JeremyNicoll

Duplicate(?) lines in scan reports


EAM 2019.4.0.9412 under Win 8.1 64bit

I do a Custom scan of all my disks every couple of weeks. There are files on them that I expect to see reported (e.g. zipped backups of old emails which contain dodgy attachments). Because full paths to successive backups change over time, I normally make a copy of the scan report and edit the paths shown in it to contain generic literals rather than specific date/time-stamps, then save that temporary copy and generate its hash. If the hash is the same as last time then the file's contents are the same and so the list represents an equivalent/known set of found files.

Every so often the typical content of each line in the report changes slightly - usually its spacing, so my editing process removes extra spaces. And this time the lines also had " detected:" in them, but that's easy to cope with.

Today I had a problem - in the first place the scan appeared to have found twice the number of hits that I expected.  But it turns out that each hit is reported twice.  For example:

E:\Backups\DBfix\20181207\JN_SC_Backups\MessProAppData-SN130-20150315-0122-cpy\Groups\533\Bin0 -> [Subject: MoneyGram notification NTBTC01K98][Date: Tue, 10 Sep 2013 06:22:56 -0700 (PDT)] -> TRANSACT_NTBTC01K98.zip -> TSCT37DHH38-399.exe detected: Gen:Variant.Symmi.33694 (B) [krnl.xmd]

E:\Backups\DBfix\20181207\JN_SC_Backups\MessProAppData-SN130-20150315-0122-cpy\Groups\533\Bin0 -> (REMOVED_NULLS) -> [Subject: MoneyGram notification NTBTC01K98][Date: Tue, 10 Sep 2013 06:22:56 -0700 (PDT)] -> TRANSACT_NTBTC01K98.zip -> TSCT37DHH38-399.exe detected: Gen:Variant.Symmi.33694 (B) [krnl.xmd]

The second line is the same as the first one, except that it also contains: "(REMOVED_NULLS) -> ".

Do we need both lines?
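The normalise-then-hash comparison described in the post, written out as an added Python example (it is not code from the thread or from Emsisoft). It rewrites the date/time stamps in backup paths to fixed placeholders, collapses spacing, strips the optional "(REMOVED_NULLS) -> " stage so the two lines quoted above compare as a single hit, and hashes the sorted, de-duplicated result; when the hash changes it can also list which hits are new or missing. The sample lines are constructed from the pair quoted above, and the placeholder names and the choice to treat the two lines as one hit are this example's assumptions.

```python
import hashlib
import re
from typing import List, Tuple

# Constructed sample: the two report lines quoted in the post, which differ
# only in the "(REMOVED_NULLS) -> " stage on the second line.
REPORT_WITH_DUPLICATE = r"""
E:\Backups\DBfix\20181207\JN_SC_Backups\MessProAppData-SN130-20150315-0122-cpy\Groups\533\Bin0 -> [Subject: MoneyGram notification NTBTC01K98][Date: Tue, 10 Sep 2013 06:22:56 -0700 (PDT)] -> TRANSACT_NTBTC01K98.zip -> TSCT37DHH38-399.exe detected: Gen:Variant.Symmi.33694 (B) [krnl.xmd]
E:\Backups\DBfix\20181207\JN_SC_Backups\MessProAppData-SN130-20150315-0122-cpy\Groups\533\Bin0 -> (REMOVED_NULLS) -> [Subject: MoneyGram notification NTBTC01K98][Date: Tue, 10 Sep 2013 06:22:56 -0700 (PDT)] -> TRANSACT_NTBTC01K98.zip -> TSCT37DHH38-399.exe detected: Gen:Variant.Symmi.33694 (B) [krnl.xmd]
"""
# Constructed: the same hit as it would appear in a later backup, where only
# the date and date/time stamps in the path have changed.
_FIRST_LINE = REPORT_WITH_DUPLICATE.strip().splitlines()[0]
REPORT_LATER_BACKUP = (_FIRST_LINE.replace("20181207", "20190104")
                       .replace("20150315-0122", "20180601-2330") + "\n")

STAGE_MARKER = re.compile(r"\(REMOVED_NULLS\) -> ")  # optional extra stage (assumed safe to drop)
DATETIME_STAMP = re.compile(r"\b\d{8}-\d{4}\b")       # e.g. 20150315-0122, must run before DATE_STAMP
DATE_STAMP = re.compile(r"\b\d{8}\b")                 # e.g. 20181207
MULTI_SPACE = re.compile(r"[ \t]+")


def canonical_line(line: str) -> str:
    """Reduce one report line to a form that is stable across backups and report spacing."""
    line = STAGE_MARKER.sub("", line)
    line = DATETIME_STAMP.sub("<DATETIME>", line)
    line = DATE_STAMP.sub("<DATE>", line)
    return MULTI_SPACE.sub(" ", line).strip()


def canonical_report(text: str) -> List[str]:
    """Unique canonical lines, sorted so that report order does not affect the hash."""
    return sorted({canonical_line(l) for l in text.splitlines() if l.strip()})


def report_fingerprint(text: str) -> str:
    """SHA-256 over the canonical report; equal hashes mean an equivalent set of hits."""
    body = "\n".join(canonical_report(text)).encode("utf-8")
    return hashlib.sha256(body).hexdigest()


def report_diff(old: str, new: str) -> Tuple[List[str], List[str]]:
    """(hits only in new, hits only in old): what to look at when the fingerprint changes."""
    old_set, new_set = set(canonical_report(old)), set(canonical_report(new))
    return sorted(new_set - old_set), sorted(old_set - new_set)


if __name__ == "__main__":
    print(report_fingerprint(REPORT_WITH_DUPLICATE) == report_fingerprint(REPORT_LATER_BACKUP))
    print(report_diff(REPORT_WITH_DUPLICATE, REPORT_LATER_BACKUP))
```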

The second line appears to be showing that some other action was taken. I'll ask QA to be certain.


@JeremyNicoll would it be possible to attach the full scan log and a copy of the ZIP archive that was detected to a reply? QA would like to take a look at them and see exactly what happened.


@GT500 - I've dug out one of the files which was detected; it's not itself a zip but contains parts of emails, one of which contains a b64-encoded zip. Also, the full scan log from Saturday, one for a similar scan a month earlier showing just half the number of hits, and finally a scan today of the example file.

I've PMed a URL to you.


Thanks. I've passed the link on to QA, and hopefully they will be able to reproduce the issue.


I've checked with QA, and they don't have any new information about this yet.
