[FP] www.hoverdesk.net Regseeker 4.0

system · 2017-08-20T01:45:07.000Z

http://www.hoverdesk.net/download/RegSeeker_4.0.zip detected as Sf:Gamarue-A [Trj]

https://www.virustotal.com/#/url/adb71890d78cf22ed1a09e4d1613022a02947bcd8f503d8ce9d9e30a2d0f9a88/detection - 0 detected

Sorry my bad not sure if its because of the comment mentioned at the end of this page w.r.t delta toolbar https://www.nsanedown.com/?request=187466697

DavidR · 2017-08-20T07:44:00.000Z

First you aren’t actually scanning sites using VT to check a URL all it is doing is checking it against a list of blacklists. You would need to upload the file to have it scanned.

I have just scanned the file and it is 3/59 so a possibility of a false positive. Even more so as AVG and Avast detect it they are both using the same virus signature database. So you could say 2 of 58 detections.
https://virustotal.com/en/file/5ef44613881f8be5c2978ee8475a174d6dbd7fe0e24c3d984eac0f4724e9ca12/analysis/1503214812/

EDIT: I have extracted RegSeeker.exe and submitted it to avast for analysis.

polonus · 2017-08-20T09:04:37.000Z

We see a confirmation here: http://www.download3k.com/Antivirus-Report-RegSeeker.html
with avast detecting RegSeeker_4.0.zip|>RegSeeker\RegSeeker.exe|>[UPX] Sf:Gamarue-A [Trj]
On the rise again as part of the Zeus banking trojan botnetwork.
Re: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Gamarue.A
But a typical avast detection here: http://v.virscan.org/Sf:Gamarue-A%20[Trj].html

Wait for an Avast Team Member to explain and give a verdict on this detection.
All versions of RegSeeker being flagged of having this malcode.

My hunch is a falsely flagged UPX packed exe detection! But IP had other malware: https://urlquery.net/report/5519bb86-8f3d-44dc-9397-587e997259eb and that might have a reason to take no chances on that packed UPX executable as well or file was not signed proprerly. But still could well be a FP.

polonus

DavidR · 2017-08-20T09:35:59.000Z

@ polonus
The Microsoft link is pretty old Published Sep 18, 2011 | Updated Mar 23, 2012, so I’m not sure how relevant it might be.

The v.virscan.org link is coming up 404.

polonus · 2017-08-20T10:25:20.000Z

Hi DavidR and threadstarter,

Well the UPX packed file controversy (FPs versus genuine detections) has been around ongoing since 2011.
It is not the first time a packed UPX executable was found to be a FP and it certainly will not be the last.

Kaspersky warned av-vendors not to automattically flag all, but to better discriminate between FPs and the real McCoy.
All avast detection with regseeker are for all of 2017. Remember, avast has some reputation here of serving up FP’s.
Wonder what the final verdict will be then?.

Also it should be taken into the bargain that that same IP was abused for serving malcode.
One and one counts up to two in suh a case. Anyway, let us wait and see…

As for that 404, the link was not being given properly: http://v.virscan.org/Sf:Gamarue-A%20[Trj].html (take all to the end of it into the searchbar then press enter)…

polonus

DavidR · 2017-08-20T12:31:16.000Z

Its, those pesky square brackets in their URL get in the way in forums that use square brackets in the code tags.

Perhaps AV Comparatives should throw in some UPX files into there clean set to check for FPs, that would certainly make the virus labs pat attention

Pondus · 2017-08-20T13:49:24.000Z

DavidR post:2:

First you aren’t actually scanning sites using VT to check a URL all it is doing is checking it against a list of blacklists. You would need to upload the file to have it scanned.

I have just scanned the file and it is 3/59 so a possibility of a false positive. Even more so as AVG and Avast detect it they are both using the same virus signature database. So you could say 2 of 58 detections.
https://virustotal.com/en/file/5ef44613881f8be5c2978ee8475a174d6dbd7fe0e24c3d984eac0f4724e9ca12/analysis/1503214812/

EDIT: I have extracted RegSeeker.exe and submitted it to avast for analysis.

IF there is a file at the URL, VT will download and scan it.
To see the file scan result, click the icon after the hash at > Downloaded file

see attached screenshot below

Be aware that if the file is in a zip, then the hash and additional file info will not be correct, it will be for the zip and not the file inside

In this case it seems the zip containe multiple files.
If you upload the file to metadefender.com it will unpack and list scan result for all files inside the zip. I think the limit is 500 files inside the zip

DavidR · 2017-08-20T16:02:56.000Z

If it did download the file, then I would have to ask why there was no alert by avast or the other two that detected it ?

Yet my upload to be scanned of the actual RegScanner_4.0.zip did list the detections, yet the SHA256 is the same as in your image, yet it doesn’t appear to have been scanned.

Pondus · 2017-08-20T16:56:26.000Z

DavidR post:8:

If it did download the file, then I would have to ask why there was no alert by avast or the other two that detected it ?

Yet my upload to be scanned of the actual RegScanner_4.0.zip did list the detections, yet the SHA256 is the same as in your image, yet it doesn’t appear to have been scanned.

There is if you click the icon (in the link posted by the OP) you will see the file scan result
https://www.virustotal.com/#/file/5ef44613881f8be5c2978ee8475a174d6dbd7fe0e24c3d984eac0f4724e9ca12/detection

Same SHA-256 hash as in your link

DavidR · 2017-08-20T17:04:27.000Z

Ah, I had never noticed that tiny icon, much less what it was for

I went into what I thought was the obvious, the Details Tab only to find it wanting. I would have thought that would been the logical location or a link to the file scan.

polonus · 2017-08-20T21:26:33.000Z

Hi Pondus - Heia Norge,

Thanks for that explanation on the inner workings of VT.
You know Virus Total scan outlay like the inner lining of your pocket. 8)
Good to have you around in such discussions.

Damian

system · 2017-08-21T04:32:14.000Z

@Pondus, DavidR - Many thanks glad to have learnt something new today (w.r.t VT)

At the time of raising this thread also raised it to hoverdesk and received the below
[i]
Hello

Yes it’s a false positive from Avast because RegSeeker executable is compressed with upx.
Next version won’t be no longer compressed though upx has nothing to do with some kind of virus…

Best regards
Thibaud[/i]

So if needed we could defer adding exclusion signatures until next version is released.

DavidR · 2017-08-21T08:03:58.000Z

You’re welcome.

You could try that, but personally I would stick with your existing older version of RegSeeker (I’m still using version 2.7 on my XP System) until Avast do remove the detection. Because Avast is alerting on the Zip file when you try to download it, you would have to set a URL exclusion or disable the web shield, neither I feel worthy of what is just another registry cleaner. CCleaner also has a registry cleaner function.

There was also something I read about unwanted add-on also on installation that would make me wait and or ensure you did a custom install and deselect any unwanted extras.

Currently avast is still alerting on it, bu it is still early for a likely FP.

polonus · 2017-08-21T10:13:19.000Z

But there is still room for some fundamental discussion on the ongoing problem of UPX packed proggies and false positives.

Re: https://autohotkey.com/board/topic/49032-enough-with-the-upx-packed-virus-false-alarms-enough/
Re: https://forums.spybot.info/showthread.php?47483-UPX-packed-executables&p=311376
Re: http://www.virtualdub.org/blog/pivot/entry.php?id=245
Re: https://reverseengineering.stackexchange.com/questions/198/what-different-upx-formats-exist-and-how-do-they-differ

Could not developer signing and authorative certification come to the rescue to discriminate between benign and benevolent UPX packed and malicious and reverse engineered UPX to go under the malware detection radar.

I can understand one often would take ‘the better safe than sorry’ route and question UPX packed code completely…but not like Norton did and remove it without any notice beforehand.

polonus

jl747 · 2017-09-06T10:59:40.000Z

Regseeker just posted a new version (4.50) and it it also is showing the same problem when you try to download and install.

adam.pavlat · 2017-09-06T14:01:34.000Z

Good day,

I whitelisted the files. It will be released in aprox. 2 hours.

Thank you.

Adam

Dale35 · 2017-11-28T05:49:09.000Z

Hello. I just read the post where you said you whitelisted RegSeeker. Did you only whitelist RegSeeker 4.0? I tried to download both 4.0 and 4.5 and my Avast blocked my access to the URL on both versions. Please advise. Thanks.

Asyn · 2017-11-28T06:04:59.000Z

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php

adam.pavlat · 2017-11-29T12:27:24.000Z

Good day,

I’am able to download and install every version of Regseeker without blocking from Avast. Please, can you share the file which is detected + name of the detection?

Thank you.

Adam

Announcements