Is this a FP?

Re: http://wepawet.iseclab.org/view.php?hash=785fd1266898c2a7d69aa28cf958f8f5&t=1304172762&type=js [benign]
VT file analysis: http://www.virustotal.com/file-scan/report.html?id=d9f85f79b4a9a1b80c00d1281d9fb479aa0ace84ea222a42af3ec8248d8450a7-1304119550

According to me it is just the packer being flagged, but a clean URL…
see:
http://monkeywrench.de/result.html?id=3736117&displaykey=42aux420

polonus

I have to wonder about the value of chasing what might be a ClamAV FP (in the avast forums) when no other AVs detect it and it is a packer based detection ???

Well it has to do with avast, because they had several issues concerning PUA.Script.Packed malware in the sphere of right detects or FP’s and even non-detects. When I actually followed up the PUA.Script related malware at clean-mx I found some examples that avast does not detect. But I will generalize the question to “is this a FP?”.

polonus

I will state my case here with a couple of VT results of PUA.Packed malware. re:
http://www.virustotal.com/file-scan/report.html?id=7d0bf6f7f2260d9150db3b8e74d7bbfac8c95f14b8ca5761a6c323b5d02d5930-1303582151
&
http://www.virustotal.com/file-scan/report.html?id=fe156f32a3bfa7713c705643ca3d0e5ed2820ad571bce04a4f2fab6312ac3293-1300702286
&
http://www.virustotal.com/file-scan/report.html?id=1faa41fc5ac02618a613129e696942e0fdb6c37b29770c4ba01d615304d30ad7-1301228095

All detections, and this list is not complete, that avast does not flag. The detections are for fake AV cryptors,
I have reported about this to virus AT avast dot com before,

polonus

The real problem being the malware name given, and it has two elements: PUA, Potentially Unwanted Application (not what you are stating, PUE), and the Packed element. There are some AVs that alert on all indications of certain packers, regardless of content and in some cases don’t even unpack it or can’t.

Avast has probably the best packer support of most AVs so it would I believe be likely to have unpacked the script, given the web shield is very hot on the packed script detections.

Also considering this is a PUA, akin to the avast PUP, which is off by default in scans, so I don’t know if that is also the case in the VT scan.

Not to mention the original VT results are 1/42, which isn’t conducive to it being a good detection, especially when coming from just ClamAV.

And now? Do they answer your queries? What did they say or do? Do they add the detection?

Hi Tech,

Well what DavidR says in his reaction about the PUA detection actually has answered a lot of questions for me,
and has set my mind more at ease. PUP detection may be available!
I agree with DavidR also that the detection of packers and wrappers in the case of avast is of an excellent standard, as one of the mods here has explained to me. So I was aware of that fact. Whenever I see the use of “commercial on the fly online wrappers and obfuscation tools” I am afraid it is being used to get malware under the av-radar.
I immediately have reported the use of it to avast via mail, we see it as big clusters of obfuscated (obfuscation scrambling) code on webpages and especially one should be cautious whenever so-called “DNA scan” and “low quality scanner software” is concerned. To decide if something should be considered a PUP (when installed by the owner of the computer fully knowing what the risks are, and where it is a risktool that the user has no knowledge of) is a difficult one. My advice would be to all avast users have PUP scanning and sandbox on by default and leave it on,

polonus

Thanks for helping improve detection.
I also have PUPs detection and autosandbox on.

What could be three criteria to make a commercial packed program benign and not be a PUP:

  1. The user has installed the program knowing it was a risktool;
  2. The program was being downloaded from a trusted source;
  3. The user has used the program over a considerable time before it became flagged

All other software with commercial packers that does not fit these 3 criteria should be sent to avast for analysis,

polonus

Norman analysis

tabs_ajax_js.js : Clean!

Sophos

SophosLabs has analyzed the submitted file(s) and determined they are not malicious and can safely be authorized.

tabs_ajax_js.js – can be authorised

Hi Pondus,

Thanks for the final word on this,

polonus