Detection discrepancy - result of different order of detection?


Recommended Posts

This is an odd one, and not so much an FP as an odd difference between the threat identity according to the scan engine vs the real-time protection component and I suspect it's due to the order of analysis for objects by real-time protection checking with the heuristics engine/defs first and the scanner relying on traditional defs first, but I wanted it reviewed just to be sure it isn't some kind of bug.

As you can see, while 2 of the 3 detections are identical between the scan and real-time protection, one of them is not and is identified as PUP.Optional.Babylon (which is accurate) by the scanner but identified as Generic.Malware/Suspicious by real-time protection.  I've highlighted the relevant entries/detections in red to make them easier to identify:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/22/18
Scan Time: 1:23 AM
Log File: aed6fff0-45f5-11e8-b4a4-80fa5b3c2fcb.json
Administrator: Yes

-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.4832
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Exile-PCII\Exile

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 237891
Threats Detected: 3
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 2 min, 2 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 3
Trojan.MBAMTest, C:\USERS\EXILE\DESKTOP\TEST-TROJAN.EXE, No Action By User, [8536], [145300],1.0.4832
PUP.Optional.DotPitch, C:\USERS\EXILE\DESKTOP\TEST-PUP.EXE, No Action By User, [14197], [284958],1.0.4832
PUP.Optional.Babylon, C:\USERS\EXILE\DESKTOP\DOWNLOADS\UNLOCKER1.9.2.EXE, No Action By User, [317], [76260],1.0.4832

Physical Sector: 0
(No malicious items detected)


(end)


Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/22/18
Protection Event Time: 1:26 AM
Log File: 0e57b320-45f6-11e8-afa9-80fa5b3c2fcb.json
Administrator: Yes

-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.4832
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
Generic.Malware/Suspicious, C:\Users\Exile\Desktop\Downloads\Unlocker1.9.2.exe, Quarantined, [0], [392686],1.0.4832


(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/22/18
Protection Event Time: 1:25 AM
Log File: 0107f450-45f6-11e8-a3de-80fa5b3c2fcb.json
Administrator: Yes

-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.4832
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
Trojan.MBAMTest, C:\Users\Exile\Desktop\test-trojan.exe, Quarantined, [8536], [145300],1.0.4832


(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/22/18
Protection Event Time: 1:25 AM
Log File: 0070bd60-45f6-11e8-a397-80fa5b3c2fcb.json
Administrator: Yes

-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.4832
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
PUP.Optional.DotPitch, C:\Users\Exile\Desktop\test-PUP.exe, Quarantined, [14197], [284958],1.0.4832


(end)

I found out why this happened.  It turns out it was due to archive scanning which allowed the bundled Babylon component to be flagged which explains the PUP detection from the scanner, and the anomalous file detector flagged the installer itself without extracting it as it matched against its signature-less algorithms for being suspicious.

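To make the comparison described in this thread mechanical rather than a visual read of two logs, here is an added example (my own code, not from the forum post or from Malwarebytes) that parses the plain-text log format quoted above and correlates scan-log and protection-event detections by file path. It assumes the detection-line layout visible in the logs (threat name, path, action, two bracketed numeric ids, definitions version) and treats the two bracketed ids as opaque values to compare, since their meaning is not documented in the thread. The sample logs are trimmed copies of the ones posted.

```python
"""Correlate Malwarebytes scan-log and protection-event detections by file path.

Added example, not the forum poster's or Malwarebytes' code. The "[id], [id]"
fields are carried through unchanged; their semantics are not documented in the
thread, so the code only reports whether they differ between the two engines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One detection line: "<threat>, <path>, <action>, [id1], [id2],<defs version>"
DETECTION_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<path>[A-Za-z]:\\[^,]+), (?P<action>[^,]+), "
    r"\[(?P<id1>\d+)\], \[(?P<id2>\d+)\],(?P<version>[\d.]+)$"
)

# Sample input: trimmed copies of the logs quoted in the thread.
SCAN_LOG = r"""-Log Details-
Scan Date: 4/22/18
Scan Time: 1:23 AM
-Scan Details-
File: 3
Trojan.MBAMTest, C:\USERS\EXILE\DESKTOP\TEST-TROJAN.EXE, No Action By User, [8536], [145300],1.0.4832
PUP.Optional.DotPitch, C:\USERS\EXILE\DESKTOP\TEST-PUP.EXE, No Action By User, [14197], [284958],1.0.4832
PUP.Optional.Babylon, C:\USERS\EXILE\DESKTOP\DOWNLOADS\UNLOCKER1.9.2.EXE, No Action By User, [317], [76260],1.0.4832
(end)
"""

REALTIME_LOGS = [
    r"""-Log Details-
Protection Event Date: 4/22/18
Protection Event Time: 1:26 AM
-Blocked Malware Details-
File: 1
Generic.Malware/Suspicious, C:\Users\Exile\Desktop\Downloads\Unlocker1.9.2.exe, Quarantined, [0], [392686],1.0.4832
(end)
""",
    r"""-Log Details-
Protection Event Date: 4/22/18
Protection Event Time: 1:25 AM
-Blocked Malware Details-
File: 1
Trojan.MBAMTest, C:\Users\Exile\Desktop\test-trojan.exe, Quarantined, [8536], [145300],1.0.4832
(end)
""",
    r"""-Log Details-
Protection Event Date: 4/22/18
Protection Event Time: 1:25 AM
-Blocked Malware Details-
File: 1
PUP.Optional.DotPitch, C:\Users\Exile\Desktop\test-PUP.exe, Quarantined, [14197], [284958],1.0.4832
(end)
""",
]


@dataclass(frozen=True)
class Detection:
    source: str            # "scan" (on-demand scanner) or "realtime" (protection event)
    name: str              # threat name as the engine reported it
    path: str              # path exactly as logged; case differs between the two engines
    action: str
    ids: Tuple[int, int]   # the two bracketed numbers, kept opaque
    version: str           # definitions (update package) version


def parse_log(text: str) -> List[Detection]:
    """Extract detection lines from one log; the log kind is taken from its header."""
    source = "realtime" if "Protection Event Date:" in text else "scan"
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(source, m["name"], m["path"], m["action"],
                                   (int(m["id1"]), int(m["id2"])), m["version"]))
    return found


def correlate(logs: List[str]) -> Dict[str, List[Detection]]:
    """Group detections from all logs by case-folded path (NTFS paths are case-insensitive)."""
    by_path: Dict[str, List[Detection]] = {}
    for text in logs:
        for d in parse_log(text):
            by_path.setdefault(d.path.lower(), []).append(d)
    return by_path


def find_discrepancies(by_path: Dict[str, List[Detection]]):
    """Paths where the engines disagree on the threat name, with each engine's name and ids."""
    out = {}
    for path, dets in by_path.items():
        per_source = {d.source: (d.name, d.ids) for d in dets}
        if len({name for name, _ in per_source.values()}) > 1:
            out[path] = per_source
    return out


if __name__ == "__main__":
    grouped = correlate([SCAN_LOG] + REALTIME_LOGS)
    for path, per_source in find_discrepancies(grouped).items():
        print(path)
        for source, (name, ids) in per_source.items():
            print(f"  {source:8s} {name}  ids={ids}")
```

Run against the thread's logs, the script reports exactly one path, the Unlocker installer, with the scanner's PUP.Optional.Babylon entry and the real-time Generic.Malware/Suspicious entry side by side; the two test files agree on both name and ids. That matches the explanation in the follow-up post: the scanner's archive scanning reached the bundled component inside the installer, while real-time protection judged the outer file without extracting it.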
