system
August 29, 2013, 6:31pm
2
hello
Generally, when there's just one detection, it's a FP.
Hi g3n-h@ckm@n,
Probably you are right. I think it is a wrong packer identification: http://urlquery.net/report.php?id=2014360
i.e. Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detected which DrWeb may flag here…
see: http://f.virscan.org/biosagentplus_36.exe.html
see: http://systemexplorer.net/file-database/file/biosagentplus_36-exe
pol
system
August 29, 2013, 9:18pm
4
Antiviruses detect a little bit of anything.
Look at that!! I sent my tool Pre_scan renamed to winlogon:
http://r.virscan.org/report/7b7930676a3f04fa452d35711b8bfc4a.html
But what comes from esupport.com is obsolete.
Here's UsbFix (with the Pro version integrated; not online, it's a beta version):
https://www.virustotal.com/en/file/d79e98f0e2189db2ee74e939e36d72dc3d61822c2115020bc297f92b2f02bbf0/analysis/1377813745/
Pondus
August 29, 2013, 10:12pm
5
I say a FP from Dr.Web.
First submission 2013-07-12 16:12:45 UTC ( 1 month, 2 weeks ago )
system
August 29, 2013, 10:43pm
6
UPX packages are often detected as infections by antiviruses :)
system
September 5, 2013, 3:04am
7
I sent both files to the virus laboratory with a note about false positives; I think it will be corrected in the near future.
The reply came:
Your request has been analyzed. The detection is a false positive. The error has been corrected. (Virus Monitoring Service, Doctor Web Ltd.)
Original file name: UsbFix.exe
File size: 1144645
MD5: 5d2328d28ed0861ba66c9ab4e8f35582
Original file name: biosagentplus_1218.exe
File size: 633360
MD5: 9a723001055ac806b73d97f2e2092a88
polonus
September 5, 2013, 9:41pm
8
Hi Dimitrij,
Good you sorted that one out with the folks from St. Petersburg. Mutual FP reports and non-detect reports help.
I think at the root of the false detection was the too strict Snort/Emerging Threats IDS rule, see:
http://urlquery.net/report.php?id=1902578 alerting ET POLICY PE EXE or DLL Windows file download & FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detected -
For an explanation see: http://www.snort.org/search/sid/16435, which describes UPX as “a packer that is commonly used by malware authors and may indicate a possible malware transfer to the target host”.
Also see: http://urlquery.net/report.php?id=4832442 (Snort speaks of “no false negatives” for sid/16435!).
Here we see the discrepancy between IDS alerts and actual av detection: https://www.virustotal.com/nl/file/fd2949d5c96554421104baecc0662effd54cacf4254c6030f46056cfea1c11ea/analysis/
In this case the av detection is correct and the IDS alerts need more precision…
Damian
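To make the distinction in the last post concrete (a "UPX packed file magic" hit is packer identification, not a malware verdict), here is a small added example of how such identification is done on a PE image. It is not code from any of the posters, and it is not the Snort or Emerging Threats rule logic; it checks two indicators that are assumptions about the UPX on-disk layout rather than anything stated in the thread: the section names UPX0/UPX1 (UPX2 in some versions) in the PE section table, and the ASCII marker "UPX!" that UPX writes into its own header block. The sample PE images are constructed inline so the script runs offline.

```python
"""
UPX packer identification on a PE image (added example for this thread;
not Snort/ET rule code and not code from the posters).

Indicators checked (assumptions about the UPX layout, not from the thread):
  * section names UPX0 / UPX1 / UPX2 in the PE section table
  * the ASCII marker "UPX!" that UPX writes into its own header block
A hit means "packer identified" and nothing more; that is why the IDS
signature is a FILE-IDENTIFY / POLICY alert and not a malware verdict.
"""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MARKER = b"UPX!"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_section_names(data: bytes):
    """Return the section names of a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 4 + COFF_HEADER_SIZE + size_opt
    names = []
    for i in range(num_sections):
        off = table + SECTION_HEADER_SIZE * i
        if off + SECTION_HEADER_SIZE > len(data):
            break  # truncated section table: stop instead of reading past the buffer
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def identify_upx(data: bytes) -> dict:
    """Report the UPX indicators found; the verdict is deliberately only a packer label."""
    names = pe_section_names(data)
    is_pe = names is not None
    names = names or []
    upx_sections = [n.decode("ascii", "replace") for n in names if n in UPX_SECTION_NAMES]
    marker = UPX_MARKER in data
    # Only call a file "UPX-packed" when it is a PE; a bare byte match on a
    # non-PE stream is exactly the kind of imprecision the thread complains about.
    packed = is_pe and (bool(upx_sections) or marker)
    return {
        "is_pe": is_pe,
        "upx_sections": upx_sections,
        "upx_marker": marker,
        "packed_with_upx": packed,
        "verdict": "UPX-packed PE (packer identified, not a malware verdict)"
        if packed else "no UPX indicators",
    }


def build_sample_pe(section_names, upx_marker=False) -> bytes:
    """Construct a minimal, non-runnable PE image for offline testing (constructed data)."""
    e_lfanew = 0x80
    dos_header = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    optional = struct.pack("<H", 0x10B) + b"\0" * 222  # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(optional), 0x0102)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8)
                        for name in section_names)
    tail = b"\0" * 16 + UPX_MARKER + b"\0" * 16 if upx_marker else b"\0" * 36
    return dos_header + b"PE\0\0" + coff + optional + sections + tail


if __name__ == "__main__":
    samples = {
        "upx_packed": build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], upx_marker=True),
        "plain_pe": build_sample_pe([b".text", b".data", b".rsrc"]),
        "not_a_pe": b"just some bytes, no MZ header",
    }
    for label, blob in samples.items():
        print(label, identify_upx(blob))
```

The point of the `verdict` field is the one Damian makes: a packer check can only say "this looks UPX-packed". Whether the payload is malicious is a separate question for the scanner, and a legitimate tool like UsbFix or BIOSAgentPlus that ships UPX-compressed will trip this check every time.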