Windows Agent I built was detected as Malware?

I have modified the Open Source Windows Agent for OCS Inventory to replace the libraries with the latest static versions. I did this to avoid the CVEs that were reported in previous libraries used to build the Agent.

However, now my builds are detected as 'malware' - how can I determine why this happened?



3 minutes ago, BrianHerdeg said:

where can I find this?

I believe I found the file and have provided a log for staff on your behalf.

File: 1
Malware.Heuristic.2125, C:\MALWARE TEST NO WD\ASSETSONAR-WINDOWS-AGENT-SETUP-X86-BH-A4\ASSETSONAR-WINDOWS-AGENT-SETUP-X86-BH-A4\OCSSERVICE.EXE, No Action By User, 1000001, 1246570, 1.0.89039, 00000000000000000000084D, dds, 02994844, 2BC1AC57C9D488CDCB4E653C3A88EA27, F0FB2BF7FECA4CE2464525A4A0259BF289936D49517858EE0CF458825FA6E191



Edited by Porthos

I found the MBAMSERVICE.LOG for today, and these warnings:

Line 12246: 09/10/24    " 10:25:10.851"    164319812    191c    4d18    WARNING    CleanControllerImpl    mb::cleanctlrimpl::whitelist::RulesWhiteLister::IsObjectWhiteListedEx    "RulesWhiteLister.cpp"    372    "Unexpected MBStatus 9 while attempting to white list 'C:\USERS\BRIAN\DOWNLOADS\ASSETSONAR-WINDOWS-AGENT-SETUP-X86-BH-A5-SIGNED(1).ZIP'"

Line 12762: 09/10/24    " 10:27:10.518"    164439484    191c    4d18    WARNING    CleanControllerImpl    mb::cleanctlrimpl::whitelist::RulesWhiteLister::IsObjectWhiteListedEx    "RulesWhiteLister.cpp"    372    "Unexpected MBStatus 9 while attempting to white list 'C:\USERS\BRIAN\DOWNLOADS\ASSETSONAR-WINDOWS-AGENT-SETUP-X86-BH-A5.ZIP'"

Line 12848: 09/10/24    " 10:27:22.093"    164451062    191c    4d18    WARNING    CleanControllerImpl    mb::cleanctlrimpl::whitelist::RulesWhiteLister::IsObjectWhiteListedEx    "RulesWhiteLister.cpp"    372    "Unexpected MBStatus 9 while attempting to white list 'C:\USERS\BRIAN\DOWNLOADS\ASSETSONAR-WINDOWS-AGENT-SETUP-X86-BH-A5-SIGNED.ZIP'"

Line 13121: 09/10/24    " 10:27:48.401"    164477359    191c    4d18    WARNING    CleanControllerImpl    mb::cleanctlrimpl::whitelist::RulesWhiteLister::IsObjectWhiteListedEx    "RulesWhiteLister.cpp"    372    "Unexpected MBStatus 9 while attempting to white list 'C:\USERS\BRIAN\DOWNLOADS\ASSETSONAR-WINDOWS-AGENT-SETUP-X86-BH-A4.ZIP'"




         "mainTrace": {
            "ImpersonationSid": "",
            "archiveMember": "OcsService.exe",
            "archiveMemberMD5": "2BC1AC57C9D488CDCB4E653C3A88EA27",
            "cleanAction": "quarantine",
            "cleanContext": {
            "cleanResult": "notStarted",
            "cleanResultErrorCode": 0,
            "cleanTime": "",
            "generatedByPostCleanupAction": false,
            "hubbleRequestErrorCode": 0,
            "id": "ae3c0f20-6f99-11ef-918f-1cce518477ea",
            "igExitCode": "",
            "isPEFile": true,
            "isPEFileValid": true,
            "isWhitelistedByAdsInfo": false,
            "linkType": "none",
            "objectMD5": "95D62DB9B20C1C879395569ADC2B9865",
            "objectSha256": "F279786331233CAEB8584916AAE9099B66C055E9DAAB0B368CB1800B905143FA",
            "objectSize": 5825576,
            "objectType": "file",
            "resolvedPath": "C:\\Users\\brian\\Downloads\\AssetSonar-Windows-Agent-Setup-x86-BH-A4.exe",
            "rtpEventType": "other",
            "suggestedAction": {
               "archiveDir": false,
               "chromeExtensionOther": false,
               "chromeExtensionPreferences": false,
               "chromeExtensionSecurePreferences": false,
               "chromeExtensionSyncData": false,
               "chromeUrlOther": false,
               "chromeUrlSecurePreferences": false,
               "chromeUrlSyncData": false,
               "chromeUrlWebData": false,
               "disableHubbleWhiteListing": false,
               "disableSignatureWhiteListing": false,
               "fileDelete": true,
               "fileReplace": false,
               "fileTxtReplace": false,
               "folderDelete": false,
               "isChromeObject": false,
               "isDDS": true,
               "isDoppleganging": false,
               "isExternalDetection": false,
               "isPUP": false,
               "isShuriken": false,
               "isWMIEventConsumer": false,
               "killProcess": true,
               "minimalWhiteListing": false,
               "moduleUnload": false,
               "noLinking": false,
               "physicalSectorReplace": false,
               "priorityHigh": false,
               "priorityNormal": false,
               "priorityUrgent": false,
               "processUnload": false,
               "regKeyDelete": false,
               "regValueDelete": false,
               "regValueReplace": false,
               "shortcutReplace": false,
               "silentMode": false,
               "singleDelete": false,
               "testingMode": false,
               "treatAsRootkit": false,
               "useDDA": false,
               "verifyResolvedPath": true,
               "whitelistCheckError": false
            "uploadToBTOC": true,
            "winVerifyTrustResult": {
               "expectedError": false,
               "lastErrorCode": 0,
               "wvtCalled": true,
               "wvtResult": 0
         "ruleID": 1246570,
         "ruleString": "00000000000000000000084D",
         "rulesVersion": "1.0.89033",
         "srcEngineComponent": "dds",
         "srcEngineThreatNames": [
         "threatID": 1000001,
         "threatName": "Malware.Heuristic.2125"
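
The detection line Porthos posted, the mainTrace record above and the MBAMSERVICE.LOG warnings all describe the same event from different angles. As an added example (not code from the thread, from OCS Inventory or from Malwarebytes), the script below parses all three and correlates them: it confirms that the MD5/SHA-256 in the detection line belong to the archive member OcsService.exe rather than to the outer installer, checks that both records cite the same rule, flags that the two records were produced under different rule versions, and reads the WinVerifyTrust result. The column names assigned to the detection line are my assumption (the export layout is undocumented), the mainTrace excerpt is trimmed to the keys used with the closing braces the forum paste dropped restored, and the two log lines are copied from BrianHerdeg's post.

```python
"""Correlate a Malwarebytes detection line with its mainTrace record and pull
the whitelist warnings out of MBAMSERVICE.LOG. Added example, not code from the
thread or from Malwarebytes; sample records are copied from the posts above and
the column names given to the detection line are my assumption."""
import json
import re
from dataclasses import dataclass

# Detection line as posted by Porthos (a single line, wrapped here).
DETECTION_LINE = (
    "Malware.Heuristic.2125, C:\\MALWARE TEST NO WD\\ASSETSONAR-WINDOWS-AGENT-SETUP-X86-BH-A4"
    "\\ASSETSONAR-WINDOWS-AGENT-SETUP-X86-BH-A4\\OCSSERVICE.EXE, No Action By User, 1000001, "
    "1246570, 1.0.89039, 00000000000000000000084D, dds, 02994844, "
    "2BC1AC57C9D488CDCB4E653C3A88EA27, "
    "F0FB2BF7FECA4CE2464525A4A0259BF289936D49517858EE0CF458825FA6E191"
)
# Subset of the mainTrace record from the thread, with the closing braces the
# forum paste dropped restored so that it parses as JSON.
MAIN_TRACE_JSON = """{"mainTrace": {
  "archiveMember": "OcsService.exe",
  "archiveMemberMD5": "2BC1AC57C9D488CDCB4E653C3A88EA27",
  "objectMD5": "95D62DB9B20C1C879395569ADC2B9865",
  "resolvedPath": "C:\\\\Users\\\\brian\\\\Downloads\\\\AssetSonar-Windows-Agent-Setup-x86-BH-A4.exe",
  "suggestedAction": {"fileDelete": true, "killProcess": true, "isDDS": true},
  "winVerifyTrustResult": {"wvtCalled": true, "wvtResult": 0, "lastErrorCode": 0},
  "ruleID": 1246570, "ruleString": "00000000000000000000084D", "rulesVersion": "1.0.89033",
  "threatID": 1000001, "threatName": "Malware.Heuristic.2125"
}}"""
# Two of the MBAMSERVICE.LOG warnings quoted by BrianHerdeg.
WHITELIST_LOG = r"""
Line 12246: 09/10/24    " 10:25:10.851"    164319812    191c    4d18    WARNING    CleanControllerImpl    mb::cleanctlrimpl::whitelist::RulesWhiteLister::IsObjectWhiteListedEx    "RulesWhiteLister.cpp"    372    "Unexpected MBStatus 9 while attempting to white list 'C:\USERS\BRIAN\DOWNLOADS\ASSETSONAR-WINDOWS-AGENT-SETUP-X86-BH-A5-SIGNED(1).ZIP'"
Line 13121: 09/10/24    " 10:27:48.401"    164477359    191c    4d18    WARNING    CleanControllerImpl    mb::cleanctlrimpl::whitelist::RulesWhiteLister::IsObjectWhiteListedEx    "RulesWhiteLister.cpp"    372    "Unexpected MBStatus 9 while attempting to white list 'C:\USERS\BRIAN\DOWNLOADS\ASSETSONAR-WINDOWS-AGENT-SETUP-X86-BH-A4.ZIP'"
"""

HEX_MD5 = re.compile(r"^[0-9A-F]{32}$")
HEX_SHA256 = re.compile(r"^[0-9A-F]{64}$")
WHITELIST_RE = re.compile(r'(\d\d/\d\d/\d\d)\s+"\s*([\d:.]+)".*?'
                          r"Unexpected MBStatus (\d+) while attempting to white list '([^']+)'")

@dataclass
class Detection:
    threat_name: str
    path: str
    action: str
    threat_id: int
    rule_id: int
    rules_version: str
    rule_string: str
    engine: str
    md5: str
    sha256: str

def parse_detection_line(line: str) -> Detection:
    """Split the comma-separated line; the path is rebuilt from the middle so
    that a comma inside it cannot shift the hash columns."""
    parts = line.strip().split(", ")
    if len(parts) < 11:
        raise ValueError("detection line has fewer fields than expected")
    tail = parts[-9:]  # action, threatID, ruleID, rulesVersion, ruleString,
    #                    engine, an undocumented number, MD5, SHA-256
    md5, sha256 = tail[7].upper(), tail[8].upper()
    if not (HEX_MD5.match(md5) and HEX_SHA256.match(sha256)):
        raise ValueError("hash columns are not where this layout expects them")
    return Detection(parts[0], ", ".join(parts[1:-9]), tail[0], int(tail[1]),
                     int(tail[2]), tail[3], tail[4], tail[5], md5, sha256)

def load_main_trace(text: str) -> dict:
    data = json.loads(text)
    return data.get("mainTrace", data)

def correlate(det: Detection, trace: dict) -> dict:
    """Work out which object the detection line refers to and what the engine
    had already established about it."""
    member_hit = det.md5 == trace["archiveMemberMD5"].upper()
    wvt = trace["winVerifyTrustResult"]
    return {
        # The logged hash belongs to the archive member, not the outer installer.
        "flagged_member": trace["archiveMember"] if member_hit else None,
        "container": trace["resolvedPath"],
        "container_differs": det.md5 != trace["objectMD5"].upper(),
        "same_rule": det.rule_id == trace["ruleID"] and det.rule_string == trace["ruleString"],
        # The two records were produced under different rule versions.
        "rules_version_changed": det.rules_version != trace["rulesVersion"],
        "is_heuristic": det.threat_name.startswith("Malware.Heuristic")
        and trace["suggestedAction"].get("isDDS", False),
        # Assumed to mirror WinVerifyTrust's return code, where 0 means the
        # Authenticode signature verified.
        "signature_verified": bool(wvt["wvtCalled"]) and wvt["wvtResult"] == 0,
    }

def parse_whitelist_warnings(text: str) -> list[dict]:
    """Extract date, time, MBStatus and path from each whitelist warning."""
    hits = []
    for line in text.splitlines():
        m = WHITELIST_RE.search(line)
        if m:
            hits.append({"date": m.group(1), "time": m.group(2),
                         "status": int(m.group(3)), "path": m.group(4)})
    return hits

if __name__ == "__main__":
    det = parse_detection_line(DETECTION_LINE)
    for key, value in correlate(det, load_main_trace(MAIN_TRACE_JSON)).items():
        print(f"{key:>22}: {value}")
    for w in parse_whitelist_warnings(WHITELIST_LOG):
        print(f"{w['date']} {w['time']} MBStatus {w['status']} on {w['path']}")
```

Run as a script, it reports that the flagged hash is OcsService.exe inside AssetSonar-Windows-Agent-Setup-x86-BH-A4.exe (the installer's own objectMD5 differs), that both records cite rule 1246570 / 00000000000000000000084D but under rules versions 1.0.89039 and 1.0.89033, that the detection is a dds heuristic, and that WinVerifyTrust was called and returned 0. On the affected machine, recomputing the hashes of the rebuilt agent with PowerShell's Get-FileHash and comparing them with the detection line is the quickest way to confirm which build was flagged.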



It is not a Static detection, it is a code based logical presumption or "heuristic" rationalized detection.

I loosely use the analogy;  if it walks like a duck, and squawks like a duck then it must be a duck.

As one can see there are holes in the logical approach.  But it is the first step in logical deductive malware detection reasoning.

Since malware evolves and changes over time with numerous variations created by the hour, there has to be some kind of 1st level malware detection heuristic as a tripwire type detection.

Unfortunately it may result in a False Positive detection because it really wasn't a duck alliterate.



A heuristic[1] or heuristic technique (problem solving, mental shortcut, rule of thumb)[2][3][4][5] is any approach to problem solving that employs a pragmatic method that is not fully optimized, perfected, or rationalized, but is nevertheless "good enough" as an approximation or attribute substitution.[6][7] Where finding an optimal solution is impossible or impractical, heuristic methods can be used to speed up the process of finding a satisfactory solution.[8][9] Heuristics can be mental shortcuts that ease the cognitive load of making a decision.[10][11][12]


Edited by David H. Lipman

Thank you David - I agree and appreciate the insight.  In this case, software which looks a lot like existing Open Source products might well be worth investigating further.  This is a digitally signed package, but not with an EV Certificate - so that would also be part of the equation.

Are you part of the MalwareBytes team?


