Author Topic: Falso positivo en JPG ?  (Read 5488 times)

0 Members and 1 Guest are viewing this topic.

gabrielcoronel

  • Guest
Falso positivo en JPG ?
« on: May 07, 2012, 02:24:31 PM »
Hola
Las ultimas definiciones me indican virus (TML:Framer-D [Trj]) en archivos de imagenes.
pero estoy seguro que estos archivos no tienen virus, pues comprove con una copia historica en otra PC i son identicos.
que opinan?

Online CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: Falso positivo en JPG ?
« Reply #1 on: May 07, 2012, 02:33:52 PM »
Please post in english or ask your question in the spanish forum section http://forum.avast.com/index.php?board=25.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Falso positivo en JPG ?
« Reply #2 on: May 07, 2012, 02:38:44 PM »
upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners

gabrielcoronel

  • Guest
Re: Falso positivo en JPG ?
« Reply #3 on: May 07, 2012, 03:01:46 PM »
OK
Gracias
thanks

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Falso positivo en JPG ?
« Reply #4 on: May 07, 2012, 03:17:35 PM »
Given that there is a 23/40 detection rate in the other topic you were asked to create, http://forum.avast.com/index.php?topic=98115.0, I rather doubt it is a false positive.

It wouldn't hurt to send it for further analysis, but given the VT results, it is more likely it is a good detection, why do you feel it is an FP ?

Though it would have been good to post the URL for the VirusTotal results page so we can see what other scanners detect it as.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

iroc9555

  • Guest
Re: Falso positivo en JPG ?
« Reply #5 on: May 07, 2012, 03:36:12 PM »
I already asked for the VT URL result and which Avast! shield or scan detected the files.

http://forum.avast.com/index.php?topic=98115.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Falso positivo en JPG ?
« Reply #6 on: May 07, 2012, 05:55:45 PM »
Yes, they all seem to be detecting the same type of thing iframe malware within the jpg; so it 'seems overwhelming' that the detection is good given so many detections mostly relating to iframe and or redirection.

Also since there are quite a lot in the list of detections in his image of the avast scan results, is a bit strange.

I have checked out the page link given in the other topic and avast alerts on the 3804.jpg (image1) and that is mist certainly infected (image2, shows the inserted iframe and script tags at the end of the file), these certainly shouldn't be in a ,jpg file.

The VT results on that 3804.jpg (captured via avasts proxy) shows a high detection rate 21/41, https://www.virustotal.com/file/9a643d101d5f60cf14f20e8ae9a20e0981e7ddbca3c8688ebc45ed78fedf4e8b/analysis/1336405692/.

So it looks very like this site has been hacked and that code may well be in many or all of the jpg files on the site.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

iroc9555

  • Guest
Re: Falso positivo en JPG ?
« Reply #7 on: May 07, 2012, 05:59:39 PM »
I already informed him of the fact that it is hardly a F/P. Also gave him information passed to me that the web site seems a bit shady. He told me that he is the coauthor of the site and it could not be. I told him to report it to Avast! virus lab and let them decide.

Thanks DavidR.
« Last Edit: May 07, 2012, 06:07:19 PM by iroc9555 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Falso positivo en JPG ?
« Reply #8 on: May 07, 2012, 06:07:06 PM »
You're welcome.

Yes, the proof is in the content of the .jpg that I captured and examined and (even if not totally malicious, but I can't see that), as far as I'm concerned there really is no legitimate reason to put iframe and script tags embedded into a jpg file. This no doubt is the feeling of the 21 scanners.

So the co-author needs to remove that code if placed there by him or other author, if not then the site has been hacked and the iframe and script tags inserted into the .jpg/s.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

iroc9555

  • Guest
Re: Falso positivo en JPG ?
« Reply #9 on: May 07, 2012, 06:10:27 PM »
..... if not then the site has been hacked and the iframe and script tags inserted into the .jpg/s.

That is what Populous told him when explaining why Avast! was detecting the images.

http://forum.avast.com/index.php?topic=98115.msg782386#msg782386