9 Replies Latest reply on Mar 4, 2011 7:57 AM by TonyK

    False Positive Artemis!9AA35446455B

      Artemis!9AA35446455B is detecting combofix.exe as malware. This is a false positive.

        • 1. Re: False Positive Artemis!9AA35446455B

          Unless you are instructed by a Malware Expert, you should not be running ComboFix.

          Most experts tell you to disable your Anti-Virus, because it will detect ComboFix, because it is a very powerful tool.


          • 2. False Positive Artemis!9AA35446455B

            I'm quite aware of ComboFix's ability, and yes, I am an expert in the field. I understand its ability, but it's not a trojan as McAfee is detecting it as, so this needs to be resolved by Avert.

            • 3. Re: False Positive Artemis!9AA35446455B
              Vinod R

              Dear TonyK,


              Since you are an expert, you would already know why this is triggering a detection. ComboFix is a very advanced tool that in its code uses many scripts and commands (not going into those details for obvious reasons). As ConorD62 indicated, there is a very proper disclaimer made for this tool stating that it might be detected as malware by anti-virus software.

              ComboFix is NOT a usual piece of software or a usual .exe file, and it keeps getting updated frequently (meaning it could change as soon as someone flags it as a clean source).

              The detection is due to the way the tool makes changes to the computer, many of which are similar to what a malware does.

              edited words on 4/3/11 2:13:52 AM IST
              • 4. False Positive Artemis!9AA35446455B

                Again, I understand what ComboFix is capable of. Not sure what "ComboFix is not a software" means, but it is an .exe and the .exe is what Artemis detects as a trojan, and this is an INCORRECT DETECTION. It's NOT a trojan, therefore a false positive. This is a very simple concept. The binary should not be detected as a trojan.

                If AP rules, or other HIPS rules, stop ComboFix from doing its job, that's something totally different, and we can certainly configure around that, but if the combofix.exe binary is being INCORRECTLY detected as a trojan, that needs to be resolved.

                • 5. False Positive Artemis!9AA35446455B

                  I agree with TonyK. These detections are dangerous. Mislabeling files as trojans because they are potentially dangerous or potentially unwanted, as anything other than what they are, is not a good practice. While I expect the scanner to display some message (maybe one that displays the information Conor or Vinod spoke of), it does not need to flag it as a trojan, as McAfee is signature based, and to my knowledge, ComboFix does not contain a trojan signature.

                  McAfee and other companies are known for flagging many security and sysadmin tools as malware when they are simply used for other purposes, i.e. flagging a sysadmin tool as a virus when it should be flagged as H.tool.

                  This is not acceptable IMO.

                  • 6. False Positive Artemis!9AA35446455B
                    Vinod R

                    The detection is not a trojan detection; it is an Artemis detection, which is like behaviour-based detection. I use, and to some extent indirectly contribute to, this tool's development.

                    The most likely reason is the way this tool behaves on a system (I did not analyse why there was a detection now).

                    Nevertheless, I had flagged this off as soon as the first post came in. I cannot confirm a suppression, but I will do my part to ensure that a good tool gets its due respect.

                    • 8. False Positive Artemis!9AA35446455B

                      Thanks for reporting. The Combofix executable with md5: 9aa35446455be1dfe4b59b15fddf1cb8 has been whitelisted in the Artemis backend.

                      • 9. False Positive Artemis!9AA35446455B

                        Thanks for the info vinoo... should be good now.