tmcd

How find name of file submitted to Threatwork


I am trying to find out what file/item Ad-Aware AE found that was suspicious and was submitted to Threatwork.

 

Yesterday, I did a full scan. The Scan detected nothing but did want to submit something suspicious to Threatwork. I canceled and scanned again with the same result ... so I let it submit to Threatwork.

 

HOWEVER .... it is bothering me ... I want to find out what the file, or other item, is that Ad-Aware AE found that was suspicious .. my problem is that I cannot figure out how to find what the name of the file or item was that was submitted. Nothing seems to be in any detection logs.

 

Question ... How do I find out what it was that was suspicious and was submitted?

 

 

I created a TXT file of the log ... here is the result so you can see that it detected nothing ... yet something was submitted to Threatwork ....

 

******************************** Scan results: *********************************

Scan profile name: Full Scan (ID: full)

Objects scanned: 189739

Objects detected: 0

 

 

Type Detected

==========================

Processes.......: 0

Registry entries: 0

Hostfile entries: 0

Files...........: 0

Folders.........: 0

LSPs............: 0

Cookies.........: 0

Browser hijacks.: 0

MRU objects.....: 0

 

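The scan-results block above is the only record the poster could find, and it never names a submitted file. As an added example (not Ad-Aware's or Lavasoft's own tooling), this parser reads that block into numbers so a batch of such logs can be checked quickly for any non-zero detection, or for a per-type total that disagrees with the "Objects detected" header. It assumes the exact line layout shown in the post; the sample text is constructed from that post.

```python
import re

# Constructed sample: the "Scan results" block in the layout Ad-Aware AE
# writes, with the values copied from the poster's log.
SAMPLE_LOG = """\
******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 189739
Objects detected: 0

Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 0
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0
"""

HEADER_RE = re.compile(r"^(Scan profile name|Objects scanned|Objects detected):\s*(.*)$")
# Type rows pad the label with dots up to the colon, e.g. "Files...........: 0".
TYPE_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*:\s*(\d+)$")


def parse_scan_results(text):
    """Return profile name, scanned/detected totals and per-type counts."""
    result = {"profile": None, "scanned": None, "detected": None, "by_type": {}}
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*") or line.startswith("="):
            continue  # banner, separator and blank lines carry no data
        m = HEADER_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "Scan profile name":
                result["profile"] = val
            elif key == "Objects scanned":
                result["scanned"] = int(val)
            else:
                result["detected"] = int(val)
            continue
        if line.startswith("Type Detected"):
            in_table = True
            continue
        if in_table:
            m = TYPE_RE.match(line)
            if m:
                result["by_type"][m.group(1)] = int(m.group(2))
    return result


def detections_consistent(parsed):
    """True when the per-type counts add up to the 'Objects detected' total."""
    return sum(parsed["by_type"].values()) == parsed["detected"]
```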

Hi tmcd,

 

AAW logs are located at "C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs" - I have had a quick check and can't locate any references to Threatwork submissions, however you may have more success searching there.

 

That said, when Threatwork wishes to submit a "suspicious" file following a scan, the file in question is always listed in the Threatwork GUI.

 

For example, Threatwork has had issues with a particular file on my system (DivX.dll) and has repeatedly asked permission to submit - after a few submissions, I simply added the file to "Ignore" and no longer get nagged about it (until I remove from Ignore). The file path/name is always listed in the GUI - in this case "C:\windows\system32\divx.dll".

 

When an item is added to Ignore (or, for that matter, detected during a scan), the name is not always immediately apparent:

 

[attached screenshot: Ignore_01_resize.gif]

 

To view the name, click on the arrow to the right of the "Action" list, select "Custom Action" and the file name appears:

 

[attached screenshot: Ignore_02_resize.gif]

 

There is known malware that tries to masquerade as that particular file (and others similar in nature), so I remove it from Ignore on a regular basis and resubmit it.

 

Try running another scan (a Smart Scan may be enough), and when the item is detected by Threatwork, check its name and path. Something in your particular file is similar enough to known malware (or a malware family ID) that it causes the "suspicious" flag to be raised.

 

If you are certain that the file is not malware, or if it continues to be marked as "suspicious" rather than "definite malware", start a new Topic in the False Positives sub-forum, asking whether the particular file is safe to add to Ignore.

 

Regards,

 

Spike

 

 

EDIT: Oops! Just deleted my own double-post - sorry about that :)

Edited by spike-nz


Spike,

 

Thanks for the help.

  • The problem is that, as shown in the log above, the actual detection shows absolutely nothing. Also, I have nothing in Quarantine or Ignore. That was why I was trying to find out what file it submitted. I have to think that somewhere in the Ad-Aware files there is some sort of record of what it submitted to Threatwork. But I could be wrong.

  • I just ran Ad-Aware again .. both Short and Full versions... and, this time, it found nothing. Until yesterday I was clean. Yesterday it did the above twice. Today it found nothing again.

Well, I guess I will have to wait to see if it happens again. Perhaps it was some sort of Temp file that was deleted by some program.

 

I swear computers hate me!

 

Thanks for the help.

TMCD

PS... Always wanted to see New Zealand and Australia .... beautiful countries.

 

 

EDIT: I've tidied up your reply by removing the quoted copy of my post - to reply without quoting the post above each time, please use the "Add Reply" button in the bottom right of the page (next to "New Topic").

Edited by spike-nz


Hi tmcd,

 

The problem is that, as shown in the log above, the actual detection shows absolutely nothing

As I said above, I haven't been able to locate any reference to the DivX.dll file submitted to Threatwork. I'll check my logs next time it is marked.

 

Also, I have nothing in Quarantine or Ignore

I place the file into Ignore myself, when it is listed as suspicious and the Threatwork submission GUI appears.

 

I took it out of Ignore (again) last night and ran a smart scan - then I ran a full scan today. So far, it hasn't been re-detected, but that may only be a matter of time...

 

this time, it found nothing. Until yesterday I was clean. Yesterday it did the above twice. Today it found nothing again.

It was only detected twice because you canceled the first scan. It may well be that the file was similar to something recently added to the Defs - having been checked, it may no longer be viewed as suspicious. Or, it may pop up again in Threatwork at a future date.

 

Regards,

 

Spike
