Author Topic: Possible false positive.  (Read 9261 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Possible false positive.
« on: February 09, 2006, 02:04:44 AM »
I may have found a false positive in a download for Windows X Boot CD (UltimateBootCD); the download is a zip file containing, I believe, an iso image to burn to CD. It is 4.4MB and the link is http :// www dot docsdownloads.com/download/xpbootcd.zip.

The strange thing is that part way through the download avast web shield alarmed and reported:
Quote
Sign of "KillCMOS-J [Trj]" has been found in "http :// www dot docsdownloads.com/download/xpbootcd.zip\XPBOOT.ISO" file. 

The reason I say strange is that the download hadn't completed and the internal file is an iso file, which I thought avast couldn't scan?

So it would appear that this is a false positive.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

Re: Possible false positive.
« Reply #1 on: February 09, 2006, 02:27:24 AM »
Update: paused web shield to allow for the download, which went OK. The file isn't 4.4MB as reported on the web site.

No auto scan by Standard Shield on the zip file, as expected; an ashQuick.exe scan returned two alerts (so it looks like avast can look inside .iso files):

Quote
Sign of "KillCMOS-J [Trj]" has been found in "D:\Downloads\xpbootcd.zip\XPBOOT.ISO\ZEROCMOS\KILLCMOS.COM" file. 
and
Sign of "KillCMOS-J [Trj]" has been found in "D:\Downloads\xpbootcd.zip\XPBOOT.ISO" file. 

So it is alerting on both the iso and the killcmos.com inside the ISO.

There are a number of tools inside the ISO to use in the event you can't get into Windows and need to use the BOOTCD, so this would appear to be one of the tools that, although it has a legitimate use, could also have a malicious use.

I elected to send the file (KILLCMOS.COM) to the chest, but that ultimately (excuse the pun) failed: unable to process that file type. So it sent the xpboot.iso to the chest, and it appeared to delete the zip wrapper file.

I will try and upload it to Jotti and see what that makes of it and ultimately (I know ;D) send it to avast to investigate.

Offline DavidR

Re: Possible false positive.
« Reply #2 on: February 09, 2006, 02:36:27 AM »
Me again, talking to myself ;D

Jotti has avast and two other AVs, BitDefender and Kaspersky, detecting it as effectively the same trojan (Trojan.KillCMOS); the rest don't find anything.

I still think this is an instance of a tool that can be used for legitimate purposes being detected as malicious, since an AV can't forecast its use or intent.

CharleyO

  • Guest
Re: Possible false positive.
« Reply #3 on: February 09, 2006, 06:48:34 PM »
***

As for me, I would rather it be detected as it is in this case than to not be detected at all. Like keyloggers that could be used for good but are often used for bad, you noted that could also be the case with this. I would want neither of these on my computer without my knowledge.    >:(

As I see it, Avast did you (or maybe someone else some other time) a favor. You may have already known what you were downloading but there are those who would not have known.   :)


***

Offline DavidR

Re: Possible false positive.
« Reply #4 on: February 09, 2006, 07:39:56 PM »
I too would rather err on the side of safety, and hopefully anyone downloading these tools would have enough nous to know what they are about and realise it is an FP in this context, as a tool to reset CMOS, etc.

Interestingly, this is obviously a known issue, as it is mentioned in the documentation; the problem is that unless you disable web shield/standard shield it won't let you complete the download, so you can't investigate or read the documentation.

Quote
Some of the antivirus programs will "detect" these program as trojans.
This was coded into their programs long ago to prevent newbies from
accidentally wiping out their hard drive settings in the time before
auto-detect hard drives became standard in most bios's.
Relating to some of the boot tools, KillCmos, WipeCmos and ClrCmos

Quote
What is it?

KillCMOS basically "resets" your computer's CMOS settings to the factory defaults. Works with ALL CMOS.  KiLLCMOS only changes checksums & values that makes the motherboard CMOS revert back to factory defaults.

  **  IT DOES NOT ReProgram your CMOS like a FLASH ROM Writer does.

  ** IT DOES NOT DAMAGE Hardware.  KiLLCMOS reads/writes to areas of the
      CMOS that gets written to everyday, the difference is the VALUES that
      we give it(cmos).

WipeCMOS is simply designed to clear all CMOS settings to recover from lost
passwords or corrupt BIOS settings.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Re: Possible false positive.
« Reply #5 on: February 09, 2006, 07:56:03 PM »
Hi DavidR,

If it is for real, see here:
http://www.tenebril.com/src/info.php?id=126165318 this can be considered as one of the most dangerous malware around, as it could render your hardware (computer) completely useless. These so-called "nukers" are reckoned to be among the most dangerous malware that exist at this time. They are used by genuine hackers that "go for the kill".
Even if it is a FP, you have to investigate this very thoroughly, to make sure what you have aboard.

greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

Re: Possible false positive.
« Reply #6 on: February 09, 2006, 08:06:16 PM »
Polonus, I don't doubt that it can be used for harm (or that it is the same one, as this one is a DOS .com application), but when it is part of a set of boot tools in the Ultimate Boot CD the only one using it will be me, if it is ever required.

You can rest assured I have investigated it fully.

mauserme

  • Guest
Re: Possible false positive.
« Reply #7 on: February 11, 2006, 06:16:35 AM »
Quote
so this would appear to be one of the tools that although has a legitimate use it could also have a malicious use.
I still think it is the instance of a tool that can be used for legitimate purposes being detected as malicious since an AV can't forecast its use or intent.
I too would rather err on the side of safety
Polonus, I don't doubt that it can be used for harm

so ...  not a false positive, then??
« Last Edit: February 11, 2006, 06:26:39 AM by mauserme »

Offline DavidR

Re: Possible false positive.
« Reply #8 on: February 11, 2006, 03:10:41 PM »
The jury is still out, as it can't be determined what the purpose is. The group of programs is downloaded to do specific tasks; one of those tools allows for the resetting of the CMOS should it be required. It makes clear in the accompanying documentation that some AVs may pick this up; unfortunately web shield detected it before you ever got to the HDD, so you couldn't check the documentation.

The other issue is that the file is inside an .iso disk image that is effectively inert until you burn it to disk, then run the CD you burned and execute the suspect file. Now, had web shield been paused (as I did to get the download), standard shield doesn't even scan it, presumably because it is a form of archive file (inert), even though it is a newly created file, having been downloaded. So why would the web shield scan it if standard shield doesn't? That is my question.

This is very similar to avast detecting key loggers that have been installed by the user to monitor activity by those on the system (parents watching over kids, for instance); used for this legitimate purpose it isn't harmful/malicious. The same can be said of this tool when intentionally downloaded and used for legitimate purposes.

The problem stems from the AV not being able to determine that purpose.
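The pair of alerts reported earlier in this thread (one on KILLCMOS.COM, one on the XPBOOT.ISO that wraps it) is what a scanner that recurses into containers produces: it flags the innermost match and then every container enclosing it. The Python script below is an added example, not avast code and not anything posted in this thread. It walks a nested archive entirely in memory, so members are read but never written to disk or executed (the "inert" point made above), reports each node with a SHA-256 that can be submitted to a multi-engine service such as Jotti, and reproduces the container-propagating alert format. Because the standard library has no ISO 9660 reader, a nested zip stands in for the .iso image; the byte pattern it matches is a constructed marker, the detection name is a placeholder, and the sample download is constructed inline.

```python
import hashlib
import io
import zipfile
from typing import Callable, Iterator, List, Tuple

# Constructed marker that stands in for an AV byte signature. It is NOT a
# real detection pattern; it only exists so the walk has something to flag.
SAMPLE_SIGNATURE = b"CONSTRUCTED-DUALUSE-MARKER"
DETECTION_NAME = "Sample.DualUse [constructed]"  # placeholder, not a real name

Node = Tuple[str, str, bool]  # (path inside the download, sha256, flagged)


def matches_signature(data: bytes) -> bool:
    """Stand-in for a pattern match; real engines do far more than a substring test."""
    return SAMPLE_SIGNATURE in data


def is_zip(data: bytes) -> bool:
    """Cheap container sniff on the zip local-file-header magic."""
    return data[:4] == b"PK\x03\x04"


def walk_container(name: str, data: bytes, matcher: Callable[[bytes], bool],
                   parent: str = "") -> Iterator[Node]:
    """Yield a Node for `name` and, if it is a zip, for every member beneath it.

    Members are read from memory and never executed. A container is flagged
    when any member under it is flagged, which is why an alert appears on the
    image as well as on the file inside it.
    """
    path = f"{parent}\\{name}" if parent else name
    digest = hashlib.sha256(data).hexdigest()
    if not is_zip(data):
        yield (path, digest, matcher(data))
        return
    flagged = False
    children: List[Node] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_name = info.filename.replace("/", "\\")  # report Windows-style paths
            subtree = list(walk_container(member_name, zf.read(info), matcher, path))
            children.extend(subtree)
            flagged = flagged or subtree[0][2]  # subtree[0] is the member itself
    yield (path, digest, flagged)
    yield from children


def scan_report(download_name: str, data: bytes) -> List[str]:
    """One alert line per flagged node, in the format the shields print."""
    return [f'Sign of "{DETECTION_NAME}" has been found in "{path}" file.'
            for path, _digest, flagged in walk_container(download_name, data, matches_signature)
            if flagged]


def build_sample_download() -> bytes:
    """Constructed stand-in for xpbootcd.zip: an outer zip holding XPBOOT.ISO,
    which is itself a zip here because the stdlib cannot read ISO 9660."""
    image = io.BytesIO()
    with zipfile.ZipFile(image, "w") as zf:
        zf.writestr("ZEROCMOS/KILLCMOS.COM", b"constructed .com stand-in " + SAMPLE_SIGNATURE)
        zf.writestr("README.TXT", b"Constructed benign text file.\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("XPBOOT.ISO", image.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_download()
    for path, digest, flagged in walk_container("xpbootcd.zip", sample, matches_signature):
        print(f"{'FLAG' if flagged else 'ok  '} {digest[:16]}... {path}")
    print()
    print("\n".join(scan_report("xpbootcd.zip", sample)))
```

Run as-is and the walk lists four nodes, three of them flagged: the outer zip, the image, and ZEROCMOS\KILLCMOS.COM, while README.TXT stays clean. Swapping `matches_signature` for any other matcher (a hash allow-list, for example) changes what gets flagged without touching the container logic, which is the part that explains why one detection yields alerts at several path depths.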

Offline polonus

Re: Possible false positive- wolves in sheepskin
« Reply #9 on: February 11, 2006, 03:43:36 PM »
Hi David,

I think this is a very, very good policy by Avast. If a program is legit and it can also be used for malicious purposes by third parties, then flagging it as possibly malicious is right. Better to be forewarned in these cases. A lot of malware goes unnoticed because it is "dressed up" as a legit program. Legit keyloggers and spyware are good examples. I can only applaud an AV application that keeps me informed that this is on my or my boss's computer. How to treat it later is a second concern upon finding it.

greets,

polonus
« Last Edit: February 11, 2006, 03:45:56 PM by polonus »

mauserme

Re: Possible false positive.
« Reply #10 on: February 11, 2006, 04:03:29 PM »
Quote
If a program is legit and it can also be used for malicious purposes by third parties, then flagging it as possibly malicious is right

I think that's the commonly expected action, as it should be. There's always the option to ignore the detection, add the program to the exclusions, etc. if it's something you want. But for those of us that didn't install it and don't want it, there should be some warning.

Offline DavidR

Re: Possible false positive.
« Reply #11 on: February 11, 2006, 04:39:33 PM »
Quote
If a program is legit and it can also be used for malicious purposes by third parties, then flagging it as possibly malicious is right

I think that's the commonly expected action, as it should be. There's always the option to ignore the detection, add the program to the exclusions, etc. if it's something you want.
I'm not arguing that this is a commonly accepted action.

When the web shield detects it there is no ignore option; even clicking the x to close the window aborts the connection and kills the download. So you can't get it to investigate or add it to the exclusions unless you disable web shield.

That is the whole point: there is an anomaly between Web Shield, which doesn't give the option to ignore, and standard shield, which does; Web Shield scans the zip file containing an .iso file, and standard shield doesn't scan it if Web Shield is disabled.

mauserme

Re: Possible false positive.
« Reply #12 on: February 11, 2006, 06:04:00 PM »
Ah, I see your point about Web Shield. An option to ignore the warning and download the file could be useful.

CharleyO

Re: Possible false positive.
« Reply #13 on: February 11, 2006, 11:01:31 PM »
***

Yes, I also did not see that point at first.    :-\

Sorry about that, David.    :-[  


***

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Possible false positive.
« Reply #14 on: February 11, 2006, 11:16:06 PM »
We don't plan to provide an "Ignore"-type button to WebShield anytime soon... The reason is, if you absolutely feel that you want to download the infected file (or you're 100% sure it's a false positive), you can always pause/stop the provider. But as soon as the protection is ON, there should basically be no WRONG answer in the dialog, because 90% of the users simply don't know what it's all about, and they just click a (more or less random) button just to make the noisy dialog go away...

BTW, the "Ignore" button in the Standard Shield provider is only available when malware is detected ON WRITE (never ON READ). That is, NO HARM can be done by pressing it; unless you pause/stop the Standard Shield provider, the infected file cannot be opened in any way.


Hope this helps,
Vlk
If at first you don't succeed, then skydiving's not for you.