Kitz Forum

Broadband Related => Router Monitoring Software => Topic started by: Oldjim on February 02, 2016, 07:07:29 PM

Title: Kaspersky isn't happy with DSL stats
Post by: Oldjim on February 02, 2016, 07:07:29 PM
I assume it is a false alarm but you may want to look into it
Title: Re: Kaspersky isn't happy with DSL stats
Post by: roseway on February 02, 2016, 07:20:49 PM
It's certainly a false alarm. The only function of upload**.exe is to upload data to MyDSLWebStats. If you don't use MDWS you can delete that file and DSLstats will continue to work normally.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: Ronski on February 02, 2016, 11:13:37 PM
The best thing you can do is submit the file to Kaspersky, they will then check it and white list it or whatever they do to stop it being picked up incorrectly again.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: roseway on February 03, 2016, 09:57:07 AM
Thanks for the suggestion. I'll see what I can do.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: jelv on February 03, 2016, 10:16:51 AM
I think Ronski's post was directed to Jim.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: roseway on February 03, 2016, 11:15:26 AM
Oh right, yes. I wasn't sure what to do anyway because I don't use Windows.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: Ronski on February 03, 2016, 01:16:33 PM
To be honest it applies to both Jim and Roseway, the more people that submit false positives for testing the more likely the problem will get resolved, although in theory it should only take one person to submit it.

It seems this can be done online.

https://virusdesk.kaspersky.com

PS. As a programmer it would also be worth using www.virustotal.com to scan files and then submit to any that show problems.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: roseway on February 03, 2016, 04:30:52 PM
Thanks again Ronski.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: Oldjim on February 03, 2016, 06:08:11 PM
It also was unhappy with an Autodesk download dated 2001 - make of that what you will
(It does show the garbage I still have on my hard drive)
Title: Re: Kaspersky isn't happy with DSL stats
Post by: adrianw on February 03, 2016, 10:56:43 PM
Virus detection is a black art, usually based on the content of a file rather than its age or name.
False positives from McAfee and ClamAV have caused severe problems at $JOB when they made some executables unavailable, causing service outages and necessitating whitelisting and restoration.
I have had some problems at home too.

Then there is the vast amount of effort expended in patching software bugs which would be trivial in effect but for their being exploitable.
Home computer users probably do not realise how big a task this can be for organisations.

I wish the penalties for malware authors were far more severe.
Share something copyrighted by the media with a relatively few and you are likely to have to pay a lot.
Spread malware around the world and you appear to be unlikely to be caught, let alone punished.
Sometimes I even wish that the punishment for malware authors was capital, with world-wide scope.

/rant=off
Title: Re: Kaspersky isn't happy with DSL stats
Post by: sevenlayermuddle on February 03, 2016, 11:31:52 PM
I have had occasion myself to submit a 'false positive' to Kaspersky, they duly 'whitelisted' it.

Unfortunately it appeared that their whitelisting process is machine-specific, the file in question no longer triggered an alert on my system, but it still showed as a threat on everybody else's system, just not mine.  As I already knew it was false-positive, the process was rather pointless.

Even on my own PC, after copying the harmless file to another location on the same HDD, it was once again wrongly flagged as a virus.

That did not surprise me.  If AV vendors were to globally whitelist, just on the say-so of an individual user, obviously, they would soon come to grief.

Title: Re: Kaspersky isn't happy with DSL stats
Post by: Ronski on February 04, 2016, 06:23:23 AM
7LM you'll probably find you white listed it when your system detected it. AV companies don't take an EU word, they analyse the file. I believe this is why common programs have little or no problems because there are lots of users who submit false positives, but with programs like DSLstats and Hg612 stats there are not many users.

I often have problems with software we use at work when I upgrade it, I have to remember to completely disable AVG because it takes a dislike to the downloaded update files which are always different.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: roseway on February 04, 2016, 07:47:38 AM
I submitted upload14.exe to Kaspersky as a false positive, and received this reply:

Quote
This message has been generated by an automatic message response system. The message contains details about verdicts that have been returned by Anti-Virus in response to the files (if any are included in the message) with the latest updates installed.   

upload14.exe - Trojan-Ransom.Win32.CryFile.wtx

New malicious software was found in this file. It's detection will be included in the next update. Thank you for your help.

Best Regards, Kaspersky Lab

"39A/3 Leningradskoe Shosse, Moscow, 125212, Russia Tel./Fax: + 7 (495) 797 8700  http://www.kaspersky.com http://www.viruslist.com"

So where do I go from here? They're wrong, but upload14.exe does contain some encrypted information which I guess could by pure chance produce a string of characters corresponding to one of their virus signatures. How on earth do I prove it?
Title: Re: Kaspersky isn't happy with DSL stats
Post by: tbailey2 on February 04, 2016, 07:59:57 AM
a) Tell them their grasp of the English language is as inaccurate as their virus detection mechanism
b) Don't use Kaspersky.

Seriously, don't they have a sandbox they can actually test it in and confirm there is an active virus in there, or in this case that there is not?

Ask them if they physically tested it, tell them you are the author and what it does within your software suite. I submitted multiple versions of upload*.exe yesterday as false positives but didn't ask for a response.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: roseway on February 04, 2016, 08:13:15 AM
Thanks, but it's not clear where I could address such argumentative points, and to be honest, I don't have the energy for that sort of argument. As to (b), that's not in my power of course, I'm the author, not the user.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: tbailey2 on February 04, 2016, 08:25:09 AM
info@kaspersky.com

is one possibility.

Seem to remember the HG612 Modem Stats has a similar problem?
Title: Re: Kaspersky isn't happy with DSL stats
Post by: sevenlayermuddle on February 04, 2016, 08:29:38 AM
Quote
7LM you'll probably find you white listed it when your system detected it.

No, I did not whitelist it.  I submitted it for analysis, they agreed it was false positive and would be fixed in the next update.

After the next update, the exact file that I had submitted no longer triggered an alert.  But other copies of the same file, elsewhere on the same PC, still moaned.

It was a while ago now, but as far as I recall, the submission process included the full pathname of the errant file.   I'm guessing they possibly generate some kind of 'hash' of that pathname, and that perhaps a list of such exclusion 'hashes' are distributed with updates?

It was a very long time indeed later, before it stopped moaning about the other copies of that file.

I would hazard a guess that the sheer volume of 'submissions' they receive might be quite overwhelming, whereas the number of true 'virus gurus' that they employ will be finite.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: sevenlayermuddle on February 04, 2016, 08:47:27 AM
So far as I recall, the submission and analysis required some kind of user ID, ie it would only be available to a licensed user of the Kaspersky product.

If you are a major international software vendor then no doubt you'd be able to get their attention in other ways, but under the circumstances...  Wouldn't it be simpler if anybody reading this thread, who is using dslstats and Kaspersky, would be willing to submit it?- see edit

BTW, my own incident was vaguely similar.   It was a file that we had authored and published on our website, been there and unchanged since several years earlier, suddenly started triggering.

edit:  Sorry, you have already been around the submission process, my comment was not helpful.  A bit early for me, these days.  Remainder of post may be helpful, so leaving in place.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: Ronski on February 04, 2016, 01:12:23 PM
@Roseway, I've just submitted HG612 version of upload.exe to Virus Total and it came up totally clean, even Kaspersky said it was clean. Not sure if you're using the same file though.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: Oldjim on February 04, 2016, 01:22:28 PM
Just downloaded and checked again
Title: Re: Kaspersky isn't happy with DSL stats
Post by: Oldjim on February 04, 2016, 01:32:45 PM
I have raised this on the Kaspersky forums and will report back
I have also reported it to Kaspersky as a false positive
Title: Re: Kaspersky isn't happy with DSL stats
Post by: Oldjim on February 04, 2016, 01:58:50 PM
Reply received
Quote
Hello,

This message has been generated by an automatic message response system. The message contains details about verdicts that have been returned by Anti-Virus in response to the files (if any are included in the message) with the latest updates installed.   

upload14.exe - Trojan-Ransom.Win32.CryFile.wtx

New malicious software was found in this file. It's detection will be included in the next update. Thank you for your help.

Best Regards, Kaspersky Lab
Title: Re: Kaspersky isn't happy with DSL stats
Post by: Oldjim on February 04, 2016, 02:38:54 PM
I have replied saying that it is a false positive - will keep you informed
This is the thread over at Kaspersky Forums http://forum.kaspersky.com/index.php?showtopic=344319
Title: Re: Kaspersky isn't happy with DSL stats
Post by: roseway on February 04, 2016, 03:14:23 PM
Thanks Jim, I've joined the Kaspersky forum and added a comment to your thread.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: Bald_Eagle1 on February 04, 2016, 06:58:48 PM
Quote
Seem to remember the HG612 Modem Stats has a similar problem?

It did/has, but not necessarily with Kaspersky

e.g. VirusTotal reports that one or two AV programs detect that IsRunningVB.exe that is located in the Apps folder contains a Trojan/adware.

This program is simply used to check for already running instances of HG612_stats.exe, HG612_current_stats.exe & dslstatssampling.exe.
The latter of those programs runs if DSLStats.exe is also running & sampling data from the modem at the same time that HG612_stats.exe attempts to do so.

The oddity is that the VB script IsRunningVB.vbs that was compiled to create that exe is not reported to contain anything untoward.

The original exe was provided by Ronski, yet I have compiled the script myself with the same wrong result.

I haven't released it yet, but an update to HG612_stats.exe now checks for the presence of IsRunningVB.vbs in the Apps folder & if it can't find it, it will be created there & then & used from then on in preference to the exe version.

04/02/2016 18:45:47.55 - ONGOING-ISRUNNING-184546-941.TXT - **** [C:\HG612_Modem_Stats\Apps\IsRunningVB.vbs] did *NOT* exist, so it was created

The exe version can then be deleted if required.


Some AV programs also falsely detect that HG612_Run.exe, located in the Scripts folder contains a Trojan.
This program is simply used via Task Scheduler to run HG612_stats.exe in the background every minute.

Again, a VB script (HG612_stats.VBS) can be run via Task Scheduler every minute instead that is flagged as containing a Trojan.

I'll have to ask Ronski to amend his GUI to set the scheduled task to use the VB script instead of the exe for that purpose.

It really is annoying/disgraceful though that some AV programs wrongly detect issues that simply don't exist, thus causing completely unnecessary suspicion from users of programs such as DSLStats and HG612 Modem Stats.


Title: Re: Kaspersky isn't happy with DSL stats
Post by: Oldjim on February 06, 2016, 10:40:50 AM
Good news
Just received this from Kaspersky
Quote
Hello,

Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.

Sincerely yours,
Alexey Vishnyakov, Kaspersky Lab
Title: Re: Kaspersky isn't happy with DSL stats
Post by: sevenlayermuddle on February 06, 2016, 11:33:23 AM
That's good news.

May I suggest you wait til the update that fixes, confirm it is now OK, and then try this test...

...copy the same file to elsewhere on the disk, and scan again... is it still OK?

If the file always installs to the same place of course, then that may not be an issue.   In my case, being a file I had authored myself, and my habit of taking regular snapshots, it was in many places.
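
The copy test suggested above separates the two ideas argued in this thread: a false-positive fix keyed to one file path, or one keyed to the file's content. As an added example (not part of any post, and not Kaspersky's actual mechanism, which the thread does not document), the Python below models both hypothetical allowlist schemes; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile


def content_key(path):
    """SHA-256 of the file's bytes: the same for every byte-identical copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def path_key(path):
    """SHA-256 of the normalised absolute path: changes when the file moves."""
    norm = os.path.normcase(os.path.abspath(path))
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


def copy_test(original, copy):
    """Exempt the original under each hypothetical scheme, then check the copy."""
    content_allow = {content_key(original)}  # hypothetical content-based exemption
    path_allow = {path_key(original)}        # hypothetical path-based exemption
    return {
        "identical_bytes": content_key(original) == content_key(copy),
        "copy_exempt_by_content": content_key(copy) in content_allow,
        "copy_exempt_by_path": path_key(copy) in path_allow,
    }


def demo():
    """Write a constructed sample file and a copy in another folder, then compare."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "upload14.exe")
        os.makedirs(os.path.join(d, "snapshot"))
        copy = os.path.join(d, "snapshot", "upload14.exe")
        data = b"MZ constructed sample bytes, not a real executable"
        for p in (original, copy):
            with open(p, "wb") as f:
                f.write(data)
        return copy_test(original, copy)


if __name__ == "__main__":
    print(demo())
```

Running `content_key` on both copies first confirms they really are the same bytes, so a differing verdict between them points at location-dependent handling rather than at a changed file.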
Title: Re: Kaspersky isn't happy with DSL stats
Post by: Ronski on February 06, 2016, 11:38:43 AM
7LM, I really don't think it works that way, it just wouldn't make sense as they'd be repeatedly white listing the same file for every different user that reports it, but it will be interesting to see the outcome. I've also noticed that when downloading a file Avast will complain about it, but when I ask Avast to scan the file on the disk it's quite happy ???
Title: Re: Kaspersky isn't happy with DSL stats
Post by: Oldjim on February 06, 2016, 11:44:14 AM
7LM
That isn't relevant since the file is tested by manually extracting it from the downloaded zip file and then getting Kaspersky to check it
I will of course check once I get another updated virus definition
Title: Re: Kaspersky isn't happy with DSL stats
Post by: sevenlayermuddle on February 06, 2016, 12:10:45 PM
Quote
7LM, I really don't think it works that way, it just wouldn't make sense as they'd be repeatedly white listing the same file for every different user that reports it, but it will be interesting to see the outcome. I've also noticed that when downloading a file Avast will complain about it, but when I ask Avast to scan the file on the disk it's quite happy ???

Agreed it's a hard way of doing things.  Trouble is, whilst I have not the slightest idea how the underlying detection algorithms might work, I would speculate that AV vendors would not want to change these algorithms lightly.   That is why I can believe that the first step in responding to a false-detection might be, effectively, a specific whitelist.  Longer term, the algorithms might change.

But as already confessed, these thoughts are all just based on personal experience of some years ago.   It's possible I reached the wrong conclusions at the time.  It's also possible my recollection is less than perfect.   :)

Verging off-topic, I was interviewed for a job with one of the AV vendors.  The job I applied for was nothing to do with AV, but I did ask, out of curiosity, what sort of qualifications were expected of the gurus that do the nitty-gritty virus detection and analysis?   Highly specialised it seemed, more than just an alternative vocation for the average programmer.
Title: Re: Kaspersky isn't happy with DSL stats
Post by: Oldjim on February 06, 2016, 12:32:19 PM
Now showing as clean on Kaspersky
Title: Re: Kaspersky isn't happy with DSL stats
Post by: roseway on February 06, 2016, 12:36:45 PM
Excellent. :)
Title: Re: Kaspersky isn't happy with DSL stats
Post by: kitz on February 06, 2016, 01:23:18 PM
 :thumbs: