
False detection in virustotal, is it possible the software does the same ?


gen-hackman


Hello, an update of my diagnostic tool named "QuickDiag" is since today detected as Malware.AI.708962152

It has a digital signature not trusted by the trust provider, I know, but Malwarebytes never detected this tool before.

Here's the link to see it: https://www.virustotal.com/gui/file/d78cddc8a9518618037d8351260b3c3bdd71d05b9fb62c3f8bcd23a63cb1562e/detection

Thank you for doing something about it.

(Microsoft detects all tools coded in AutoIt as "wacapac", "wacapew" or "wacatac"; their database is so poor :)

Here's where you can download it if needed: https://genhackmantools.wordpress.com/quickdiag/

Best Regards

g3n-h@ckm@n


46 minutes ago, gen-hackman said:

The engine format and configuration in VirusTotal is different than our consumer and corporate products’ default configuration. In VirusTotal we use a command-line engine with different configuration and detection techniques/heuristics which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.


@TwinHeadedEagle

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/17/21
Scan Time: 2:19 PM
Log File: a82f68a0-8755-11eb-8526-001a7dda7102.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1217
Update Package Version: 1.0.38305
License: Premium

-System Information-
OS: Windows 10 (Build 19042.868)
CPU: x64
File System: NTFS
User: I7-PC\SAPC

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 1
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 0 min, 43 sec

-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Malware.AI.708962152, C:\MALWARE TEST\QUICKDIAG.EXE, No Action By User, 1000000, 0, 1.0.38305, 9C5DBA5575FE03CB2A41E768, dds, 01161733, D59E7484C076454A776CE805AB9B7945, 3DCBEF0241713153E6AF1BDA9E214CE76612DA5E4A2C7C8E42125DA8A7090CEB

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

@gonzo

http://www.aht.li/2448447/QuickDiag.exe

Blocked by browser guard


Ok thanks,

You can whitelist all of my tools, because they all have the same digital signature (not recognized by the Trust Provider, I know it), but I prefer to code tools to repair and disinfect than infections :)

Best Regards,

g3n-h@ckm@n


Yes, I know about MBAM's Browser Guard; it blocks too many sites which are not necessarily bad.

I installed it, but it's much too sensitive; I couldn't navigate normally with it, so I deleted it.

I just submitted it to Microsoft, 30 minutes ago,

but they don't update their database in real time, and when it's done, things are the same...


7 minutes ago, gen-hackman said:

it blocks too many sites which are not necessarily bad

I installed it, but it's much too sensitive; I couldn't navigate normally with it, so I deleted it.

I use Browser Guard and when it comes up with a block I know is a good site or download, it gets reported in the BG section and whitelisted quickly.


The problem was not with https://genhackmantools.wordpress.com/quickdiag/

The problem WAS with http://www.aht.li, which is the location of the file to be downloaded. It is rapidly becoming a block that all browsers will enforce. A user should NEVER download a file using HTTP protocols. HTTPS should be used for all downloads, to ensure that they are getting what they came for. If you make the suggested protocol change, you would have no issues.


So, coming back from my lunch, I see your answer and I really don't understand, because when I ask for information about the link from Archive-Host, look at what they give:

(screenshot: Capture.PNG)

So I just changed it to https manually and it's like this now.


Hello, three days later, still there...

https://www.virustotal.com/gui/file/185f7832cd3920bc1981fe36b1d67703fc9953fa8657c979110fcc339c5c70f2/detection

Microsoft removed the detection, but Malwarebytes... nothing. Not yet removed...

Have a good day,

Regards

g3n-h@ckm@n


6 hours ago, shadowwar said:

When I scan here I am not seeing any current detection.

Hi Rich, It is detected for me locally.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/21/21
Scan Time: 12:58 PM
Log File: 12091a2a-8a6f-11eb-96c4-001a7dda7102.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1236
Update Package Version: 1.0.38489
License: Premium

-System Information-
OS: Windows 10 (Build 19042.868)
CPU: x64
File System: NTFS
User: I7-PC\SAPC

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 1
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 0 min, 11 sec

-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Malware.AI.708962152, C:\MALWARE TEST\QUICKDIAG.EXE, No Action By User, 1000000, 0, 1.0.38489, 9C5DBA5575FE03CB2A41E768, dds, 01167193, D59E7484C076454A776CE805AB9B7945, 3DCBEF0241713153E6AF1BDA9E214CE76612DA5E4A2C7C8E42125DA8A7090CEB

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

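The two scan logs quoted above flag the same SHA-256 under two successive update package versions (1.0.38305 on 17 March, 1.0.38489 on 21 March). As an added example, not code from the thread or from Malwarebytes, here is a small parser for this log format that pulls out the definition version and the detection record, so that a reported false positive can be tracked across definition updates. The log excerpts are constructed from the thread's own text, and treating the 32-hex field as MD5 is an assumption based only on its length.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the 17 March log quoted in this thread (constructed from the
# thread's text, trimmed to the lines the parser uses).
LOG_MAR17 = """\
-Software Information-
Update Package Version: 1.0.38305
-Scan Details-
File: 1
Malware.AI.708962152, C:\\MALWARE TEST\\QUICKDIAG.EXE, No Action By User, 1000000, 0, 1.0.38305, 9C5DBA5575FE03CB2A41E768, dds, 01161733, D59E7484C076454A776CE805AB9B7945, 3DCBEF0241713153E6AF1BDA9E214CE76612DA5E4A2C7C8E42125DA8A7090CEB
"""
# The 21 March log differs only in the update package version and one id field.
LOG_MAR21 = LOG_MAR17.replace("1.0.38305", "1.0.38489").replace("01161733", "01167193")
HEX64 = re.compile(r"\b[0-9A-F]{64}\b")  # SHA-256 length
HEX32 = re.compile(r"\b[0-9A-F]{32}\b")  # assumed MD5, judged by length only

@dataclass
class Detection:
    name: str
    path: str
    md5: str
    sha256: str

@dataclass
class ScanLog:
    update_version: str = ""
    detections: list = field(default_factory=list)

def parse_log(text: str) -> ScanLog:
    """Parse the 'Key: Value' headers and comma-separated detection records."""
    log = ScanLog()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Update Package Version:"):
            log.update_version = line.split(":", 1)[1].strip()
        elif HEX64.search(line):  # only detection records carry a SHA-256
            fields = [f.strip() for f in line.split(",")]
            log.detections.append(Detection(
                name=fields[0], path=fields[1],
                md5=HEX32.search(line).group(0),
                sha256=HEX64.search(line).group(0)))
    return log

def persists_across_updates(old: ScanLog, new: ScanLog, sha256: str) -> bool:
    """True when the same hash is still flagged after a definition update."""
    hit_old = any(d.sha256 == sha256 for d in old.detections)
    hit_new = any(d.sha256 == sha256 for d in new.detections)
    return hit_old and hit_new and old.update_version != new.update_version
```

Running `persists_across_updates(parse_log(LOG_MAR17), parse_log(LOG_MAR21), sha)` with the SHA-256 from the log returns True, which is exactly the "still there" situation reported later in the thread.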

Hello, it's exactly the same as VT.

It detects a diagnostic tool like this, and a tool which deletes with system rights it doesn't ^^

Look at another of my tools, like I said: https://www.virustotal.com/gui/file/c6928d5facf23161a65c1ad2925f28b47fd8e21a3ae595fd97166029c67ec9b2/detection

I don't know this address r3.o.lencr.org and I don't know where it comes from...


Staff

Ok here is the scoop.


There are three different files in this thread. I marked all three. I thought we were only dealing with one file.

The digital signature is invalid and untrusted, so whitelisting the signature is out.

I sent an email to the dds team to ask why this def hasn't been removed yet. It's the same def hitting all three.
