ComboFix and Trend Micro Threat Encyclopedia



#1 stevenabanks


Posted 11 July 2016 - 01:40 PM

Hi,


Came across an end user who downloaded ComboFix from the BC site, and then it was snagged by our Trend Micro AV software. In checking the Trend Threat Encyclopedia, I came across 72 hits in the keyword search. Are folks seeing it being integrated into other malware packages, or is it a bad apple to start with? I hadn't ran across it until this past week when our Trend logs brought it (and the oembios.exe it was trying to drop onto the workstation) to my attention. :-)


Date/Time         Computer Name  Subject                   Target                                            Attempt
2016-07-07 15:13  --removed--    C:\ComboFix\CF30136.3XE   C:\Users\--removed--\AppData\Roaming\oembios.exe  Create
2016-07-07 15:13  --removed--    C:\ComboFix\CF32079.3XE   C:\Users\--removed--\AppData\Roaming\oembios.exe  Create
2016-07-07 15:11  --removed--    C:\ComboFix\CF10525.3XE   C:\Users\--removed--\AppData\Roaming\oembios.exe  Create


http://www.trendmicro.com/vinfo/us/threat-encyclopedia/search/combofix/

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/search/oembios

http://www.bleepingcomputer.com/startups/oembios.exe-23775.html


Thanks,
Steve
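A small triage helper, added here as an example (it is not from the original post and not a Trend Micro tool): it parses records in the flattened "Date/Time Computer Name Subject Target Attempt" layout of the log above, groups them by target file, and checks whether every writing process ran from a single tool directory, which is the first thing to establish before reporting a detection as a false positive. SAMPLE_LOG is constructed to match the post's log, and the regex assumes paths without spaces, as in that log.

```python
import re
from collections import defaultdict
from typing import NamedTuple

class Event(NamedTuple):
    when: str      # "YYYY-MM-DD HH:MM" as the log prints it
    host: str      # Computer Name (already redacted as --removed-- in the post)
    subject: str   # process that performed the action
    target: str    # file acted upon
    attempt: str   # action, e.g. Create

# Constructed sample with the same shape as the flattened log in the question.
SAMPLE_LOG = (
    "Date/Time Computer Name Subject Target Attempt "
    "2016-07-07 15:13 --removed-- C:\\ComboFix\\CF30136.3XE "
    "C:\\Users\\--removed--\\AppData\\Roaming\\oembios.exe Create "
    "2016-07-07 15:13 --removed-- C:\\ComboFix\\CF32079.3XE "
    "C:\\Users\\--removed--\\AppData\\Roaming\\oembios.exe Create "
    "2016-07-07 15:11 --removed-- C:\\ComboFix\\CF10525.3XE "
    "C:\\Users\\--removed--\\AppData\\Roaming\\oembios.exe Create"
)

# One record = timestamp, host, two Windows paths, action word. The paths in
# this log contain no spaces, which is what makes the flattened text splittable.
_RECORD = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) ([A-Za-z]:\\\S+) ([A-Za-z]:\\\S+) (\w+)"
)

def parse_events(text: str) -> list[Event]:
    """Recover the individual events from the flattened text (header is skipped)."""
    return [Event(*m.groups()) for m in _RECORD.finditer(text)]

def summarize_by_target(events: list[Event]) -> dict[str, dict]:
    """Per target file: attempt count, the actions seen, and the directories the
    writing processes ran from (case-folded, since NTFS paths are)."""
    out: dict[str, dict] = defaultdict(
        lambda: {"count": 0, "attempts": set(), "writer_dirs": set()})
    for ev in events:
        entry = out[ev.target.lower()]
        entry["count"] += 1
        entry["attempts"].add(ev.attempt)
        entry["writer_dirs"].add(ev.subject.lower().rsplit("\\", 1)[0])
    return dict(out)

def all_writers_from(events: list[Event], tool_dir: str) -> bool:
    """True when every subject lives under tool_dir. One writer directory that
    matches the tool the user just ran supports (not proves) a false positive;
    writers from elsewhere, or a tool path nobody installed, deserve a closer look."""
    prefix = tool_dir.lower().rstrip("\\") + "\\"
    return bool(events) and all(ev.subject.lower().startswith(prefix) for ev in events)
```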




#2 Aura


Posted 11 July 2016 - 02:09 PM

Hi stevenabanks :)

ComboFix.exe is a legitimate tool developed by sUBs. The reason it is listed so many times in the Trend Micro Threat Encyclopedia is that a lot of malware will look for processes named "ComboFix.exe" and terminate them, or add IFEO entries in the Registry to prevent it from running. It isn't malicious, and it must be a false positive from Trend Micro, which I would report to them.

On a side note...

ComboFix is a very powerful reporting and scripting tool that was developed by sUBs, used by members of the malware removal team here on BleepingComputer (and also on other forums). This tool can easily break a Windows installation if poorly and/or wrongly used. It can make the whole system unbootable and also delete everything present on your drives (leaving you with close to no chance of recovery) or damage your Windows installation so badly that you would be forced to reinstall it. Therefore, you should not be using ComboFix unless you are in one of the two situations listed below:
  • You have been trained in an online malware removal forum to use ComboFix;
  • You are using it under the supervision and instructions of a trained malware removal professional on BleepingComputer or another recognized malware removal forum (UNITE forums for example);
If you already ran ComboFix on your system and need assistance with the log, you will have to post a thread in the Virus, Trojan, Spyware, and Malware Removal Logs section of BleepingComputer, where a trained helper will assist you.

If you have any questions or concerns about ComboFix, quietman7 wrote a FAQ on it and you'll find all your answers in it.

ComboFix usage, Questions, Help? - Look here

Also be aware that BleepingComputer doesn't provide any advice on how to use ComboFix on your own, due to the nature of the tool and how dangerous it can be when used without supervision or proper training.



#3 ATY


Posted 11 July 2016 - 02:44 PM


I never realized that this tool is dangerous to run without supervision until now. I did run this tool back in 2015 to check for some malware, and it deleted something on my Windows 8.1 gaming PC and somehow made my PC unbootable afterward, which upset me a lot, and I had to reinstall the OS to make it work normally again. But thanks for the information, and if this tool is dangerous to run without supervision, then you should put the download link in private rather than public, for good sake.




#4 quietman7


Posted 11 July 2016 - 04:06 PM

Bleeping Computer's hosted programs for download are trustworthy, safe and malware-free.

Certain embedded files that are part of legitimate programs and specialized fix tools (like ComboFix) may at times be detected by some anti-virus and anti-malware scanners as suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, whether files are compressed or packed, what behavior (routines, scripts, etc.) it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files may be obfuscated, encrypted or password protected in order to conceal themselves, so they do not allow access for scanning but often trigger alerts by anti-virus software.

When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. Compressed and packed files in particular are often flagged as suspicious by security software because they have difficulty reading what is inside them. These detections do not necessarily mean the file is malicious or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive" and can be ignored.

Most of the well known specialized tools we use against malware are written by experts/Security Colleagues at various security forums like Bleeping Computer, TechSupport, GeeksToGo, Emsisoft and other similar sites so they can be trusted...this includes any program hosted by BC for download. Unfortunately, many of these tools are falsely detected by various anti-virus programs from time to time for the reasons noted above. This in turn sometimes results in an inaccurate site rating/warning of potentially dangerous software when that is not the case.

The problem is really with the anti-virus vendors who keep targeting these embedded files and NOT with the tools themselves. We can inform the developers but they have encountered this issue many times before and in most cases there isn't much they can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.

#5 quietman7


Posted 11 July 2016 - 04:12 PM

...I never realize that this tool is dangerous to run without supervisor until now...and if this tool dangerous to run without supervisor, than you should put download link into private rather than public for a good sake.

It's not so much that ComboFix is dangerous or harmful, but that it is a powerful and complex tool.

ComboFix was created as a specialized first responder tool for malware removal experts who assist others, as it has the ability to deal with multiple malware infections and has built-in removal functionality, which makes it very powerful. ComboFix is intended by its creator to do two things: 1) automatically remove known infections and 2) provide a detailed system report similar to DDS that a trained expert can use to further investigate and remove malicious files and registry entries. ComboFix was never meant to be used as a general purpose malware scanner like SuperAntispyware, AdwCleaner or Malwarebytes' Anti-Malware, which scan individual drives, different folders, the registry, etc. on a computer for malware...nor was it designed to be a remote support tool.

With ComboFix there is always a risk that something legitimate on a computer could be erroneously changed or removed when running the tool. These issues are able to be quickly resolved by those trained in its usage. For those who have no training, there is a chance they could be left with an unusable computer. Further, when issues arise due to complex malware infections, problems running ComboFix (i.e. stalling, hanging, crashing) or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. When false detections are identified, experts have access to the developer and can report them so he can investigate, confirm and make corrections. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment.