Sign in to follow this  
correlog

False Positive - Correlog SIEM Server

Recommended Posts

Hello,

 

The installer of our SIEM server is being reported as having the Trojan.Zmutzy.802 Trojan. How can I get this resolved? It does not appear that Ad-Aware is hitting on any of the files in our installer but the installer itself. This is a common self extracting winzip file.

 

Link to file to be downloaded,

https://correlog.com/Download/co-5-6-3.exe

 

Can anyone assist?

 

Thank you,

 

Michael

 

Correlog Inc.

 

www.correlog.com

 

 

Share this post


Link to post
Share on other sites

Hi Correlog,

 

Thanks for letting us know. We'll investigate and report back here.

 

Regards,

 

Andy

Lavasoft Malware Lab

Share this post


Link to post
Share on other sites

Hi Correlog,

 

The detection is (obviously!) a false positive and will be removed from detection. Thanks for letting us know.

 

Regards,

 

Andy

Lavasoft Malware Lab

Share this post


Link to post
Share on other sites

Hello Andy,

 

I have Ad-Aware installed on a VM in my lab and Ad-Aware does not look like it is showing a false positive on our software any longer. It looks to me like VirusTotal just has not updated their definitions with the new ones you have created.

 

Thank you,

 

Michael

Share this post


Link to post
Share on other sites

Hello Andy,

 

I have contacted VirusTotal and they are telling me that their engineering team has confirmed that Ad-Aware is still passing the same results to them. I have added VirusTotal's response to this comment. Could you please look into this for me. We are also a security company and are looking for some good partners in the Anti-virus protection realm.

 

 

Thank you,

 

Michael

 

 

 

Svetla Yankova (VirusTotal)

Sep 29, 23:09 CEST

Hi Michael,

Our engineering team validated that our results have been refreshed. Ad-aware is still passing the same result to us.

Their engine might be caching an old result that is being passed to VirusTotal as our results from them are updated multiple times a day.

Sorry I'm not able to be of any further help, are you in contact with Ad-aware? It helps if you send them the latest scan reports.
Don't hesitate to reach out if the issue persists once AdAware confirms they've updated their VirusTotal information.

Share this post


Link to post
Share on other sites

Hi Michael,

 

I'm still unable to recreate the detection using Ad-Aware. I ran several scans against the file:

  • scanning the file itself
  • extracting the contents and scanning them
  • installing the application and running a full system scan

... and nothing was flagged. Can you provide the Virus Total link that shows the detection? That will give me the hash of the file being flagged - I can check if that file exists on my machine after installing CorreLog.

 

I'm not quite sure what to make of Virus Total's response. They use the command line version of Ad-Aware that has the same definition files as the regular GUI version. They will most certainly keep it updated with the latest definition files, so if they are still seeing the Trojan.Zmutzy.802 flag, I should see it too.

 

If you can post the Virus Total link, that will give me something to go on.

 

Thanks,

 

Andy

Share this post


Link to post
Share on other sites

Hello Andy,

 

 

Here is the VirusTotal link:

https://www.virustotal.com/en/file/34eed7d4b0f4ac49affa3a56d789d326daa6f9ea8acaef4c77933476d00dcfa4/analysis/1475237312/

 

 

Here is the file identification information:

MD5 4a91f38b36523f624cad88c7af2857c3
SHA1 5a75de6e78e0e48ffc81442468da8808c04bf394
SHA256 34eed7d4b0f4ac49affa3a56d789d326daa6f9ea8acaef4c77933476d00dcfa4
ssdeep
1572864:EDp1RDzlaGGwC/e2FnK6u8sxmvrjmaP727OnRV4Hqoim82SXIFLRKE3QqzO84QZC:EDBzla0t2FnK6DDV7SH1im82gIFLRKE4
authentihash 270accd2fd0e6bf2c55403a47921c722249b3b70d97dcbc3363f47ec7bbfe0a5
imphash 78c751010579c51cdad3f096a3cbcc97
File size 90.1 MB ( 94469856 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (42.0%)
Winzip Win32 self-extracting archive (generic) (35.0%)
Win32 Dynamic Link Library (generic) (10.0%)
Win32 Executable (generic) (6.8%)
Generic Win/DOS Executable (3.0%)

 

 

This is what their analysis says when it completes scanning our installer:

Ad-Aware Trojan.Zmutzy.802 20160930

 

 

 

Thank you,

 

Michael

Share this post


Link to post
Share on other sites

I can see the problem now - we're looking at different files.

 

The sha256 for the file submitted to Virus Total is not the same for the file I downloaded from https://correlog.com/Download/co-5-6-3.exe.

 

VT file hash: 34eed7d4b0f4ac49affa3a56d789d326daa6f9ea8acaef4c77933476d00dcfa4

From URL: 9cc3ba54b08be7b21b9e52c8b48d281e8e7797b90f0d5de6d6bf13698a7e3d3d

 

I'll download the file from Virus Total and check it out.

Share this post


Link to post
Share on other sites

I was able to recreate the detection with the correct file. I'll send this to the false positive team and report back here when I get the result.

Share this post


Link to post
Share on other sites

Hi Michael,

 

The detection is a false positive and will be removed within the next few updates.

 

Andy

Lavasoft Malware Lab

Share this post


Link to post
Share on other sites

Andy,

 

We just release a new version of our CorreLog Security Information and Event Management server and we are getting false positives again.

 

https://correlog.com/Download/co-5-6-4.exe

 

Ad-Aware Trojan.Zmutzy.802 20161004

 

 

MD5 0a1d466738ddfe189c0115fca4e22683

SHA1 e2c881711839a20394fa47fbb14900d61252bf1e
SHA256 edcdbe9ca1abfdac903337df5066d90a09af8181712e166ae74caf3ac8b62d61
ssdeep1572864:bDSp9zlaGGwC/e2OnK6u8sxmvrjBENP5J7wbXVm/xoiamgZE574cQe7nNJAggAqI:bDOzla0t2OnK6DDY5ld+iafSBy4JAgg2
authentihash 7ef0b85ba2c0a65e1e211896e750525c76677dc6bf398be7dce2f2405fb0589f
imphash 78c751010579c51cdad3f096a3cbcc97
File size 91.1 MB ( 95522016 bytes )
File type Win32 EXE
Magic literalPE32 executable for MS Windows (GUI) Intel 80386 32-bit
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Ad-Aware Trojan.Zmutzy.802 20161004

 

Ad-Aware Trojan.Zmutzy.802 20161004
MD5 8da60b4390eb94bc45380fa4b529da4d
SHA1 ef5f65646150a60fb5f5cbb94c7b6229fb5fbb6d
SHA256 2b196cc96f53a1068489a4cc7b921df15aa2f2f1b10784c4d5fa302d1f657f82
ssdeep1572864:Cc3mg3g05c5FIz+FS0kMs1rZRPPBQfHLmfsO9EMhR:CcWgI6VdrPpQfKksEWR
authentihash ea087e4b7857e25ef3deec18248b6dede22f1469837372ca5d477de01f06aa14
imphash c2efd92ae42b3ea6e0c20d357e055c67
File size 66.6 MB ( 69886360 bytes )
File type Win32 EXE
Magic literalPE32 executable for MS Windows (console) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (23.4%)
UPX compressed Win32 Executable (22.9%)
Win64 Executable (generic) (20.7%)
Win32 EXE Yoda's Crypter (19.9%)
Win32 Dynamic Link Library (generic) (4.9%)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Ad-Aware Trojan.Zmutzy.802 20161004
MD5 1fd24a835f477ed9e8eba9deadf5487d
SHA1 5fa5fae8c8943ef2ee1df1e2d22fa7306b4862c4
SHA256 5d6955ac1308e649d63537a1ec6c5f49fe0ef752c9acd5ad290b5daeb13fca50
ssdeep
1572864:DZV6g3g05c5FIz+FS0KMs1rZRW++OmLb+Zcwvh5NOoiXiZAMlOk/ujNTauN4TNhM:tUgI6V3raY2wvhRNHWjNNN4TQF
authentihash 534f49930ee88fab2719a1b1f881de4b4bfbe72445a8dd316e84f13eec501c15
imphash c2efd92ae42b3ea6e0c20d357e055c67
File size 86.9 MB ( 91142608 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (23.4%)
UPX compressed Win32 Executable (22.9%)
Win64 Executable (generic) (20.7%)
Win32 EXE Yoda's Crypter (19.9%)
Win32 Dynamic Link Library (generic) (4.9%)

 

 

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Ad-Aware Trojan.Zmutzy.802 20161004

 

MD5 b2e3defa20ddbaa2f45369a98611b2ad
SHA1 2a0afe88d7817ef69f1a767002c59a5c7e698a70
SHA256 8c878601f1854fb4e9b2b559c9e7775ac97bd8e0907dec487cfc4c973ebb3c22
ssdeep
1572864:nbhJmzlaGGwC/e27nK6u8sxmvrj0r5td87kOFzbey5mI+8vuYM6E2684jQD7:n2zla0t27nK6DDYr5tuk0zbZoYk184G
authentihash 9fe1ec9289d35c3fd26d6975827ab646d513592d289764170423d5232291acf4
imphash 78c751010579c51cdad3f096a3cbcc97
File size 86.0 MB ( 90224864 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (42.0%)
Winzip Win32 self-extracting archive (generic) (35.0%)
Win32 Dynamic Link Library (generic) (10.0%)
Win32 Executable (generic) (6.8%)
Generic Win/DOS Executable (3.0%)

 

 

 

 

Thank you ,
Michael

Share this post


Link to post
Share on other sites

Hi Michael,

 

Thanks for letting me know about the new files - they've been removed from detection.

 

Andy

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this