
False-Positive Backdoor.Win32.Bifrose!IK [Resolved]



#1 BBStyle


Posted 03 January 2010 - 09:20 PM

a-squared Anti-Malware detects everything that is compiled in AutoIt (www.autoitscript.com/autoit3/) as Backdoor.Win32.Bifrose!IK.

It doesn't matter what the script contains, everything is detected! It happened today, I didn't notice anything before!

You can simply test it if you have AutoIt installed on your machine. Create a simple new script and insert just anything, or for example write 123456 in it.

Save it and then right click on the file, Compile.
Now you have a .exe file which gets detected as Backdoor.Win32.Bifrose!IK!

Please fix this!
Thanks in advance!

#2 Lynx


Posted 04 January 2010 - 09:35 AM

Hi BBStyle, welcome to the forum.

Thank you for reporting the issue with "AutoIt v3".

At the same time, please submit the flagged items to the EMSI developers for analysis from the detection list.

That is the best and fastest way to identify the problem.

You can provide the result of several different compilations.
For those that are flagged, create a passworded archive (ZIP or RAR) and attach it to an email to fp@emsisoft.com. Include the password in the email body.

You can copy and send the description of the problem as in your post here.

Although the developers may check this issue in particular, that may not be the case, because, as you understand, it is impossible for any vendor of security software to download / install / maintain versions etc. of all software available out there when users are reporting possible FPs.
The analysis of the code is the only correct and sufficient way to manage such issues.

My regards

P.S. Please provide information about your system as in Forum Posting Rules #2.

XP Pro, SP3 (32-bit); EAM Full Suite v8.1.0.19(beta) ; Firewall: Comodo 3.14 FW only! (Defense+ HIPS)
Win 7 Home Premium x64, SP1; Firewall: Comodo 3.14 FW only! (Defense+ HIPS); EAM Full Suite v8.1.0.19(beta)


#3 Lynx


Posted 04 January 2010 - 10:25 AM

BBStyle,

I decided to check it out, since quite a while ago I was using AutoIt.

I downloaded the new version and simply compiled and built a few samples.

I can confirm that they are flagged as you reported.

I submitted one of the executables.
That should be enough for the developers to identify the problem.

My regards



#4 BBStyle


Posted 04 January 2010 - 04:30 PM

Ok, thank you very much ;)

#5 Lynx


Posted 07 January 2010 - 05:17 PM

Hi BBStyle,

Since the submission from the detection list somehow delivered a rejection from the Ikarus server (that's rarely happening), I submitted again (afternoon, 07) and then sent the samples by e-mail too, just in case.

Right now I got two confirmations from both EMSI & Ikarus simultaneously that the nearest incoming update(s) should fix the FP.
I'm expecting to see that tomorrow morning. You may get that earlier.

Cheers!



#6 BBStyle


Posted 08 January 2010 - 01:08 AM

It's ok ;)
Thank you again for your help!

PS:
Malw*reby**s had the same problem a few days ago with the old compiled scripts!

#7 Lynx


Posted 08 January 2010 - 01:11 AM

Good morning, BBStyle.

That's fixed with the first received update.

Cheers!

P.S. You added a P.S. while I was replying ... Malw*reby**s... :lol:



#8 BBStyle


Posted 08 January 2010 - 03:48 PM

heh :rolleyes:
I didn't know if it's allowed to write the names of other products; on some other forums it's not allowed!

It's fixed now..
Happy to see that ;)

#9 mara-


Posted 10 January 2010 - 11:45 PM

Hi,

I don't want to create a new topic, just to comment on something.

I think this product is great but it has too many false positives. I mean, come on, it detected the setup of Firefox 3.5.6 as some kind of malware. It detects the setup of SciTE, the editor for AutoIt, as Riskware.Monitor.Win32.Hooker!IK. Maybe AutoIt scripts are not detected as malware now, but some compiled files still are. Those files I wrote and compiled myself and they are not malware for sure. It detects the FreeRip setup as malware. This is a well known CD ripper and it's not malware. It detected a cache file for Spotify, a well known program for streaming music, as Virus.DOS.Soulmanager!IK. This cache is just ogg files with another extension, maybe even encrypted, but 100% not malware. And there is much more, I can't remember now.

I have a 1 year license and the detection of so many false positives is really annoying. I really hope that you can fix this.

Cheers ;)

#10 Lynx


Posted 11 January 2010 - 12:33 AM

Hi mara-, welcome to the forum.

First, it would indeed be better to create a new topic, especially if you want to point to or ask something not related to the initial request, or express opinions that can be seen and discussed by the users and developers (otherwise your post can be lost, even though that would be unintended).

It's understandable though that mentioning some AutoIt compilations most likely was the reason.

Here are a few comments:

- you can find existing discussions about FPs if you search this and the old forum;

- posting the names of the alleged infections is pretty much useless; it does not provide any information (briefly – always save the report & submit flagged items for analysis);

- flaggings as Riskware in most cases cannot be called FPs and usually you should whitelist
(please read the Knowledge Base "What is Riskware?"; one of the recent cases - here);

- flagging of Firefox or alerting by the Behavioral Blocker was explained several times – the special way Fox communicates indeed can be considered "backdoor-alike" behaviour;

- AutoIt scripting as a matter of fact can be used for "malware development" (sure, as any programming language :)) but only the specific code should be analyzed, as usual, in order to receive the answer;

- etc.

====

...many false positives is really annoying. I really hope that you can fix this...

So basically, despite that some of the flaggings you have may happen to be FPs and could be fixed – your request for "fixing this" ("this" ... what? ;) ) cannot be taken seriously, unfortunately, since there is no information whatsoever which can lead to any conclusions.

My regards



#11 shaqan


Posted 26 March 2010 - 12:51 AM

~ Whole Quotation Removed {Lynx}

2+ months later. SciTE4AutoIt is still getting flagged as Riskware.Monitor.Win32.Hooker!IK..
ANY script, even "Hello world", gets flagged as some kind of trojan. Can't you at least exclude the AutoIt installation files themselves..
Got a damaged AutoIt3 installation because a family member happened to scan my PC and happily removed the SciTE editor, TheHook.dll and AutoItSC.bin, not to mention a bunch of test-stage compiled executables..

a-squared is a pretty good antispyware program but please do something about it being overparanoid :(

#12 Lynx


Posted 26 March 2010 - 01:34 AM

Hi shaqan, welcome to the forum.

The AutoIt (including the SciTE editor) I have here now is not flagged with the latest signatures.
You may have a different version though already.

Please submit the flagged items to the EMSI developers for analysis in the first place.

As for exclusion – you can do it yourself by "whitelisting" if you trust the software.

As for the relative: if he/she is using another account and you are admin, then you can restrict their rights through the "Permissions" options.

In addition, please ask them not to remove everything that (any) security software is flagging.
In addition, let them read this Sticky ;)

My regards



#13 shaqan


Posted 28 March 2010 - 11:10 AM

noticed :)

thank you :)
