BlackSun

"C:\Progr~\Browser\" being "found" as Adware.Win32.XBrowse (A)


... and I can't even submit a false positive report, because it then states it can't find the file. Yeah, because there is no file to begin with...!

Some people may like to put all their installed browsers into a subfolder "Browser" within Program Files to keep on top of things.
If it's literally just detecting the path itself, "C:\Program Files (x86)\Browser\", then yes, I created that to install my browsers into.

Scan start:    3/5/2020 5:19:20 PM
C:\Program Files (x86)\browser     detected: Adware.Win32.XBrowse (A) [223312]


... adding that to exclusions will prevent Emsisoft from ever again scanning or reacting to anything happening from within that path, does it not? As such, I'd like to add detection of the path to exclusions, not all content within that path!


There are certain things that are detected by path (usually what we classify as PUPs, a.k.a. "Potentially Unwanted Programs"). You can add it to the scan exclusions to keep it from being deleted. Here's how:

  1. Open Emsisoft Anti-Malware.
  2. Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle).
  3. Click on Exclusions in the menu at the top.
  4. The exclusions section contains two lists (Exclude from scanning and Exclude from monitoring). Look for the box right under where it says Exclude from scanning.
  5. Click on the Add folder button right below the Exclude from scanning box.
  6. Navigate to the folder you would like to exclude, click on it once to select it, and then click OK.
  7. Close Emsisoft Anti-Malware.

  • Downvote 1

8 hours ago, JeremyNicoll said:

But, @GT500 doesn't that exclude from scanning everything inside the selected folder?

Yes, it does.


8 hours ago, JeremyNicoll said:

The OP does not want that.

Technically the folder name isn't a false positive. The only way to prevent it from being detected is to add it to exclusions.

  • Downvote 1

On 3/7/2020 at 8:16 AM, GT500 said:

Technically the folder name isn't a false positive.

And this, technically, is wrong.

As long as Anti Malware detects something as being harmful / unwanted and even quarantines it, despite it not containing anything actually harmful... what's that called? Right - a false positive.

The point of any Anti Malware software is to find harmful objects, whatever they are, wherever they are, and prevent them from successfully causing harm to the system and user. Arguing that it "technically isn't a false positive", because the program was deliberately instructed to treat a harmless folder name string as a harmful entity in itself, is a false positive caused by a flaw in design. Harmful software could be anywhere - and anywhere could also contain not-harmful software.

Anti Malware should, regardless of folder name and path, keep all my folders safe.
As such, I expect both "C:\Windows\", as well as "C:\Program Files (x86)\Browsers\" and any other folder on my system, to be protected. Period. That's what I pay for. Having to disable said paid-for protection of big folders, because of this serious flaw in design, is not inspiring much confidence in the quality of Your product. In fact, behavior like this has SNAKE OIL stamped right on the tin in huge, red letters. And I hope it's not becoming representative of other parts of the package, too.

Finding a "suspicious path" may, maybe, warrant executing a quick scan of the folder, to check for any harmful contents. But hamfistedly labelling the whole thing as harmful and quarantining it is just alarmingly bad. Especially, when restoring from quarantine afterwards fails. Thank god for my backups.

Go ahead, create a "Browsers" folder in Program Files, and copy your Firefox, Chrome, Edge, and whatever other browsers you use, in there. Then, execute a manual scan of the Program Files directory.

I want all my folders to be treated with equal protection, regardless of their respective names. Period.
And this is a false positive by design? Okay, so, fix the design, then. Thank You.

Kind regards,
Paying customer No 543972 (or something like that)


Give the team some slack.

What @Elise could do for this is to not add detection for the whole folder and only detect the known malicious files dropped by the PUP inside it:

C:\Progr~\Browser\badplugin.dll

C:\Progr~\Browser\badplugin.exe

Actually, please don't put your portable or custom installs inside the Progr~ directory, as security software monitors that very carefully along with other important Windows directories. One way security software validates that a program is legit is by making sure it is installed on the default install path. I bet any zero-day protection would flag your 'browser' inside that custom install path... That's the limitation of signature black or white patterns in general. You create them for known or possibly malicious stuff based on previously analysed samples, then tweak them as needed. I wouldn't call that snake oil. Everyone does it. You expect EAM to know it like you do, which just ain't reasonable.

Anyway, hope everyone is well and safe during this time.

3 hours ago, grayskull said:

What @Elise could do for this is to not add detection for the whole folder and only detect the known malicious files dropped by the PUP inside it

The problem is that those malicious executables can change (there are often multiple versions of the same PUP, just like there is with any software) and detection rules have to be updated for every version of the files. Since they tend to use the same folder, and no other legitimate software does, the folder name is traditionally considered the proper way to detect it (not only by us but by other companies as well).

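The trade-off discussed in this thread (a folder-name indicator catches every version of a PUP without per-file signature updates, while a folder exclusion silences everything inside that folder, which is what the original poster objects to) can be shown with a toy scanner. The following is an added illustration written for this thread; it is not Emsisoft's code and makes no claim about how Emsisoft Anti-Malware implements detections or exclusions. The sample file system, the file contents, the hash rule and the `suppressed_path_rules` knob (a hypothetical "exclude only the path-based detection" option that the product, per the replies above, does not offer) are all constructed for the example.

```python
"""Toy model: path-based vs. hash-based PUP detection, and what a folder
exclusion does to each. Constructed illustration, not vendor code."""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileEntry:
    path: str        # Windows-style absolute path
    content: bytes   # file bytes (constructed stand-ins here)


# Constructed sample file system: a user-created browser folder holding a
# legitimate browser and two versions of a PUP's dropped files.
SAMPLE_FS = [
    FileEntry(r"C:\Program Files (x86)\Browser\firefox\firefox.exe", b"legit-firefox"),
    FileEntry(r"C:\Program Files (x86)\Browser\badplugin.dll", b"pup-version-1"),
    FileEntry(r"C:\Program Files (x86)\Browser\badplugin.exe", b"pup-version-2"),
    FileEntry(r"C:\Windows\notepad.exe", b"legit-notepad"),
]

PUP_FOLDER = r"C:\Program Files (x86)\Browser"
LABEL = "Adware.Win32.XBrowse (A)"   # detection name from the scan log in the thread


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Rule set A: per-file hash signatures. Only version 1 has been analysed,
# so version 2 of the same PUP is unknown to this rule set.
HASH_RULES = {sha256_hex(b"pup-version-1"): LABEL}

# Rule set B: the folder name itself is the indicator (catches all versions).
PATH_RULES = {PUP_FOLDER: LABEL}


def _norm(p: str) -> str:
    # Windows paths are case-insensitive; compare a normalised form.
    return PureWindowsPath(p).as_posix().lower()


def is_within(path: str, folder: str) -> bool:
    """True if `path` is `folder` itself or lies anywhere beneath it."""
    np, nf = _norm(path), _norm(folder)
    return np == nf or np.startswith(nf + "/")


def scan(fs, excluded_folders=(), suppressed_path_rules=()):
    """Return (location, label, rule_type) findings.

    excluded_folders      : folders excluded from scanning entirely (the
                            real product's 'Exclude from scanning').
    suppressed_path_rules : hypothetical knob that only silences the path
                            rule for a folder while files inside are still
                            hash-scanned (what the original poster asked for).
    """
    findings = []

    # Path rule fires when the folder exists (i.e. any file lies under it)
    # and is neither excluded from scanning nor explicitly suppressed.
    for folder, label in PATH_RULES.items():
        exists = any(is_within(f.path, folder) for f in fs)
        excluded = any(is_within(folder, ex) for ex in excluded_folders)
        suppressed = any(_norm(folder) == _norm(s) for s in suppressed_path_rules)
        if exists and not excluded and not suppressed:
            findings.append((folder, label, "path"))

    # Hash rules run file by file; an excluded folder is skipped entirely,
    # so known-bad files inside it go unreported.
    for f in fs:
        if any(is_within(f.path, ex) for ex in excluded_folders):
            continue
        label = HASH_RULES.get(sha256_hex(f.content))
        if label:
            findings.append((f.path, label, "hash"))
    return findings


def missed_by_hash_rules(fs):
    """PUP files the hash rules do not know (newer versions), for comparison."""
    return [f.path for f in fs
            if f.content.startswith(b"pup-") and sha256_hex(f.content) not in HASH_RULES]


if __name__ == "__main__":
    print("default scan:            ", scan(SAMPLE_FS))
    print("folder excluded:         ", scan(SAMPLE_FS, excluded_folders=[PUP_FOLDER]))
    print("path rule suppressed only:", scan(SAMPLE_FS, suppressed_path_rules=[PUP_FOLDER]))
    print("unknown PUP versions:    ", missed_by_hash_rules(SAMPLE_FS))
```

Running it shows the three situations from the thread side by side: the default scan reports the folder (path rule) plus only the version-1 file (hash rule) while version 2 slips past; a folder exclusion removes every finding, including the known-bad DLL; and a hypothetical path-rule-only suppression keeps the hash finding. The version that the hash rules miss is exactly the maintenance burden the last reply describes.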
