Blat SMTP mailer command line tool -> RiskWare.Agent


RealPaul

Good Day

I ran a malware scan of my PC and it flagged "BLAT3219_32.FULL.ZIP" as RiskWare.Agent, which was downloaded from https://sourceforge.net/projects/blat/files/Blat%20Full%20Version/32%20bit%20versions/Win2000%20and%20newer/ (has been around since 2017-11-20).

The strange thing is that Malwarebytes didn't seem to have an issue with the zip file contents, which had also been extracted.

Norton didn't seem to have an issue with it, but virustotal.com threw up a few alerts: https://www.virustotal.com/#/file/cd026e10a6a8d2e164e67e859b058dc4642121f8e12075d1db980eafe1e7462d/detection (NotAVirus, Unsafe, Trojan>blat, Win32/Virus.b23)

So just wondering the following:

  1. Why was the zip file flagged, but the extracted EXE was not?
  2. Any details on why Blat was put into the RiskWare.Agent classification?
    I've read this https://blog.malwarebytes.com/detections/riskware-agent already.

    Is Blat in the "RiskWare.Agent" classification because one of its uses could be to send spam SMTP mail via a batch? Similar to a gun being good or bad depending on its use; or does Blat expose me to something dangerous? If it's just the intended use, then this is OK, as I use it to send email alerts on different batch job results (backup space, backups complete, etc.).

I just want to make sure the risk is that Blat could be used for bad stuff (if I chose to), and not that it's an "active threat!"

Thanks

Paul


  • Staff

Hi,

Thanks for reporting. The reasoning you gave is exactly why we were detecting it:

"Is Blat in the "RiskWare.Agent" classification because one of its uses could be to send spam SMTP mail via a batch? Similar to a gun being good or bad depending on its use; or does Blat expose me to something dangerous? If it's just the intended use, then this is OK, as I use it to send email alerts on different batch job results (backup space, backups complete, etc.)."

However, after further analysis and thought, we decided to delist this detection again, as it's a real borderline case.
