francois

Whitelisting doesn't work for me

Hi again.

I searched the forum, read several posts but couldn't find answers to my question.

Using the command-line scanner here.

I'm trying to whitelist some detected items, but it doesn't work.

The items still get listed and/or quarantined if I use the /q switch.

Example of the command-line options:

c:\program files\a2cmd>a2cmd /t /q /wl="whitelist.txt"

Content of the whitelist:

c:\windows\system32\dwspy32.dll
c:\program files\national instruments\signal processing start-up kit\dfd\dfd.exe
C:\PROGRAM FILES\Zebra Technologies\Zebra Setup Utilities\Driver\ZBRN\ZebraFD.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST4UNST #1

Attached is a scan logfile.

What am I doing wrong?

Program is v5.0.0.11 and I have the very latest updates.

Thanks in advance!

Best regards,

François

Hi François

You have to add the detection names, whether it is a Trojan, Riskware, or just the Trace in the Registry.

If you want a whole folder to be omitted during the scan, then add that folder name.

Here is an example:

My current White List – image taken using the GUI

WhiteListGUI.jpg

The whitelist file created for CLS Scan

Trace.File.Winspy!A2
Trace.Registry.Winspy!A2

a2cmd_WL.jpg: no WinSpy Traces. It doesn't really matter where the software (WinSpy.exe in this case) is currently installed.

Scanned without /WL parameter (this is just a part of the DOS screen of the whole scan performed)

a2cmd_minus_WL.jpg: here you can see the “WinSpy” detections.

My regards

Thanks a lot, Lynx!

I'll try that tomorrow!

The doc is really not clear (read: useless) as to how to properly fill out the whitelist file for the CLS when you don't use the GUI at all. (I *only* have the CLS, in fact.)

Best,

François

Saying that the doc is "useless" seems too harsh.

Please keep in mind that it's an excellent, very flexible product provided for free.

If you do have suggestions regarding improving it, please do...

As was pointed out previously, many features requested by users were implemented; the developers are listening despite having a pretty tight schedule ... especially now, due to fine-tuning the new EAM release.

My regards

Thanks Lynx.

What I was trying to say (and maybe failed, because English is not my primary language, as for many people) is that the doc doesn't help when it comes to writing the whitelist.

There's no example at all.

Maybe a whitelist sample could be included with the program.

The program is great, don't get me wrong!

Reading your previous answer again, it seems we can't whitelist a single file with its filename.

We need to use the detection name.

On the other hand, Christian Peters from Emsisoft told me I could use the filename.

That's contradictory, and it doesn't work here, thus this thread on the forum.

However: if I need to use the detection name, is it possible that more than one program can give the same detection?

If so, is it possible that one of them is a real threat, and not another one?

In that case, if I put the detection name in the whitelist, I'm exposed to a threat.

My conclusion is that using detection names in the whitelist leaves me exposed to real threats.

My best regards,

François

...The program is great, don't get me wrong!
Hi François,

I am not getting you wrong :) I know that the program is great & you are appreciating its power & flexibility

As was pointed out, please contact the developers and suggest the improvements regarding the content of the a2cmd documentation: placing examples and so on...

I am sure they will do that as soon as they have a bit more time than they have now when fine tuning the latest major release

As for the note by Christian Peters: yes, you can put not only the directory but the file name into the White List.

Here is the example:

CLS_TrojanDetected.jpg: the directory with the flagged file was scanned; there is a detection.

The whitelist file was created as

F:\_Temp\TrojanTest_2\This_Is_aTrojan.exe

The file was included, not the whole directory.

The same directory was scanned

CLS_TrojanFileWhitelisted.jpg: but with the /WL= parameter ... there is no detection.

Cheers!

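A small Python model of the whitelist matching rules as Lynx describes them above (a line is either a detection name, or a file, folder or registry path) and of the exposure François raises: a detection-name entry silences every object that produces that name, while a path entry silences only the object at that path. This is an added example, not Emsisoft's code; the matching rules (case-insensitive paths, folder entries covering everything beneath them, names distinguished from paths by the absence of a backslash) are assumptions drawn from this thread, and the sample findings are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One scan result: the detection name and the flagged object, if any."""
    detection: str       # e.g. "Trace.File.Winspy!A2"
    path: Optional[str]  # file or registry path; None if nothing is on disk

def _norm(p: str) -> str:
    # Windows paths compare case-insensitively; drop a trailing separator.
    return p.replace("/", "\\").rstrip("\\").lower()

def is_detection_name(entry: str) -> bool:
    # Assumption: detection names such as Trace.File.Winspy!A2 carry no
    # path separators, while file, folder and registry entries always do.
    return "\\" not in entry and "/" not in entry

def matches(entry: str, f: Finding) -> bool:
    """Does one whitelist line suppress this finding (under the model above)?"""
    e = entry.strip()
    if is_detection_name(e):
        return e.lower() == f.detection.lower()
    if f.path is None:
        return False
    # A path entry covers that exact object and, as a folder, anything beneath it.
    fp, ep = _norm(f.path), _norm(e)
    return fp == ep or fp.startswith(ep + "\\")

def apply_whitelist(entries: List[str], findings: List[Finding]) -> List[Finding]:
    """Return the findings that survive the whitelist."""
    live = [e for e in entries if e.strip()]
    return [f for f in findings if not any(matches(e, f) for e in live)]

# Constructed sample: two different files raising the same detection name plus a
# registry-only trace. The pairing of names with paths is made up for the demo.
SAMPLE = [
    Finding("Trace.File.Winspy!A2", r"c:\windows\system32\dwspy32.dll"),
    Finding("Trace.File.Winspy!A2", r"c:\users\guest\downloads\unknown.exe"),
    Finding("Trace.Registry.Winspy!A2", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
            r"\Windows\CurrentVersion\Uninstall\ST4UNST #1"),
]

if __name__ == "__main__":
    for wl in ([r"C:\WINDOWS\System32\DWSPY32.DLL"], ["Trace.File.Winspy!A2"]):
        print(wl, "->", [f.path for f in apply_whitelist(wl, SAMPLE)])
```

Whitelisting by path leaves the second file's detection in place; whitelisting by detection name removes both, which is exactly the trade-off discussed in this thread.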
Thanks Lynx.

Strange that putting the filename into the whitelist doesn't work here.

Can you please try this?:

Put your trojan file into "c:\program files".

Then do the scan but use the /smart option, not the /f=[...] one.

Thanks again,

François

Hi François,

Below is a scenario that proves “the thing” is working.

1) The only guess at the moment would be: please check whether you are setting all paths in your command (or batch) and whitelist file explicitly. That is the best practice and basically the “rule of thumb”;

2) In my 1st post the path for the whitelist was not set because I was sure that the file is within the directory where CLS resides;

3) This time I deliberately placed the whitelist into a different directory – the root of the D partition;

4) I did not place the suspect into C:\program files\ as you asked, but into C:\WINDOWS\$hf_mig$\ because that is the first directory scanned by the “Smart” scan, and I was not going to complete that scan, but rather stop it as soon as the detection was made (which I did).

I do like my hard drive and usually don't do many and frequent Smart or Deep Scans.

And in this case I was “compelled” to run the other one straight after with the whitelist set (I'll send you my PayPal account because I need money for the new hard drive after such sadistic hard drive torture ...hehe :) … just kidding!)

5) The second scan, though, was complete, and as you can see the whitelist with the file did the job as expected.

The content of Wlist_Smart.txt

C:\WINDOWS\$hf_mig$\This_Is_aTrojan.exe

1_CLS_v5_Smart_Riskware.jpg: the suspect in the folder where it has to be picked up by the Smart Scan.

2_CLS_v5_SmartStarted_NoWL.jpg: Smart Scan started – no whitelist.

3_CLS_v5_Smart_RiskwareDetected.jpg: the suspect was detected … the scan was interrupted (stopped) – that's enough for the 1st stage of the test.

4_CLS_v5_Smart_WL.jpg: another Smart Scan started. The whitelist was placed into “whatever” folder, but the path is explicitly set. See above for the content of the whitelist.

5_CLS_v5_Smart_RiskwareNOTDetected.jpg: we have already passed the point where the suspect was previously detected.

6_CLS_v5_Smart_WL_Ended.jpg: Smart Scan ended – no detections because of the whitelist.

Cheers!

Thanks Lynx.

I'll check all this again Monday when I'm back at work. (This is going on on my office PC.)

Best regards,

François

Still doesn't seem to work.

Question: one of my items is a file, but detected as a Trace.

Is the whitelist supposed to work with that kind of detection too?

Whitelist:

c:\windows\system32\DWSPY32.DLL
c:\program files\national instruments\signal processing start-up kit\dfd\dfd.exe
c:\program files\national instruments\signal processing start-up kit\spt application.exe
C:\PROGRAM FILES\Zebra Technologies\Zebra Setup Utilities\Driver\ZBRN\ZebraFD.exe

Logfile attached. (I stopped the scan when the file was detected)

Command-line was:

C:\Program Files\a2cmd>a2cmd /smart /l /WL=whitelist.txt

Thanks again!

François

François,

The Traces were mentioned in the reply above.

You have to place the name of the detection (Trace) as in the provided example.

In many cases you may not even have the file associated, but just the Trace in the Registry...

The main point is whether the file itself is flagged (as in the 2nd example).

My regards

Thanks Lynx.

To be sure I fully understand (with my limited English):

In my example, the detection is a Trace.File object.

In that case, specifying the file in the whitelist doesn't work and I need to use the Detection name instead?

If so, I'm not fully comfortable with this.

The reason is that maybe another file can produce the same Detection and be a real threat.

(the file mentioned has been sent several days ago as a false positive to Emsisoft's lab but it has not been removed from the detection database yet)

Thanks again, but I think I'll stop using this software as it's more a hassle for me than a real help.

Best regards,

François

That is your choice, François.

But in the initial thread you mentioned Traces like “ST4UNST #1” and some files that you tried to whitelist, but most likely those were Traces as well.

Flagging files as Risk or Trojans, and files/folders as Traces, are very different things.

In any case, Traces may not necessarily represent any danger.

Please read (if you still have the will) about Traces here or somewhere else, if you are using other security software.

This software is doing nothing wrong. Spyware Traces in Detail

Search other sources: this forum or our old forum for “Traces” or the like.

Here is one of the old threads about similar Traces.

In any case, as I pointed out, if you want to learn more, please use the GUI version 1st in order to be more fluent with the software. It will provide you with some (a lot of :) ) experience.

Then you will be more confident in how to use CLS; bringing it to any given PC and checking it perfectly … moreover … even having more options and flexibility than the GUI version has.

...Thanks again, but I think I'll stop using this software as it's more a hassle for me than a real help. Best regards, François
Best wishes to you as well!

I will lock this case

Please PM if you want to reopen it regarding this particular matter. Cheers!

This topic is now closed to further replies.