AndreaB

False positive and whitelist exclusion problem


Using a2cmd with the attached whitelist.txt as the whitelist file, the two false-positive files (they are the same file, expanded and compressed) are correctly not flagged by a2cmd v.10, but with the latest, updated 64-bit v.12 version and the same whitelist.txt file:

  • the expanded tcp_fcv.exe file is correctly excluded
  • the file compressed in the zip is flagged

Emsisoft Commandline Scanner - Version 12.2
Last update: 29/03/2017 06:00:25

Scan settings:

Scan type:                              Custom Scan
Objects:                                Rootkits, Memory, Traces, C:\Av_Test\Av_Test\MyTemp

Detect Potentially Unwanted Programs:   Off
Scan archives:                          On
ADS Scan:                               Off
File extensions:                        On
Exclusion filter:  |.omg|
Direct disk access:                     Off

Scan start:                             04/05/2017 18:39:23

C:\Av_Test\Av_Test\MyTemp\M110 Flex OP250_166335_2017-03-09.zip -> [mac]/fcbin/tcp_fcv.exe     detected: Trojan.GenericKD.1811878 (B)

Scanned            62877
Found              1

Scan end:          04/05/2017 18:39:37
Scan time:         0:00:14


It seems that the explicit exclusion of the file using its complete path

C:\Av_Test\Av_Test\MyTemp\tcp_fcv.exe

works both in v.10 and in v.12, but the exclusion using the malware name (Trojan.GenericKD.1811878, Trojan.GenericKD.1811878 (B)) no longer works in v.12.

How can I exclude a false positive based on the malware name in a2cmd v.12?

VScan_3264.bat is the batch file used to start the 32-bit (v.10) or 64-bit (v.12) version of the a2cmd tool.

Thank you in advance.

Attachments: whitelist.txt, M110 Flex OP250_166335_2017-03-09.zip, tcp_fcv.exe, VScan_3264.bat

2 hours ago, AndreaB said:

works both in v.10 and in v.12, but the exclusion using the malware name (Trojan.GenericKD.1811878, Trojan.GenericKD.1811878 (B)) no longer works in v.12.

That is correct, we removed exclusions by malware name.

I recommend reporting false positives so that they can be resolved. You can e-mail the file to [email protected] to submit it, or create a topic in our False Positives forum section (submissions are only downloadable by staff).

In this case it is a BitDefender detection, so it will need to be forwarded to BitDefender to be resolved.

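With name-based exclusions gone, the practical workaround is to allowlist by exact target path, and to remember that the path of the expanded copy does not cover the same file when a2cmd scans it as a member of the ZIP (the finding is reported as "archive -> member"). The script below is an added example, not Emsisoft's code and not the attached VScan_3264.bat: it post-processes the plain text a2cmd prints, suppresses only findings whose exact target (archive plus member path included) is on the allowlist, and deliberately never matches on the signature name, because a generic name such as Trojan.GenericKD.* is shared by many unrelated samples. The sample output and allowlist are constructed for the example; the second hit, dropper.exe, is invented to show that the same signature on a different file is still reported.

```python
"""Post-process a2cmd scan output against a path-based allowlist.

Added example, not Emsisoft code. a2cmd v12 no longer excludes findings by
detection name, and a whitelist entry for the expanded file does not cover
the same file when it is scanned inside a ZIP. This script parses the
'detected:' lines a2cmd prints and suppresses only findings whose exact
target (container path plus archive member path) is on the allowlist.
"""
import re

# A detection line looks like:  <target>     detected: <signature name>
# The target may contain single spaces ("M110 Flex ..."), while two or more
# spaces separate it from the "detected:" column, so require that gap.
DETECTION_RE = re.compile(r"^(?P<target>\S.*?)\s{2,}detected:\s*(?P<name>.+?)\s*$")

# Constructed sample in the format a2cmd v12 prints. The first detection line
# mirrors the one quoted in the post; 'dropper.exe' is an invented second hit
# that carries the same signature name.
SAMPLE_OUTPUT = r"""Emsisoft Commandline Scanner - Version 12.2
Scan start:                             04/05/2017 18:39:23

C:\Av_Test\Av_Test\MyTemp\M110 Flex OP250_166335_2017-03-09.zip -> [mac]/fcbin/tcp_fcv.exe     detected: Trojan.GenericKD.1811878 (B)
C:\Av_Test\Av_Test\MyTemp\other\dropper.exe     detected: Trojan.GenericKD.1811878 (B)

Scanned            62877
Found              2
"""

# Constructed allowlist, one entry per line, using the same "archive -> member"
# syntax a2cmd prints for archive contents. Lines starting with '#' are comments.
ALLOWLIST_TEXT = r"""
# the expanded copy, as in the original whitelist.txt
C:\Av_Test\Av_Test\MyTemp\tcp_fcv.exe
# the same file inside the ZIP must be listed separately, by archive + member
C:\Av_Test\Av_Test\MyTemp\M110 Flex OP250_166335_2017-03-09.zip -> [mac]/fcbin/tcp_fcv.exe
"""


def normalize(path: str) -> str:
    """Case-insensitive, separator-insensitive key for Windows paths."""
    return path.strip().replace("\\", "/").lower()


def load_allowlist(text: str) -> set[str]:
    """Parse allowlist text into a set of normalized target keys."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(normalize(line))
    return entries


def parse_detections(scan_output: str) -> list[dict]:
    """Return one dict per 'detected:' line: target, container, members, name."""
    found = []
    for line in scan_output.splitlines():
        m = DETECTION_RE.match(line)
        if not m:
            continue
        parts = m.group("target").split(" -> ")
        found.append({
            "target": m.group("target"),
            "container": parts[0],
            "members": parts[1:],   # empty for a plain file on disk, nested archives give several
            "name": m.group("name"),
        })
    return found


def is_allowlisted(det: dict, allowlist: set[str]) -> bool:
    """Exact target match only: never by signature name, never by basename alone."""
    return normalize(det["target"]) in allowlist


def filter_detections(scan_output: str, allowlist: set[str]):
    """Split the scanner's findings into (kept, suppressed) lists."""
    kept, suppressed = [], []
    for det in parse_detections(scan_output):
        (suppressed if is_allowlisted(det, allowlist) else kept).append(det)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_detections(SAMPLE_OUTPUT, load_allowlist(ALLOWLIST_TEXT))
    for det in suppressed:
        print("allowlisted:", det["target"])
    for det in kept:
        print("ALERT:", det["target"], "->", det["name"])
```

In practice the scan is run exactly as before and its console output is redirected to a file, which is then fed to `filter_detections`; nothing about the a2cmd invocation changes. Matching is on the full target string, so a whitelisted file inside one archive is not silently whitelisted inside every other archive, and a change of the signature name on a future database update has no effect on what is suppressed.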
12 hours ago, GT500 said:

That is correct, we removed exclusions by malware name.

I recommend reporting false positives so that they can be resolved. You can e-mail the file to [email protected] to submit it, or create a topic in our False Positives forum section (submissions are only downloadable by staff).

In this case it is a BitDefender detection, so it will need to be forwarded to BitDefender to be resolved.

Where can I find the list of improvements, modifications, changes, ... of v.12 with respect to v.11 and of v.11 with respect to v.10?

Thank you in advance.

Best regards.


We don't post a public changelog for the Commandline Scanner, however it incorporates the same changes to the scanning technology that Emsisoft Anti-Malware and Emsisoft Emergency Kit do.

The biggest thing to keep in mind about version 12 vs older versions is that in version 12 we switched to a new database format, and we have not published database updates for the older versions of the Commandline Scanner since August of last year. BitDefender also no longer publishes database updates for older versions of its anti-virus engine, so versions of the Commandline Scanner older than version 12 should be considered unsafe.
