Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus in ComboFix download???


  • Please log in to reply
12 replies to this topic

#1 BVote

BVote

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:51 AM

Posted 13 February 2014 - 11:55 AM

Help -

I downloaded ComboFix from bleepingcomputer.com/download/combofix/.  My McAfee anti-virus software immediately reported that the downloaded file was infected. McAfee reported:

 

"Virus or threat detected

 Threat name: Artemis!76A35296969E (Trojan)"

 

Anyone else have this problem downloading the executable ComboFix.exe?

 

(The computer used to download ComboFix is not having any problems and McAfee virus detection file is up-to-date.)



BC AdBot (Login to Remove)

 


#2 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:12:51 PM

Posted 13 February 2014 - 12:11 PM

Hi BVote

 

and welcome!

 

Its a false positive!!

 

Please take a look here:

 

http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/

 

Stelios



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,905 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:51 AM

Posted 13 February 2014 - 01:07 PM

Yes, this is a false positive by the anti-virus.

Certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus and anti-malware scanners as suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, whether files are compressed or packed, what behavior (routines, scripts, etc) it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files which may be obfuscated, encrypted or password protected in order to conceal itself so they do not allow access for scanning but often trigger alerts by anti-virus software. For example, Catchme is a rootkit scanner that detects userland rootkits and is incorporated with some specialized fix tools like Combofix and GMER.

When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. Compressed and packed files in particular are often flagged as suspicious by security software because they have difficulty reading what is inside them. These detections do not necessarily mean the file is malicious or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware.
 
"Virus or threat detected
 Threat name: Artemis!76A35296969E (Trojan)"
Artemis technology is the "Active Protection" component of McAfee's Security Center which uses a combination of signature and behavior analysis to check with McAfee servers in real-time to identify possible new malware threats. This is accomplished by adding heuristics to the virus database. McAfee then uses this heuristic detection to analyze the cataloged behaviors and assess the likelihood of possible new variants of malware before the vendor can get samples and update the program's definitions for detection. This process is similar to Symantec's Bloodhound Technology.

In general, heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop if before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "false positive" when the heuristic analysis flags a file as suspicious or infected that contains no malware.

Artemis is not the name of an actual virus, but an alert displayed by McAfee when it thinks it may have found a new virus. Artemis is included in the detection name for any file that is quarantined or blocked by McAfee's Global Threat Intelligence (GTI) technology for enhanced detection of unknown threats based on the file's behavior. Thus, Artemis detections may or may not be malicious...in this case it is not.

Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive" and can be ignored. Either have your anti-virus ignore the detection or temporarily disable it until you download and run the tool.

The problem is really with the anti-virus vendors who keep targeting these embedded files and NOT with ComboFix. We can inform the developer but he has encountered this issue many times before and in most cases there isn't much he can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 TazzyOpz

TazzyOpz

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:51 AM

Posted 13 February 2014 - 02:35 PM

Yes this is a false positive and was brought up on the Mcafee Forums a few years ago.

 

Although apparently from the forum post they had fixed it... But over the years and the frequent updates that Combofix has had... I'm guessing it's having the same issue again.

 

You may just have to wait. It may be fixed later on in the future. Or you could start using a different AntiVirus such as: Avast, AVG, and Kaspersky... I believe those are pretty good when it comes to 3rd party Anti-Virus software.



#5 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:51 PM

Posted 13 February 2014 - 02:51 PM

Hi -

If you think this is silly, wait for the next one .................

 

McAfee has listed Bleeping Computer as an infection :lol: (Like the product is not bad enough already)

 

I do believe Grinler is talking with them currently to fix this false positive -



#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:51 AM

Posted 13 February 2014 - 03:22 PM

Hi -

If you think this is silly, wait for the next one .................

 

McAfee has listed Bleeping Computer as an infection :lol: (Like the product is not bad enough already)

 

I do believe Grinler is talking with them currently to fix this false positive -

It's already been fixed :)

 

You can tell antivirus to stop detecting your program, but as soon as you update it then the detection normally comes back again. The detections are normally only generic ones, or based off what is inside the tool (i.e. NirCMD), using heuristics. Some antiviruses detect the tools less than others it seems though...

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,905 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:51 AM

Posted 13 February 2014 - 03:26 PM

If you encounter this detection again, be aware that McAfee advises to submit detected Artemis file samples directly to the Avert Lab's Threat Center so they can investigate. To do this, please refer to:
* Submit a Sample To McAfee
* How to submit a possible false or incorrectly classified sample file to McAfee Labs
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 BVote

BVote
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:51 AM

Posted 13 February 2014 - 03:33 PM

Thanks to all who answered...with a special nod to quietman7.   I submitted a "false positive" report to McAfee.



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,905 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:51 AM

Posted 13 February 2014 - 03:45 PM

You're welcome on behalf of the Bleeping Computer community.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 TazzyOpz

TazzyOpz

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:51 AM

Posted 13 February 2014 - 06:19 PM

 

Hi -

If you think this is silly, wait for the next one .................

 

McAfee has listed Bleeping Computer as an infection :lol: (Like the product is not bad enough already)

 

I do believe Grinler is talking with them currently to fix this false positive -

It's already been fixed :)

 

You can tell antivirus to stop detecting your program, but as soon as you update it then the detection normally comes back again. The detections are normally only generic ones, or based off what is inside the tool (i.e. NirCMD), using heuristics. Some antiviruses detect the tools less than others it seems though...

 

xXToffeeXx~

 

Mhmm that's weird... I wonder if all they do is add an exception to a program (via) it's MD5 and or SHA1 Hash? Just a thought... I'm not sure though. However it would make sense.



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,905 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:51 AM

Posted 13 February 2014 - 06:34 PM

Each anti-virus vendor's methods are different and scanning engines are different...further they are not going to discuss specifics in public for obvious reasons.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#12 TazzyOpz

TazzyOpz

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:51 AM

Posted 13 February 2014 - 06:43 PM

Each anti-virus vendor's methods are different and scanning engines are different...further they are not going to discuss specifics in public for obvious reasons.

Yeah, It was more of an assumption. I don't really care honestly. I wasn't expecting a response as to how they actually do it.



#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,905 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:51 AM

Posted 13 February 2014 - 07:02 PM

In any event, the detection of CF and other specialized tools is not uncommon and we just have to deal with it each time the issue arises.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users