polonus
Hi Dimitrij,
Good you sorted that one out with the folks from St. Petersburg. Mutual FP reports and non-detect reports help.
I think at the root of the false detection was the overly strict Snort/Emerging Threats IDS rule, see:
http://urlquery.net/report.php?id=1902578 alerting ET POLICY PE EXE or DLL Windows file download & FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detected.
For an explanation see: http://www.snort.org/search/sid/16435, which describes UPX as “a packer that is commonly used by malware authors and may indicate a possible malware transfer to the target host”.
Also see: http://urlquery.net/report.php?id=4832442 (Snort speaks of “no false negatives” for sid/16435!).
Here we see the discrepancy between IDS alerts and actual av detection: https://www.virustotal.com/nl/file/fd2949d5c96554421104baecc0662effd54cacf4254c6030f46056cfea1c11ea/analysis/
In this case the AV detection is correct and the IDS alerts need more precision…
Damian
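As an added illustration of the point made in the post above (this is example code, not something from the post or from Snort/Emerging Threats): a UPX "magic" rule such as sid/16435 fires on a structural property of the file, so it tells you the download is a packed PE, not that it is malicious. The block below builds a constructed minimal PE image in memory, parses its section table the way a file-identify check would, flags the conventional UPX0/UPX1 section names, and then shows a simple triage rule that treats a packer-only IDS alert with no AV detections as a policy notice rather than an infection. The PE builder, the alert strings and the engine counts are all assumptions made for the example.

```python
import struct

# UPX conventionally names the sections it creates UPX0/UPX1 (plus .rsrc).
# Seeing them proves packing, nothing more.
UPX_SECTION_PREFIX = "UPX"


def build_sample_pe(section_names):
    """Construct a minimal, non-executable PE image for testing the parser.
    Layout: 64-byte DOS header (MZ, e_lfanew at 0x3C) -> 'PE\0\0' ->
    20-byte COFF header -> 224-byte PE32 optional header -> 40-byte section
    headers. All fields except the ones the parser reads are zero."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header follows DOS header
    optional = bytes(224)                            # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH",
                       0x14C,                        # Machine: i386
                       len(section_names),           # NumberOfSections
                       0, 0, 0,                      # timestamp, symtab ptr, symbol count
                       len(optional),                # SizeOfOptionalHeader
                       0x102)                        # Characteristics: executable, 32-bit
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + optional + sections


def parse_pe_sections(data):
    """Return the list of section names, or None if data is not a parsable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            return None                              # truncated section table
        raw = data[off:off + 8].rstrip(b"\0")
        names.append(raw.decode("ascii", "replace"))
    return names


def looks_upx_packed(section_names):
    """Same structural signal a 'UPX packed file magic' IDS rule keys on."""
    return any(n.startswith(UPX_SECTION_PREFIX) for n in section_names)


def triage(ids_alert_msgs, av_detections, av_engines):
    """Combine an IDS view with an AV view of the same file.
    ids_alert_msgs: alert message strings (constructed, mirroring the post).
    av_detections/av_engines: count of engines flagging the file and total engines."""
    packer_only = bool(ids_alert_msgs) and all(
        ("UPX" in m) or ("PE EXE or DLL" in m) for m in ids_alert_msgs)
    if av_detections > 0:
        return "escalate: %d/%d AV engines detect the file" % (av_detections, av_engines)
    if packer_only:
        return "policy notice: packed PE download, no AV detection (likely IDS false positive)"
    return "no action: no detections"


if __name__ == "__main__":
    sample = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    names = parse_pe_sections(sample)
    print(names, "UPX packed:", looks_upx_packed(names))
    alerts = ["ET POLICY PE EXE or DLL Windows file download",
              "FILE-IDENTIFY Ultimate Packer for Executables/UPX packed file magic detected"]
    print(triage(alerts, 0, 50))
    print(triage(alerts, 30, 50))
```

The parser only reads the few header fields it needs (e_lfanew, NumberOfSections, SizeOfOptionalHeader, section names) and refuses truncated input, so it is safe to run over arbitrary captured bytes; the triage function is where the post's point lives: the packer signal is evidence of packing, and the AV verdict decides whether anyone needs to act.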