False Positive Correlog SIEM Server

Comments

12 comments

  • Customer

    Hi Correlog,

     

    Thanks for letting us know. We'll investigate and report back here.

     

    Regards,

     

    Andy

    Lavasoft Malware Lab

    0
  • Customer

    Hi Correlog,

     

    The detection is (obviously!) a false positive and will be removed from detection. Thanks for letting us know.

     

    Regards,

     

    Andy

    Lavasoft Malware Lab

    0
  • Customer

    Hello Andy,

     

    How long does it usually take for the new dat files to sync with VirusTotal, as we are still showing as detecting Trojan.Zmutzy.802?

     

    Thank you,

     

    Michael

    0
  • Customer

    Hello Andy,

     

    I have contacted VirusTotal and they are telling me that their engineering team has confirmed that Ad-Aware is still passing the same results to them. I have added VirusTotal's response to this comment. Could you please look into this for me? We are also a security company and are looking for some good partners in the Anti-virus protection realm.

     

     

    Thank you,

     

    Michael

     

     

     

    Svetla Yankova (VirusTotal)

    Sep 29, 23:09 CEST

    Hi Michael,

    Our engineering team validated that our results have been refreshed. Ad-aware is still passing the same result to us.

    Their engine might be caching an old result that is being passed to VirusTotal as our results from them are updated multiple times a day.

    Sorry I'm not able to be of any further help, are you in contact with Ad-aware? It helps if you send them the latest scan reports.
    Don't hesitate to reach out if the issue persists once AdAware confirms they've updated their VirusTotal information.

    0
  • Customer

    Hello Andy,

     

    I have Ad-Aware installed on a VM in my lab and Ad-Aware does not look like it is showing a false positive on our software any longer. It looks to me like VirusTotal just has not updated their definitions with the new ones you have created.

     

    Thank you,

     

    Michael

    0
  • Customer

    Hi Michael,

     

    I'm still unable to recreate the detection using Ad-Aware. I ran several scans against the file:


    • scanning the file itself

    • extracting the contents and scanning them

    • installing the application and running a full system scan


    ... and nothing was flagged. Can you provide the Virus Total link that shows the detection? That will give me the hash of the file being flagged - I can check if that file exists on my machine after installing CorreLog.

     

    I'm not quite sure what to make of Virus Total's response. They use the command line version of Ad-Aware that has the same definition files as the regular GUI version. They will most certainly keep it updated with the latest definition files, so if they are still seeing the Trojan.Zmutzy.802 flag, I should see it too.

     

    If you can post the Virus Total link, that will give me something to go on.

     

    Thanks,

     

    Andy

    0
  • Customer

    Hello Andy,

     

     

    Here is the VirusTotal link:

    https://www.virustotal.com/en/file/34eed7d4b0f4ac49affa3a56d789d326daa6f9ea8acaef4c77933476d00dcfa4/analysis/1475237312/

     

     

    Here is the file identification information:


    MD5 4a91f38b36523f624cad88c7af2857c3


    SHA1 5a75de6e78e0e48ffc81442468da8808c04bf394


    SHA256 34eed7d4b0f4ac49affa3a56d789d326daa6f9ea8acaef4c77933476d00dcfa4


    ssdeep

    1572864:EDp1RDzlaGGwC/e2FnK6u8sxmvrjmaP727OnRV4Hqoim82SXIFLRKE3QqzO84QZC:EDBzla0t2FnK6DDV7SH1im82gIFLRKE4



    authentihash 270accd2fd0e6bf2c55403a47921c722249b3b70d97dcbc3363f47ec7bbfe0a5


    imphash 78c751010579c51cdad3f096a3cbcc97


    File size 90.1 MB ( 94469856 bytes )


    File type Win32 EXE


    Magic literal

    PE32 executable for MS Windows (GUI) Intel 80386 32-bit


    TrID Win64 Executable (generic) (42.0%)
    Winzip Win32 self-extracting archive (generic) (35.0%)
    Win32 Dynamic Link Library (generic) (10.0%)
    Win32 Executable (generic) (6.8%)
    Generic Win/DOS Executable (3.0%)

     

     

    This is what their analysis says when it completes scanning our installer:

    Ad-Aware Trojan.Zmutzy.802 20160930

     

     

     

    Thank you,

     

    Michael

    0
  • Customer

    I can see the problem now - we're looking at different files.

     

    The sha256 for the file submitted to Virus Total is not the same as for the file I downloaded from https://correlog.com/Download/co-5-6-3.exe.

     

    VT file hash: 34eed7d4b0f4ac49affa3a56d789d326daa6f9ea8acaef4c77933476d00dcfa4

    From URL: 9cc3ba54b08be7b21b9e52c8b48d281e8e7797b90f0d5de6d6bf13698a7e3d3d

     

    I'll download the file from Virus Total and check it out.

    0
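The check that resolved the mismatch above, as an added example (not code from Lavasoft, CorreLog or VirusTotal): pull the SHA-256 out of a VirusTotal permalink of the shape quoted in this thread and compare it with the digests of the file actually on hand, before trying to reproduce a detection. The function names are hypothetical and the sample bytes are constructed.

```python
import hashlib
import io
import re

# Permalink shape seen in this thread: .../file/<sha256>/analysis/<epoch>/
VT_FILE_URL = re.compile(r"/file/([0-9a-fA-F]{64})(?:/|$)")


def sha256_from_vt_url(url):
    """Return the lowercase SHA-256 embedded in a report permalink, or None."""
    match = VT_FILE_URL.search(url)
    return match.group(1).lower() if match else None


def digest_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in one chunked pass (the installers are ~90 MB)."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def same_sample(report_url, stream):
    """Tell whether the reported sample and the local bytes are the same file."""
    reported = sha256_from_vt_url(report_url)
    if reported is None:
        raise ValueError("no SHA-256 found in report URL")
    local = digest_stream(stream)
    return {
        "reported_sha256": reported,
        "local": local,
        "match": reported == local["sha256"],
    }


if __name__ == "__main__":
    # Constructed stand-in for a downloaded installer; for a real file use
    # open(path, "rb") instead of io.BytesIO.
    sample = io.BytesIO(b"constructed sample bytes, not a real installer")
    url = ("https://www.virustotal.com/en/file/"
           "34eed7d4b0f4ac49affa3a56d789d326daa6f9ea8acaef4c77933476d00dcfa4"
           "/analysis/1475237312/")
    result = same_sample(url, sample)
    print("reported:", result["reported_sha256"])
    print("local   :", result["local"]["sha256"])
    print("same file" if result["match"] else "different files")
```

A mismatch here means the scan results cannot be compared at all, which is why the detection could not be reproduced from the download URL alone.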
  • Customer

    I was able to recreate the detection with the correct file. I'll send this to the false positive team and report back here when I get the result.

    0
  • Customer

    Hi Michael,

     

    The detection is a false positive and will be removed within the next few updates.

     

    Andy

    Lavasoft Malware Lab

    0
  • Customer

    Andy,

     

    We just released a new version of our CorreLog Security Information and Event Management server and we are getting false positives again.

     

    https://correlog.com/Download/co-5-6-4.exe

     

    Ad-Aware Trojan.Zmutzy.802 20161004

     

     


     

     

     

     




    Thank you,


    Michael




    0
  • Customer

    Hi Michael,

     

    Thanks for letting me know about the new files - they've been removed from detection.

     

    Andy

    0
