hkisit
Level 8

False Artemis!9A1ED0A5F625


Hi,

I have submitted a sample for analysis and am waiting for the reply. Analysis ID: 9188294.

I downloaded a command line calculator program (calc.exe) from SourceForge.net, "Command Line Calculator".

Manual scan by McAfee is clean. I have another program "A" that will call this calculator.

When program "A" gives an error result, I find the calculator program disappears and is actually quarantined as a suspected Trojan.

It just keeps getting periodically quarantined even after I restore it.


It is disturbing! If it is bad, why does the manual scan tell me it is clean every time?

I submitted the file to Metascan-online.com, and only 3/41 scan engines (incl. McAfee) find a threat.

My question is: in the Quarantine Item Details, it also shows some registry keys.

Does that mean it is caught when it attempts to change those keys?

Screenshot as below. Thanks for any help !

mcafee.png


Accepted Solutions
hkisit
Level 8

Re: False Artemis!9A1ED0A5F625


After further web search, I found that AutoIt-compiled EXEs are quite well known for antivirus false positives.

In AutoIt Wiki it reads "The most common cause is an AntiVirus engine has found a set of instructions in an AutoIt EXE and deemed it malicious, took the general signature of the file, and has now flagged all (or most) AutoIt EXE's."

http://blogs.mcafee.com/mcafee-labs/autoit-and-malware-whats-the-connection

The Labs seem to have no concern about false positive though ...

Some other forum members mentioned it could give different antivirus detection results depending on the AutoIt compile options used. I decompiled the original calc.exe. The script has no obfuscation, and clearly it just does the simple task of passing an arithmetic expression for calculation and returning the result. I then compiled the exe with different options (compression level, packed/not packed with UPX, ...). Now I have a few candidates and pitifully wait to see which can "survive".

Scan on demand (Artemis sensitivity: Very high) reports an Artemis detection for one or two exes (I do not remember which; maybe those packed with UPX) and no detection for the others. Interestingly, they all get a higher detection ratio on virustotal.com than the original calc.exe (4/53 or 5/53 against 2/53).

One or two days later, they (including the original calc.exe) were quarantined by the background scan. A re-scan states they are all actually clean. I speculate Artemis detection does not care about definition file updates. What's the use of appealing a false positive, indeed?

Attachments: mcflow.png, mcafee7620.png, mcafee7621.png, mcafee7624.png


Now I have only one candidate (does it look "nice" enough?) that has not been detected by Artemis yet.

Still the same source script, but for this one I assigned an icon when compiling ... Yes, this silly thing makes a difference!

I will wait one week, and if this candidate is never quarantined, I deem my problem solved.


The information above is written for reference for folks who meet similar trouble.

10 Replies
Peacekeeper
Level 20

Re: False Artemis!9A1ED0A5F625


You should get a tech popping in here soon; if not, ask and I will stir him up. Best to give it a couple of days before you ask.

Your original name was unsuitable; it was renamed to hkisit to avoid the censors.

You will need to log out and log in again.

OK, I see this is a corporate program detection as well; as you have SafeBoot installed, you will have Enterprise as well, I assume.

catdaddy
Level 20

Re: False Artemis!9A1ED0A5F625


The file (calc.exe) can be a legitimate Windows file. However, it can also be disguised malware, depending on where you have downloaded it from. See this site and the detections; scroll down to where the different anti-virus engines have detected it, including McAfee: calc.exe | ThreatExpert statistics

As with all malware/PUPs, they have different variants. I recommend running the latest McAfee Stinger/McAfee Rootkit Remover (read how to use it), followed by Malwarebytes (Free) for a second opinion.

To keep Malwarebytes (Free), DO NOT accept any Free Trial offers or activate the Pro version throughout the download/installation process. The Free version will suffice.

You can obtain these free superb tools here:

You may find the following articles most informative as to how this may have arrived on your system:

All the very best,

Catdaddy

McAfee Volunteer Moderator

Consumer Products

Cliff
McAfee Volunteer
catdaddy
Level 20

Re: False Artemis!9A1ED0A5F625


Just noticed that you are possibly running Enterprise software; if so, they have different methods compared to the Consumer software to address these particular detections. The above recommendations are for the Consumer McAfee applications.

Cliff
McAfee Volunteer
catdaddy
Level 20

Re: False Artemis!9A1ED0A5F625


You may try uploading the file to www.virustotal.com also.

Cliff
McAfee Volunteer
hkisit
Level 8

Re: False Artemis!9A1ED0A5F625


Thanks for your reply.

Yes, I have been aware of the potential infected/disguised file issue.

The file checksum is the same as the file from sourceforge.net.

On the same date as the submission (5-Nov), I got a reply from "Virus_Research(at)avertlabs.com" that automated analysis is not able to determine it.

So I wait.


Still on the same date (5-Nov), I downloaded GetSusp. After the scan, a few files (including calc.exe) were submitted with WorkItemID: 1496085.

3 minutes later, I received an email with EXTRA.DAT attached saying "ID Number: 1496085 Identified: Generic.TRA", and only calc.exe is listed.

Does that mean the file calc.exe is confirmed malicious? Or do I need to wait?

Today (11-Nov) I just found that a manual Scan On Demand will detect it as an Artemis Trojan if I set Artemis sensitivity to "very high".

If the sensitivity is "high" or lower, no detection is found. (DAT version 7618.0000)

The detection ratio from virustotal.com is 2/53. The database update is from 20141110 or 20141111.

McAfee and McAfee-GW-edition both state not detected.

- F-Prot : W32/AutoIt.BQ.gen!Eldorado

- Thehacker : Trojan/Dropper.gen

The file calc.exe was compiled by Microsoft AutoIt. The author has also included the source code on sourceforge.net (just around 10 lines of code).

I suspect that by default AutoIt may include some sensitive DLL not actually called in calc.exe, which may be considered "dangerous" by some engines?

I will try to compile it again myself and see if there is any unnecessary resource linkage I can eliminate, and whether this makes any difference.

Thanks for reading this long story!

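Two things in this thread can be checked locally rather than by waiting on a lab: the checksum comparison against the SourceForge copy mentioned in the post above, and the "general signature of the file" mechanism described in the AutoIt Wiki quote in the accepted solution, where an engine keys on the AutoIt stub rather than on what the script does. The Python script below is an added example written for this page; it is not code from the thread, from AutoIt or from McAfee. It assumes the strings AU3!EA06 and "This is a third-party compiled AutoIt script." (carried by the AutoIt v3 interpreter stub) and the UPX0/UPX1 section names as the generic markers, and it uses small constructed PE-shaped blobs in place of real samples. The constructed "scripts" inside the blobs are illustrative, not the calculator's real source.

```python
"""Added example: why a generic signature on the AutoIt stub hits a harmless
calculator, plus the checksum comparison used to rule out a tampered download.
Constructed PE-shaped blobs stand in for real samples; nothing here is
McAfee's or AutoIt's code."""
import hashlib
import hmac
import struct

# Strings carried by the AutoIt v3 interpreter stub, present in every compiled
# script regardless of what the script does (assumed markers for this example).
AUTOIT_MARKERS = (b"AU3!EA06", b"This is a third-party compiled AutoIt script.")
# Section names the UPX packer writes into a packed PE.
UPX_SECTION_NAMES = (b"UPX0", b"UPX1")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, published_hex: str) -> bool:
    """Compare a download against the hash published by the source site."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def pe_section_names(data: bytes) -> list:
    """Walk the PE section table and return section names (empty if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return []
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(n_sections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def generic_flags(data: bytes) -> list:
    """The kind of heuristic the AutoIt Wiki quote describes: it keys on the
    stub and the packer, never on the script's behaviour."""
    flags = []
    if any(m in data for m in AUTOIT_MARKERS):
        flags.append("autoit-compiled")
    if any(n in UPX_SECTION_NAMES for n in pe_section_names(data)):
        flags.append("upx-packed")
    return flags


def build_fake_pe(section_names, payload: bytes = b"") -> bytes:
    """Constructed, non-executable PE-shaped blob: DOS header, COFF header with
    no optional header, a section table, then an opaque payload."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + payload


# Constructed samples: a plain AutoIt build of a calculator, a plain AutoIt
# build of a dropper-like script, a UPX-packed calculator build, and an
# unrelated program. The script bodies differ; the stub marker does not.
CALC_SCRIPT = b'MsgBox(0, "calc", Execute($CmdLine[1]))'
DROPPER_SCRIPT = b'FileInstall("payload.exe", @TempDir & "\\x.exe") ; Run(...)'
PLAIN_AUTOIT = build_fake_pe([b".text", b".rsrc"], b"AU3!EA06" + CALC_SCRIPT)
PLAIN_DROPPER = build_fake_pe([b".text", b".rsrc"], b"AU3!EA06" + DROPPER_SCRIPT)
UPX_AUTOIT = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"AU3!EA06" + CALC_SCRIPT)
NOT_AUTOIT = build_fake_pe([b".text"], b"plain C program, no stub")


if __name__ == "__main__":
    samples = [("calc (plain)", PLAIN_AUTOIT), ("dropper (plain)", PLAIN_DROPPER),
               ("calc (UPX)", UPX_AUTOIT), ("other", NOT_AUTOIT)]
    for name, blob in samples:
        print(f"{name:16s} sha256={sha256_hex(blob)[:16]}...  flags={generic_flags(blob)}")
    # The SourceForge check from the thread: same bytes, same hash.
    print("download matches published hash:",
          checksum_matches(PLAIN_AUTOIT, sha256_hex(PLAIN_AUTOIT)))
```

The calculator and the constructed dropper come out with identical flags, which is the point: a signature taken from the stub cannot tell them apart, and the compile-option experiments in this thread (UPX on or off, icon or no icon) only change which heuristic fires. The hash comparison is what actually rules out a tampered download; it says nothing about whether the stub will be flagged.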
Peacekeeper
Level 20

Re: False Artemis!9A1ED0A5F625


Asked a tech to comment

SafeBoot
Level 21

Re: False Artemis!9A1ED0A5F625


Artemis means it's a behavioural detection, not a known/unknown condition. So you need to submit it as a false positive if indeed the file has no malicious behaviour.

It's triggering on a number of detections which are usually only seen in malware (don't ask what; I am not going to tell). This might just be bad luck, or it might be an indication that things are not what they seem.

catdaddy
Level 20

Re: False Artemis!9A1ED0A5F625


As SafeBoot suggested, I would resubmit just in case. I might add that I have contacted a McAfee Labs Technician/Engineer to take a look at your Work Item ID # from your submittal through GetSusp, and your Analysis ID # as well.

All the best,

Catdaddy

McAfee Volunteer Moderator

Consumer Products

Cliff
McAfee Volunteer