Combofix Quarantines AmazonCloudDrive.exe... false positive?


12 replies to this topic

#1 engxladso

Posted 07 November 2014 - 10:52 AM

Ran Combofix to check for malware after 0xd1 BSOD caused by Intel Wireless driver.

 

Was surprised when the log said that AmazonCloudDrive.exe had been quarantined. I went into Qoobox to have a look at the file. Its signatures looked correct to me. Its original location was in appdata/local/etcetc.

 

My gut feeling is that this detection is a false positive. Can someone confirm?

 

Thanks,

 

Adam




#2 engxladso

Posted 07 November 2014 - 11:25 AM

Just uploaded the file to virus total. Score 0/54: https://www.virustotal.com/en/file/bbe7028bfe05fa78c123f4c0a4af5f40c0a87d05a1719fa826dd8d9adbd3bcc6/analysis/1415377443/



#3 quietman7

Posted 07 November 2014 - 12:34 PM


The developer (sUBs) will need to see the log and a sample of the file so he can investigate. Please submit (upload) a copy of ComboFix.txt and the file(s) to this Submit Malware Sample page.
  • Fill in the requested information, comments and any further information.
  • Zip the file(s) using a zipping program (i.e. 7-zip, WinRAR).
  • Click the Browse... button and navigate to the location of the file.
  • Click on the file to highlight it and choose Open.
  • Click the Send File button.
  • You will not be able to view the files that have been uploaded as they only show to the authorized users who can download them.
  • sUBs will be able to collect the file(s) from there and examine them.
  • Let me know when you have done this so I can advise the developer.
Thanks
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 engxladso

Posted 10 November 2014 - 04:31 AM


I have submitted the file as requested. Sorry to not do it quicker. Your email arrived after I had left the office for the weekend.



#5 Didier Stevens

Posted 10 November 2014 - 04:47 AM

From what I see on VT, I would say FP. But let's see what sUBs says.



Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 Didier Stevens

Posted 10 November 2014 - 04:55 AM

Update: I checked the signature with my AnalyzePESig tool: nothing suspicious.


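As an added example (not part of the thread, and not Didier Stevens' AnalyzePESig tool), here are the two checks the posters made by hand, as one PowerShell function: hash the quarantined copy and compare it with the SHA-256 in the VirusTotal URL from post #2, then verify the Authenticode signature and certificate chain with the built-in Get-AuthenticodeSignature cmdlet, and pin the signer's subject. The quarantine path, and the expectation that the legitimate client is signed by Amazon, are assumptions for illustration.

```powershell
function Test-QuarantinedFile {
    <#
    Added example, not code from the thread. Reproduces the two manual checks
    the posters made on the quarantined AmazonCloudDrive.exe:
      1. hash the file and compare with the SHA-256 in the VirusTotal URL,
      2. verify the Authenticode signature and certificate chain.
    Then pins the signer subject, because a valid signature from an unexpected
    publisher is exactly how signed malware passes a casual look.
    #>
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Regex the signer's Subject must match. Assumption for this thread:
        # the legitimate client is signed by Amazon.
        [string] $ExpectedSignerPattern = 'Amazon'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # 1. Hash the exact bytes on disk. If this differs from the hash you looked
    #    up on VirusTotal, the 0/54 verdict was for a different file.
    $actual      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashMatches = $actual -ieq $ExpectedSha256

    # 2. Get-AuthenticodeSignature (WinVerifyTrust underneath) checks the
    #    signature over the PE image and the chain to a trusted root. Only
    #    'Valid' is good; NotSigned, HashMismatch, NotTrusted and UnknownError
    #    all mean the file name alone earns no trust.
    $sig      = Get-AuthenticodeSignature -LiteralPath $Path
    $signerOk = $sig.Status -eq 'Valid'

    # 3. Pin the publisher. A stolen or throwaway cert can still yield Status = Valid.
    $subject     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $publisherOk = $signerOk -and ($subject -match $ExpectedSignerPattern)
    $timestamp   = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '<no countersignature timestamp>' }

    [pscustomobject]@{
        Path             = $Path
        Sha256           = $actual
        HashMatchesVT    = $hashMatches
        SigStatus        = $sig.Status
        SigStatusMessage = $sig.StatusMessage
        Signer           = $subject
        Timestamper      = $timestamp
        # Supports (does not prove) a false-positive call, as in the thread.
        ConsistentWithFP = $hashMatches -and $publisherOk
    }
}

# Usage. The path is a placeholder for wherever Qoobox holds the quarantined
# copy; the hash is the one in the VirusTotal link in post #2 of the thread.
Test-QuarantinedFile -Path 'C:\Qoobox\Quarantine\<original path>\AmazonCloudDrive.exe' `
                     -ExpectedSha256 'bbe7028bfe05fa78c123f4c0a4af5f40c0a87d05a1719fa826dd8d9adbd3bcc6' |
    Format-List
```

A matching hash plus a valid signature from the expected publisher supports the false-positive call made in this thread; it does not by itself prove a file benign, since signed malware exists, which is why the function pins the signer rather than stopping at Status = Valid.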


#7 quietman7

Posted 10 November 2014 - 08:19 AM

sUBs has been advised of your report and provided with a link to this topic. He may reply here or just advise me as to what he has to say about it.

#8 quietman7

Posted 10 November 2014 - 11:42 AM

Fixed with ver_14-11-10.02

sUBs said to thank you for bringing it to his attention.

#9 rp88

Posted 10 November 2014 - 12:53 PM

I can't comment on whether the file is a true virus or a false positive, I know neither way. But it calls itself amazonclouddrive, I guess you intend to use the exe file to install the program-based version of the Amazon cloud backup service. I would advise just using the web interface instead; backing up is best done through the browser via uploading files in the way one would upload attachments to a Gmail email, rather than via installed programs.
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#10 Didier Stevens

Posted 10 November 2014 - 02:38 PM

It's a false positive, engxladso can safely use it.




#11 quietman7

Posted 10 November 2014 - 04:49 PM

If the file wasn't a FP, sUBs would not have fixed its removal from CF.

#12 engxladso

Posted 11 November 2014 - 03:43 AM

Glad to help. Thanks for the rapid clarification.



#13 quietman7

Posted 11 November 2014 - 08:36 AM

You're welcome.



