
The "false positive" battle continues...

Discussion in 'General Security' started by tomdkat, Dec 23, 2010.

Thread Status:
Not open for further replies.
  1. tomdkat

    tomdkat Retired Trusted Advisor Thread Starter

    Joined:
    May 6, 2006
    Messages:
    7,148
    Well, at least it's my battle. :)

    So, the latest incident involves an AVG 2011 detection of an infected file called "curl.exe". AVG reported the file as being infected with a trojan downloader of some kind. Ok fine. I upload the file to VirusTotal.com for confirmation and 13 of 42 virus/malware scanners detected the same kind of trojan downloader infection. AVG 9.0.851, Avast!, AntiVir, and a few others reported the infection. NOD32, Kaspersky, Microsoft Security Essentials, and most others didn't report any infection.

    So, I gathered some data and sent my sample to Grisoft, Avira, and Microsoft for analysis.

    Grisoft support took a look and confirmed the false positive detection I suspected and will update their database. Fine. AVG isn't known for having a 0% false positive detection rate.

    Avira support reported the file as being infected and indicated the detection was added to their database ("way back when") and stand by the reported infection. Ohhhhh-k.

    Microsoft support took a look and confirmed no infection, just like MSE did. Cool.

    So, once again... how does one establish trust of their anti-virus application of choice?

    Next up, on the malware front I had an interesting false positive experience with Malwarebytes. Basically, I scanned a system with the "Total Security" application by Omniquad installed on it. Malwarebytes detected the desktop icon for Total Security as being the "rogue" version of "Total Security". Cool. So, I reported the possible false positive detection to Malwarebytes support and the short version is they stand by their detection of the desktop icon as being for the "rogue" application. Malwarebytes DID NOT detect the rest of the installed app, except for one DLL, as being a threat of any kind, which is why I'm thinking it was an actual false positive detection.

    As a sanity check, I uploaded the DLL Malwarebytes detected to VirusTotal for analysis and NONE of the 42 scanners it used detected anything. Considering the "Total Security" files installed on the hard drive had an install date going back to 2004, I'm thinking this app has been around for a little while. Not scientific analysis, granted, but this is what I'm thinking.

    So, are the Malwarebytes guys correct in their stance, or was this a false positive detection after all?

    I'm not looking for any assistance or anything but am seeking your thoughts on this. :)

    Thanks!

    Merry Christmas!

    Peace...
     
  2. jiml8

    jiml8 Guest

    Joined:
    Jul 2, 2005
    Messages:
    2,634
    Well, I can't offer an opinion on curl.exe, but there is a widely used package called cURL whose purpose is to provide easy to use facilities for connecting with and uploading to/downloading from the internet, mostly using HTTP or HTTPS. It exists in the *nix world, mostly, but a version is available for Windows. If this is related to that, and if what you have is legitimate, I would expect it to be a dll and not an exe, though I suppose an exe could be available and you could pipe input to it.

    Actually, an exe would kind of make sense as a downloader. You could specify the page you wanted as a command line argument and that page would be downloaded to a file on your computer. Sort of like what wget does in *nix.
     
  3. tomdkat

    tomdkat Retired Trusted Advisor Thread Starter

    Joined:
    May 6, 2006
    Messages:
    7,148
    Yep, according to the manual, the command line usage you describe is how it is supposed to be used. Now, to make things more interesting, the "curl.exe" that is in question was located in a "svctools-1.4" folder and when I do a search on "svctools 1.4", I get hits relating to malware. Cool. The thing is, both Grisoft AND Microsoft analyzed the sample I sent them and BOTH reported no infection of any kind. Only Avira is standing by their position of the file being infected. To me, this further complicates the ability to verify the results being reported by the tools we want or need to trust.

    Taking a step back, what do you think about Avira standing by their position while Grisoft acknowledges the false positive? I have to wonder if the sample I sent to Avira support was actually analyzed or not.

    How do you feel about the positions being held about false positives, in general?

    Peace...
     
  4. bp936

    bp936

    Joined:
    Oct 13, 2003
    Messages:
    3,033
    False positives are just as much of a nightmare as real malware is. I managed several times to mess up my computer by trying to remove the so-called infection. Often I find they are described as a threat, but a description of how to remove them is missing.
    I do wonder if the free scanners want us to get the paid versions. My paid Kaspersky does not seem to find as many as the unpaid scanners.
     
  5. jiml8

    jiml8 Guest

    Joined:
    Jul 2, 2005
    Messages:
    2,634
    What would "infected" mean in this case anyway? If curl.exe is a downloader (among other things) then it can't be "infected" with a downloader unless it is doing something unexpected and nefarious. Thus, Avira is correctly identifying it as a downloader but incorrectly identifying this as a stealth or trojan mechanism...if it is a downloader, then that is what it is and if it isn't concealing the fact then what is the problem?

    False positives happen. Fact of life. Heuristic analysis mechanisms are not free of defect or error. It's why you have to proceed carefully when an "infection" is defined; it might be an infection...or it might not. In this case, looks to me like Avira is wrong.

    As far as that goes, it turns out I have the curl command on my Linux workstation (I didn't realize that, though of course I have the cURL libraries available for C, PHP, Perl, and Python applications). I am quite sure that curl on my system is not malware.
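The three posts above (the 13-of-42 VirusTotal result, the curl.exe found in a "svctools-1.4" folder, and the question of what "infected" even means for a downloader) describe one triage procedure: count how many engines fire, check whether the file is a known release of a legitimate tool, and then look at where it sits on disk. The script below is an added example written for this thread, not code from any poster or any vendor, that encodes that procedure as a decision function. Everything in it is constructed: the "engine01..engine42" results, the placeholder bytes standing in for a curl.exe release, and the folders listed as expected install locations are all assumptions, not real cURL hashes or real vendor output.

```python
"""
Triage helper for an AV detection that may be a false positive.

Encodes the checks discussed in the thread:
  1. detection ratio across a multi-scanner service (e.g. 13 of 42),
  2. whether the flagged engines agree on a coarse malware family,
  3. whether the file hash matches a published release of a known tool,
  4. whether the file is in a folder where that tool is expected.
A clean, known-good tool in an unexpected folder is still worth a look:
the file itself is fine, but something put it there.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for a release binary; NOT a real curl.exe.
SAMPLE_CURL_BYTES = b"MZ constructed placeholder for a curl.exe release build"

# Hypothetical table of published release checksums. In practice these
# come from the project's own download page, never from the sample itself.
KNOWN_GOOD_SHA256 = {
    "curl.exe": {hashlib.sha256(SAMPLE_CURL_BYTES).hexdigest()},
}

# Constructed list of folders where a legitimate copy would be expected.
EXPECTED_DIRS = {
    "curl.exe": ("c:\\program files\\curl\\bin\\", "c:\\tools\\curl\\"),
}


@dataclass
class Verdict:
    label: str                       # triage outcome, see triage()
    detections: int                  # engines that flagged the file
    engines: int                     # engines that scanned the file
    families: Dict[str, int] = field(default_factory=dict)


def family_of(detection_name: str) -> str:
    """Map a vendor detection string to a coarse family; vendors name things differently."""
    n = detection_name.lower()
    for key in ("downloader", "rogue", "fakeav", "trojan", "adware"):
        if key in n:
            return "rogue" if key == "fakeav" else key
    return "other"


def triage(file_bytes: bytes, file_path: str,
           scan_results: Dict[str, Optional[str]]) -> Verdict:
    """scan_results maps engine name -> detection string, or None when the engine saw nothing."""
    norm = file_path.replace("/", "\\").lower()
    name = norm.rsplit("\\", 1)[-1]
    folder = norm.rsplit("\\", 1)[0] + "\\"
    digest = hashlib.sha256(file_bytes).hexdigest()

    flagged = {eng: det for eng, det in scan_results.items() if det}
    families = Counter(family_of(d) for d in flagged.values())
    v = Verdict("", len(flagged), len(scan_results), dict(families))

    if not flagged:
        v.label = "clean: no engine flagged it"
    elif digest in KNOWN_GOOD_SHA256.get(name, set()):
        # The bytes are a published release of a known tool, so the
        # detection is on the file, not on what was done with it.
        if folder.startswith(EXPECTED_DIRS.get(name, ())):
            v.label = "known-good release: likely false positive, report to vendor"
        else:
            v.label = ("known-good release in unexpected folder: file is clean, "
                       "investigate what put it there")
    elif len(flagged) * 2 < len(scan_results):
        v.label = "disputed: minority detection, submit sample for manual analysis"
    else:
        v.label = "likely malicious: majority of engines agree"
    return v


def thread_scenario() -> Dict[str, Verdict]:
    """Constructed scan results modelled on the cases described in the thread."""
    engines = [f"engine{i:02d}" for i in range(1, 43)]
    # 13 of 42 engines report the same sort of downloader; the rest report nothing.
    curl_results = {e: ("Trojan-Downloader.Agent" if i < 13 else None)
                    for i, e in enumerate(engines)}
    # The Total Security DLL: 0 of 42.
    dll_results = {e: None for e in engines}
    return {
        "curl_expected_dir": triage(SAMPLE_CURL_BYTES, "C:\\Program Files\\curl\\bin\\curl.exe", curl_results),
        "curl_svctools_dir": triage(SAMPLE_CURL_BYTES, "C:\\Temp\\svctools-1.4\\curl.exe", curl_results),
        "unknown_build": triage(b"some other bytes", "C:\\Temp\\svctools-1.4\\curl.exe", curl_results),
        "total_security_dll": triage(b"constructed dll bytes", "C:\\Program Files\\Omniquad\\ts.dll", dll_results),
    }


if __name__ == "__main__":
    for case, verdict in thread_scenario().items():
        print(f"{case}: {verdict.detections}/{verdict.engines} {verdict.families} -> {verdict.label}")
```

The point of the fourth branch in `triage` is the one jiml8 raises: a downloader that is exactly what it claims to be is not "infected", so once the hash matches a release, the question moves from the file to its surroundings, which is why the folder check sits inside the known-good branch rather than before it.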
     
  6. tomdkat

    tomdkat Retired Trusted Advisor Thread Starter

    Joined:
    May 6, 2006
    Messages:
    7,148
    This is an interesting observation since I believe the anti-virus comparative reports compare the commercial versions of various products, when a commercial version is available. If this is the case, the numbers of false positives reported in the comparative reports should give some kind of idea of how well the commercial versions do with false positives. I don't know if the free versions would be any more prone to reporting false positives than the commercial versions.

    I believe the free version of AVG uses the same database as the commercial version. I don't know if the scanning engine is any different between the two versions. I don't know about the free versions of AntiVir or Avast!, etc.

    Peace...
     
  7. tomdkat

    tomdkat Retired Trusted Advisor Thread Starter

    Joined:
    May 6, 2006
    Messages:
    7,148
    Good point. If it retrieves remote files from the URL/URI specified, then I would also consider it a "downloader" but not necessarily a malicious one, as you stated above. (I agree with your point :)).

    That's why I sent the sample in for presumably manual analysis. I just wonder if Avira did that analysis or not. Perhaps it's issues like this that result in AntiVir having a higher than desirable false positive detection rate.

    Peace...
     

Short URL to this thread: https://techguy.org/970300
