
I was doing some testing on behalf of a user in another thread and discovered that Malwarebytes 3 is classifying the two versions of its installer (32-bit and 64-bit) differently, one as PUP and one as actual malware (adware), because of the differing vendor names being used (one starting with PUP.Optional and the other starting with Adware.):

[Attached screenshot: InstallCore.png]

The software in question is PowerISO and the two installers are available here:

http://www.poweriso.com/download.php

I would suggest changing one of the classifications to match the other for consistency, since they are obviously the same threat/PUP/adware, and one being targeted as malware while the other is classified as PUP could have far-reaching consequences due to how Malwarebytes 3 differentiates between the two categories of detections, both in its display as well as in its settings and how they may potentially be handled by the user should they alter settings for PUPs.


Sure, here you go:

Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 8/8/18
Scan Time: 1:54 PM
Log File: 8164a580-9b3c-11e8-8fb2-80fa5b3c2fcb.json
Administrator: Yes
-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.391
Update Package Version: 1.0.6257
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Exile-PCII\Exile
-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 2
Threats Detected: 2
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 0 min, 7 sec
-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 2
Adware.InstallCore, C:\USERS\EXILE\DESKTOP\DOWNLOADS\POWERISO7-X64.EXE, No Action By User, [572], [538163],1.0.6257
PUP.Optional.InstallCore, C:\USERS\EXILE\DESKTOP\DOWNLOADS\POWERISO7.EXE, No Action By User, [398], [542243],1.0.6257
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)

(end)


One might make the argument that anything classified as adware is technically PUP, not actual malware, and therefore should always be categorized as orange/PUP, not red/malware. But doing so without manually changing every Adware. entry in the database would require new engine syntax to classify any def using that prefix as orange/PUP, meaning the Devs would have to modify the engine/SDK, so a simple find/replace routine through the raw database might be easier for now, and perhaps a memo to the other members of Research regarding adware classification.

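The inconsistency reported in the first post (the same InstallCore family shown as red/malware under one detection name and orange/PUP under the other) and the find/replace fix proposed in the last one can both be checked mechanically. The following is an added example, not code from Malwarebytes or from anyone in this thread: it parses the "File:" detection lines in the scan log quoted above, derives the category each name's prefix implies, reports families that appear under more than one category, and applies the proposed Adware. to PUP.Optional. renaming. The prefix-to-category table and the regex for the log line layout are assumptions based only on what the log shows; the sample lines are constructed from the two detections in the log.

```python
"""Check Malwarebytes scan-log detections for inconsistent categorisation.

Added example (not Malwarebytes' own code). The prefix-to-category table
below is an assumption taken from this thread (PUP.Optional -> PUP,
Adware. -> malware); the line format is inferred from the quoted log.
"""
import re
from collections import defaultdict

# Constructed sample: the two "File:" lines from the scan log in this thread.
SAMPLE_LOG = """\
File: 2
Adware.InstallCore, C:\\USERS\\EXILE\\DESKTOP\\DOWNLOADS\\POWERISO7-X64.EXE, No Action By User, [572], [538163],1.0.6257
PUP.Optional.InstallCore, C:\\USERS\\EXILE\\DESKTOP\\DOWNLOADS\\POWERISO7.EXE, No Action By User, [398], [542243],1.0.6257
Physical Sector: 0
"""

# Assumed mapping of detection-name prefix to the category the UI displays.
PREFIX_CATEGORY = {
    "PUP.Optional.": "PUP",
    "PUM.": "PUM",
    "Adware.": "Malware",
}

# One detection line: name, path, action, [signature id], [db id],db version
DETECTION_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.]+), (?P<path>.+?), (?P<action>[^,]+), "
    r"\[(?P<sig_id>\d+)\], \[(?P<db_id>\d+)\],(?P<db_version>[\d.]+)$"
)


def parse_detections(log_text):
    """Return one dict per detection line found in the log text."""
    detections = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            detections.append(m.groupdict())
    return detections


def category_for(name):
    """Map a detection name to its display category via its prefix."""
    for prefix, cat in PREFIX_CATEGORY.items():
        if name.startswith(prefix):
            return cat
    return "Malware"  # assumption: any unlisted prefix is shown as malware


def family_of(name):
    """The family is the last dotted component, e.g. 'InstallCore'."""
    return name.rsplit(".", 1)[-1]


def find_inconsistent_families(detections):
    """Return {family: sorted categories} for families seen under >1 category."""
    cats = defaultdict(set)
    for d in detections:
        cats[family_of(d["name"])].add(category_for(d["name"]))
    return {fam: sorted(c) for fam, c in cats.items() if len(c) > 1}


def normalize_adware_name(name):
    """Apply the proposed find/replace: Adware.X -> PUP.Optional.X."""
    if name.startswith("Adware."):
        return "PUP.Optional." + name[len("Adware."):]
    return name


if __name__ == "__main__":
    found = parse_detections(SAMPLE_LOG)
    for fam, cats in find_inconsistent_families(found).items():
        print(f"{fam}: classified as {', '.join(cats)}")
    for d in found:
        print(f"{d['name']} -> {normalize_adware_name(d['name'])}")
```

Running it against the quoted log reports InstallCore as classified both as Malware and as PUP; after `normalize_adware_name` is applied to every name, the same check returns nothing, which is the consistency the thread asks for. The same parser can be pointed at any exported scan log to find other families that straddle the red/orange boundary.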
