5 Replies Latest reply on Jun 29, 2012 7:15 AM by Peter M

    False Positive? W32/Pinkslipbot.as!a

      I'm posting in regards to a file that can be found here: http://sourceforge.net/projects/file-transfer/files/file-transfer/File%20Transfer%201.2j/

      In particular the 32 bit version though I'd imagine the 64 bit version suffers the same issue.

       

      I've used this program on rare occasions for over a year with NO problems. However after someone else downloaded it they claimed to have gotten a virus. I scanned it with 3 different AV programs and after finding nothing, I loaded it up to an online scanner. https://www.virustotal.com/file/e88dbdab55d680f08282588267a255f81525755f02910115f6edd47943eca56f/analysis/


      According to them, ONLY McAfee products detect it as a virus. Sure enough I found that the person who downloaded this at my request uses McAfee. (I'm sure they now think I'm trying to hack them) So I submitted the sample (twice now) and received this response:

       

      McAfee Labs - Beaverton
      Current Scan Engine Version:5400.1158
      Current DAT Version:6755.0000
      Thank you for your submission.

      Analysis ID: 7097469

      File Name            Findings                       Detection                    Type         Extra
      --------------------|------------------------------|----------------------------|------------|-----
      filetransfer.exe    |current detection             |w32/pinkslipbot.as!a        |Virus       |no

      current detection [filetransfer.exe]

         The file submitted is malware that can be detected with curred DAT files. It is
      recommended that you update your DAT and engine files and scan your computer again.

       

       

       

      I already knew the McAfee database flagged it as a Virus, so I re-submitted the file with the above information as well as explaining that:

      I'm aware that the database currently detects it...however I believe this is a false positive. Could you confirm that this is *actually* an infected file and not just triggered by the UPX packer?

       

       

       

       

       

       

      Then I received this:

       

      McAfee Labs - Beaverton
      Current Scan Engine Version:5400.1158
      Current DAT Version:6752.0000
      Thank you for your submission.

      Analysis ID: 7099199

      File Name            Findings                       Detection                    Type         Extra
      --------------------|------------------------------|----------------------------|------------|-----
      filetransfer.exe    |current detection             |w32/pinkslipbot.as!a        |Virus       |no

      current detection [filetransfer.exe]

         The file submitted is malware that can be detected with curred DAT files. It is
      recommended that you update your DAT and engine files and scan your computer again.

       

      I then submitted the file to other vendors so that they could add it to their database.

      Thus far I've gotten two responses:

       

      One from Kaspersky:

      KLAN-333014241

      No malicious software was found in the attached file.

       

      &


      One from ESET

      4FED46C22DD8

      Thank you for your submission.

      The file(s) you submitted is/are clean and therefore not subject to detection.

       

      So either they are both wrong or McAfee is indeed coming up with a false positive. As both responses from McAfee were identical, I'm assuming it may have been an automatic scan/response or something. Regardless, I'd like to have this resolved one way or the other. Infected or not??!!

        • 1. Re: False Positive? W32/Pinkslipbot.as!a
          Peter M

          Check the following out for steps to take:  https://community.mcafee.com/thread/2016

          • 2. Re: False Positive? W32/Pinkslipbot.as!a

            Umm...did you not see the two pasted responses I got from ALREADY sending the file in? My point is that I'm getting conflicting answers from different vendors so I believe there may be an issue on your end....I know I put False Positive in the header in the second email, I'll recheck, I may not have added it at the start though....

             

            Yup, I put it at the end last time. Thanks, maybe this time an actual person will look at it

             

            Message was edited by: syrinx13 on 6/29/12 6:46:11 AM CDT
            • 3. Re: False Positive? W32/Pinkslipbot.as!a
              Peter M

              Yes, and the link I gave explains what to do when they send you negative responses.  Reply to the email altering the header by adding the word FALSE in front of it.

              I can't guarantee anything but they often reverse detections that way.

              • 4. Re: False Positive? W32/Pinkslipbot.as!a

                Many thanks, I think I was editing my response to you about the time you posted that. I just glanced over the page and it appeared to be a submission guide. It wasn't until I went back to read it in full that I realized it contained info on how to handle the false positive response. Sorry for my rude response, waay past my bed time and so stressed over this. I don't want this person thinking I'm trying to infect them so I really want to get this resolved so I can either tell them yup sorry it was a virus after all or the issue has been resolved, just update your AV. We need to transfer some large files to each other from camera footage at a recent family event and I was unable to find sufficient storage on 3rd party sites so I suggested this program and now she's waiting for someone to look at / fix her computer after being alerted that the file was a virus. Anyway TMI, time for bed and maybe it'll be resolved when I wake up!

                • 5. Re: False Positive? W32/Pinkslipbot.as!a
                  Peter M

                  I understand.  Good luck ;-)