Security Check by screen317 and VirusTotal - 8 detections !


7 replies to this topic

#1 Pierre (aka Terdef)

  • Members
  • 8 posts
  • Gender:Male
  • Location:Paris (France)

Posted 03 January 2014 - 06:28 AM

Hi,

Analysis of Security Check by screen317

https://www.virustotal.com/fr/file/9cec0510099cf5cf00bdd32240be6b9d1e74f3e52d96b3c81a5651170f008def/analysis/1388747918/

Antiy-AVL                   Trojan/Win32.Agent       20140103
Jiangmin                    Trojan/Generic.birzy     20140103
Kingsoft                    VIRUS_UNKNOWN            20130829
McAfee                      Artemis!F2B0A7E1148A     20140103
McAfee-GW-Edition           Artemis!F2B0A7E1148A     20140103
Rising                      PE:Malware.XPACK/RDM!5.1 20140103
Symantec                    WS.Reputation.1          20140103
TrendMicro-HouseCall        TROJ_GEN.F47V0101        20140103

What to think?


Edited by Pierre (aka Terdef), 03 January 2014 - 06:31 AM.



#2 Union_Thug

    Bleeps with the fishes...

  • Members
  • 2,355 posts
  • Gender:Male
  • Location:is everything

Posted 03 January 2014 - 07:06 AM

Extract the contents of Security Check by screen317 and you'll find it contains the file nircmd.exe created by Nir Sofer. Check his blog post titled Antivirus companies cause a big headache to small developers. You have to make your own decision who is trustworthy or not. Personally I have used many of NirSoft's utilities for years and have been a member of and had complete trust in BC for about 5 years now. AVs like McAfee, Norton, Kingsoft, Rising, Trend... not so much.

The choice is ultimately yours.


Edited by Union_Thug, 03 January 2014 - 09:52 AM.


#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,593 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 January 2014 - 11:41 AM

False detections by anti-virus programs for specialized fix tools are not uncommon.

Certain embedded files that are part of legitimate programs or specialized fix tools, may at times be detected by some anti-virus and anti-malware scanners as suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, whether files are compressed or packed, what behavior (routines, scripts, etc) it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files may be obfuscated, encrypted or password protected in order to conceal themselves, so they do not allow access for scanning but often trigger alerts by anti-virus software.

When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. Compressed and packed files in particular are often flagged as suspicious by security software because they have difficulty reading what is inside them. These detections do not necessarily mean the file is malicious or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive" and can be ignored.

* Nirsoft: Antivirus "False Positive" Problems

The problem is really with the anti-virus vendors who keep targeting these embedded files and NOT with the tools themselves. We can inform the developers but they have encountered this issue many times before and in most cases there isn't much they can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Pierre (aka Terdef)
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:Paris (France)

Posted 03 January 2014 - 05:11 PM

Hello you two and thank you.

I know all that.

However, in this particular case, it is the high number of "false positives" that concerns me. This number is rather unusual (but the number of tools available on the VT services also increases.)

 

Pierre Pinard - Pierre (aka Terdef)
Assiste.com depuis (since) 1997
Sécurité et vie privée (Security and privacy)
Malwarebytes Expert - ASAP - 01Net Security team - Zebulon Security team



#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,593 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 January 2014 - 06:18 PM

As I explained there is not much we can do about the FP detections even if there is a higher than usual number of detections. SecurityCheck is a safe tool and does not contain malware. screen317, the developer who created Security Check, is a member of our Malware Response Team and a Global Moderator at SpywareInfo. In fact, most of the well known specialized tools we use as malware fighters are written by known experts at various security forums like Bleeping Computer, TechSupport, GeeksToGo, SpywareInfo and others so they can be trusted.

Unfortunately, many of these tools are repeatedly falsely detected by various anti-virus programs from time to time.



#6 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,085 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 03 January 2014 - 06:31 PM

Hi,

Please also take into account that these are generic or heuristics detections. This means these are not based on what someone has added to the definitions, but a detection based on the program's behaviour and how the antivirus is programmed to detect "malware". You can get AV companies to whitelist one version, but as soon as it is updated or the file changes in any way the AV will most likely detect it again.

xXToffeeXx~

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,593 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 January 2014 - 10:15 PM

Exactly.

For example, with this detection.
 

McAfee   Artemis!F2B0A7E1148A     20140103
McAfee-GW-Edition    Artemis!F2B0A7E1148A     20140103


Artemis technology is the "Active Protection" component of McAfee's Security Center which uses a combination of signature and behavior analysis to check with McAfee servers in real-time to identify possible new malware threats. This is accomplished by adding heuristics to the virus database. McAfee then uses this heuristic detection to analyze the cataloged behaviors and assess the likelihood of possible new variants of malware before the vendor can get samples and update the program's definitions for detection. This process is similar to Symantec's Bloodhound Technology.

Artemis is not the name of an actual virus, but an alert displayed by McAfee when it thinks it may have found a new virus. Artemis is included in the detection name for any file that is quarantined or blocked by McAfee's Global Threat Intelligence (GTI) technology for enhanced detection of unknown threats based on the file's behavior. Artemis detections may or may not be malicious and McAfee advises to submit detected file samples directly to the Avert Lab's Threat Center if you think it was a false detection so they can investigate further.

 


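The two points made above, that most of the eight hits are generic, heuristic or reputation verdicts (xXToffeeXx) and that McAfee's Artemis name is a GTI alert rather than a family name (quietman7), can be turned into a quick triage pass over a VirusTotal-style listing. The script below is an added example for this thread; it is not code from BleepingComputer, VirusTotal or Security Check. It parses the vendor / detection-name / date rows the original poster quoted, separates verdicts that name no concrete family from those that do, counts distinct verdict strings (engines sharing a backend repeat the same one, as the two McAfee rows do), flags engines whose definition date is stale, and pulls the SHA-256 out of the report URL. The marker list it uses is my assumption for the example, not any vendor's published naming rules; the sample rows and URL are copied from the first post.

```python
"""Triage helper for a VirusTotal-style detection listing.

Added example for this thread; not code from BleepingComputer, VirusTotal
or Security Check. The NON_SPECIFIC_MARKERS list is an assumption made for
this example, not any vendor's naming specification.
"""
import re
from collections import Counter

# Constructed input: the eight rows quoted in the first post of the thread.
SAMPLE_LISTING = """\
Antiy-AVL                   Trojan/Win32.Agent       20140103
Jiangmin                    Trojan/Generic.birzy     20140103
Kingsoft                    VIRUS_UNKNOWN            20130829
McAfee                      Artemis!F2B0A7E1148A     20140103
McAfee-GW-Edition           Artemis!F2B0A7E1148A     20140103
Rising                      PE:Malware.XPACK/RDM!5.1 20140103
Symantec                    WS.Reputation.1          20140103
TrendMicro-HouseCall        TROJ_GEN.F47V0101        20140103
"""

# VirusTotal report URL from the first post; the path carries the SHA-256.
SAMPLE_VT_URL = ("https://www.virustotal.com/fr/file/"
                 "9cec0510099cf5cf00bdd32240be6b9d1e74f3e52d96b3c81a5651170f008def"
                 "/analysis/1388747918/")

# Substrings that, for this example, mark a verdict as heuristic, generic,
# reputation- or packer-based rather than a specific family (assumed list).
NON_SPECIFIC_MARKERS = (
    "artemis!",     # McAfee GTI alert, explained in the thread
    "reputation",   # Symantec WS.Reputation.*
    "generic",      # Trojan/Generic.*
    "_gen.",        # TROJ_GEN.*
    "unknown",      # VIRUS_UNKNOWN
    ".agent",       # catch-all "Agent" family name
    "heur",         # Heur.* / HEUR: prefixes
    "xpack",        # packer-triggered verdict (assumed meaning)
)

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{8})$")
SHA256_RE = re.compile(r"/file/([0-9a-f]{64})/", re.IGNORECASE)


def parse_listing(text):
    """Return a list of (vendor, name, date) tuples; reject malformed rows."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        rows.append(m.groups())
    return rows


def is_non_specific(name):
    """True when the verdict carries no concrete family name."""
    lowered = name.lower()
    return any(marker in lowered for marker in NON_SPECIFIC_MARKERS)


def sha256_from_vt_url(url):
    """Extract the SHA-256 from a VirusTotal /file/<hash>/ URL, or None."""
    m = SHA256_RE.search(url)
    return m.group(1).lower() if m else None


def triage(text, stale_before="20140101"):
    """Summarise a listing: how many verdicts are non-specific, how many
    distinct verdict strings exist (engines sharing a backend repeat the
    same one), and which engines ran with a definition date older than
    `stale_before` (YYYYMMDD strings compare correctly as text)."""
    rows = parse_listing(text)
    names = Counter(name for _, name, _ in rows)
    non_specific = [v for v, n, _ in rows if is_non_specific(n)]
    stale = [v for v, _, d in rows if d < stale_before]
    return {
        "total": len(rows),
        "non_specific": len(non_specific),
        "specific": len(rows) - len(non_specific),
        "distinct_names": len(names),
        "shared_names": [n for n, c in names.items() if c > 1],
        "stale_engines": stale,
    }


if __name__ == "__main__":
    print("sha256:", sha256_from_vt_url(SAMPLE_VT_URL))
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On the quoted rows every one of the eight verdicts is non-specific, only seven distinct verdict strings exist because both McAfee engines report the same Artemis alert, and Kingsoft's definitions are dated months before the scan. None of that proves the file clean; it shows why "8 detections" carries less weight than eight independent family-level hits would, and the SHA-256 is what to quote when submitting a false-positive report to a vendor.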

#8 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 04 January 2014 - 05:24 AM

Hello -

Just to add a minor note -

"Chris Fistonich" (A.K.A. screen317) is a member of Malwarebytes Research Team, and also a Moderator on their forum.

I understand he graduated Malware School from the well respected SWI Forum (Spyware Information Forum) and still leaves an open contact as screen317.spywareinfoforum.org
 

This is not to mention the work he has done on this forum.

 

I have known him for quite a few years, and I have also used the program he developed for many years.

 

Each time I post the program I finish with this line =>
"Note:: If any security program requests permission to access the Internet, allow it to do so."

 

This is due to the fact that as a diagnostic tool it needs to access the computer's memory to produce the report.

 

 

Thank You -





