6 Replies Latest reply on Dec 13, 2010 11:47 PM by vinoo

    improve detection rate - decrease false positives

    finkemch

      Hello McAfee GetSusp Team,

      I have a question: how does GetSusp work? Does it use only the Artemis technology to detect suspicious files, or more?

      I would like to have more features included to find more suspicious files, like:

      - spoofed Windows system files like winlogon.exe in user data or application data (C:\Users\Username\Application Data\winlogon.exe) or hidden files in these folders;
        there are fixed assignments for winlogon.exe or svchost.exe, spools.exe, ....

      - suspicious files in the recycler folder like "C:\RECYCLER\S-1-5-21-9178037181-9025717145-078654120-5620\MsMxEng.exe" - not like the standard Dc*.exe, and mostly hidden

      - files with hidden extensions like "E:\cache.tmp                                                                                            .exe"

      - files with double extensions like *.pdf.exe, *.jpg.exe, *.mp3.vbs, *.mp3.pif, *.txt.exe, *.htm.exe, *.avi.exe, *.doc.exe, ....

      - or more suspicious files like *.`exe, _.exe, *~.exe, xxx .exe, ....

      - misspelled file names like svch0st.exe, sp00ls.exe, rund1132.exe, n1detect.com, Exp1orer.exe, aut0run.exe, Pagefile.pif, .....

      - illegally used cracks and keygens like *crack*.exe or *keygen*.exe

      - .....

      We have blocked many of these suspicious files with VirusScan Access Protection and improved the detection rate for VirusScan. We get many hits every day!

      VirusScan misses too many viruses - we close part of this detection gap.

      -> This would be needed for VirusScan detection too!!!!

      Otherwise we are waiting for the internal Artemis server (placed inside the company) to put all clean files in use into the whitelist database to prevent false positives.

      Why are so many files tagged as suspicious by GetSusp - McAfee files included? Are they not included in the whitelist?

      best regards

                          Michael
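The naming heuristics listed in the post above (system-binary names outside system directories, non-standard names in a RECYCLER SID folder, whitespace-padded and double extensions, digit-for-letter look-alikes such as svch0st.exe, crack/keygen names) as a small path classifier. This is an added example, not GetSusp or VirusScan Access Protection code; the reference sets (`SYSTEM_BINARIES`, `SYSTEM_DIRS`, the extension lists) and the sample paths are constructed for the example.

```python
import ntpath
import re

# Constructed reference lists for this example (not a GetSusp rule set).
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
                   "lsass.exe", "csrss.exe", "services.exe", "rundll32.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\")
EXEC_EXT = {"exe", "scr", "pif", "com", "vbs", "vbe", "js", "jse", "bat", "cmd", "wsf"}
DOC_EXT = {"pdf", "jpg", "jpeg", "png", "gif", "mp3", "avi", "txt", "htm", "html", "doc", "xls"}
# Digits commonly substituted for letters in look-alike names (svch0st, rund1132, Exp1orer).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})
# A RECYCLER per-user folder is named after the user's SID (S-1-5-...).
RECYCLER_RE = re.compile(r"^[a-z]:\\recycler\\s-1-5-[\d-]+$")
# Normal contents of such a folder: Dc<N>.<ext> entries plus desktop.ini / INFO2.
RECYCLER_OK_RE = re.compile(r"^(dc\d+\.|desktop\.ini$|info2$)")


def classify(path: str) -> list[str]:
    """Return the naming heuristics a path trips (an empty list means nothing odd)."""
    directory, name = ntpath.split(path)
    directory = directory.lower()
    lower = name.lower()
    parts = lower.split(".")
    ext = parts[-1].strip() if len(parts) > 1 else ""
    stem = ".".join(parts[:-1]) if len(parts) > 1 else lower
    reasons = []

    # "cache.tmp<many spaces>.exe": the real extension is pushed out of view.
    if re.search(r"\s{2,}\.[a-z0-9]{2,4}$", lower):
        reasons.append("whitespace-padded extension")
    # "xxx .exe", "_.exe", "*~.exe", "*.`exe": odd characters around the extension.
    elif (re.search(r"\S\s\.[a-z0-9]{2,4}$", lower) or stem == "_"
          or stem.endswith("~") or "`" in lower):
        reasons.append("odd characters around extension")

    # "invoice.pdf.exe": a document extension directly followed by an executable one.
    if len(parts) > 2 and parts[-2].strip() in DOC_EXT and ext in EXEC_EXT:
        reasons.append("double extension")

    # svch0st.exe, rund1132.exe: becomes a system binary name once digits are
    # mapped back to the letters they imitate, but is not itself such a name.
    if lower not in SYSTEM_BINARIES and lower.translate(HOMOGLYPHS) in SYSTEM_BINARIES:
        reasons.append("look-alike of system binary name")

    # A genuine system binary name sitting outside a system directory.
    if lower in SYSTEM_BINARIES and not (directory + "\\").startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside system directory")

    # Something other than the usual Dc<N>.<ext> entries inside a RECYCLER SID folder.
    if RECYCLER_RE.match(directory) and not RECYCLER_OK_RE.match(lower):
        reasons.append("non-standard file in RECYCLER")

    if "crack" in stem or "keygen" in stem:
        reasons.append("crack/keygen name")
    return reasons


def scan(paths):
    """Map each flagged path to its reasons; clean paths are left out."""
    hits = {}
    for path in paths:
        reasons = classify(path)
        if reasons:
            hits[path] = reasons
    return hits


# Constructed sample paths mirroring the patterns from the post.
SAMPLE_PATHS = [
    r"C:\Users\michael\Application Data\winlogon.exe",
    r"C:\WINNT\system32\svchost.exe",
    r"C:\WINNT\system32\svch0st.exe",
    r"C:\RECYCLER\S-1-5-21-9178037181-9025717145-078654120-5620\MsMxEng.exe",
    r"C:\RECYCLER\S-1-5-21-9178037181-9025717145-078654120-5620\Dc12.exe",
    "E:\\cache.tmp" + " " * 40 + ".exe",
    r"C:\Downloads\invoice.pdf.exe",
    r"C:\Downloads\xxx .exe",
    r"C:\Downloads\photoshop_keygen.exe",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_PATHS).items():
        print(f"{path!r}: {', '.join(reasons)}")
```

Name-based heuristics like these only prioritise files for a closer look; a hit still needs the hash lookup or a scan before it is treated as malware, and the whitelist handles the legitimate exceptions.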

        • 1. Re: improve detection rate - decrease false positives
          vinoo

          Hi Michael,

          GetSusp uses the McAfee antivirus engine, so it is going to scan for all the file types and file extensions you mentioned.

          GetSusp uses a combination of AV technology, cloud lookups and heuristics to eliminate files. If GetSusp cannot do Artemis lookups, the number of suspect files could be on the higher side. It is GTI proxy aware, and you can route all cloud lookups via an internal GTI server.

          If you could post or send example GetSusp log files from your machine, we'll be able to whitelist the unknown files. Once we've whitelisted the majority of prevalent files on your network, the noise will be minimal and malware or newly introduced files will stand out.

          If you would like to have a call to discuss how GetSusp works in detail, I'll be glad to schedule one.

          Best,
          Vinoo Thomas
          Technical Product Manager, McAfee Labs

          • 2. Re: improve detection rate - decrease false positives
            finkemch

            Suspicious Files


            Unknown Files

            UNKNOWN 7b6ca698b04f4df5f2ea49b1b9e59ede C:\Program Files\SMART Board Software SMARTBoardService.exe A SMART Technologies Inc. SMART Board Service 9.1.4.51 9.1.4.51 880,640 10/20/2005 06:22 10/20/2005 06:22 Process
            UNKNOWN dc2fa263c4ed11d648f5c81d7cd1d9e3 C:\Program Files\Enterprise Vault\EVClient OfflineVaultPH3x_de.dll A Symantec Corporation WDS Protocol Handler 7, 5, 4, 0 7.5.4.2568 192,512 11/12/2008 14:00 11/12/2008 14:00 Shell-Extensions
            UNKNOWN 4eeaddf31e0d5b9cdd395dbe1013ca0c c:\program files\enterprise vault\evclient valkyrie_de.dll A Symantec Corporation Enterprise Vault Outlook Addin 7, 5, 4, 0 7.5.4.2568 741,376 11/12/2008 14:00 11/12/2008 14:00 Module
            UNKNOWN e5ef88db77af36420abea268f55677d4 C:\Program Files\NetInst libexpatw.dll Thai Open Source Software Center Ltd and Clark Cooper libexpatWD 1, 95, 3, 0 1, 95, 3, 0 94,208 11/12/2010 16:13 09/04/2009 12:52 Module
            • 3. Re: improve detection rate - decrease false positives
              finkemch

              Hi Vinoo,

              Thank you for the fast answer.

              "so it's going to scan for all the file types and file extensions you mentioned" -> but it is not enough to scan everything with these extensions; they need to be detected as suspicious.
              That's why the tool was created?

              I am glad to have a second way now to detect viruses. Here, more false positives are acceptable than with the real VirusScan.
              I would like to have a switch like "paranoid scan - ultra high".

              The bad point is that we miss so many infected files on systems today (with every AV vendor), but I would like to find 100 % to protect our business environment.

              There are too many infected files running on our systems! In addition to the GTI we need a behavior-based detection to find files like the ones I have blocked manually!

              Does GetSusp use the very high level to scan the system?

              I have seen you are responsible for CleanBoot - will it be available again soon? We use the Rescue CDs from other AV vendors since McAfee ended it.

              Best regards

              Michael

              on 13.12.10 12:46:23 MEZ
            • 4. Re: improve detection rate - decrease false positives
              vinoo

              Those were a lot of unknown files!! All of them have been validated and whitelisted. If you have more - please post them. After a couple of such iterations - only malicious files should show up in your GetSusp reports. A rescan of the same system will now report very few files.

              GetSusp runs in paranoid mode by default, which means every process, module or executable file that is actively running or is referenced at startup during boot is scanned. Give it a try on an infected system that you come across.

              I'll contact you offlist for your email address to provide a copy of CleanBoot. It's currently in beta and a consumer version of CleanBoot will be made available in the first half of 2011.

              Best,

              Vinoo
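              The workflow this reply describes (post the unknown entries, have them validated, then rescan so only the unexplained files remain) can be run locally against a report like the one pasted above. The script below is an added Python example, not GetSusp or McAfee code. It assumes a tab-separated version of the report fields (status, MD5, directory, filename, type), since the forum paste lost its column delimiters, and it assumes a local allow-list of MD5s that an analyst has already validated; the sample lines and hashes in it are constructed. Entries not on the allow-list are then annotated with the kinds of filename checks an access-protection rule set would apply (core system process names outside the Windows directories, digit-for-letter look-alikes, document-plus-executable double extensions, whitespace-padded extensions), so the analyst sees at a glance which of the remaining unknowns deserve attention first.

```python
"""Offline triage of GetSusp-style report entries.

Added example, not GetSusp or McAfee code.  Assumptions that are not from the
thread: the report is read as tab-separated fields (status, md5, directory,
filename, type), because the forum paste lost its column delimiters; the
allow-list is a local set of MD5s that an analyst has already validated; the
sample lines and hashes below are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Process names that belong only in the Windows system directories.
SYSTEM_PROCESSES = {"winlogon.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                    "spoolsv.exe", "rundll32.exe", "csrss.exe", "services.exe"}
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\(windows|winnt)(\\system32)?$", re.I)
DOC_EXTS = {"pdf", "jpg", "jpeg", "mp3", "txt", "htm", "html", "avi", "doc", "xls"}
EXEC_EXTS = {"exe", "scr", "pif", "vbs", "com", "bat", "cmd"}

# Constructed sample report (tab-separated, placeholder MD5s).
SAMPLE_REPORT = (
    "UNKNOWN\t00000000000000000000000000000001\tC:\\Program Files\\Vendor\ttool.dll\tModule\n"
    "UNKNOWN\t00000000000000000000000000000002\tC:\\Users\\bob\\Application Data\twinlogon.exe\tProcess\n"
    "UNKNOWN\t00000000000000000000000000000003\tE:\\\tcache.tmp                .exe\tProcess\n"
    "UNKNOWN\t00000000000000000000000000000004\tC:\\Users\\bob\\Desktop\tinvoice.pdf.exe\tProcess\n"
    "UNKNOWN\t00000000000000000000000000000005\tC:\\WINNT\\system32\tsvch0st.exe\tProcess\n"
    "UNKNOWN\t00000000000000000000000000000006\tC:\\WINNT\\system32\tsvchost.exe\tProcess\n"
)
# Hash of tool.dll, validated in an earlier round (constructed value).
SAMPLE_ALLOWLIST: Set[str] = {"00000000000000000000000000000001"}


def parse_report(text: str) -> List[Dict[str, str]]:
    """Split each tab-separated line into a record; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 5:
            continue
        status, md5, directory, name, kind = parts[:5]
        records.append({"status": status, "md5": md5.lower(),
                        "dir": directory, "name": name, "type": kind})
    return records


def normalise_lookalike(name: str) -> str:
    """Map digits commonly used as letter substitutes (0->o, 1->l) back to letters."""
    return name.lower().replace("0", "o").replace("1", "l")


def filename_findings(directory: str, name: str) -> List[str]:
    """Return the heuristic reasons a file name or location looks suspicious."""
    findings = []
    lower = name.lower()
    parts = lower.split(".")
    # A core system process name living outside the Windows directories.
    if lower in SYSTEM_PROCESSES and not SYSTEM_DIR_RE.match(directory):
        findings.append("system process name outside system directory")
    # A digit-for-letter look-alike of a system process name (svch0st, rund1132).
    if lower not in SYSTEM_PROCESSES and normalise_lookalike(lower) in SYSTEM_PROCESSES:
        findings.append("look-alike of system process name")
    # A document extension immediately followed by an executable extension.
    if len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in EXEC_EXTS:
        findings.append("double extension")
    # A run of whitespace pushing the real extension out of view in listings.
    if re.search(r"\s{2,}\.\w+$", name):
        findings.append("whitespace-padded extension")
    return findings


def triage(text: str, allowlist: Set[str]) -> List[Tuple[str, List[str]]]:
    """Drop allow-listed hashes, then annotate every remaining entry with findings.

    Entries with an empty finding list are still returned: they are unknown to
    the allow-list and need a validation decision, exactly as in the thread.
    """
    out = []
    for rec in parse_report(text):
        if rec["md5"] in allowlist:
            continue
        out.append((rec["name"], filename_findings(rec["dir"], rec["name"])))
    return out


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REPORT, SAMPLE_ALLOWLIST):
        print(f"{name!r}: {', '.join(reasons) or 'no filename finding, needs analyst review'}")
```

              Each validation round grows the allow-list and shrinks the next report, which is the effect the reply describes; the filename checks only order the leftover unknowns, they do not replace hash validation (the legitimate svchost.exe in the sample still comes back, with no findings, until its hash is validated).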

              • 5. Re: improve detection rate - decrease false positives

                vinoo wrote:

                I'll contact you offlist for your email address to provide a copy of CleanBoot. It's currently in beta and a consumer version of CleanBoot will be made available in the first half of 2011.

                Looking forward to the re-release of CleanBoot! I've also been using competitors' products for this task at times due to McAfee not having a current solution. If you're able to release the beta, I'd also be interested in having a look.

                • 6. Re: improve detection rate - decrease false positives
                  vinoo

                  Sure thing.

                  The consumer version does not support encrypted hard drives. I am waiting on a newer build from engineering and will reach out to you soon.