This page is designed to help Cheat Happens users deal with antivirus warnings and false positives generated by AhnLab. Use the information below to learn how to report false positives, temporarily disable protection, or whitelist our files so that they are allowed to run.
I have covered the impact that automated detection systems have on false positives in the past. Hispasec, the company behind VirusTotal, also discussed the issue in a blog post aptly named Antivirus Rumorology. More recently Kaspersky ran an experiment during a press conference and showed a group of journalists how false positives roll over from one vendor's engine to the next. Being journalists, they mostly took home the message "AV vendors copy each other, and mostly us", as the articles covering the event show. Even though the objective of the experiment was questioned, the fact remains that this is an industry-wide problem and no single vendor is immune to its effects, not even Kaspersky, as we will see.
- The current AV-TEST evaluation of AhnLab V3 Mobile Security 3.1 for Android (202901), from July 2020. AV-TEST is an international, independent testing service for antivirus software and malware.
- Detection(s) confirmed as false positive. This driver is part of Process Hacker, a completely open-source tool that is widely known and trusted by developers. According to a statement from Microsoft, the unmodified, original versions of the software are not a threat; the false positive occurs because some viruses use.
- AhnLab-V3 184.108.40.206 2010.02.23 (no detection) - AntiVir 220.127.116.11 2010.02.23 (no detection) - Antiy-AVL 18.104.22.168 2010.02.23 (no detection). Thank you for taking the time to submit a false positive report!
As regular readers of this blog will probably remember, in March 2010 we published a binary, "PandaCloudTestFile.exe", to test the connectivity of Panda products with their cloud-scanning component, Collective Intelligence. "PandaCloudTestFile.exe" is a completely harmless file whose only function is to make the Panda product query the cloud. Our cloud-scanning servers have been manually configured to detect this file as malicious, with the sole objective of showing end users that the cloud-scanning component of their product is working correctly.
Initially the file was detected only by Panda, as Trj/CI.A (a Collective Intelligence detection), and by Symantec's Insight, which flagged it for being uncommon (whether low prevalence alone is grounds for a "suspicious" verdict is itself debatable, but that may be a future post).
Panda 10.0.2.2 2010.03.10 Trj/CI.A
Symantec 20091.2.0.41 2010.03.11 Suspicious.Insight
A few days later came the first problematic detection, this time from Kaspersky, which detected "PandaCloudTestFile.exe" with a signature, specifically naming it a Bredolab backdoor. I call this detection problematic because it is clearly neither a heuristic "suspicious" verdict nor a reputation-based one, and it is clearly incorrect, as the file has no relation whatsoever to Bredolab. We will soon see why this Kaspersky signature matters.
Kaspersky 22.214.171.124 2010.03.20 Backdoor.Win32.Bredolab.djl
Over the next few days other AV scanners started detecting it as well, in many cases with the exact same Bredolab name.
McAfee+Artemis 5930 2010.03.24 Artemis!E01A57998BC1
Fortinet 126.96.36.199 2010.03.26 W32/Bredolab.DJL!tr.bdr
TheHacker 188.8.131.52.245 2010.03.26 Backdoor/Bredolab.dmb
Antiy-AVL 184.108.40.206 2010.03.31 Backdoor/Win32.Bredolab.gen
Jiangmin 13.0.900 2010.03.31 Backdoor/Bredolab.bmr
VBA32 220.127.116.11 2010.03.31 Backdoor.Win32.Bredolab.dmb
In the following month (April 2010) a batch of new engines started detecting it, mostly under the Bredolab name we are now familiar with, although some new names appeared as well (Backdoor.Generic, Monder, Trojan.Generic, etc.).
a-squared 18.104.22.168 2010.04.05 Trojan.Win32.Bredolab!IK
AhnLab-V3 2010.04.30.00 2010.04.30 Backdoor/Win32.Bredolab
AVG 22.214.171.1247 2010.04.30 BackDoor.Generic12.BHAD
Ikarus T126.96.36.199.0 2010.04.05 Trojan.Win32.Bredolab
CAT-QuickHeal 10.00 2010.04.12 Backdoor.Bredolab.djl
TrendMicro 188.8.131.524 2010.04.03 TROJ_MONDER.AET
Sunbelt 6203 2010.04.21 Trojan.Win32.Generic!BT
VBA32 184.108.40.206 2010.04.02 Backdoor.Win32.Bredolab.dmb
VirusBuster 220.127.116.11 2010.04.17 Backdoor.Bredolab.BLU
And to top it all off, during this month (May 2010) the following engines started detecting "PandaCloudTestFile.exe" as well. Here we can also see a "suspicious" detection, probably the only one of all of them that makes any sense.
Authentium 18.104.22.168 2010.05.15 W32/Backdoor2.GXIM
F-Prot 22.214.171.124 2010.05.15 W32/Backdoor2.GXIM
McAfee 5.400.0.1158 2010.05.05 Bredolab!j
McAfee-GW-Edition 2010.1 2010.05.05 Bredolab!j
Norman 6.04.12 2010.05.13 W32/Suspicious_Gen3.CUGF
PCTools 126.96.36.199 2010.05.14 Backdoor.Bredolab
TrendMicro-HouseCall 188.8.131.524 2010.05.05 TROJ_MONDER.AET
ViRobot 2010.5.4.2303 2010.05.05 Backdoor.Win32.Bredolab.40960.K
It is worth noting that consumer products include other technologies, such as whitelisting and digital certificate checks, that could prevent the file from being detected on the consumer endpoint; but the existence of a signature for the file is a good indicator that it will probably be detected there.
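The rollover described above can be checked mechanically from the scan rows quoted in this post. The following script is an added example, not code from the original post or from Panda: it takes the engine, scan date and verdict of each row above (constructed here as a Python list, with the version strings dropped and one repeated VBA32 row omitted), reduces each vendor's naming scheme to a family token with a deliberately simple heuristic that is this example's own assumption, and reports which engines adopted a specific family name, and how many days after the engine that introduced it.

```python
"""Trace how a detection name for one file propagates from engine to engine.

Added example, not code from the original post. SCAN_ROWS is constructed from
the per-engine results quoted in the post (engine, scan date, verdict); the
engine version strings are omitted. The family heuristic is this example's own
simplification of vendor naming schemes, not any vendor's rule.
"""
import re
from datetime import datetime

SCAN_ROWS = [
    ("Panda", "2010.03.10", "Trj/CI.A"),
    ("Symantec", "2010.03.11", "Suspicious.Insight"),
    ("Kaspersky", "2010.03.20", "Backdoor.Win32.Bredolab.djl"),
    ("McAfee+Artemis", "2010.03.24", "Artemis!E01A57998BC1"),
    ("Fortinet", "2010.03.26", "W32/Bredolab.DJL!tr.bdr"),
    ("TheHacker", "2010.03.26", "Backdoor/Bredolab.dmb"),
    ("Antiy-AVL", "2010.03.31", "Backdoor/Win32.Bredolab.gen"),
    ("Jiangmin", "2010.03.31", "Backdoor/Bredolab.bmr"),
    ("VBA32", "2010.03.31", "Backdoor.Win32.Bredolab.dmb"),
    ("TrendMicro", "2010.04.03", "TROJ_MONDER.AET"),
    ("a-squared", "2010.04.05", "Trojan.Win32.Bredolab!IK"),
    ("Ikarus", "2010.04.05", "Trojan.Win32.Bredolab"),
    ("CAT-QuickHeal", "2010.04.12", "Backdoor.Bredolab.djl"),
    ("VirusBuster", "2010.04.17", "Backdoor.Bredolab.BLU"),
    ("Sunbelt", "2010.04.21", "Trojan.Win32.Generic!BT"),
    ("AhnLab-V3", "2010.04.30", "Backdoor/Win32.Bredolab"),
    ("AVG", "2010.04.30", "BackDoor.Generic12.BHAD"),
    ("McAfee", "2010.05.05", "Bredolab!j"),
    ("TrendMicro-HouseCall", "2010.05.05", "TROJ_MONDER.AET"),
    ("ViRobot", "2010.05.05", "Backdoor.Win32.Bredolab.40960.K"),
    ("Norman", "2010.05.13", "W32/Suspicious_Gen3.CUGF"),
    ("PCTools", "2010.05.14", "Backdoor.Bredolab"),
    ("Authentium", "2010.05.15", "W32/Backdoor2.GXIM"),
    ("F-Prot", "2010.05.15", "W32/Backdoor2.GXIM"),
]

# Type/platform prefixes that most naming schemes carry in front of the family.
NOISE = {"backdoor", "trojan", "troj", "trj", "win32", "w32"}
# Cloud/reputation verdict names seen on the page; they name no malware family.
REPUTATION = {"artemis", "ci"}


def parse_date(text):
    return datetime.strptime(text, "%Y.%m.%d").date()


def family_of(verdict):
    """First token of the verdict that is not a type/platform prefix, lowercased."""
    tokens = [t.lower() for t in re.split(r"[./!_\s-]+", verdict) if t]
    for tok in tokens:
        if tok not in NOISE:
            return tok
    return tokens[0] if tokens else ""


def is_specific(family):
    """True for a named family; False for heuristic, generic or reputation verdicts."""
    if not family.isalpha() or family in REPUTATION:
        return False
    return not family.startswith(("generic", "suspicious", "backdoor", "trojan"))


def first_sightings(rows):
    """Earliest (date, engine) per family; ties on the same day keep input order."""
    seen = {}
    for engine, when, verdict in sorted(rows, key=lambda r: parse_date(r[1])):
        seen.setdefault(family_of(verdict), (parse_date(when), engine))
    return seen


def rollover_candidates(rows):
    """Engines that emitted a specific family name after another engine introduced it,
    as (engine, family, days_after_first_sighting, originating_engine), soonest first."""
    origin = first_sightings(rows)
    out = []
    for engine, when, verdict in rows:
        fam = family_of(verdict)
        if not is_specific(fam):
            continue  # 'suspicious', 'generic' and reputation verdicts are not copied names
        first_day, first_engine = origin[fam]
        if engine != first_engine:
            out.append((engine, fam, (parse_date(when) - first_day).days, first_engine))
    return sorted(out, key=lambda r: r[2])


if __name__ == "__main__":
    for fam, (day, eng) in sorted(first_sightings(SCAN_ROWS).items(), key=lambda kv: kv[1][0]):
        print(f"{day}  {eng:22s} introduced {fam!r:14} specific={is_specific(fam)}")
    print()
    for engine, fam, days, src in rollover_candidates(SCAN_ROWS):
        print(f"+{days:3d} days  {engine:22s} -> {fam} (first seen from {src})")
```

On these rows the script reports 14 adopted family names: thirteen Bredolab verdicts trailing Kaspersky's by 6 to 55 days and one Monder verdict trailing TrendMicro's by 32 days, while the reputation, "suspicious" and generic verdicts are left out because they carry no family name that could have been copied. The family heuristic is crude on purpose; for real work the token rules would need extending per vendor, but the timeline logic is the part that matters.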
So why am I writing about all this? First, to emphasize the point I have tried to make in the past: automated systems have to be maintained, monitored, tuned and improved so that more in-depth analysis is done through them, rather than relying so much on "rumorology".
Secondly, to show that this is an industry-wide problem, a consequence of having to deal with tens of thousands of new malware variants per day, and that no vendor is immune to it. What matters at the end of the day is that the automated systems are supervised and improved constantly to avoid false positives.
I can certainly understand why vendors point out that their signatures get "rolled over" into other AV engines, but those same vendors should also take care not to become the source of these "false positive rumors" in the first place.
UPDATE June 3rd, 2010: Reading Larry's post over at securitywatch, it seems Kaspersky reacted quickly and has removed its signature for the PandaCloudTestFile.exe file. Thanks Larry & Kaspersky!
FILE-EXECUTABLE -- Snort detected traffic targeting vulnerabilities that are found in or delivered through executable files, regardless of platform. In those instances, Snort is able to correct traffic that has been altered.
FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt
The Microsoft EXE file parser in AhnLab V3 Internet Security 2011.01.18.00, Emsisoft Anti-Malware 184.108.40.206, eSafe 220.127.116.11, Ikarus Virus Utilities T3 Command Line Scanner 18.104.22.168, and Panda Antivirus 10.0.2.7 allows remote attackers to bypass malware detection via an EXE file with a 504B4C495445 character sequence (the ASCII string "PKLITE", the marker left in executables by the PKLITE executable compressor) at a certain location. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different EXE parser implementations.
Impact:
CVSS base score 4.3
CVSS impact score 2.9
CVSS exploitability score 8.6
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE (the exploitability subscore 8.6 and impact subscore 2.9 correspond under CVSS v2 only to the vector AV:N/AC:M/Au:N with exactly one PARTIAL impact component, which is the integrity impact listed above)
Details:
Ease of Attack:
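To make the bug class concrete, the following is an added example, not code from any product named in the advisory. It builds a minimal PE image with its own helper, plants the PKLITE marker (assumed here at offset 0x1E of the DOS header, where the PKLITE compressor wrote its copyright string; the advisory itself only says "a certain location"), and runs it through two toy scanners: one whose parser gives up on a packer it cannot unpack and reports the file clean, which is the behaviour the advisory describes, and one that matches the raw bytes regardless of what the parser concludes. The signature database and the sample executables are constructed for this example.

```python
"""Toy scanner illustrating the parser-confusion class of bypass described above.

Added example, not code from any product named in the advisory. The marker
offset (0x1E in the DOS header), the signature set and the sample executables
are assumptions of this example; the advisory only says "a certain location".
"""
import struct

# 50 4B 4C 49 54 45 is the ASCII string "PKLITE".
PKLITE_MARKER = bytes.fromhex("504B4C495445")
MARKER_OFFSET = 0x1E  # assumed location for this example

# Constructed signature database: name -> byte pattern (not a real malware signature).
SIGNATURES = {"Test.Constructed.A": b"CONSTRUCTED-TEST-SIGNATURE"}


def build_pe(body, packer_marker=None):
    """Minimal MZ stub + COFF header + body; optionally plants a packer marker in the DOS header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    if packer_marker:
        dos[MARKER_OFFSET:MARKER_OFFSET + len(packer_marker)] = packer_marker
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header immediately after the stub
    # Machine=i386, 1 section, no timestamp/symbols, no optional header, EXE characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + coff + body


def parse_headers(data):
    """Validate the MZ/PE headers; return (pe_offset, packer_name_or_None) or raise ValueError."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE header at e_lfanew")
    packer = "PKLITE" if data[MARKER_OFFSET:MARKER_OFFSET + 6] == PKLITE_MARKER else None
    return pe_off, packer


def match_signatures(data, signatures):
    for name, pattern in signatures.items():
        if pattern in data:
            return "detected:" + name
    return "clean"


def scan_weak(data, signatures=SIGNATURES):
    """The bug class: the parser's conclusion decides whether the body is scanned at all."""
    try:
        _, packer = parse_headers(data)
    except ValueError:
        return "clean"          # unparsable file treated as clean: fails open
    if packer is not None:
        return "clean"          # "packed with something we cannot unpack": give up, report clean
    return match_signatures(data, signatures)


def scan_hardened(data, signatures=SIGNATURES):
    """Match raw bytes regardless of what the parser concludes; parse only for context."""
    verdict = match_signatures(data, signatures)
    if verdict != "clean":
        return verdict
    try:
        parse_headers(data)
    except ValueError:
        return "malformed"      # fail closed: route to deeper analysis instead of passing it
    # A packer marker alone is not evidence of malice; flagging it would be a false positive.
    return "clean"


if __name__ == "__main__":
    body = b"\x90" * 16 + SIGNATURES["Test.Constructed.A"] + b"\x00" * 16
    for label, sample in (("plain", build_pe(body)), ("marker", build_pe(body, PKLITE_MARKER))):
        print(f"{label:7s} weak={scan_weak(sample):28s} hardened={scan_hardened(sample)}")
```

The six planted bytes change nothing about the body that carries the signature; only the weak scanner's control flow changes, which is why a single byte sequence was enough to affect several products at once. The hardened version also keeps the opposite failure in mind: a packer marker by itself is not grounds for a detection, so a genuinely PKLITE-compressed benign file stays clean rather than becoming the kind of false positive discussed earlier on this page.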