
False Positive when detecting Universal Virus Sniffer


Solved by Marcos

Today, for the first time, I discovered that ESET began to detect the modules of the Universal Virus Sniffer program.

We use this program to analyze and clean up infected systems.

It can be said that this is our best help tool for users protected by the ESET product.

While the ESET Log Collector is used for better logging, for cleaning and for collecting samples that the product does not detect we use uVS.

Time;Scan Engine;Object Type;Object;Detection;Action;User;Info;Hash;First Detection Here
2023/03/13 21:10:31;Real-time file system protection;file;E:\soft\avirus\Universal Virus Sniffer latest\ayedge;Suspicious Object;cleaned up by deletion (after next restart);NT AUTHORITY\system;Event occurred when trying to access a file with the following application: C:\Windows\System32\SearchProtocolHost.exe (D7F955DF3682F3C9F51F4CE16B4DA8E77EC1C198).;7B666291C6ABD8C367FF250DF205BBF08830CDE3;01/05/2023 12:20:12

Please exclude this detection, especially since most anti-virus programs do not interfere with uVS.


"We have used the uVS tool for many years to analyze our customers' systems and make scripts to solve a lot of different issues. You must run this tool manually and open the script from the tool, so it is not possible to make executable scripts or something like this, which could be used by cybercriminals. I would like to ask you to exclude uVS from any detections by ESET. Also, you can see that other antiviruses mostly don't detect it. It is not a dangerous tool; it is a very useful tool."


Developer page:

hxxp://dsrt.dyndns.org:8888/

Program download page:

hxxp://dsrt.dyndns.org:8888/files/uvs_v413.zip

Edited by safety

If you trust the app, just exclude it from Eset real-time scanning by hash value.

On the other hand, quite a few vendors at VT are detecting it as Crysis ransomware: https://www.virustotal.com/gui/file/544d3f6d678b5f2a9c51fe43df6d58e18104f97009fdf659c79cb6fbc3077448

Edited by itman

@Itman,

We will exclude it; that is not a problem. But, on the other hand, every user who now creates a log or an autorun image in uVS, or executes a system cleanup script through uVS, will face this.

In terms of ransomware, I consider ESET to have the best signatures: not only is the type of threat determined (ransomware), but also the correct family, as happened recently when many vendors identified the encryption as RYUK but ESET identified it as FONIX.

The base Crysis has a standard file size: 92.50 KB (94720 bytes).

And it does not change across the great majority of its variants.

https://www.virustotal.com/gui/file/5cec86494711c0700e876922ad52c7aec3caabecd7a2577ce4a7f0cd40b0aa31/details


Edited by safety

15 hours ago, safety said:

Here the correct detection is only for SOPHOS.

It detected it as a PUA.

Your posted Eset Detection log entry shows the app was detected as suspicious. You might review your Eset real-time Detection Engine settings. As I recollect, the aggressive setting for one or more categories - in this case, the Suspicious category - will result in a higher incidence of blocking and quarantining.

Edited by itman

@itman,

The detection of the uVS module as a "Suspicious Object" was with balanced settings for Suspicious Applications. But detection continues even when detection for suspicious applications is turned off.

[screenshot: uvs_false_positive1.jpg]

Edited by safety

The Universal Virus Sniffer is a legitimate tool used for analyzing malware samples and identifying malicious code within them. However, some antivirus software programs may flag the Universal Virus Sniffer as a potentially unwanted program or even a virus, resulting in false positive detections.

False positives can occur when an antivirus program mistakenly identifies a legitimate program or file as malicious. This can happen due to various reasons such as the program's behavior, code, or signature being similar to that of a known virus. In such cases, it is recommended to report the false positive to the antivirus vendor so that they can investigate and fix the issue.

If you are using the Universal Virus Sniffer and it is being detected as a virus by your antivirus software, you can add an exception for the program in your antivirus settings to prevent it from being blocked or deleted. However, it is important to make sure that the Universal Virus Sniffer is downloaded from a trusted source and is not actually infected with malware.


  • Administrators

The fact that an application is intentionally detected as a potentially unsafe, unwanted or whatever despite its author or whoever claims it's clean doesn't mean that it's a false positive.


Detection of potentially dangerous applications had been disabled.

After enabling the balanced setting:

Time;Scan Engine;Object Type;Object;Detection;Action;User;Info;Hash;First Detection Here
2023/03/15 22:12:39;Advanced Memory Scanner;file;RAM » E:\soft\avirus\Universal Virus Sniffer latest\zaapgx;modified Win32/UniversalVirusSniffer.A potentially dangerous application;saved;;;D2C3CE6152273A201369C127EA11576086ED3300;

Quote

uVS is a lesser-known program, developed since 2009, with an original and unique methodology, designed for IT professionals; it may be more difficult for users without sufficient knowledge of Windows.

Support for creating and importing custom lists of safe and known files, signatures, white-listed digital signatures and malware search criteria (simple and compound conditions with the logic AND, OR, NOT) allows the researcher to create his own mini-virlab and integrate personal lists and databases into common ones in the interests of the IT community. The auto_script mechanism, developed in uVS, reduces the time spent on analysing an infected system and writing a working script to a reasonable minimum.

Please exclude this detection.


44 minutes ago, safety said:

Time;Scan Engine;Object Type;Object;Detection;Action;User;Info;Hash;First Detection Here
2023/03/15 22:12:39;Advanced Memory Scanner;file;RAM » E:\soft\avirus\Universal Virus Sniffer latest\zaapgx;modified Win32/UniversalVirusSniffer.A potentially dangerous application;saved;;;D2C3CE6152273A201369C127EA11576086ED3300;

It's an AMS detection. As such, no way to exclude it as far as I am aware of other than disabling Potentially Dangerous Application Detection category as you previously did:

[screenshot: Eset_AMS.png]

  • Administrators

You can create a detection exclusion with "Win32/UniversalVirusSniffer.A" and another one with "Suspicious object" and the file hash should it still be detected.


21 minutes ago, itman said:

It's an AMS detection. As such, no way to exclude it as far as I am aware of other than disabling Potentially Dangerous Application Detection category as you previously did:

[screenshot: Eset_AMS.png]
Meanwhile, the problem was solved by changing a setting in uVS: bFixedName=1 in settings.ini, in the [Settings] section. uVS can be launched in two modes: with the module name changed, and with the default name.

This is used to prevent blocking by malicious programs.

[screenshot: uVS_start_1.jpg]

Edited by safety

31 minutes ago, Marcos said:

You can create a detection exclusion with "Win32/UniversalVirusSniffer.A" and another one with "Suspicious object" and the file hash should it still be detected.

For some reason, different hashes in memory are found when UniversalVirusSniffer.A is detected, for Suspicious Object the hash does not change:

Time;Scan Engine;Object Type;Object;Detection;Action;User;Info;Hash;First Detection Here
2023/03/15 19:46:52;Real-time file system protection;file;E:\soft\avirus\Universal Virus Sniffer latest\ymalrr;Suspicious Object;cleaned up by deletion (after next restart);NT AUTHORITY\system;Event occurred when trying to access a file with the following application: C:\Windows\System32\SearchProtocolHost.exe (D7F955DF3682F3C9F51F4CE16B4DA8E77EC1C198).;7B666291C6ABD8C367FF250DF205BBF08830CDE3;01/05/2023 12:20:12
2023/03/15 19:48:52;Real-time file system protection;file;E:\soft\avirus\Universal Virus Sniffer latest\ymalrr;Suspicious Object;cleaned up by deletion (after next restart);NT AUTHORITY\system;Event occurred when trying to access a file with the following application: C:\Windows\System32\SearchProtocolHost.exe (D7F955DF3682F3C9F51F4CE16B4DA8E77EC1C198).;7B666291C6ABD8C367FF250DF205BBF08830CDE3;01/05/2023 12:20:12
2023/03/15 22:12:39;Advanced Memory Scanner;file;RAM » E:\soft\avirus\Universal Virus Sniffer latest\zaapgx;modified Win32/UniversalVirusSniffer.A potentially dangerous application;saved;;;D2C3CE6152273A201369C127EA11576086ED3300;
2023/03/15 22:46:57;Advanced Memory Scanner;file;RAM » E:\soft\avirus\Universal Virus Sniffer latest\luybti;modified Win32/UniversalVirusSniffer.A potentially dangerous application;saved;;;3B9FDB6B0057015B703E43423CC9CEB02DE88C26;
2023/03/15 23:01:47;Advanced memory scan engine;file;RAM » E:\soft\avirus\Universal Virus Sniffer latest\ncuozk;modified Win32/UniversalVirusSniffer.A potentially dangerous application;saved;;;7C41E1D7C63C6BAE2E8ACBFF8783DE669FA43A18;
2023/03/15 23:02:22;Advanced memory scan engine;file;RAM » E:\soft\avirus\Universal Virus Sniffer latest\oqqlhp;modified Win32/UniversalVirusSniffer.A potentially dangerous application;saved;;;DE0EC16389ED7DE2730D3604FC4DB63991AAF8A0;

Edited by safety

  • Administrators
  • Solution
17 minutes ago, safety said:

For some reason, different hashes in memory are found when UniversalVirusSniffer.A is detected, for Suspicious Object the hash does not change:

That's pretty much expected. "Suspicious object" is not detected in memory, and its hash is the same unless the file has been modified. A detection exclusion by hash and name was suggested only for the "Suspicious object" detection. The PUA should be excluded only by name, not by hash.

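The point Marcos makes above can be checked mechanically against the exported detection log: rows from the real-time file-system scanner carry one stable file hash, while Advanced Memory Scanner rows carry a different hash on every run, so a hash-based exclusion can only ever work for the former. The script below is an added example, not part of this thread or of ESET's own tooling; it parses the semicolon-separated rows posted above, reduces each detection string to the bare name an exclusion needs, and reports which exclusion form fits each detection. The prefix/suffix wording it strips ("modified", "a variant of", "potentially ... application") is assumed from ESET's usual naming.

```python
import csv
from collections import defaultdict
from io import StringIO

# Rows copied from the ESET detection exports posted in this thread
# (semicolon-separated, header exactly as ESET writes it).
LOG = r"""Time;Scan Engine;Object Type;Object;Detection;Action;User;Info;Hash;First Detection Here
2023/03/15 19:46:52;Real-time file system protection;file;E:\soft\avirus\Universal Virus Sniffer latest\ymalrr;Suspicious Object;cleaned up by deletion (after next restart);NT AUTHORITY\system;Event occurred when trying to access a file with the following application: C:\Windows\System32\SearchProtocolHost.exe (D7F955DF3682F3C9F51F4CE16B4DA8E77EC1C198).;7B666291C6ABD8C367FF250DF205BBF08830CDE3;01/05/2023 12:20:12
2023/03/15 19:48:52;Real-time file system protection;file;E:\soft\avirus\Universal Virus Sniffer latest\ymalrr;Suspicious Object;cleaned up by deletion (after next restart);NT AUTHORITY\system;Event occurred when trying to access a file with the following application: C:\Windows\System32\SearchProtocolHost.exe (D7F955DF3682F3C9F51F4CE16B4DA8E77EC1C198).;7B666291C6ABD8C367FF250DF205BBF08830CDE3;01/05/2023 12:20:12
2023/03/15 22:12:39;Advanced Memory Scanner;file;RAM » E:\soft\avirus\Universal Virus Sniffer latest\zaapgx;modified Win32/UniversalVirusSniffer.A potentially dangerous application;saved;;;D2C3CE6152273A201369C127EA11576086ED3300;
2023/03/15 22:46:57;Advanced Memory Scanner;file;RAM » E:\soft\avirus\Universal Virus Sniffer latest\luybti;modified Win32/UniversalVirusSniffer.A potentially dangerous application;saved;;;3B9FDB6B0057015B703E43423CC9CEB02DE88C26;
2023/03/15 23:01:47;Advanced memory scan engine;file;RAM » E:\soft\avirus\Universal Virus Sniffer latest\ncuozk;modified Win32/UniversalVirusSniffer.A potentially dangerous application;saved;;;7C41E1D7C63C6BAE2E8ACBFF8783DE669FA43A18;
2023/03/15 23:02:22;Advanced memory scan engine;file;RAM » E:\soft\avirus\Universal Virus Sniffer latest\oqqlhp;modified Win32/UniversalVirusSniffer.A potentially dangerous application;saved;;;DE0EC16389ED7DE2730D3604FC4DB63991AAF8A0;
"""

# Assumed ESET naming: a "modified"/"a variant of" prefix and a category
# suffix wrap the bare name that a detection exclusion must be created with.
PREFIXES = ("a variant of ", "modified ")
SUFFIXES = (" potentially dangerous application", " potentially unwanted application",
            " potentially unsafe application")

def exclusion_name(detection):
    """Reduce a logged detection string to the bare name used in an exclusion."""
    name = detection.strip()
    for p in PREFIXES:
        if name.lower().startswith(p):
            name = name[len(p):]
    for s in SUFFIXES:
        if name.lower().endswith(s):
            name = name[:-len(s)]
    return name.strip()

def summarize(log_text):
    """Group rows by exclusion name; collect hashes and note in-memory (RAM) hits."""
    groups = defaultdict(lambda: {"hashes": set(), "in_memory": False})
    for row in csv.DictReader(StringIO(log_text), delimiter=";"):
        g = groups[exclusion_name(row["Detection"])]
        g["hashes"].add(row["Hash"])
        g["in_memory"] |= row["Object"].startswith("RAM")  # AMS object paths start "RAM »"
    return dict(groups)

def recommend(summary):
    """Name-only exclusion when the hash is unstable; name plus hash when it is stable."""
    out = {}
    for name, g in summary.items():
        if g["in_memory"] or len(g["hashes"]) > 1:
            out[name] = "exclude by name only (hash varies)"
        else:
            out[name] = "exclude by name + hash " + next(iter(g["hashes"]))
    return out

if __name__ == "__main__":
    for name, advice in recommend(summarize(LOG)).items():
        print(f"{name}: {advice}")
```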

11 hours ago, Marcos said:

That's pretty much expected. "Suspicious object" is not detected in memory, and its hash is the same unless the file has been modified. A detection exclusion by hash and name was suggested only for the "Suspicious object" detection. The PUA should be excluded only by name, not by hash.

Returned to the old uVS launch type (bFixedName=0) and added exceptions: by hash (7B666291C6ABD8C367FF250DF205BBF08830CDE3) and by detection name (Win32/UniversalVirusSniffer.A).
