vbs - false detection

[jessy 0]

Today, when I was starting my vbs file, to run a sql server, it got deleted by nod32.

 

It's a very simple script, and I think you might have detected it by mistake?.

 

the content of the vbs file:

 

CreateObject("WScript.Shell").Exec "sqlexplorer.exe command.exe"

 

 

[Arakasi 549]

perhaps the command.exe flagged it

i have vbs scripts with create shell objects that dont flag at all.

How do I submit a virus, website or potential false positive sample to ESET's lab? Edited December 23, 2013 by Arakasi

[jessy 0]

I though it maybe was that, (even it was, it would still be a false positive) but it wasn't tried to rename both the filenames, and the extensions, didn't solve the problem.

I know I could just use a cmd file, but I think it's very wrong that eset is detecting legit files.

[Arakasi 549]

Can you PM me the file ?

I would like to test the same file on my database.

[jessy 0]

simply create a new file, with the content of :

 

CreateObject("WScript.Shell").Exec "sqlexplorer.exe command.exe"

 

you can change the names, or the extensions, it's still detected.

[Arakasi 549]

Will try...

[Arakasi 549]

Haha thats funny

 

Marcos you should try this lol

 

 

This is the flag : "sqlexplorer.exe command.exe"

Edited December 23, 2013 by Arakasi

[jessy 0]

it's not, try change it to like this: "test1.exe test2.exe" or other extension names too, it's still detecting it, no matter what

[jessy 0]

Just a stupid example to show you, it's detected:

CreateObject("WScript.Shell").Exec "test1.jpg test2.png"

 

detection name: VBS/Starter/NAQ trojan

[Arakasi 549]

I changed it to this :
 

CreateObject("WScript.Shell").Exec "command.exe"

 

Doesnt detect

 

CreateObject("WScript.Shell").Exec "sqlexplorer.exe"

 

Doesnt detect.

 

Why are you adding both files inside the quotes like that anyway ?

Usually when creating a shell object, you create it as 1 object for each executable or simlar your going to call a function or action on.

 

Your telling the machine to create 1 shell object with command and sqlexplorer running as the same object.

 

hxxp://msdn.microsoft.com/en-us/library/d5fk67ky%28v=vs.84%29.aspx

 

Why dont you change your code up to use a variable instead of the programs directly.

That will stop ESET from hating your file so bad in the first place.

Use a variable.

Edited December 23, 2013 by Arakasi

[jessy 0]

If I want to simulate the drag an drop option, that's the way to do it, and I don't see why in gods name that should be detected

[Arakasi 549]

Dim oShell

Set oShell = WScript.CreateObject ("WScript.Shell")

oShell.run "command.exe" or "sqlexplorer.exe"

Edited December 23, 2013 by Arakasi

[Arakasi 549]

If I want to simulate the drag an drop option, that's the way to do it, and I don't see why in gods name that should be detected

 

pm what drag and drop feature your trying to simulate or implement.

Two heads are better then one.

 

The case where ESET is detecting might be code syntax related, i dont know, but we will have to wait for them to respond to find out how to proceed or what they will do/say.

 

Thanks jessy

Edited December 23, 2013 by Arakasi

[jessy 0]

It's solved now, and it's not detected anymore

[Arakasi 549]

You are absolutely right.

 

A developer or staff most likely saw the thread and reported.

 

Thanks Jessy, you have been great.

Have a happy holidays !