12 Replies. Latest reply on Dec 17, 2010 9:25 AM by vinoo

    ASSUMED_DIRTY False Positive

      I have a (likely) false positive on a Novell Netware utility:

      <removed file listing>

      No hits on VirusTotal:

      http://www.virustotal.com/file-scan/report.html?id=875dbc8f70f6b25ad89e054ed4d76bdad52ec87621133dde37b34296d9dca7fa-1264883008

      Message was edited by: mjmurra on 15/12/10 12:53:03 PM
        • 1. Re: ASSUMED_DIRTY False Positive
          vinoo

          Thanks for reporting. The file has been validated and added to our whitelist.

          Give it ~30 mins for the Artemis detection to go away.

          • 2. Re: ASSUMED_DIRTY False Positive

            So ASSUMED_DIRTY equals an Artemis detection? Out of curiosity, which level of Artemis sensitivity is used with GetSusp?

            • 3. Re: ASSUMED_DIRTY False Positive
              vinoo

              The mappings used in VirusScan to trigger Artemis-based detection are:

              Very high sensitivity level                  assumed_dirty
              High sensitivity level                       assumed_dirty2
              Medium sensitivity level                     assumed_dirty3
              Low sensitivity level                        assumed_dirty4
              Very low sensitivity level (VIRUS)           virus
              Very low sensitivity level (TROJAN)          trojan
              Very low sensitivity level (APPLICATION)     pup
              Very low sensitivity level (APPLICATION)     app

              For example, if the response bit corresponds to an assumed_dirty3, a detection will only occur if the product setting was set to Medium sensitivity level or higher. Since GetSusp is a reporting-only tool, we can afford to run it with the highest sensitivity by default. This allows it to report detections across all levels.

              1 of 1 people found this helpful
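The threshold rule vinoo describes (a cloud response fires only when the product is configured at that response's sensitivity level or higher) is easy to model, and doing so lets you read a GetSusp report, which runs at the highest sensitivity, and work out which of its hits a VirusScan endpoint at a given setting would actually have raised. The following is an added example written for this thread, not code from McAfee or from any poster; the sensitivity ordering, the `Sensitivity` enum, the `would_detect`/`triage` helpers and the three sample records are all assumptions constructed for illustration, and the record layout is a simplification rather than GetSusp's real output format.

```python
# Added example (not from the thread): models the Artemis sensitivity mapping
# from the reply above and the "configured level or higher" rule, so that a
# GetSusp report (highest sensitivity) can be triaged for what a VirusScan
# endpoint at a given setting would also have flagged.
# The (response, md5, path) record layout is a constructed simplification.

from enum import IntEnum


class Sensitivity(IntEnum):
    # Assumed ordering: a higher value is a more aggressive product setting.
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


# Cloud response name -> least aggressive product setting at which it fires.
# Taken from the mapping listed in the reply above.
RESPONSE_THRESHOLD = {
    "assumed_dirty":  Sensitivity.VERY_HIGH,
    "assumed_dirty2": Sensitivity.HIGH,
    "assumed_dirty3": Sensitivity.MEDIUM,
    "assumed_dirty4": Sensitivity.LOW,
    "virus":          Sensitivity.VERY_LOW,
    "trojan":         Sensitivity.VERY_LOW,
    "pup":            Sensitivity.VERY_LOW,
    "app":            Sensitivity.VERY_LOW,
}


def would_detect(response: str, configured: Sensitivity) -> bool:
    """True if a product configured at `configured` acts on `response`."""
    threshold = RESPONSE_THRESHOLD.get(response.lower())
    if threshold is None:
        # Unknown response names never trigger; leave them for manual review.
        return False
    return configured >= threshold


def triage(getsusp_records, configured: Sensitivity):
    """
    Split GetSusp detections into those an endpoint at `configured` would
    also raise and those only the reporting tool would show.
    Each record is a (response_name, md5, path) tuple.
    """
    flagged, quiet = [], []
    for response, md5, path in getsusp_records:
        bucket = flagged if would_detect(response, configured) else quiet
        bucket.append((response, md5, path))
    return flagged, quiet


# Constructed sample records (placeholder hashes and paths, not real files).
SAMPLE = [
    ("ASSUMED_DIRTY",  "00000000000000000000000000000001", r"C:\Tools\legit_util.exe"),
    ("assumed_dirty3", "00000000000000000000000000000002", r"C:\Temp\unknown.exe"),
    ("trojan",         "00000000000000000000000000000003", r"C:\Users\x\AppData\sample.exe"),
]


if __name__ == "__main__":
    # Show how the same GetSusp report reads at each endpoint setting.
    for level in Sensitivity:
        flagged, _ = triage(SAMPLE, level)
        print(f"{level.name:9}: endpoint would flag {[p for _, _, p in flagged]}")
```

At the Medium setting the plain `ASSUMED_DIRTY` hit from the original post stays quiet on the endpoint while `assumed_dirty3` and `trojan` fire, which is why a GetSusp report can list files that VSE on the same machine never complained about.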
              • 4. Re: ASSUMED_DIRTY False Positive

                Thanks for the info Vinoo. It's good to know what the various responses are.

                • 5. Re: ASSUMED_DIRTY False Positive

                  This one is a little strange:

                  <removed file listing>

                  Any suggestions why VSE wouldn't get the same Artemis detection?

                  Message was edited by: mjmurra on 15/12/10 11:50:52 AM
                  • 6. Re: ASSUMED_DIRTY False Positive
                    vinoo

                    Thanks for reporting. The files have been validated and whitelisted.

                    GetSusp runs in server mode, which means every file gets a cloud lookup. VSE is an endpoint product, so we try to limit the number of cloud lookups for performance reasons.

                    On endpoints, Artemis lookups won't happen for every executable file unless it meets certain selection criteria, such as the file being recently created or modified, being present in the temp folder, file attributes, etc. Tbhelper.dll did not meet the selection criteria for a lookup in VSE.

                    1 of 1 people found this helpful
                    • 7. Re: ASSUMED_DIRTY False Positive

                      Here are a few more I've discovered. As far as I can tell, all are legitimate programs and aren't malicious.

                      <file listing removed>

                      Message was edited by: mjmurra (removed files) on 15/12/10 11:48:14 AM
                      • 8. Re: ASSUMED_DIRTY False Positive
                        vinoo

                        Thanks for reporting. The files have been validated and whitelisted.

                        1 of 1 people found this helpful
                        • 9. Re: ASSUMED_DIRTY False Positive

                          And some more:

                          ASSUMED_DIRTY  36ee10af258aca9e7a26a838bc1090c1  C:\Program Files\INRO\Emme\Emme 3.2\Emme-3.2.2\programsiks.exe  A  291,840  06/04/2009 08:28  06/04/2009 08:28  Process

                          <Removed other files>

                          If I submitted these through the Platinum portal, would they be whitelisted? (I've had issues before with some Artemis detections not being able to be replicated by McAfee Labs due to the way Artemis works)


                          Message was edited by: mjmurra on 17/12/10 1:32:19 PM