False positive

Posted
Hi.
 
The three files I hereby submit are part of an Intel driver for the Intel HD 520 graphics chip. The whole driver package was originally downloaded from this URL: https://www.biostar.com.tw/app/en/event/H310_windowstool/win7_8th_i3_i5_Driver_2.0.rar and my computer worked fine for 2 years until yesterday, when it prompted me to restart; as soon as the computer came back on after the restart, the resolution had been reset to the minimum.
 
After some investigation of the incidents that took place before the restart, it turned out that NOD32 quarantined the three files (obviously a false positive), and the driver became unstable.
 
You can download the three files from this URL: ~~  Link removed ~~
 
The password of the archive is: infected
 
Please process this false positive ASAP, as I had to uninstall NOD32 until the issue is resolved. You see, for some reason I can't even exclude the files from future scans, so at random moments NOD32 re-scans them and quarantines them, making my computer unusable.
 
Also, please post an update reply so that I know when to re-install NOD32.
 
Regards,
Petros.
  • Administrators
Posted

The detection is correct. The countersignature on the detected files is invalid:

[attached screenshot: image.png, signature details of the detected files]

The certificate used to sign the file was seen to be misused to sign malware.

Posted
39 minutes ago, PrinceOfAbyss said:

The whole driver package was originally downloaded from this URL: https://www.biostar.com.tw/app/en/event/H310_windowstool/win7_8th_i3_i5_Driver_2.0.rar

Also, ESET detects this malware upon download of the .rar file:

Time: 10/27/2021 10:24:37 AM
Scanner: HTTP filter
Object type: file
Object: https://www.biostar.com.tw/app/en/event/H310_windowstool/win7_8th_i3_i5_Driver_2.0.rar
Detection: a variant of Win32/GenCBL.BAK trojan
Action: connection terminated
User: xxxxxxx
Information: Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (6923508844E6FE0C1DEDD684FE299EBC26D778F3).
Hash: 014D86856AC05E88D599D269C80D42EE21A1FE93
First seen here: (empty)

 

Posted

Don't take me wrong, I have trusted my computers' protection to NOD32 for more than 10 years, but how come it's the only one that detects these files as viruses? Plus it only detected them as viruses just yesterday, whereas the driver was installed 2 years ago...

Please, have a look at this post and the subsequent replies for more details.

Anyway, the way I see this, especially since there is no way to whitelist the files, is that I can't re-install NOD32, as it messes with my VGA driver...

  • Administrators
  • Solution
Posted

The detection is correct, it was released 2 days ago.

For more information about malware misusing this particular certificate, please read https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator

Not all files signed with this certificate are necessarily malicious. However, since the certificate is no longer trusted no file signed with the certificate can be trusted either.

We'll make files from the said archive undetected.
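The two administrator replies above make a point worth checking for yourself on any driver package: a file can have an intact hash and still be undeserving of trust because its signing certificate has been misused, and a broken countersignature means the timestamp cannot vouch for when the signature was made. The script below is an added example, not code from ESET or from this thread, and not the method ESET uses. It inventories the Authenticode signature of each PE file in a driver directory, builds the signer's chain with online revocation checking, reports the countersigner (the timestamping certificate) if one is present, and flags any signer whose thumbprint is on a locally maintained distrust list. The directory path and the thumbprint list are placeholders; nothing about the certificate discussed in this thread is encoded here.

```powershell
# Added example (not from the forum thread or from ESET): audit Authenticode
# signatures of a driver package and flag signers on a local distrust list.
# $DriverDir and $DistrustedThumbprints are assumed placeholder values.

param(
    # Directory holding the driver files to inspect (assumed example path).
    [string]$DriverDir = 'C:\Drivers\IntelHD520',
    # SHA-1 thumbprints of code-signing certificates you no longer trust.
    # Placeholder entry; fill from your own sources, not from this thread.
    [string[]]$DistrustedThumbprints = @('0000000000000000000000000000000000000000')
)

# Only PE files carry an embedded Authenticode signature; catalog-signed
# files (.cat) are verified separately and are out of scope here.
$targets = Get-ChildItem -Path $DriverDir -Recurse -File -Include *.sys, *.dll, *.exe

foreach ($file in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    $signer      = $sig.SignerCertificate
    $timestamper = $sig.TimeStamperCertificate   # countersigner (RFC 3161 / Authenticode timestamp), if any

    # Build the signer's chain with revocation checking across the whole chain so a
    # revoked or untrusted certificate is reported even when the file hash still matches.
    $chainStatus = 'no signer'
    if ($signer) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $built = $chain.Build($signer)
        $chainStatus = if ($built) {
            'chain OK'
        } else {
            ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }

    # A signer on the local distrust list is flagged regardless of chain or hash status.
    $distrusted = [bool]($signer -and ($DistrustedThumbprints -contains $signer.Thumbprint))

    [pscustomobject]@{
        File        = $file.Name
        Status      = $sig.Status            # Valid, NotTrusted, HashMismatch, NotSigned, ...
        StatusMsg   = $sig.StatusMessage
        Signer      = if ($signer) { $signer.Subject } else { '-' }
        SignerThumb = if ($signer) { $signer.Thumbprint } else { '-' }
        Timestamper = if ($timestamper) { $timestamper.Subject } else { 'none' }
        Chain       = $chainStatus
        Distrusted  = $distrusted
    }
}
```

Save it as a .ps1 and run it from an elevated PowerShell prompt, for example `.\Check-DriverSignatures.ps1 -DriverDir 'C:\Drivers\IntelHD520' | Format-Table -AutoSize`. Two caveats: `Get-AuthenticodeSignature` reflects the local Windows trust store and revocation data, so a file can still show `Valid` here while a security vendor has independently stopped trusting its certificate, which is the situation described in this thread; and the cmdlet exposes only the timestamping certificate, not a full verdict on the countersignature, so when a countersignature is suspected to be invalid, `signtool verify /pa /v <file>` from the Windows SDK prints the timestamp chain for closer inspection.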

Posted (edited)
3 hours ago, Marcos said:

The detection is correct, it was released 2 days ago.

For more information about malware misusing this particular certificate, please read https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator

Not all files signed with this certificate are necessarily malicious. However, since the certificate is no longer trusted no file signed with the certificate can be trusted either.

We'll make files from the said archive undetected.

Yes please, do so, as my computer is unprotected until then.

Ah, also, please update this topic when the new virus signatures are updated (that whitelist the files), so that I know when to re-install it.

Edited by PrinceOfAbyss
  • Administrators
Posted

The files are no longer detected, they were already "whitelisted" 3 days ago.

Posted
7 hours ago, Marcos said:

The files are no longer detected, they were already "whitelisted" 3 days ago.

I didn't know that! I just checked and indeed they are not quarantined. Thanks a lot! 😀
