I may have found a false positive in a download for Windows XP Boot CD (UltimateBootCD). The download is a zip file containing, I believe, an iso image to burn to CD. It is 4.4MB and the link is http :// www dot docsdownloads.com/download/xpbootcd.zip.
The strange thing is that part way through the download avast web shield alarmed and reported:
Sign of "KillCMOS-J [Trj]" has been found in "http :// www dot docsdownloads.com/download/xpbootcd.zip\XPBOOT.ISO" file.
The reason I say strange is that the download hadn’t completed and the internal file is an iso file, which I thought avast couldn’t scan?
Update: I paused web shield to allow the download, which went OK. The file isn’t 4.4MB as reported on the web site.
No auto scan by Standard Shield on the zip file, as expected; an ashQuick.exe scan returned two alerts (so it looks like avast can look inside .iso files):
Sign of "KillCMOS-J [Trj]" has been found in "D:\Downloads\xpbootcd.zip\XPBOOT.ISO\ZEROCMOS\KILLCMOS.COM" file.
and
Sign of "KillCMOS-J [Trj]" has been found in "D:\Downloads\xpbootcd.zip\XPBOOT.ISO" file.
So it is alerting on both the iso and the killcmos.com inside the ISO.
There are a number of tools inside the ISO to use in the event you can’t get into Windows and need to use the BOOTCD, so this would appear to be one of the tools that, although it has a legitimate use, could also have a malicious use.
I elected to send the file (KILLCMOS.COM) to the chest but that ultimately (excuse the pun) failed: unable to process that file type. So it sent the xpboot.iso to the chest and it appeared to delete the zip wrapper file.
I will try and upload it to Jotti and see what that makes of it and ultimately (I know ;D) send it to avast to investigate.
On Jotti, avast and two other AVs, BitDefender and Kaspersky, detect it as effectively the same trojan (Trojan.KillCMOS); the rest don’t find anything.
I still think it is an instance of a tool that can be used for legitimate purposes being detected as malicious, since an AV can’t forecast its use or intent.
As for me, I would rather it be detected as it is in this case than to not be detected at all. Like keyloggers that could be used for good but are often used for bad, you noted that could also be the case with this. I would want neither of these on my computer without my knowledge. >:(
As I see it, Avast did you (or maybe someone else some other time) a favor. You may have already known what you were downloading but there are those who would not have known.
I too would rather err on the side of safety and hopefully anyone downloading these tools would have enough nous to know what they are about and realise it is an FP when in this context as a tool to reset CMOS, etc.
Interestingly this is obviously a known issue, as it is mentioned in the documentation; the problem is that unless you disable web shield/standard shield it won’t let you complete the download so that you can investigate or read the documentation.
Some of the antivirus programs will "detect" these programs as trojans. This was coded into their programs long ago to prevent newbies from accidentally wiping out their hard drive settings in the time before auto-detect hard drives became standard in most BIOSes.
Relating to some of the boot tools, KillCmos, WipeCmos and ClrCmos
What is it?
KillCMOS basically “resets” your computer’s CMOS settings to the factory defaults. Works with ALL CMOS. KiLLCMOS only changes checksums & values that makes the motherboard CMOS revert back to factory defaults.
** IT DOES NOT ReProgram your CMOS like a FLASH ROM Writer does.
** IT DOES NOT DAMAGE Hardware. KiLLCMOS reads/writes to areas of the CMOS that get written to every day; the difference is the VALUES that we give it (CMOS).
WipeCMOS is simply designed to clear all CMOS settings to recover from lost passwords or corrupt BIOS settings.
If it is for real, see here: http://www.tenebril.com/src/info.php?id=126165318 this can be considered one of the most dangerous malware around, while it could render your hardware (computer) completely useless. These so-called “nukers” are reckoned to be among the most dangerous malware that exist at this time. They are used by genuine hackers that “go for the kill”.
Even if it is a FP, you have to investigate this very thoroughly, to make sure what you have aboard.
Polonus, I don’t doubt that it can be used for harm (or that it is the same one, as this one is a DOS .com application), but when it is a part of a set of boot tools in the Ultimate Boot CD the only one using it will be me, if it is ever required.
You can rest assured I have investigated it fully.
The jury is still out, as it can’t be determined what the purpose is. The group of programs is downloaded to do specific tasks; one of those tools allows for the resetting of the CMOS should it be required. It makes clear in the accompanying documentation that some AVs may pick this up; unfortunately web shield detected it before it ever got to the HDD, so you couldn’t check the documentation.
The other issue is that the file is inside an .iso disk image that is effectively inert until you burn it to disk, run the CD you burned and execute the suspect file. Now, had web shield been paused (as I did to get the download), standard shield doesn’t even scan it, presumably because it is a form of archive file (inert), even though it is a newly created file having been downloaded. So my question is why the web shield would scan it if standard shield doesn’t.
This is very similar to avast detecting key loggers that have been installed by the user to monitor activity by those on the system (parents watching over kids for instance) and used for this legitimate purpose isn’t harmful/malicious. The same can be said of this tool when intentionally downloaded and used for legitimate purposes.
The problem stems from the AV not being able to determine that purpose.
I think this is very, very good policy by Avast. If a program is legit but can also be used for malicious purposes by third parties, then to flag it as possibly malicious is right. Better to be forewarned in these cases. A lot of malware goes unnoticed because it is “dressed up” as a legit program. Legit keyloggers and spyware are good examples. I can only applaud an AV application that keeps me informed that this is on my or my boss’s computer. How to treat it later is a second concern upon finding it.
I think that’s the commonly expected action, as it should be. There’s always the option to ignore the detection, add the program to the exclusions, etc. if it’s something you want. But for those of us that didn’t install it and don’t want it, there should be some warning.
I’m not arguing that this is a commonly accepted action.
When the web shield detects it there is no ignore option, even clicking the x to close the window aborts the connection and kills the download. So you can’t get it to investigate or add it to the exclusions unless you disable web shield.
That is the whole point: there is an anomaly between Web Shield, which doesn’t give the option to ignore, and standard shield, which does; Web Shield scans the zip file containing an .iso file and standard shield doesn’t scan it if Web Shield is disabled.
We don’t plan to provide an “Ignore”-type button to WebShield anytime soon… The reason is, if you absolutely feel that you want to download the infected file (or you’re 100% sure it’s a false positive), you can always pause/stop the provider. But as soon as the protection is ON, there should basically be no WRONG answer in the dialog, because 90% of the users simply don’t know what it’s all about, and they just click a (more or less random) button just to make the noisy dialog go away…
BTW the “Ignore” button in the Standard Shield provider is only available when malware is detected ON WRITE (never ON READ). That is, NO HARM can be done by pressing it: unless you pause/stop the Standard Shield provider, the infected file cannot be opened in any way.
Thank you for the insight Vlk. That does make sense for most users. Possibly additional options could be made available in an “expert mode” for users who feel they need them at some point in the future (time and resources permitting, of course).
And to polonus - welcome back. I hope you’re feeling better.
I agree you have to look out for the average user so they don’t come to harm.
However, I doubt whether anyone can be totally confident in stating that something is totally, 100% a false positive, especially as they wouldn’t have any way of investigating this unless they pause the web shield to allow for download and investigation.
The question remains why the web shield would scan a .zip file (when standard shield doesn’t) the contents of which are an .iso file, and buried inside a folder is a killcmos.com file, when there is absolutely no way of a one-click or auto execution. You would need to unzip the .iso file, burn it on to a CD, run the newly burned CD, open the sub folder and then execute the killcmos.com file (which I’m not sure would work in a 32-bit environment; I tried a basic test which failed).
Yet with web shield paused to enable it to be downloaded, the file doesn’t get scanned by Standard Shield set to Normal because it is a zip file (inert). So why the difference between files that web shield scans vs files that standard shield scans when the file type, .zip, is the same? It is the same degree of threat/risk from what is an inert file.
That is what concerns me more than the detection of killcmos.com, a 16-bit MSDOS program, inside a folder, inside an .iso file, that is inside a zip file.
Well, we always considered the WebShield’s ability to scan inside archives a big PLUS. The rationale behind it is that Web downloads are relatively slow, and so the extra overhead taken by uncompressing the contents is more or less negligible compared to the time it took to download the file.
Of course, in your particular case, it is questionable whether we should be detecting the file or not (no matter if it’s inside an archive or not) but generally, I’d say it’s a very advanced (and powerful) feature.
Yes, it is an advanced and powerful feature, because many AVs can’t scan inside .iso files; only three, including avast, picked it up on Jotti, possibly because it was inside an iso file. However, like all advanced features, should it not be selectable?
Should Web Shield use the same logic as Standard Shield, which doesn’t consider .zip files (and by that logic, .iso/inert files too) an immediate threat/risk? They aren’t scanned by default (Normal), only if you use some of the advanced features/increased scan level. So should Web Shield act in the same way?
Yes, downloads are slow, even more so when using dial-up, so for the download to fail on virtually the last packets is extremely frustrating, and you then have to pause web shield and download it again to investigate.