vaio3388 2008-8-16 22:06
Digging, digging, digging! Which vendor exactly is giving a false positive on msconfig??
2008.08.14 05:04:43
[url]http://www.virustotal.com/analisis/8404921a91ea4f3d7b02207131e3db07[/url]
At that time, 10 AntiVirus products detected a suspicious threat
They were:
[color=DarkOrange]Avira Worm/Brontok.DO [/color]
[color=DarkOrange]Avast Win32:Trojan-gen {Other}[/color]
F-Secure Email-Worm.Win32.Brontok.do
[color=DarkOrange]Fortinet W32/Brontok.DO@mm [/color]
GData Email-Worm.Win32.Brontok.do
[color=DarkOrange]Ikarus Email-Worm.Win32.Brontok.do [/color]
Kaspersky Email-Worm.Win32.Brontok.do
[color=DarkOrange]Prevx1 Worm[/color]
ViRobot I-Worm.Win32.Brontok.163840
[color=DarkOrange]Webwasher-Gateway Worm.Brontok.DO[/color]
2008.08.16 08:49:02
[url]http://www.virustotal.com/zh-tw/analisis/c12558d1b3fa84b3d31d12a5c39fbaee[/url]
Currently, 10 AntiVirus products detect a suspicious threat
They are:
[color=DarkOrange]Avira Worm/Brontok.DO [/color]
[color=DarkOrange]Avast Win32:Trojan-gen {Other} [/color]
[color=DarkOrange]Fortinet W32/Brontok.DO@mm[/color]
GData Win32:Trojan-gen
[color=DarkOrange]Ikarus Email-Worm.Win32.Brontok.do[/color]
Norman W32/Rontokbro.GHE
[color=DarkOrange]Prevx1 Worm [/color]
Sunbelt Email-Worm.Win32.Brontok.do
VBA32 Email-Worm.Win32.Brontok.do
[color=DarkOrange]Webwasher-Gateway Worm.Brontok.DO [/color]
Two days apart, I noticed a pattern
[color=DarkOrange]Still alerting:[/color]
Avira Worm/Brontok.DO
Avast Win32:Trojan-gen {Other}
Fortinet W32/Brontok.DO@mm
Ikarus Email-Worm.Win32.Brontok.do
Prevx1 Worm
Webwasher-Gateway Worm.Brontok.DO
[color=Blue]Newly alerting:[/color]
Norman W32/Rontokbro.GHE
Sunbelt Email-Worm.Win32.Brontok.do
VBA32 Email-Worm.Win32.Brontok.do
[color=Red]Alert withdrawn:[/color]
[color=Red]*F-Secure Email-Worm.Win32.Brontok.do
*GData Email-Worm.Win32.Brontok.do
*Kaspersky Email-Worm.Win32.Brontok.do [/color]
ViRobot I-Worm.Win32.Brontok.163840
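[color=Red]*Vendors using the Kaspersky AVP engine no longer alert[/color]
And GData Email-Worm.Win32.Brontok.do (AVP engine, changed to no longer report it)
GData Win32:Trojan-gen (its other engine, Avast, alerts!)
So is it a false positive by Avira and the others that kept alerting across the 2 days?
Or a false positive by Kaspersky and the other AVP-engine vendors that withdrew their alerts?
Or perhaps a false positive by Norman and the others that newly alert?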
:quuu:
Hoping an expert can clear this up!!
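The comparison made by hand in the post above, as an added example that is not part of the original thread: it diffs the two quoted result lists per engine and groups engines that report the same label. The function names and the rule that strips a trailing `{...}` qualifier are assumptions made for illustration.

```python
import re

# Constructed from the two result lists quoted in the first post (engine -> label).
SCAN_0814 = {
    "Avira": "Worm/Brontok.DO", "Avast": "Win32:Trojan-gen {Other}",
    "F-Secure": "Email-Worm.Win32.Brontok.do", "Fortinet": "W32/Brontok.DO@mm",
    "GData": "Email-Worm.Win32.Brontok.do", "Ikarus": "Email-Worm.Win32.Brontok.do",
    "Kaspersky": "Email-Worm.Win32.Brontok.do", "Prevx1": "Worm",
    "ViRobot": "I-Worm.Win32.Brontok.163840", "Webwasher-Gateway": "Worm.Brontok.DO",
}
SCAN_0816 = {
    "Avira": "Worm/Brontok.DO", "Avast": "Win32:Trojan-gen {Other}",
    "Fortinet": "W32/Brontok.DO@mm", "GData": "Win32:Trojan-gen",
    "Ikarus": "Email-Worm.Win32.Brontok.do", "Norman": "W32/Rontokbro.GHE",
    "Prevx1": "Worm", "Sunbelt": "Email-Worm.Win32.Brontok.do",
    "VBA32": "Email-Worm.Win32.Brontok.do", "Webwasher-Gateway": "Worm.Brontok.DO",
}

def diff_scans(old, new):
    """Classify each engine as kept, added, dropped or relabelled between two scans."""
    result = {"kept": [], "added": [], "dropped": [], "relabelled": []}
    for engine in sorted(old.keys() | new.keys()):
        if engine not in new:
            result["dropped"].append(engine)
        elif engine not in old:
            result["added"].append(engine)
        elif old[engine] == new[engine]:
            result["kept"].append(engine)
        else:
            result["relabelled"].append(engine)
    return result

def shared_labels(*scans):
    """Group engines reporting an identical label (a hint of a shared engine or feed)."""
    groups = {}
    for scan in scans:
        for engine, label in scan.items():
            # Assumption: a trailing "{...}" qualifier is not part of the signature name.
            key = re.sub(r"\s*\{.*?\}\s*$", "", label).lower()
            groups.setdefault(key, set()).add(engine)
    return {key: sorted(engines) for key, engines in groups.items() if len(engines) > 1}

if __name__ == "__main__":
    print(diff_scans(SCAN_0814, SCAN_0816))
    print(shared_labels(SCAN_0814, SCAN_0816))
```

On the quoted lists GData comes out as relabelled rather than dropped, because it still alerts under the name its second engine reports.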
sun88990 2008-8-16 22:11
Reply to post #1
Latest reply from a Kaspersky Labs analyst
Hello,
msconfig.exe_
No malicious code was found in this file.
Please quote all when answering.
--
Best regards, Vyacheslav Zakorzhevsky
Virus analyst, Kaspersky Lab.
e-mail: [email]newvirus@kaspersky.com[/email]
[url]http://www.kaspersky.com/[/url]
[url]http://www.kaspersky.com/virusscanner[/url] - free online virus scanner.
[url]http://www.kaspersky.com/helpdesk.html[/url] - technical support.
sun88990 2008-8-16 22:32
Reply to post #1
Kaspersky replied again~
Hello.
This false alarm is already fixed.
Please quote all when answering.
-----------------
Regards, Vyacheslav Zakorzhevsky
Virus Analyst, Kaspersky Lab.
Ph.: +7(095) 797-8700
E-mail: [email]newvirus@kaspersky.com[/email]
[url]http://www.kaspersky.com[/url] [url]http://www.viruslist.com[/url]
--
It is indeed a false positive~
vaio3388 2008-8-16 22:51
[quote]Originally posted by [i]sun88990[/i] on 2008-8-16 22:32 [url=http://www.avpclub.ddns.info/discuz/redirect.php?goto=findpost&pid=105693&ptid=12891][img]http://www.avpclub.ddns.info/discuz/images/common/back.gif[/img][/url]
Kaspersky replied again~
Hello.
This false alarm is already fixed.
Please quote all when answering.
-----------------
Regards, Vyacheslav Zakorzhevsky
Virus Analyst, Kaspersky Lab.
Ph.: +7(095) 7 ... [/quote]
So then the following vendors are all false positives :hangg
-------------------------------------------------
Still alerting:
Avira Worm/Brontok.DO
Avast Win32:Trojan-gen {Other}
Fortinet W32/Brontok.DO@mm
Ikarus Email-Worm.Win32.Brontok.do
Prevx1 Worm
Webwasher-Gateway Worm.Brontok.DO
Newly alerting:
Norman W32/Rontokbro.GHE
Sunbelt Email-Worm.Win32.Brontok.do
VBA32 Email-Worm.Win32.Brontok.do
sun88990 2008-8-16 22:58
Reply to post #4
Yes~~~~~
I will report it to those antivirus vendors tomorrow~
vaio3388 2008-8-16 23:35
[quote]Originally posted by [i]ㄚ一[/i] on 2008-8-16 23:16 [url=http://www.avpclub.ddns.info/discuz/redirect.php?goto=findpost&pid=105700&ptid=12891][img]http://www.avpclub.ddns.info/discuz/images/common/back.gif[/img][/url]
Maybe this is simply another rerun of the earlier Symantec false positive... [/quote]
I would like to hear the details
Thanks! :l}
sun88990 2008-8-17 09:31
Reply to post #6
The result of sample exchange yet again? :quuu:
uegajde 2008-8-17 09:46
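Reply to post #9
Probably.. It's not as if I submitted the sample to Avira and caused its false positive :hug:
How would I know why Avira false-positives on this file?
And Avira isn't going to tell me why it was a false positive, or where the sample came from...
I attached Kaspersky's reply, so it should be fixed soon
(Hmm~ I forget, do they work on days off?)
[[i] Last edited by uegajde on 2008-8-17 09:49 [/i]]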
integear 2008-8-17 10:06
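Sunbelt and VBA32 are both vendors that exchange samples directly with Kaspersky (though experiments have shown that VBA32 does modify the threat signature location on its own) :fdqyt: .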
sun88990 2008-8-18 08:47
Huey:
Thanks for reporting this false positive. It will be corrected in Monday's definitions release.
Best,
Eric L. Howes
Sunbelt Software
--
This false positive will be fixed in the next update.