Hello colleagues,

Our user has informed us that the IP of our site www.nanoav.ru (84.42.39.75) is blocked by Malwarebytes Anti-Malware. Please settle the problem.

If you need any information, please contact me by the e-mail in my profile.

Thank you.

Best,

Pamfilova Irina


Apologies for taking so long. This IP is blocked because it lies within a known malicious range.

/edit

Just a note, all of the previous activity on this range seems to have gone from what I'm seeing, so I'm looking further into this.

  • 2 weeks later...
Apologies for taking so long. This IP is blocked because it lies within a known malicious range.

/edit

Just a note, all of the previous activity on this range seems to have gone from what I'm seeing, so I'm looking further into this.

I can't understand: is it a great problem to check the site and unblock it? Please settle the problem!


It's not just your site that needs checking, but your software as well (I've got that scheduled for testing this afternoon).


Testing your software as I write this and ..... care to explain why you're targeting:

1. MBAMService.exe (Malwarebytes AntiMalware)

2. MSMPENG.exe (Microsoft Security Essentials)

Got me curious now as to whether you're targeting solely these two, or other vendors as well. Guess we'll find out as testing progresses to stage 2, once stage 1 has finished.

Testing your software as I write this and ..... care to explain why you're targeting:

1. MBAMService.exe (Malwarebytes AntiMalware)

2. MSMPENG.exe (Microsoft Security Essentials)

Got me curious now as to whether you're targeting solely these two, or other vendors as well. Guess we'll find out as testing progresses to stage 2, once stage 1 has finished.

Did you mean that the system protection of NANO AntiVirus detects these processes as harmful? If so, it's predictable. We have analysed the situation. As we conjectured, there are unencrypted fragments of malicious code in the memory of both above-mentioned programs.


It was your scanner that detected them - and I'm afraid your argument doesn't wash with me. The test was run on a CLEAN INSTALL of Windows XP SP3; as such, no malware was present, and there's no malicious code in either MBAM or MSE.

Interestingly, care to explain also why the log file it created didn't make any mention of these detections? (I've got screenshots of the detections themselves and a copy of the log file, btw, just in case.)

Regardless, the tests will be completed by tonight, and a decision as far as unblocking will be based on such results. Your continued detection of MBAM/MSE files isn't going to help you - I'd strongly urge you to REMOVE detection for them.


I'd like to clarify, in case you're wondering why it's taking so long to do the tests: your software is taking an hour and a half per scan on the test system (which is a long time, given it takes another 45-60 mins to restore the image for the next test).

It was your scanner that detected them - and I'm afraid your argument doesn't wash with me. The test was run on a CLEAN INSTALL of Windows XP SP3; as such, no malware was present, and there's no malicious code in either MBAM or MSE.

I guess you don't understand me. I will try to explain more clearly. I don't allege that there is malware in your test system or that MBAM or MSE are malware. The fact is that there are fragments of malware in the memory of both of these programs. We guess that these fragments are some signatures from the virus bases of these AVs. I can send on demand a 160-byte dump of the memory block of the MBAM process where the above-mentioned fragment is. That fragment looks like a part of the modified Kryptik.gen by our classification (Trojan.FakeAV!gen27 by Symantec, FakeAlert-LX by McAfee and so on).

To avoid that kind of problem, other AVs usually store signatures in an encrypted state.

Interestingly, care to explain also why the log file it created didn't make any mention of these detections? (I've got screenshots of the detections themselves and a copy of the log file, btw, just in case.)

We create a few log files. Logs with detections are here: "Documents and Settings\All Users\Application Data\nanoav\scan.*.log". If you have more questions about NANO AntiVirus, we will be glad to discuss them on our forum (English is available).
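The post above describes a classic self-inflicted false positive: a product that keeps raw signature bytes in memory will be flagged by any other scanner that sweeps process memory for those same bytes. The following added example (not code from NANO, Malwarebytes or any vendor in this thread; every byte pattern and buffer is a constructed placeholder) contrasts a naive signature store with one that keeps only per-pattern SHA-256 digests, so the plaintext pattern never resides in memory yet scanning still works. Hashing windows of the input, rather than XOR-obfuscating the pattern and decoding it at scan time, is one design that avoids the transient plaintext as well.

```python
import hashlib

# Constructed stand-in for a byte pattern a signature database might carry.
# It is NOT a real malware signature.
CONSTRUCTED_PATTERN = b"\x55\x8b\xec\x83\xec\x10CONSTRUCTED-SIG"

# Constructed sample buffers: one carries the pattern, the other does not.
SAMPLE_HIT = b"\x00" * 16 + CONSTRUCTED_PATTERN + b"\x90" * 8
SAMPLE_CLEAN = b"\x00" * 16 + b"\x90" * 32


class NaiveSignatureStore:
    """Keeps raw pattern bytes, so they sit verbatim in the process's memory."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]

    def matches(self, data):
        return any(p in data for p in self.patterns)

    def memory_image(self):
        # What another product's memory scanner would see when it dumps this process.
        return b"".join(self.patterns)


class HashedSignatureStore:
    """Keeps only (length, SHA-256 digest) per pattern; plaintext never resides in memory."""

    def __init__(self, patterns):
        self.entries = {}  # pattern length -> set of digests
        for p in patterns:
            self.entries.setdefault(len(p), set()).add(hashlib.sha256(p).digest())

    def matches(self, data):
        # Slide a window of each stored length over the data and hash it.
        # O(n*m) here for clarity; a production engine would use a rolling hash.
        for length, digests in self.entries.items():
            for i in range(len(data) - length + 1):
                if hashlib.sha256(data[i:i + length]).digest() in digests:
                    return True
        return False

    def memory_image(self):
        # Only digests are resident; the original pattern bytes are absent.
        return b"".join(d for ds in self.entries.values() for d in ds)


def pattern_visible_in_memory(store, pattern=CONSTRUCTED_PATTERN):
    """True if a third-party memory scan of this store would find the raw pattern."""
    return pattern in store.memory_image()


def demo():
    """Compare detection capability and memory exposure of both stores."""
    naive = NaiveSignatureStore([CONSTRUCTED_PATTERN])
    hashed = HashedSignatureStore([CONSTRUCTED_PATTERN])
    return {
        "naive_detects": naive.matches(SAMPLE_HIT) and not naive.matches(SAMPLE_CLEAN),
        "naive_exposed": pattern_visible_in_memory(naive),
        "hashed_detects": hashed.matches(SAMPLE_HIT) and not hashed.matches(SAMPLE_CLEAN),
        "hashed_exposed": pattern_visible_in_memory(hashed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both stores detect the constructed pattern and stay quiet on the clean buffer, but only the naive store leaves the pattern bytes where a memory sweep by another product would find them, which is exactly the cross-vendor false positive the thread is arguing about.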

I have found the topic here on the forum. Perhaps this is the reason why our IP was blocked? The topic is closed, so I can't post a disclaimer. Our AV, NANO AntiVirus, and the known rogue "Nano antivirus" are not the same; there is only an unfortunate coincidence of names. I have sent a private message to the moderator Fatdcuk but haven't received any reply.


I noticed the confusion over the name, thanks. I verified MBAM wasn't detecting yours during my testing. The tests were delayed, however, which is why the block hasn't been removed yet. It's scheduled to finish today, and it will likely be unblocked. I'll post back when this is done.

I noticed the confusion over the name, thanks. I verified MBAM wasn't detecting yours during my testing. The tests were delayed, however, which is why the block hasn't been removed yet. It's scheduled to finish today, and it will likely be unblocked. I'll post back when this is done.

Hello, is there any news?

I'm running some more tests, which is why it's taking so long.

Have you fixed the detection of the legit AV/AMs yet? (Note, this is a prerequisite before removal of the block can be approved by me; I can't allow you to go round detecting the likes of MSE/MBAM etc. as malicious when they aren't, regardless of your reasons.)


Never mind, got it re-scanning as I write this and see detection of legit AMs/AVs has not been fixed, so the block isn't going to be removed.

  • 2 weeks later...
Never mind, got it re-scanning as I write this and see detection of legit AMs/AVs has not been fixed, so the block isn't going to be removed.

We sincerely regret that you refuse to unblock our IP, though it is not malicious. The decision should be unbiased, but it looks like attempted blackmail.

The detection of the processes of some AVs by our AV does not contain fraudulent intent. It is a result of those AVs using an incorrect method to store and operate their virus bases. So the false detection is not so much our problem as the problem of the developers of those products. Of course, this situation is off-nominal and requires a solution. We are trying to solve this problem, but it requires a lot of effort and time, as in fact we have to test third-party products instead of their developers. Therefore we would like you to revise your attitude to this problem and also make some effort to solve it by correcting the way your product works with virus signatures.


After further investigation, I am now removing the block. However, I'd ask that you please ask your research team to look into the methods of detection that have caused this issue.

The block will be removed as of the next update.

After further investigation, I am now removing the block. However, I'd ask that you please ask your research team to look into the methods of detection that have caused this issue.

The block will be removed as of the next update.

Thank you for your decision. We are trying to find a solution to the problem, but anyway, as I have said before, we would like to ask the developers of MBAM, on their part, to pay close attention to this situation.
