mike123

Whitelist command not working


Hi Team,

 

Can you tell me what is wrong with this whitelist file?

 

Trojan.Generic.KDV.764073
Backdoor.Generic.750553
Backdoor.Generic.758207
Application.AppInstall
Application.InstallAd
Application.AdReg
 
 
Is it necessary for it to include the parenthesis name? I tried it with the parenthesis name below, but it wasn't working.
 
Trojan.Generic.KDV.764073 (B)
Backdoor.Generic.750553 (B)
Backdoor.Generic.758207 (B)
Application.AppInstall (A)
Application.InstallAd (A)
Application.AdReg (A)

 


Detection names do not tell us what was found; we would need the scan log. Detection names belong to families of adware, malware, toolbars and such.

Attach a scan log to your reply.

C:\Documents and Settings\All Users\Application Data\bigfix detected: Application.AppInstall (A)

Key: HKEY_USERS\SD\User\SOFTWARE\BIGFIX detected: Application.InstallAd (A)

Key: HKEY_LOCAL_MACHINE\SOFTWARE\BIGFIX detected: Application.InstallAd (A)


Attach and copy & paste are not remotely the same thing.

Is the BigFix patch management software installed on this computer?


Report the false positive in the False positives support forum. Our developers check the forum several times during the day. Reporting in the forum will get attention quicker than using the report FP feature in EEK.

The EEK whitelist is maintained in a2whitelist.ini, if it is not being created then there may be a permission problem. I do not recommend manually editing the a2whitelist.ini.


I'm using a2cmd, so the /wl argument for me points to a text file called whitelist.txt and has the lines I mentioned above.

I don't seem to see an a2whitelist.ini file in my folder.


Wow, now that's COOL!

If the path has spaces like C:\Documents and Settings\All Users\Application Data\bigfix, will I need to wrap it with quotes around it or anything?


Wow, now that's COOL!

If the path has spaces like C:\Documents and Settings\All Users\Application Data\bigfix, will I need to wrap it with quotes around it or anything?

Shouldn't need to wrap the path in quotes.


Looks like it doesn't work. Here is what my whitelist.txt file has:

 
C:\Documents and Settings\All Users\Application Data\bigfix
HKEY_USERS\SC\FW_Release\SOFTWARE\BIGFIX
HKEY_LOCAL_MACHINE\SOFTWARE\BIGFIX
 
This is what I get back after the scan:
C:\Documents and Settings\All Users\Application Data\bigfix detected: Application.AppInstall (A)
Key: HKEY_USERS\SC\FW_Release\SOFTWARE\BIGFIX detected: Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\BIGFIX detected: Application.InstallAd (A)
 


This is the command I'm running:

a2cmd.exe /m /t /c /f=C: /l=C:\Monitoring\virusscan_run.txt /wl=C:\Monitoring\Emsisoft\whitelist.txt

 

Here is what the whitelist file contains:

 

FILE: C:\Monitoring\Emsisoft\whitelist.txt

C:\Documents and Settings\All Users\Application Data\bigfix
HKEY_USERS\SC\FW_Release\SOFTWARE\BIGFIX
HKEY_LOCAL_MACHINE\SOFTWARE\BIGFIX


I haven't forgotten about you. I have been testing this, and I don't have a resolution on the proper whitelist format.


The whitelist should consist of detection names, file paths, and folder paths; each on a separate line. However, after extensive testing I have come to the conclusion that a2cmd is not loading and parsing the whitelist. This has been elevated to our developers.


I was able to isolate what is breaking the whitelisting in a2cmd, and the proper whitelist format.

Your whitelist should look like:

Application.AdReg
Application.AdReg (A)
Application.AppInstall
Application.AppInstall (A)
Application.InstallAd
Application.InstallAd (A)
Backdoor.Generic.750553
Backdoor.Generic.750553 (B)
Backdoor.Generic.758207
Backdoor.Generic.758207 (B)
Trojan.Generic.KDV.764073
Trojan.Generic.KDV.764073 (B)
C:\Documents and Settings\All Users\Application Data\bigfix

Make sure to save it as an ANSI or UTF-8 (without BOM) encoded file.


OMG it worked! How does it work by the way? I'm curious why there needs to be a (A) and (B) for each one.

That is which engine is responsible for the detection.

(A) is our detection engine

(B) is the BitDefender engine.

Does it also support registry key entries?

Using the detection name should work for whitelisting registry items.
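As an added illustration of the format the last two posts settle on (this is example code written for this page, not Emsisoft's a2cmd or any tool of theirs), the script below parses constructed scan-log lines modelled on the ones quoted above, emits each detection name both bare and with its engine tag "(A)"/"(B)", appends folder paths, and writes the result as UTF-8 without a BOM. It also checks an existing whitelist for the things the thread says break parsing: a byte-order mark, UTF-16 encoding, stray whitespace, and blank lines. The regular expression, the helper names and the sample log lines are assumptions made for this example.

```python
import re

# Constructed sample log lines, modelled on the a2cmd output quoted in the thread.
SAMPLE_LOG = (
    "C:\\Documents and Settings\\All Users\\Application Data\\bigfix detected: Application.AppInstall (A)\n"
    "Key: HKEY_USERS\\SC\\FW_Release\\SOFTWARE\\BIGFIX detected: Application.InstallAd (A)\n"
    "Key: HKEY_LOCAL_MACHINE\\SOFTWARE\\BIGFIX detected: Application.InstallAd (A)\n"
)

# Assumed line shape: "<item> detected: <Name> (<engine>)", with "Key: " in front of registry items.
DETECTION_RE = re.compile(
    r"^(?P<key>Key: )?(?P<item>.+?) detected: (?P<name>\S+) \((?P<engine>[A-Z])\)\s*$"
)


def parse_detections(log_text):
    """Return (item, is_registry, detection_name, engine) for each detection line."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append((m["item"], m["key"] is not None, m["name"], m["engine"]))
    return found


def build_whitelist(log_text, folders=()):
    """Whitelist lines: every detection name with and without its engine tag, then folder paths.

    Registry items are covered by their detection name only, as the thread advises;
    the key path itself is not written to the whitelist.
    """
    names = set()
    for _item, _is_registry, name, engine in parse_detections(log_text):
        names.add(name)
        names.add(f"{name} ({engine})")
    return sorted(names) + list(folders)


def encode_whitelist(lines):
    """Serialize as UTF-8 without a BOM, CRLF line endings, no blank lines."""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def check_whitelist_bytes(data):
    """List the problems that would stop the file being read in the format the thread describes."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM present")
    elif data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        problems.append("UTF-16 BOM present (file is not ANSI/UTF-8)")
    elif b"\x00" in data:
        problems.append("NUL bytes present (likely UTF-16 without BOM)")
    text = data.decode("utf-8", errors="replace")
    for n, line in enumerate(text.splitlines(), 1):
        if line != line.strip():
            problems.append(f"line {n}: leading/trailing whitespace")
        if not line.strip():
            problems.append(f"line {n}: blank line")
    return problems


def write_whitelist(path, lines):
    """Write the whitelist in binary mode so no editor or platform adds a BOM."""
    with open(path, "wb") as fh:
        fh.write(encode_whitelist(lines))


if __name__ == "__main__":
    folder = "C:\\Documents and Settings\\All Users\\Application Data\\bigfix"
    entries = build_whitelist(SAMPLE_LOG, folders=[folder])
    print("\n".join(entries))
    print("problems:", check_whitelist_bytes(encode_whitelist(entries)))
```

Run it against a real log by replacing SAMPLE_LOG with the contents of the file passed to /l=, then point /wl= at the file written by write_whitelist; check_whitelist_bytes on a whitelist that silently fails is the first thing to try, since a BOM added by Notepad is invisible in most editors.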
