False Positives based on VirusTotal

    Hello UT folks,

    I'm curious as to whether there may be an updated engine that may help reduce false positives. We see usually at least one per month. This is based on taking the URL to VirusTotal, and also uploading the file to VirusTotal.

    One example is http://clienttemplates.content.offic...tp02835233.cab

    VT URL analysis:


    VT file analysis:



    Or maybe the false positives are not from needing a newer clam engine, but perhaps just its configuration being more aggressive. If so, I'm more than happy living with that.

    Just curious really. And it would be nice to not have these false-positives, although I'd rather take a false-positive than a false-negative.

  • #2
    I'm having constant alerts for the exact same file on many of my users. When I scan the file with any other A/V providers, it comes up clean.

    In my case, the file is being flagged by Sanesecurity's signatures which Untangle uses with the virus blocker lite app. I submitted the details to their site here: http://sanesecurity.com/support/false-positives/

    We'll see if it gets removed. I hate white-listing things if I can help it, because you never know if the contents of that specific CAB file may change in the future.



    • #3
      I received word from Sanesecurity that the reason I'm getting this false positive is because I'm running outdated definitions. Based on their support, it was resolved in definitions that were published in October.

      I guess that raises the question of why the definitions are that out of date. According to the console, my signatures are up to date.



      • #4
        Wow



        • #5
          I upgraded to 13.1.1 today, and it appears to have resolved my specific issue. From what I can tell, either the Sanesecurity signatures are being updated only during new releases, or somehow my system wasn't downloading the latest information, and the new update kicked things off again. It would be nice to have some visibility to the signature files so we knew what version was running.


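Posts #2, #3 and #5 above come down to two questions an admin has to answer by hand: which feed produced the signature that fired (so the false-positive report goes to Sanesecurity rather than to ClamAV, or the other way round), and whether the databases on disk are really current even though the console says "up to date". The script below is an added example, not code from the thread or from Untangle. It relies on two documented ClamAV behaviours: signatures loaded from third-party databases get a ".UNOFFICIAL" suffix, and .cvd/.cld files begin with a 512-byte colon-separated "ClamAV-VDB" header carrying the build date, version and signature count. The scan output, file names, signature names and the prefix-to-feed table are constructed for the example.

```python
"""Added example: attribute ClamAV hits to the feed that produced them and
check whether the signature databases on disk are actually current."""
import os
import re
import tempfile
import time
from pathlib import Path

# clamscan/clamdscan report each detection as "<path>: <SignatureName> FOUND"
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# ClamAV appends ".UNOFFICIAL" to every signature loaded from a third-party
# database; the leading component of the name identifies the publisher.
# This prefix -> feed table is an assumption made for the example.
FEED_PREFIXES = {
    "Sanesecurity": "Sanesecurity",
    "winnow": "Winnow (distributed by Sanesecurity)",
    "PhishTank": "PhishTank (distributed by Sanesecurity)",
}

# Extensions ClamAV loads from its database directory (official .cvd/.cld,
# plus the plain-text formats used by third-party feeds).
DB_EXTENSIONS = {".cvd", ".cld", ".ndb", ".hdb", ".hsb", ".ldb", ".ign2", ".ftm"}


def classify_hit(sig_name):
    """Return (feed, is_official) for a signature name."""
    if sig_name.endswith(".UNOFFICIAL"):
        prefix = sig_name.split(".", 1)[0]
        return FEED_PREFIXES.get(prefix, f"unknown third-party feed ({prefix})"), False
    return "ClamAV official database", True


def parse_scan_output(text):
    """Turn raw clamscan output into records saying whom an FP report goes to."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            feed, official = classify_hit(m["sig"])
            hits.append({"path": m["path"], "signature": m["sig"],
                         "feed": feed, "official": official})
    return hits


def cvd_version(path):
    """Read build date, version and signature count from a .cvd/.cld header:
    ClamAV-VDB:<date>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>"""
    with open(path, "rb") as f:
        header = f.read(512).decode("ascii", "replace").rstrip("\x00 \n")
    fields = header.split(":")
    if len(fields) < 4 or fields[0] != "ClamAV-VDB":
        raise ValueError(f"{path}: not a ClamAV CVD header")
    return {"built": fields[1], "version": int(fields[2]), "signatures": int(fields[3])}


def stale_databases(db_dir, max_age_days=7, now=None):
    """List (filename, age_in_days) for signature files older than max_age_days.
    A feed file untouched for months is the symptom from post #3: the console
    says 'up to date' while the publisher has long since fixed the FP."""
    now = time.time() if now is None else now
    stale = []
    for p in Path(db_dir).iterdir():
        if p.suffix in DB_EXTENSIONS:
            age = (now - p.stat().st_mtime) / 86400
            if age > max_age_days:
                stale.append((p.name, round(age, 1)))
    return sorted(stale)


# Constructed sample output; paths and signature names are made up.
SAMPLE_SCAN_OUTPUT = """\
/var/cache/tp02835233.cab: Sanesecurity.Foxhole.Mail_cab_tinyexe.UNOFFICIAL FOUND
/home/user/invoice.doc: Win.Trojan.Agent-1234567-0 FOUND
/tmp/clean.txt: OK
"""


def demo():
    """Build a constructed database directory and run both checks on it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        db = Path(d)
        # Constructed header (fake md5/dsig): version 26000, 6,500,000 signatures.
        header = ("ClamAV-VDB:01 Oct 2017 10-00 -0400:26000:6500000:90:"
                  "0123456789abcdef:ZmFrZQ==:builder:1506852000")
        (db / "main.cvd").write_bytes(header.encode().ljust(512, b"\x00") + b"body")
        # Constructed .ndb record, then backdate the file 120 days.
        (db / "foxhole_js.ndb").write_text("Sanesecurity.Example.Test:0:*:6578616d706c65\n")
        old = now - 120 * 86400
        os.utime(db / "foxhole_js.ndb", (old, old))
        return {
            "hits": parse_scan_output(SAMPLE_SCAN_OUTPUT),
            "main_cvd": cvd_version(db / "main.cvd"),
            "stale": stale_databases(db, max_age_days=7, now=now),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Pointed at a real install, `stale_databases("/var/lib/clamav")` (the path is an assumption; Untangle's own database location is not stated in the thread) would have shown the months-old Sanesecurity files behind post #3 long before a version upgrade happened to refresh them, and `parse_scan_output` over the scanner log tells you at a glance that a `.UNOFFICIAL` hit is one for Sanesecurity's FP form, not ClamAV's.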

          • #6
            Running 13.1.1 here, too, and just in the last few days I'm seeing a number of what I believe are false positives from iOS devices trying to update an app direct from the Apple App Store. I've seen 5 of these in the last 3 days, and I don't think they are all the same device. I suppose it's possible there's some malware that has snuck through Apple's review process, but this seems more like a false-positive case.

            Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty
