Submitting files to online scanners - a warning

Guest

Some while ago I posted a question about submitting suspect files to online
scanners. I didn't know whether a QUARANTINED file is somehow 'neutralised'
by the antivirus product during the quarantining process. If so, then of
course it would be useless to send it to an online scanner, because all the
scanners would find it harmless in its neutralised state. No one at that time
could answer my question, though Bill Sanderson suggested a way of testing it
using the eicar file.

I can now answer the question - not using the eicar file, but using a recent
real life detection, today.

While I was scanning my system with Superantispyware, the AVG resident
shield popped up with a threat detection - C:\Windows\System32\Panda
Sotware\ActiveScan2\pskahk.dll. (Superantispyware itself detected nothing.)

I was pretty sure this was a false positive. I sent it to
http://virusscan.jotti.org/ and got all negative responses. I sent it to the
Virustotal.com scanner and again got all negative responses EXCEPT for Ewido,
which reported 'Trojan Agent' (not surprising because Ewido is built into the
AVG engine); but also, more worryingly, Ikarus reported 'Win32.SuspectCrc'.

So I quarantined the file and emailed a copy of it to AVG to ask their advice.

But THEN I sent the quarantined file to the virustotal scanner again - and
this time ALL THE RESPONSES WERE NEGATIVE.

The conclusion is really important. If you send a suspect QUARANTINED file
to the online scanners, you'll always get a negative response. It seems that
you MUST send the file BEFORE quarantining it, not after.

Incidentally, in order to send the file from its original location (as
opposed to sending it from quarantine, which isn't a problem), I could find
no way to do that except to turn off the AVG resident shield temporarily.
Otherwise it just blocked the file.
 
Guest

Alan D said:
While I was scanning my system with Superantispyware, the AVG resident
shield popped up with a threat detection - C:\Windows\System32\Panda
Sotware\ActiveScan2\pskahk.dll. (Superantispyware itself detected nothing.)

Just in case anyone out there has picked up the same alert on AVG - I just
heard from Ewido that this is a false positive and will be corrected in the
next update.

The main point of this thread, however, remains - I'll say it again just to
be clear. If you submit a file from quarantine to Totalscan or Jotti, they
will find it clean even if the original file was infected. There's no point
in doing that. You have to find a way to send the original, unmodified file.
 
Dave M

Excellent feedback and detective work. I really appreciate your confirming
what I'd only suspected before. Thanks for that, Alan.
 
Guest

Dave M said:
Excellent feedback and detective work. I really appreciate your confirming
what I'd only suspected before. Thanks for that, Alan.

You're welcome Dave. It does raise a problem though. My first reaction when
something comes up is to quarantine it immediately. But to let the scanners
do their job, it seems you have to leave the file in situ and actually
disable your real time antivirus protection so you can submit it to the
online scanner(s). Then you can reactivate the RTP and quarantine the file.

In this case I felt in my bones that this was a false positive, so I wasn't
too worried about doing this - but if I'd been wrong, all that messing about
couldn't have been a good idea.... Can anyone think of a better approach?

The alternative of course is not to use the online file scanners at all, but
to email the quarantined file to your AV support team (which I also did).
 
Dave M

....a possibility that may or may not work. If you zip the file before
quarantine it would render it non-functional, and the multiscanners may be
able to unpack that format... apparently from doing some modest reading
they do have the ability to recognize some packed formats, with zip being
very common that could work. I could understand them not being able to
work with encrypted files from quarantine. Give it a quick shot with your
FP...
 
Guest

Dave M said:
....a possibility that may or may not work. If you zip the file before
quarantine it would render it non-functional, and the multiscanners may be
able to unpack that format... apparently from doing some modest reading
they do have the ability to recognize some packed formats, with zip being
very common that could work. I could understand them not being able to
work with encrypted files from quarantine. Give it a quick shot with your
FP...

Nice idea Dave, but the AVG virus vault now seems to be protesting at my
casually whisking files in and out of quarantine. There are two files locked
up (the other one being a copy of the first that was stashed away in
System Restore), and last time I tried to release them I got two AVG errors
in Event Viewer (the files 'could not be unplaned from Clean Drv removal,
error: 2' - whatever that means.) I hope that doesn't mean my System Restore
points are now messed up.
Anyway, I'm going to leave them there in quarantine until they've fixed the
signatures. AVG goes nuts if it spots them on the loose.

However, thinking about your suggestion: in order to zip the files I'm
pretty sure you'd still need to disable the antivirus RTP (it dives in to the
rescue if you so much as wave a cursor over the file icon), so I'm not sure
you'd gain much.
 
Guest

Alan D said:
Anyway, I'm going to leave them there in quarantine until they've fixed the
signatures.

Which I see they've now done, with today's update.

The Ewido part of AVG has been coming up with more of these fps than I'd
like, really.....
 
Dave M

I don't know why I asked you to look at it... I've got that Panda dll on my
system, but by the time I submitted it to VirusTotal they'd already fixed
the FP yesterday. So much for that experiment...
 
Robinb

Sometimes it is better to find a false positive and report it to AVG than
to find nothing at all. Of course this is a "catch 22" because you do not
know if it really found something. But on the other hand at least you know
the program is actually protecting you even though it gave you a false
positive.

robin
 
Bill Sanderson MVP

Thanks - interesting report. In this case, I believe that the quarantine
process has encrypted the file--or otherwise changed it in a way which
alters the CRC.

I also suspect as you do, that this is a false positive, and that apparently
this file has an identical hash to some malware.

This is something I have never spent the time to test--thanks for doing it,
and posting.
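A small added demonstration, written in Python for this edit and not part of the thread, of the mechanism Alan D observed and Bill Sanderson names: the vault transforms the file, so a scanner that matches on a hash or CRC of the original no longer matches the quarantined copy, while a plain zip of the original (Dave M's idea) still contains the unmodified bytes for a scanner that unpacks archives. The XOR-and-header container, the sample bytes, the file name and the one-entry signature set are all constructed assumptions; real products use their own vault formats and detection logic.

```python
import hashlib
import io
import zipfile
import zlib

# Constructed sample standing in for the flagged DLL; not real file content.
ORIGINAL = b"MZ\x90\x00" + b"constructed sample bytes for the quarantine demo" * 4

# Hypothetical vault key; real vaults use their own (undocumented) transform.
QUARANTINE_KEY = b"\x5a\xa5"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def quarantine(data: bytes, key: bytes = QUARANTINE_KEY) -> bytes:
    """Simulate a vault: wrap the file in a container and obfuscate its bytes so
    it can neither run nor be matched byte-for-byte. XOR is an assumption that
    stands in for whatever a real product does."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return b"QUAR\x00\x01" + len(data).to_bytes(4, "big") + body


def restore(blob: bytes, key: bytes = QUARANTINE_KEY) -> bytes:
    """Reverse the simulated vault transform (what 'release from quarantine' does)."""
    if blob[:6] != b"QUAR\x00\x01":
        raise ValueError("not a quarantine container")
    length = int.from_bytes(blob[6:10], "big")
    body = blob[10:10 + length]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def zip_in_memory(name: str, data: bytes) -> bytes:
    """Zip a file without touching its bytes; the inner file hashes unchanged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def scanner_lookup(sample: bytes, known_hashes: set) -> dict:
    """Toy multiscanner: hashes the submitted bytes and, like the scanners Dave M
    describes, also looks at each member of a zip archive."""
    checked = [sample]
    if zipfile.is_zipfile(io.BytesIO(sample)):
        with zipfile.ZipFile(io.BytesIO(sample)) as zf:
            checked.extend(zf.read(n) for n in zf.namelist())
    hits = [sha256_hex(c) for c in checked if sha256_hex(c) in known_hashes]
    return {"detected": bool(hits), "matched": hits}


def demo() -> dict:
    # One constructed signature: the hash of the original, as if a vendor had
    # (wrongly, in Alan D's case) listed it.
    signatures = {sha256_hex(ORIGINAL)}
    q = quarantine(ORIGINAL)
    zipped_original = zip_in_memory("pskahk.dll", ORIGINAL)
    zipped_vault = zip_in_memory("pskahk.dll", q)
    return {
        "original": scanner_lookup(ORIGINAL, signatures)["detected"],
        "quarantined": scanner_lookup(q, signatures)["detected"],
        "zipped_before_quarantine": scanner_lookup(zipped_original, signatures)["detected"],
        "zipped_after_quarantine": scanner_lookup(zipped_vault, signatures)["detected"],
        "restored_matches_original": restore(q) == ORIGINAL,
        "crc_changed_by_vault": crc32(q) != crc32(ORIGINAL),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical takeaway matches the thread: record the SHA-256 (or submit the file) before the vault touches it, because the quarantined blob shares no hash or CRC with the original, and zipping the vault copy does not help since the archive member is already the transformed blob.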
 