company. It's not just the corporate product that would block this, it's all consumer grade products, too.

Finally, I'm very thankful that someone like the author has taken the time to make the product, and appreciate the amount of time he spends to maintain it. Without his dedication, we'd still be using inferior products in combination with more intensive manual efforts to remove malware. I too spend most of my day dealing with malware releases in our enterprise, which has nearly 30,000 endpoints. I'm mainly interested to try and partner as much as I can with the author to see if a very simple process can be followed to prevent this from happening going forward.

Edited by NickJG, 07 March 2012 - 11:21 AM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,608 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:26 AM

Posted 07 March 2012 - 11:20 AM

If sUBs were to do that with Symantec, he would have to do the same with every other anti-virus vendor since many other products also detect ComboFix as a threat from time to time. And that can be time consuming if it must be done every few days.

In any case, sUBs does look through and read such topics relating to his tool and reported issues. Whether he will consider your suggestion rests entirely with him.

BTW, Welcome to BC NickJG. I should have said that in my first reply.