
False positives about files (and URLs)



Hello

Malwarebytes detects HFS.exe as malware when analysing my computer in its latest version, but it's 100% legit; it comes from Rejetto HTTP File Transfer (it allows transferring a file from PC to PC by giving an HTTP link, without a server). I have used it for a long time. (Perhaps it's detected like this because we have to open a port in the box to make it work...)

http://www.rejetto.com/hfs/

In the VirusTotal analysis, Malwarebytes says it's clean.

(zip containing the file attached)

======

It is also detected as DNS.Unlocker, but these IPs are "Free" open DNS servers and a local IP connection to my box:


[HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]~[DhcpNameServer] : 212.27.40.240 212.27.40.241
[HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{82eba569-60eb-4390-9f4d-45fec09da1b1}]~[DhcpNameServer] : 212.27.40.240 212.27.40.241
[HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{b51955e3-93cb-4826-ac4f-741fec48fcd4}]~[DhcpNameServer] : 192.168.42.129

The value "NameServer" was detected too as DNS.Unlocker, but I looked in the registry at this place and there's nothing written in this value, no data.

ISP: Free SAS
Organization: Free SAS
AS Number: AS12322 Free SAS


192.168.42.129 => Local

=====

And as my friend rubised said in the other topic, it detects cjoint.com as Fraud, but here are some examples to show you that it's really a false positive:

https://quttera.com/detailed_report/www.cjoint.com

https://sitecheck.sucuri.net/results/www.cjoint.com

And from Kaspersky VirusDesk (original message in French):

Le lien https://www.cjoint.com est sain

Ce lien est sain conformément aux données de réputation de Kaspersky VirusDesk.

which means in English:

The link https://www.cjoint.com is healthy

This link is healthy according to Kaspersky VirusDesk reputation data.

=====

One last thing:

While analyzing my computer, Malwarebytes takes a very large share of my processor; I cannot do anything else, it makes my computer very slow, almost frozen, and the browser pages cannot refresh correctly because all the processor is taken by MBAM.

Here's an example (PNG attached), and sometimes it goes over 80% of the processor.

Attachments: hfs.zip, CPU_MBAMService.PNG

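The DhcpNameServer and NameServer lines quoted above are the kind of scan output a DNS-changer detection has to triage. As an added example (not part of the post and not Malwarebytes' own detection logic), here is a small Python triage that parses lines in that format and separates DHCP-assigned ISP resolvers and LAN addresses from a static NameServer override pointing at a resolver you did not configure. The sample lines, the expected-resolver list and the final 8.8.8.8 entry are constructed for the demonstration; the two 212.27.40.x addresses are the ones the post attributes to the ISP.

```python
import ipaddress
import re
from typing import Dict, List

# Resolvers you expect to see on this machine. The two 212.27.40.x addresses
# are the ones the scan output above attributes to the ISP (Free SAS); this
# list is an assumption and must be adapted to your own network.
EXPECTED_RESOLVERS = {"212.27.40.240", "212.27.40.241"}

# Constructed sample in the shape of the scan output quoted in the post.
# The last two lines are made up: an empty static NameServer (what the poster
# describes) and a static NameServer pointing at a public resolver that is
# not on the expected list (8.8.8.8 here, chosen only as "not what you
# configured", not as anything malicious).
SAMPLE_SCAN = r"""
[HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]~[DhcpNameServer] : 212.27.40.240 212.27.40.241
[HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{82eba569-60eb-4390-9f4d-45fec09da1b1}]~[DhcpNameServer] : 212.27.40.240 212.27.40.241
[HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{b51955e3-93cb-4826-ac4f-741fec48fcd4}]~[DhcpNameServer] : 192.168.42.129
[HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]~[NameServer] : 
[HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{b51955e3-93cb-4826-ac4f-741fec48fcd4}]~[NameServer] : 8.8.8.8
"""

# [registry key]~[value name] : space-separated data
LINE_RE = re.compile(r"^\[(?P<key>[^\]]+)\]~\[(?P<value>[^\]]+)\]\s*:\s*(?P<data>.*)$")


def classify_address(addr: str, expected: set) -> str:
    """Label one resolver address relative to the expected list."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if addr in expected:
        return "expected-isp"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"  # router or LAN resolver, e.g. 192.168.42.129 above
    return "unexpected-public"


def triage_scan(text: str, expected: set = EXPECTED_RESOLVERS) -> List[Dict]:
    """Parse scan lines and decide which entries deserve a closer look.

    DhcpNameServer is written by the DHCP client and mirrors whatever the
    router or ISP handed out; NameServer is a static override. A static
    NameServer pointing at a public resolver you did not configure is worth
    investigating; an empty NameServer, as in the post, is not.
    """
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        value = m.group("value")
        addrs = m.group("data").split()
        labels = [classify_address(a, expected) for a in addrs]
        if not addrs:
            verdict = "empty"
        elif value == "NameServer" and "unexpected-public" in labels:
            verdict = "review"  # static override to a resolver you did not set
        elif "unexpected-public" in labels:
            verdict = "check-dhcp-source"  # handed out by DHCP: look at the router
        else:
            verdict = "benign"
        findings.append({
            "key": m.group("key"),
            "value": value,
            "addresses": list(zip(addrs, labels)),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in triage_scan(SAMPLE_SCAN):
        print(f["verdict"], f["value"], f["addresses"])
```

Run against the constructed sample, the three DhcpNameServer lines and the empty NameServer come out benign or empty, and only the static NameServer pointing at an unlisted public resolver is flagged for review; that is the distinction a DNS-changer check needs to make before calling a DHCP-assigned ISP resolver a hijack.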

Hi,

Thanks for reporting. We will look into this and fix where needed.

As for DNS.Unlocker, do you have a log where this detection is displayed? Because, checking our database, we don't detect any of these DNS servers.

Additional note: for cjoint.com, the detection will remain for now. Please see here: https://myonlinesecurity.co.uk/fake-google-drive-shared-documents-notification/

Thanks!


Sorry, I uninstalled Malwarebytes; I'm going to reinstall it, do a new complete scan and give you the log when it's finished :)

The data, as I remember, isn't displayed in the log, only keys and values.


Okay, I'll do that. So I don't understand why it scans the winsxs folder; it takes some time and I have never seen any infections in this folder in 10 years of disinfecting ^^

Edited by gen-hackman

You probably ran a full custom scan, so it scans every location (which is how it should be; we've seen malware in there, and there's no guarantee future malware won't drop in there either, as some AVs have this folder excluded, which malware can thus exploit).

You can always exclude that folder from scans (when you run a full scan).
