Author Topic: My software is always a victim of false positives  (Read 10220 times)


Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: My software is always a victim of false positives
« Reply #15 on: February 15, 2017, 02:02:15 PM »
1. I haven't used a digsig myself yet, so I cannot be of much help with signing :( But I do know that we can then whitelist the signature, which will make all behav shield detections, as well as most other detections, go away.
2. FileRepMalware means that the exact file (based on sha256) was classified as malicious. Now that might have been because of behav shield detection previously, or because of many different reasons. If you paste the SHA here (or if you upload the file to virustotal, which also computes the hash, and post the result link here), I can tell you why it was blocked and whitelist it.

REDACTED

  • Guest

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: My software is always a victim of false positives
« Reply #17 on: February 15, 2017, 07:52:05 PM »
I did the following:
- Whitelisted the file (8F789AABCDBE2A56977883188991066E28C62484E8DFF855F87290185AECC0F1), so it will not be detected any more
- Added isaerp.com.br to clean cybercapture class, meaning all files should be classified as clean when they go to cybercapture
- Found that there is a detection (Sf:GenMalicious-C [Trj]) on the file when it is executed in sandbox, so I contacted the author of the detection for it to be altered (if possible)

Hopefully these steps can prevent some of the false positives, but digitally signing the files is still considered the safest bet ;)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: My software is always a victim of false positives
« Reply #18 on: February 16, 2017, 02:40:41 AM »
Added isaerp.com.br to clean cybercapture class, meaning all files should be classified as clean when they go to cybercapture
Hmmm... That shouldn't be a final solution, as it is an open door for anything wrong/malicious that gets into the site.
Am I wrong?
The best things in life are free.

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: My software is always a victim of false positives
« Reply #19 on: February 16, 2017, 07:26:11 AM »
Added isaerp.com.br to clean cybercapture class, meaning all files should be classified as clean when they go to cybercapture
Hmmm... That shouldn't be a final solution, as it is an open door for anything wrong/malicious that gets into the site.
Am I wrong?
It is not as strong as I (might have) made it sound, which is why I also said that it might only prevent "some" of the FPs and that digsig is still the preferred way.

Firstly, this rule I made could only trigger on files that go to cybercapture. This means that it must be a PE file that is downloaded from a certain domain, and the user who downloads it must be the very first person in the world (with Avast) to execute it, and there must be no detection on the file yet. If the file is non-PE (HTML, JS, PDF), or if it is known (prevalence > 1), or if the file is similar to other malware (so the detections, such as trojangens or evogens would trigger), it would not go to cybercapture at all.

Secondly, even within cybercapture there are many (what we call) boxes, each of which tests one thing. One might check the URL, one might run the sample in sandbox, one might check similarity to other files, you get the idea. These boxes all produce results (clean, unknown, malware) and based on these results, Decision Maker decides. Even with some boxes reporting "clean", cybercapture might still say "do not allow this program to run".

I hope I made myself clear that there is very little security risk when I add the URL to clean class ;) If not, I will be happy to elaborate, ask away! 8)
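A constructed model of the two-stage flow described in the post above (the eligibility gate, then several boxes feeding a Decision Maker), to show why putting a domain in the clean class only changes one box's vote. This is added example code, not Avast's implementation; the eligibility rule and the box verdicts follow the post, while the Decision Maker's aggregation rule and the set-of-domains representation of the clean class are assumptions.

```python
# Added, constructed model of the CyberCapture flow described in the post above.
# The eligibility rule and box verdicts follow the post; the Decision Maker's
# aggregation rule is an assumption for illustration, not Avast's real logic.
from dataclasses import dataclass

CLEAN, UNKNOWN, MALWARE = "clean", "unknown", "malware"   # verdicts a box can return


@dataclass
class Sample:
    is_pe: bool            # only PE executables are eligible
    domain: str            # domain the file was downloaded from
    prevalence: int        # number of Avast users who have executed it so far
    has_detection: bool    # an existing signature (e.g. a trojangen) already fires
    sandbox_verdict: str   # constructed result of the sandbox box


# Assumed representation of the "clean cybercapture class": a set of domains.
CLEAN_CLASS_DOMAINS = {"isaerp.com.br"}


def goes_to_cybercapture(s: Sample) -> bool:
    """Gating from the post: PE file, first execution in the world, no detection yet."""
    return s.is_pe and s.prevalence <= 1 and not s.has_detection


def url_box(s: Sample) -> str:
    """The URL box: the clean class only turns this one box's vote to CLEAN."""
    return CLEAN if s.domain in CLEAN_CLASS_DOMAINS else UNKNOWN


def sandbox_box(s: Sample) -> str:
    """The sandbox box; here it simply reports the constructed verdict."""
    return s.sandbox_verdict


def decision_maker(verdicts: list) -> str:
    """Assumed aggregation: any MALWARE vote blocks; allow only if every box is CLEAN."""
    if MALWARE in verdicts:
        return "block"
    if all(v == CLEAN for v in verdicts):
        return "allow"
    return "hold"   # keep analysing rather than let the program run


def cybercapture(s: Sample) -> str:
    """Full path for one download: either not eligible, or a Decision Maker outcome."""
    if not goes_to_cybercapture(s):
        return "not-eligible"   # ordinary detections handle it instead
    return decision_maker([url_box(s), sandbox_box(s)])
```

A file from the clean-class domain whose sandbox run reports malware is still blocked, and non-PE or already-known files never reach the boxes at all.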

REDACTED

  • Guest
Re: My software is always a victim of false positives
« Reply #20 on: February 16, 2017, 01:25:45 PM »
Added isaerp.com.br to clean cybercapture class, meaning all files should be classified as clean when they go to cybercapture
Hmmm... That shouldn't be a final solution, as it is an open door for anything wrong/malicious that gets into the site.
Am I wrong?

And if isaerp.com.br had an SSL cert? Would that help it not be a FP?

Anyway, I am talking about the code digsig with my team.

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: My software is always a victim of false positives
« Reply #21 on: February 16, 2017, 01:36:37 PM »
And if isaerp.com.br had an SSL cert? Would that help it not be a FP?
Not much - we do not check what SSL cert the domain has that the downloaded file came from.

Anyway, I am talking about the code digsig with my team.
Cool!

REDACTED

  • Guest
Re: My software is always a victim of false positives
« Reply #22 on: February 16, 2017, 01:47:01 PM »
Not much - we do not check what SSL cert the domain has that the downloaded file came from.

But if the domain has an SSL cert, it's reliable, isn't it?

By the way, thanks! If I need more help, do I come back to this post or open another one referencing this?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: My software is always a victim of false positives
« Reply #23 on: February 16, 2017, 01:57:51 PM »
No, it only means that data traffic is encrypted.
It doesn't say anything about the reliability of a site.

REDACTED

  • Guest
Re: My software is always a victim of false positives
« Reply #24 on: February 16, 2017, 02:08:31 PM »
No, it only means that data traffic is encrypted.
It doesn't say anything about the reliability of a site.

Cool, tks

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: My software is always a victim of false positives
« Reply #25 on: February 16, 2017, 02:17:18 PM »
If I need more help, do I come back to this post or open another one referencing this?
When you have the digsig, let us know here. If there is a completely unrelated issue, you may of course start a new thread ;)

REDACTED

  • Guest
Re: My software is always a victim of false positives
« Reply #26 on: February 16, 2017, 02:19:09 PM »
When you have the digsig, let us know here. If there is a completely unrelated issue, you may of course start a new thread ;)

Fine, thanks HonzaZ, you helped me a lot. If I answer an NPS query now, you will receive a 10 from me, hahaha
« Last Edit: February 16, 2017, 02:21:11 PM by Houshi Sennin »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: My software is always a victim of false positives
« Reply #27 on: February 16, 2017, 03:21:33 PM »
Hi Lisandro,

I think your remarks are valid ones. I also find the infrastructure there quite questionable.
isaerp dot com dot br redirects to asseinfo, and in particular there is fake Googlebot activity (which in a lot of cases means cloaking activity) on, for instance: htxps://d335luupugsy2.cloudfront.net/http://www.asseinfo.com.br/wp-content/themes/asseinfo/js/loader-scripts/6901f2e6-ce31-4235-9af7-012e51dd524a-loader.js

Re: https://sritest.io/#report/2fc3e274-c7f1-49e6-a280-693d7257691c

Scan info: https://aw-snap.info/file-viewer/?tgt=https%3A%2F%2Fd335luupugsy2.cloudfront.net%2Fhttp%3A%2F%2Fwww.asseinfo.com.br%2Fwp-content%2Fthemes%2Fasseinfo%2Fjs%2Floader-scripts%2F6901f2e6-ce31-4235-9af7-012e51dd524a-loader.js&ref_sel=GSP2&ua_sel=ff&fs=1
While it comes up as forbidden, that does not mean we have to take the hidden activities going on there at face value!

See C status here with a subroutine, aka same-origin script issue, here: https://d335luupugsy2.cloudfront.net/http://www.asseinfo.com.br/wp-content/themes/asseinfo/js/loader-scripts/6901f2e6-ce31-4235-9af7-012e51dd524a-loader.js
Also consider the issues here: (1 error and 5 warnings): https://mxtoolbox.com/domain/isaerp.com.br/

Then we have this to consider: Certificate is not installed correctly
isaerp.com.br
You have 1 error
Wrong certificate installed.
The domain name does not match the certificate common name or SAN.
*.websiteseguro.com, websiteseguro.com THAWTE SHA256 SSL CA
Strict Transport Security (HSTS): Not Enabled
SSL/TLS compression: Not Enabled
RC4: Not Enabled
OCSP stapling: Not Enabled

Amazon Seattle - Cloudfront knows exactly what is going on on their servers, but they only provide the service and are not interested in what they transport. From the configurations I assume the traffic could be open to abuse, also in the light of the above scan results and the insecurity detected.

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
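The "domain name does not match the certificate common name or SAN" error in the scan results quoted above is the hostname-matching check every TLS client performs. The following is an added example of that check, not code from the scanner or from any poster; the SAN list is reconstructed from the report and the matching rules follow RFC 6125 (wildcard only as the whole left-most label).

```python
# Added example: the hostname-vs-SAN check behind "The domain name does not match
# the certificate common name or SAN". Not from the scanner quoted above; the SAN
# list is reconstructed from the report and the matching rules are RFC 6125 style.

def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one dNSName from a certificate covers hostname."""
    pat = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False          # *.example.com covers neither example.com nor a.b.example.com
    if any("*" in label for label in pat[1:]):
        return False          # a wildcard is only allowed in the left-most label
    if pat[0] == "*":
        if len(pat) < 3:
            return False      # refuse *.com style wildcards
        return pat[1:] == host[1:]
    if "*" in pat[0]:
        return False          # partial wildcards such as w*.example.com are rejected
    return pat == host


def cert_covers_host(san_dns_names, hostname: str) -> bool:
    """True if any SAN dNSName covers the hostname the client connected to."""
    return any(name_matches(n, hostname) for n in san_dns_names)


# Constructed from the report: the cert served for isaerp.com.br named websiteseguro.com.
SAN_FROM_REPORT = ["*.websiteseguro.com", "websiteseguro.com"]
```

Run against the reconstructed SAN list, isaerp.com.br is not covered, which is exactly the mismatch the scanner reported; a browser would refuse the connection for the same reason.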

REDACTED

  • Guest
Re: My software is always a victim of false positives
« Reply #28 on: February 16, 2017, 06:00:30 PM »
Hi Polonus.

Tell me if I am wrong.

Reading what you wrote here, do both domains need an SSL sig to be trusted? And fix the "htxps://d335luupugsy2.cloudfront.net/http://www.asseinfo.com.br/wp-content/themes/asseinfo/js/loader-scripts/6901f2e6-ce31-4235-9af7-012e51dd524a-loader.js" content?

If I am saying anything nonsensical, sorry, my English is not so good. Haha

REDACTED

  • Guest
Re: My software is always a victim of false positives
« Reply #29 on: March 14, 2017, 08:57:40 PM »
Hello HonzaZ, Lisandro and Polonus

I'm from the ISA devel team, with Houshi, and for a while I have been dealing with the ISA vs Avast saga.
After reading all your support on this subject (thanks for that), we found that the best solution is the digital signature, but the main question here is, "is this the definitive solution?". As I couldn't answer this question for the whole team, I'm here to respectfully ask YOU this question.
So, if we sign our products (ISA.EXE and ISA_PDV.exe), will it be the definitive solution? Remember that we release new versions of those products at least once a week and sometimes twice or three times a week, and every time our customers update it, we get an Avast block.
Thank you again for all your help, and I'll wait for your answer, to then acquire a digsig properly.