Ahnlab V3 Report False Positive

Aug 6th, 2009

  • Agnitum
  • Failure reason: 1 false positive
  • Product name: Agnitum Outpost Security Suite Pro
  • AhnLab
  • Result history: AhnLab
  • Details: Only available to subscribers.
  • Status: PASS
  • Product name: Alwil avast! Professional
  • AVG (Grisoft)
  • Result history: AVG (Grisoft)
  • Details: Only available to subscribers.
  • Status: PASS
  • Product name: Avira AntiVir Professional
  • CA eTrust
  • Result history: CA eTrust
  • Details: Only available to subscribers.
  • Status: FAIL
  • Product name: CA Internet Security Suite
  • eEye
  • Result history: eEye
  • Details: Only available to subscribers.
  • Status: PASS
  • Product name: ESET NOD32 Antivirus
  • Filseclab
  • Failure reason: 2612 wildlist misses, 38 false positives
  • Product name: Filseclab Twister AntiTrojanVirus
  • Finport
  • Failure reason: 2897 wildlist misses, 2 false positives
  • Product name: Finport Simple Anti-Virus
  • Fortinet
  • Result history: Fortinet
  • Details: Only available to subscribers.
  • Status: PASS
  • Product name: Frisk F-PROT antivirus
  • F-Secure
  • Result history: F-Secure
  • Details: Only available to subscribers.
  • Status: PASS
  • Product name: F-Secure PSB Workstation Security
  • GDATA
  • Result history: GDATA
  • Details: Only available to subscribers.
  • Status: FAIL
  • Result history: K7 Computing
  • Details: Only available to subscribers.
  • Status: PASS
  • Product name: Kaspersky Anti-Virus 2009
  • Kingsoft Standard
  • Failure reason: 228 wildlist misses
  • Product name: Kingsoft Internet Security 2009 Standard
  • Kingsoft Advanced
  • Result history: Kingsoft Advanced
  • Product name: Kingsoft Internet Security 2009 Advanced
  • McAfee Total Security
  • Result history: McAfee Total Security
  • Details: Only available to subscribers.
  • Status: PASS
  • Product name: McAfee VirusScan Enterprise
  • Microsoft Forefront
  • Result history: Microsoft Forefront
  • Product name: Microsoft Forefront Client Security
  • MicroWorld
  • Result history: MicroWorld
  • Details: Only available to subscribers.
  • Status: PASS
  • Product name: Nifty Corp. Security24
  • Norman
  • Result history: Norman
  • Details: Only available to subscribers.
  • Status: FAIL
  • Failure reason: 1188 wildlist misses, 1 false positive
  • Product name: PC Tools AntiVirus 2009
  • PC Tools Internet Security
  • Failure reason: 1355 wildlist misses, 1 false positive
  • Product name: PCTools Internet Security 2009
  • PC Tools Spyware Doctor
  • Failure reason: 1355 wildlist misses, 1 false positive
  • Product name: PCTools Spyware Doctor
  • Quick Heal
  • Result history: Quick Heal
  • Details: Only available to subscribers.
  • Status: FAIL
  • Failure reason: 43 wildlist misses, 1 false positive
  • Product name: Rising Internet Security 2009
  • Sophos
  • Result history: Sophos
  • Details: Only available to subscribers.
  • Status: FAIL
  • Result history: Symantec
  • Details: Only available to subscribers.
  • Status: PASS
  • Product name: Trustport Antivirus 2009
  • VirusBuster
  • Failure reason: 1 false positive
  • Product name: VirusBuster VirusBuster Professional

I’ve covered the impact that automated detection systems have on false positives in the past. Hispasec, the makers of VirusTotal, also talked about this issue in their blog post aptly named Antivirus Rumorology. More recently Kaspersky conducted an experiment during a press conference and showed a bunch of journalists how these false positives roll over from one vendor engine to the next. Of course, being journalists, they only took home the message “AV copies each other and mostly us”, as the articles covering the event show. Even though the objective of the experiment was put under scrutiny, the fact remains that this is an industry-wide problem and no single vendor is immune to its effects, not even Kaspersky, as we will see.

As some of the regular readers of this blog will probably remember, in March 2010 we published a “PandaCloudTestFile.exe” binary file to test the connectivity of Panda products with their cloud-scanning component, Collective Intelligence. This “PandaCloudTestFile.exe” is a completely harmless file that only tells the Panda product to query the cloud. Our cloud-scanning servers have been manually configured to detect this file as malicious, with the sole objective of showing end users that the cloud-scanning component of their product is working correctly.

Initially this file was only detected by Panda as Trj/CI.A (a Collective Intelligence detection) and by Symantec’s Insight (noting that this is not a very common file, even though treating reputation alone as “suspicious” is by itself grounds enough for debate — maybe another future post).

Engine                Version          Update       Detection
Panda                 10.0.2.2         2010.03.10   Trj/CI.A
Symantec              20091.2.0.41     2010.03.11   Suspicious.Insight

A few days later came the first problematic detection, this time from Kaspersky, which detected “PandaCloudTestFile.exe” with a signature, specifically calling it a Bredolab backdoor. I call this detection problematic because it is clearly neither a suspicious detection nor a reputation verdict. It is also clearly an incorrect detection, as the file is not related in any way to Bredolab. Soon we will see why this Kaspersky signature is problematic.

Engine                Version          Update       Detection
Kaspersky             7.0.0.125        2010.03.20   Backdoor.Win32.Bredolab.djl

In the next few days some other AV scanners started detecting it as well, in many cases with the exact same Bredolab name.

Engine                Version          Update       Detection
McAfee+Artemis        5930             2010.03.24   Artemis!E01A57998BC1
Fortinet              4.0.14.0         2010.03.26   W32/Bredolab.DJL!tr.bdr
TheHacker             6.5.2.0.245      2010.03.26   Backdoor/Bredolab.dmb
Antiy-AVL             2.0.3.7          2010.03.31   Backdoor/Win32.Bredolab.gen
Jiangmin              13.0.900         2010.03.31   Backdoor/Bredolab.bmr
VBA32                 3.12.12.4        2010.03.31   Backdoor.Win32.Bredolab.dmb

In the month that followed (April 2010) a bunch of new engines started detecting it, mostly under the Bredolab name we are now familiar with, although some new names started appearing as well (Backdoor.Generic, Monder, Trojan.Generic, etc.).

Engine                Version          Update       Detection
a-squared             4.5.0.50         2010.04.05   Trojan.Win32.Bredolab!IK
AhnLab-V3             2010.04.30.00    2010.04.30   Backdoor/Win32.Bredolab
AVG                   9.0.0.787        2010.04.30   BackDoor.Generic12.BHAD
Ikarus                T3.1.1.80.0      2010.04.05   Trojan.Win32.Bredolab
CAT-QuickHeal         10.00            2010.04.12   Backdoor.Bredolab.djl
TrendMicro            9.120.0.1004     2010.04.03   TROJ_MONDER.AET
Sunbelt               6203             2010.04.21   Trojan.Win32.Generic!BT
VBA32                 3.12.12.4        2010.04.02   Backdoor.Win32.Bredolab.dmb
VirusBuster           5.0.27.0         2010.04.17   Backdoor.Bredolab.BLU

And to top it all off, during this month of May 2010 the following engines started detecting “PandaCloudTestFile.exe” as well. Here we can even see a “suspicious” detection, probably the only one of all of them that could make any sense.

Engine                Version          Update       Detection
Authentium            5.2.0.5          2010.05.15   W32/Backdoor2.GXIM
F-Prot                4.5.1.85         2010.05.15   W32/Backdoor2.GXIM
McAfee                5.400.0.1158     2010.05.05   Bredolab!j
McAfee-GW-Edition     2010.1           2010.05.05   Bredolab!j
Norman                6.04.12          2010.05.13   W32/Suspicious_Gen3.CUGF
PCTools               7.0.3.5          2010.05.14   Backdoor.Bredolab
TrendMicro-HouseCall  9.120.0.1004     2010.05.05   TROJ_MONDER.AET
ViRobot               2010.5.4.2303    2010.05.05   Backdoor.Win32.Bredolab.40960.K
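The rollover described above can be measured directly from result lines like the ones quoted in this post. The following script is an added example, not code from the original post or from Panda: it parses a constructed subset of those VirusTotal-style lines (embedded inline), separates firm family signatures from reputation or heuristic verdicts using an assumed marker list, and reports which engine originated a family name and how many days later each other engine adopted it.

```python
import re
from collections import Counter
from datetime import date
# Constructed sample, copied from the VirusTotal result lines quoted in the post:
# <engine> <engine version> <signature update YYYY.MM.DD> <detection name>
SCAN_LINES = """\
Panda 10.0.2.2 2010.03.10 Trj/CI.A
Symantec 20091.2.0.41 2010.03.11 Suspicious.Insight
Kaspersky 7.0.0.125 2010.03.20 Backdoor.Win32.Bredolab.djl
McAfee+Artemis 5930 2010.03.24 Artemis!E01A57998BC1
Fortinet 4.0.14.0 2010.03.26 W32/Bredolab.DJL!tr.bdr
TheHacker 6.5.2.0.245 2010.03.26 Backdoor/Bredolab.dmb
TrendMicro 9.120.0.1004 2010.04.03 TROJ_MONDER.AET
AhnLab-V3 2010.04.30.00 2010.04.30 Backdoor/Win32.Bredolab
AVG 9.0.0.787 2010.04.30 BackDoor.Generic12.BHAD
McAfee 5.400.0.1158 2010.05.05 Bredolab!j
Norman 6.04.12 2010.05.13 W32/Suspicious_Gen3.CUGF
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4})\.(\d{2})\.(\d{2})\s+(\S+)$")
# Assumed markers of a reputation/heuristic verdict (not an official VirusTotal taxonomy).
HEURISTIC_MARKERS = ("suspicious", "generic", "artemis", "insight", "trj/ci.a")

def parse_scan_lines(text):
    """Parse result lines into dicts sorted by signature date; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            engine, version, y, mo, d, name = m.groups()
            rows.append({"engine": engine, "version": version,
                         "date": date(int(y), int(mo), int(d)), "name": name})
    return sorted(rows, key=lambda r: r["date"])  # stable sort keeps input order on ties

def classify(name):
    low = name.lower()
    return "heuristic" if any(tok in low for tok in HEURISTIC_MARKERS) else "signature"

def propagation_report(rows, family):
    """Trace how one family name spreads: origin engine, later adopters and their lag in days."""
    hits = [r for r in rows if family.lower() in r["name"].lower()]
    if not hits:
        return None
    origin = hits[0]
    return {
        "origin_engine": origin["engine"],
        "origin_date": origin["date"].isoformat(),
        "adopters": [(r["engine"], (r["date"] - origin["date"]).days) for r in hits[1:]],
        "per_month": dict(Counter(r["date"].strftime("%Y-%m") for r in hits)),
        "signature_share": round(sum(classify(r["name"]) == "signature" for r in rows) / len(rows), 2),
    }
```

Running `propagation_report(parse_scan_lines(SCAN_LINES), "Bredolab")` traces the name back to Kaspersky and lists the adopters with their lag, the same pattern the post walks through month by month.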

It is worth noting that consumer products include other technologies, such as whitelisting and digital certificate checks, which could prevent the file from being detected on the consumer endpoint, but the fact that there is a signature for such a file is a good indicator that it will probably be detected on the endpoint.

So why am I writing about all this? First of all, to emphasize the point I tried to make in the past: automated systems have to be maintained, monitored, tuned and improved so that more in-depth analysis is done through them, instead of relying so much on “rumorology”.

Secondly, to show that this is an industry-wide problem that results from having to deal with tens of thousands of new malware variants per day, and no vendor is immune to it. What matters at the end of the day is that the automated systems are supervised and improved constantly to avoid false positives.

I can certainly understand why vendors point to their signatures being “rolled over” to other AV engines, but these same vendors should also take care so that they do not become the source of these “false positive rumors” in the first place.

UPDATE June 3rd, 2010: Reading Larry’s post over at securitywatch, it seems Kaspersky has reacted quickly and has removed their signature for the PandaCloudTestFile.exe file. Thanks Larry & Kaspersky!