
Author Topic: Kaspersky isn't happy with DSL stats  (Read 8838 times)

tbailey2

  • Kitizen
  • ****
  • Posts: 1245
Re: Kaspersky isn't happy with DSL stats
« Reply #15 on: February 04, 2016, 08:25:09 AM »

info@kaspersky.com

is one possibility.

Seem to remember the HG612 Modem Stats has a similar problem?
« Last Edit: February 04, 2016, 08:35:05 AM by tbailey2 »
Tony
My Books!
Plusnet 80/20 - DSLstats - HG612/TG582n - ECI

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Kaspersky isn't happy with DSL stats
« Reply #16 on: February 04, 2016, 08:29:38 AM »

Quote
7LM you'll probably find you white listed it when your system detected it.

No, I did not whitelist it.  I submitted it for analysis, they agreed it was false positive and would be fixed in the next update.

After the next update, the exact file that I had submitted no longer triggered an alert.  But other copies of the same file, elsewhere on the same PC, still moaned.

It was a while ago now, but as far as I recall, the submission process included the full pathname of the errant file.   I'm guessing they possibly generate some kind of 'hash' of that pathname, and that perhaps a list of such exclusion 'hashes' are distributed with updates?

It was a very long time indeed later, before it stopped moaning about the other copies of that file.

I would hazard a guess that the sheer volume of 'submissions' they receive might be quite overwhelming, whereas the number of true 'virus gurus' that they employ will be finite.
« Last Edit: February 04, 2016, 08:33:01 AM by sevenlayermuddle »

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Kaspersky isn't happy with DSL stats
« Reply #17 on: February 04, 2016, 08:47:27 AM »

So far as I recall, the submission and analysis required some kind of user ID, i.e. it would only be available to a licensed user of the Kaspersky product.

If you are a major international software vendor then no doubt you'd be able to get their attention in other ways, but under the circumstances...  Wouldn't it be simpler if anybody reading this thread, who is using dslstats and Kaspersky, would be willing to submit it? - see edit

BTW, my own incident was vaguely similar.   It was a file that we had authored and published on our website, been there and unchanged since several years earlier, suddenly started triggering.

edit:  Sorry, you have already been around the submission process, my comment was not helpful.  A bit early for me, these days.  Remainder of post may be helpful, so leaving in place.
« Last Edit: February 04, 2016, 08:59:19 AM by sevenlayermuddle »

Ronski

  • Moderator
  • Kitizen
  • *
  • Posts: 4308
Re: Kaspersky isn't happy with DSL stats
« Reply #18 on: February 04, 2016, 01:12:23 PM »

@Roseway, I've just submitted HG612 version of upload.exe to Virus Total and it came up totally clean, even Kaspersky said it was clean. Not sure if you're using the same file though.
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

Oldjim

  • Reg Member
  • ***
  • Posts: 242
Re: Kaspersky isn't happy with DSL stats
« Reply #19 on: February 04, 2016, 01:22:28 PM »

Just downloaded and checked again
Jim
Plusnet

Oldjim

  • Reg Member
  • ***
  • Posts: 242
Re: Kaspersky isn't happy with DSL stats
« Reply #20 on: February 04, 2016, 01:32:45 PM »

I have raised this on the Kaspersky forums and will report back
I have also reported it to Kaspersky as a false positive
« Last Edit: February 04, 2016, 01:48:09 PM by Oldjim »
Jim
Plusnet

Oldjim

  • Reg Member
  • ***
  • Posts: 242
Re: Kaspersky isn't happy with DSL stats
« Reply #21 on: February 04, 2016, 01:58:50 PM »

Reply received
Quote
Hello,

This message has been generated by an automatic message response system. The message contains details about verdicts that have been returned by Anti-Virus in response to the files (if any are included in the message) with the latest updates installed.   

upload14.exe - Trojan-Ransom.Win32.CryFile.wtx

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

Best Regards, Kaspersky Lab
Jim
Plusnet

Oldjim

  • Reg Member
  • ***
  • Posts: 242
Re: Kaspersky isn't happy with DSL stats
« Reply #22 on: February 04, 2016, 02:38:54 PM »

I have replied saying that it is a false positive - will keep you informed
This is the thread over at Kaspersky Forums http://forum.kaspersky.com/index.php?showtopic=344319
Jim
Plusnet

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43613
  • Penguins CAN fly
    • DSLstats
Re: Kaspersky isn't happy with DSL stats
« Reply #23 on: February 04, 2016, 03:14:23 PM »

Thanks Jim, I've joined the Kaspersky forum and added a comment to your thread.
  Eric

Bald_Eagle1

  • Helpful
  • Kitizen
  • *
  • Posts: 2721
Re: Kaspersky isn't happy with DSL stats
« Reply #24 on: February 04, 2016, 06:58:48 PM »


Quote
Seem to remember the HG612 Modem Stats has a similar problem?

It did/has, but not necessarily with Kaspersky

e.g. VirusTotal reports that one or two AV programs detect that IsRunningVB.exe that is located in the Apps folder contains a Trojan/adware.

This program is simply used to check for already running instances of HG612_stats.exe, HG612_current_stats.exe & dslstatssampling.exe.
The latter of those programs runs if DSLStats.exe is also running & sampling data from the modem at the same time that HG612_stats.exe attempts to do so.

The oddity is that the VB script IsRunningVB.vbs that was compiled to create that exe is not reported to contain anything untoward.

The original exe was provided by Ronski, yet I have compiled the script myself with the same wrong result.

I haven't released it yet, but an update to HG612_stats.exe now checks for the presence of IsRunningVB.vbs in the Apps folder & if it can't find it, it will be created there & then & used from then on in preference to the exe version.

04/02/2016 18:45:47.55 - ONGOING-ISRUNNING-184546-941.TXT - **** [C:\HG612_Modem_Stats\Apps\IsRunningVB.vbs] did *NOT* exist, so it was created

The exe version can then be deleted if required.


Some AV programs also falsely detect that HG612_Run.exe, located in the Scripts folder contains a Trojan.
This program is simply used via Task Scheduler to run HG612_stats.exe in the background every minute.

Again, a VB script (HG612_stats.VBS) can be run via Task Scheduler every minute instead that is flagged as containing a Trojan.

I'll have to ask Ronski to amend his GUI to set the scheduled task to use the VB script instead of the exe for that purpose.

It really is annoying/disgraceful though that some AV programs wrongly detect issues that simply don't exist, thus causing completely unnecessary suspicion from users of programs such as DSLStats and HG612 Modem Stats.


« Last Edit: February 04, 2016, 07:02:35 PM by Bald_Eagle1 »

Oldjim

  • Reg Member
  • ***
  • Posts: 242
Re: Kaspersky isn't happy with DSL stats
« Reply #25 on: February 06, 2016, 10:40:50 AM »

Good news
Just received this from Kaspersky
Quote
Hello,

Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.

Sincerely yours,
Alexey Vishnyakov, Kaspersky Lab
Jim
Plusnet

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Kaspersky isn't happy with DSL stats
« Reply #26 on: February 06, 2016, 11:33:23 AM »

Quote
Good news
Just received this from Kaspersky
Quote
Hello,

Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.

Sincerely yours,
Alexey Vishnyakov, Kaspersky Lab

That's good news.

May I suggest you wait until the update that fixes, confirm it is now OK, and then try this test...

...copy the same file to elsewhere on the disk, and scan again... is it still OK?

If the file always installs to the same place of course, then that may not be an issue.   In my case, being a file I had authored myself, and my habit of taking regular snapshots, it was in many places.

Ronski

  • Moderator
  • Kitizen
  • *
  • Posts: 4308
Re: Kaspersky isn't happy with DSL stats
« Reply #27 on: February 06, 2016, 11:38:43 AM »

7LM, I really don't think it works that way, it just wouldn't make sense as they'd be repeatedly white listing the same file for every different user that reports it, but it will be interesting to see the outcome. I've also noticed that when downloading a file Avast will complain about it, but when I ask Avast to scan the file on the disk it's quite happy  ???
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

Oldjim

  • Reg Member
  • ***
  • Posts: 242
Re: Kaspersky isn't happy with DSL stats
« Reply #28 on: February 06, 2016, 11:44:14 AM »

7LM
That isn't relevant since the file is tested by manually extracting it from the downloaded zip file and then getting Kaspersky to check it
I will of course check once I get another updated virus definition
Jim
Plusnet

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Kaspersky isn't happy with DSL stats
« Reply #29 on: February 06, 2016, 12:10:45 PM »

Quote
7LM, I really don't think it works that way, it just wouldn't make sense as they'd be repeatedly white listing the same file for every different user that reports it, but it will be interesting to see the outcome. I've also noticed that when downloading a file Avast will complain about it, but when I ask Avast to scan the file on the disk it's quite happy  ???

Agreed it's a hard way of doing things.  Trouble is, whilst I have not the slightest idea how the underlying detection algorithms might work, I would speculate that AV vendors would not want to change these algorithms lightly.   That is why I can believe that the first step in responding to a false-detection might be, effectively, a specific whitelist.  Longer term, the algorithms might change.

But as already confessed, these thoughts are all just based on personal experience of some years ago.   It's possible I reached the wrong conclusions at the time.  It's also possible my recollection is less than perfect.   :)

Verging off-topic, I was interviewed for a job with one of the AV vendors.  The job I applied for was nothing to do with AV, but I did ask, out of curiosity, what sort of qualifications were expected of the gurus that do the nitty-gritty virus detection and analysis?   Highly specialised it seemed, more than just an alternative vocation for the average programmer.