fixwmi.cmd revisited

Duh_OZ

Back in July 2005 I reported how a small script file was being reported
as "Univ.bat/a" by McAfee and Sybari. Fast forward to 2007. I
submitted to virustotal again, and although McAfee now says it is clean
(which it is) a few other vendors are calling it a Zapchast variant.
Little trouble-making file keeps popping up false positives :0)
==============

Antivirus    Version         Update      Result
AntiVir      7.3.0.21        01.09.2007  BAT/Zapchast.3
BitDefender  7.2             01.11.2007  Trojan.Bat.Zapchast.CU
ClamAV       devel-20060426  01.11.2007  Trojan.BAT.Zapchast
Ewido        4.0             01.10.2007  Trojan.Zapchast
Ikarus       T3.1.0.27       01.09.2007  Trojan.BAT.Zapchast
Kaspersky    4.0.2.24        01.11.2007  Trojan.BAT.Zapchast
Norman       5.80.02         01.10.2007  BAT/Zapchast.L

==================
@echo on
rem fixwmi.cmd: rebuild the WMI repository and re-register the WMI
rem binaries. Run from an administrative prompt; the old repository is
rem kept as Rep_bak rather than deleted.
cd /d c:\temp
if not exist %windir%\system32\wbem goto TryInstall
cd /d %windir%\system32\wbem
rem Stop the WMI service (and kill any leftover winmgmt process) so the
rem repository directory can be renamed
net stop winmgmt
winmgmt /kill
if exist Rep_bak rd Rep_bak /s /q
rename Repository Rep_bak
rem Re-register every COM server in the wbem directory
for %%i in (*.dll) do RegSvr32 -s %%i
for %%i in (*.exe) do call :FixSrv %%i
rem Recompile all MOF/MFL files into the fresh repository
for %%i in (*.mof,*.mfl) do Mofcomp %%i
net start winmgmt
goto End

:FixSrv
rem Skip the executables that are tools rather than COM servers
if /I (%1) == (wbemcntl.exe) goto SkipSrv
if /I (%1) == (wbemtest.exe) goto SkipSrv
if /I (%1) == (mofcomp.exe) goto SkipSrv
%1 /RegServer

:SkipSrv
rem Return to the caller of "call :FixSrv" (the original "goto End"
rem only worked because :End happened to be the last line of the file)
goto :eof

:TryInstall
rem No wbem directory: attempt a silent install of the WMI core
if not exist wmicore.exe goto End
wmicore /s
net start winmgmt
:End
============
 
Art

> Back in July 2005 I reported how a small script file was being reported
> as "Univ.bat/a" by McAfee and Sybari. Fast forward to 2007. I
> submitted to virustotal again, and although McAfee now says it is clean
> (which it is) a few other vendors are calling it a Zapchast variant.
> Little trouble-making file keeps popping up false positives :0)
>
> <snip>

I'm speculating that the batch has found its way into test beds of
testing agencies such as av-comparatives, in which case vendors will
refuse to remove the fp. If I'm right, you can expect McAfee and
Sybari to start alerting again soon, along with several more products
which never used to produce the fp :) The harmless batch will be
deemed malware by decree of av-comparatives and the like ... not by av
company analysts. Like we always used to say back in my engineering
days, bullshit beats science! An engineer's nightmare is a marketeer's
dream and vice versa! The marketplace rulez!!! Hey, false positives
sell, man!

:)

Art
http://home.epix.net/~artnpeg
 
Guest

no, you are wrong.

> <snip>
>
> I'm speculating that the batch has found its way into test beds of
> testing agencies such as av-comparatives, in which case vendors will
> refuse to remove the fp. If I'm right, you can expect McAfee and
> Sybari to start alerting again soon, along with several more products
> which never used to produce the fp :) The harmless batch will be
> deemed malware by decree of av-comparatives and the like ... not by av
> company analysts. Like we always used to say back in my engineering
> days, bullshit beats science! An engineer's nightmare is a marketeer's
> dream and vice versa! The marketplace rulez!!! Hey, false positives
> sell, man!
>
> :)
>
> Art
> http://home.epix.net/~artnpeg
 
Art

> no, you are wrong.

Wrong about what, exactly? It's been well known since the heyday of
DOS av scanners that leading products purposely detect unviable
samples or "crud" that's known to exist in test beds at vx sites on
the internet. The former DR Solly (and now McAfee) always insisted
that the "cheater" switch /VID be enabled when testing their scanner
so that it had a better chance at higher "detection" rates. FSI
(F-Prot) insisted that the /COLLECT switch be enabled for the same
reason. I know for a fact that Kaspersky makes little or no attempt at
avoiding crud file detection so that it continually fares well in
lousy tests. That's what sells av scanners, as I said.

Or do you mean that just the sample in question does not exist in
av-comparatives test bed of alleged actual malware?
 
Guest

"Or do you mean that just the sample in question does not exist in
av-comparatives test bed of alleged actual malware? "

yes, I mean that.
 
Art

> "Or do you mean that just the sample in question does not exist in
> av-comparatives test bed of alleged actual malware? "
>
> yes, I mean that.

Then I suggest that this sample be part of your false positive testing
test bed. Punish vendors that alert on it and others like it. You have
far more clout than individual users who submit such samples to
vendors in the hope that they will remove detection. Hit them where
it hurts. Lower their ratings on the basis of detecting harmless
files.

Art
http://home.epix.net/~artnpeg
 