False positive


Solved by Marcos

Hi.
 
The three files I hereby submit are part of an Intel driver for the graphics chip Intel HD 520. The whole driver package was originally downloaded from this URL: https://www.biostar.com.tw/app/en/event/H310_windowstool/win7_8th_i3_i5_Driver_2.0.rar and my computer worked fine for 2 years until yesterday, when it prompted me to restart, and as soon as the computer came on after the restart, the resolution was reset to the minimum one.
 
After some investigation of the incidents that took place before the restart, it turned out that NOD32 quarantined the three files (obviously a false positive), and the driver became unstable.
 
You can download the three files from this URL: ~~  Link removed ~~
 
The password of the archive is: infected
 
Please process this false positive ASAP, as I had to uninstall NOD32 until the issue is resolved. You see, for some reason I can't even exclude the files from future scans, so at random moments NOD32 re-scans them and quarantines them, making my computer unusable.
 
Also, please post an update reply so that I know when to re-install NOD32.
 
Regards,
Petros.

  • Administrators

The detection is correct. The countersignature on detected files is invalid:

[screenshot: image.png]

The certificate used to sign the file was seen to be misused to sign malware.


39 minutes ago, PrinceOfAbyss said:

The whole driver package was originally downloaded from this URL: https://www.biostar.com.tw/app/en/event/H310_windowstool/win7_8th_i3_i5_Driver_2.0.rar

Also, Eset detects this malware upon download of the .rar file:


Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
10/27/2021 10:24:37 AM;HTTP filter;file;https://www.biostar.com.tw/app/en/event/H310_windowstool/win7_8th_i3_i5_Driver_2.0.rar;a variant of Win32/GenCBL.BAK trojan;connection terminated;xxxxxxx;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (6923508844E6FE0C1DEDD684FE299EBC26D778F3).;014D86856AC05E88D599D269C80D42EE21A1FE93;


Don't take me wrong, I have trusted my computers' protection to NOD32 for more than 10 years, but how come it's the only one that detects these files as viruses? Plus it only detected them as viruses just yesterday, whereas the driver was installed 2 years ago...

Please, have a look at this post and the subsequent replies for more details.

Anyway, the way I see this, especially since there is no way to whitelist the files, is I can't re-install NOD32, as it messes with the driver of my VGA...


  • Administrators
  • Solution

The detection is correct, it was released 2 days ago.

For more information about malware misusing this particular certificate, please read https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator

Not all files signed with this certificate are necessarily malicious. However, since the certificate is no longer trusted, no file signed with the certificate can be trusted either.

We'll make files from the said archive undetected.

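The two administrator replies above rest on one check: the signer and countersignature certificate chains of the driver files, and whether those chains are still trusted. The script below is an added example for readers who want to run that check themselves; it is not from the thread or from ESET, and the folder path is an assumption.

```powershell
# Added example: inspect Authenticode signer and countersignature chains for
# driver files in a folder. The path is hypothetical; point it at your own copy.
param(
    [string]$Folder = 'C:\Quarantine\IntelDriver'
)

function Test-ChainTrust {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert) { return 'no certificate' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Consult the CA's CRL/OCSP so a revoked certificate is reported, not just an expired one
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if ($chain.Build($Cert)) { return 'trusted' }
    # Otherwise list every reason the chain failed: Revoked, UntrustedRoot, NotTimeValid, ...
    return ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
}

Get-ChildItem -Path $Folder -File -Include *.sys,*.dll,*.exe,*.cat -Recurse |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File          = $_.Name
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer        = $sig.SignerCertificate.Subject
            SignerChain   = Test-ChainTrust $sig.SignerCertificate
            Countersigner = $sig.TimeStamperCertificate.Subject
            CounterChain  = Test-ChainTrust $sig.TimeStamperCertificate
        }
    } | Format-Table -AutoSize
```

Windows reports a chain as trusted until the issuing CA actually publishes a revocation, so a security product that blocks a certificate it has seen misused can flag a file while this script still prints "trusted" for it.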

3 hours ago, Marcos said:

The detection is correct, it was released 2 days ago.

For more information about malware misusing this particular certificate, please read https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator

Not all files signed with this certificate are necessarily malicious. However, since the certificate is no longer trusted, no file signed with the certificate can be trusted either.

We'll make files from the said archive undetected.

Yes please, do so, as my computer is unprotected until then.

Ah, also, please update this topic when the new virus signatures are updated (that whitelist the files), so that I know when to re-install it.

Edited by PrinceOfAbyss

7 hours ago, Marcos said:

The files are no longer detected, they were already "whitelisted" 3 days ago.

I didn't know that! I just checked and indeed they are not quarantined. Thanks a lot! 😀
