False Positive - SNESCentral.com


Gentlepoke

  • Staff
2 hours ago, Gentlepoke said:

Hello, when traversing to snescentral[.]com, the following appears:

[two screenshots attached]

Hello- Active threat here:

VirusTotal - URL - 18c81b45687bcf967427931f9e83874b71473872b9acd3e10d572891b58c1fb8

File detection:

VirusTotal - File - 6f339d59f883eac33fe86e6f101fd726a9eea69f883283985ed5a4975b862da7

That appears to be one file, and appears to be more PUA than an active threat. As that file appears to be in a section of the site which appears to not be typically viewed, wouldn't it make sense to restore the website itself to an allowlist while blocklisting that URL / file only?

  • Staff
12 minutes ago, Gentlepoke said:

That appears to be one file, and appears to be more PUA than an active threat. As that file appears to be in a section of the site which appears to not be typically viewed, wouldn't it make sense to restore the website itself to an allowlist while blocklisting that URL / file only?

Hi-No that's not how our blocks run. Until the file has been removed the block will stay enabled.

  • Staff
12 minutes ago, Gentlepoke said:

That appears to be one file, and appears to be more PUA than an active threat. As that file appears to be in a section of the site which appears to not be typically viewed, wouldn't it make sense to restore the website itself to an allowlist while blocklisting that URL / file only?

Also detected here: snescentral.com - urlscan.io

4 minutes ago, TeMerc said:

Also detected here: snescentral.com - urlscan.io

From what I can tell, the offending file within that zip file appears to be usbcopy.exe. Considering the file appears to have a date modified of 25th April 2011 @ 13:17, I'm assuming since it was likely designed for USB copying, it'll likely have had code which likely looks something similar to some bad code which was written in other software.

In regards to the URLScan, I am a little confused by the claim of a Phish against Discord, as all the site appears to have on that page is a link to the Discord server for that website / community, with nothing that could really constitute an attempt at bypassing / phishing anyone using Discord. As URLScan themselves say, "Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!"

8 minutes ago, TeMerc said:

Hi-No that's not how our blocks run. Until the file has been removed the block will stay enabled.

Understood, I know typically with network firewalls, such filter rules can be applied, but I understand if it's not practical. I admit I am a little baffled that a single file could red flag an entire domain, especially as more dynamic services out there generally get flagged up when run against VirusTotal, yet stay available to search.

I will contact the hostmaster for the site, to let them know that the snesflash_1_1.zip file is what is currently causing the issue. If that file was removed or even rehosted elsewhere, that'd make everything kosher, am I correct?
