Advice Request Driver from Lenovo identified as virus. False positive?

[Jay44]

I downlaoded an driver from Lenovo website. When I installed it, Microsoft defender sayed it has an exe is virus.
I checked sha256 is right.
Nvidia Graphics Driver for Windows 11 (64-bit) - ThinkBook 14 G4+ IAP, ThinkBook 16 G4+ IAP.(Model 21CY0007CD) I don't know if I can post the link to the driver.
I uploaded it on virustotal, some antivirus software said it is virus, but some famous antivirus softwares and sandboxes undetected.

VirusTotal

VirusTotal

www.virustotal.com

Does someone know if it is a false negative?
Thank you!

 

[roger_m]

According to Lenovo it's a false positive.

【問題】從聯想官網下載的驅動被部分防毒偵測有毒(確認過SHA) @電腦應用綜合討論 哈啦板 - 巴哈姆特

我今天在聯想官網下載筆電nvdia顯卡驅動，有檢查過SHA256。 https://pcsupport.lenovo.com/tw/zh/products/laptops-and-netbooks/thinkbook-series/thinkbook-16-g4-plus-iap/21cy/21cy0007cd/downloads/ds555216-nvidia-graphics-driver-for-windows-11-64-bit-thinkbook-14-g4-iap-thinkbook-16-g4-iap...

forum.gamer.com.tw

Please take note that the files from Lenovo official were all safe. You may try another antivirus program to check it again but it is a false positive case.

The link is in Chinese, but your browser should be able to translate it.

 

[Anthony Qian]

Kaspersky whitelisted it and it's very likely to be an FP.

Submitted to Symantec, will update here when I get a reply.

----------------------

Symantec confirmed it's safe to use this file:

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

MD5: A503D85CA59A9C99DE15791AE2A6E24D

SHA256: 5510D22D5C978B864458ECF7EFF5D5A1AB5AC2948510251186A0702C5CB8779F

Note: Whitelisting is available by downloading a RAPID RELEASE indicated in the Further Information section below or via the next Live Update

 

[Jay44]

According to Lenovo it's a false positive.

【問題】從聯想官網下載的驅動被部分防毒偵測有毒(確認過SHA) @電腦應用綜合討論 哈啦板 - 巴哈姆特

我今天在聯想官網下載筆電nvdia顯卡驅動，有檢查過SHA256。 https://pcsupport.lenovo.com/tw/zh/products/laptops-and-netbooks/thinkbook-series/thinkbook-16-g4-plus-iap/21cy/21cy0007cd/downloads/ds555216-nvidia-graphics-driver-for-windows-11-64-bit-thinkbook-14-g4-iap-thinkbook-16-g4-iap...

forum.gamer.com.tw

The link is in Chinese, but your browser should be able to translate it.

Actually it is my post. But I asked Lenovo, and their reason seem to be"no one report it "and " this isn't a known issue". So I think they didn't really check it.

 

[Jay44]

Kaspersky whitelisted it and it's very likely to be a FP.

Submitted to Symantec.

Sorry. I'm not a native English speaker. What is fp means? Thx

 

[harlan4096]

FP -> false positive

 

[Jay44]

FP -> false positive

Thanks! Correct the title.

 

[Jay44]

Kaspersky whitelisted it and it's very likely to be an FP.

Submitted to Symantec, will update here when I get a reply.

----------------------

Symantec confirmed it's safe to use this file:

Thanks for your help. Hope other companies will follow up.
I think Microsoft can't just use sha256 or md5, it needs file upload?

 

[Anthony Qian]

Thanks for your help. Hope other companies will follow up.
I think Microsoft can't just use sha256 or md5, it needs file upload?

Yeah, you cannot submit samples to Microsoft by hash.

 

[upnorth]

Actually it is my post. But I asked Lenovo, and their reason seem to be"no one report it "and " this isn't a known issue". So I think they didn't really check it.

I wouldn't throw VTs assessment ( 27/66 ) in this case under the buss, simply because certain well known vendors does not detect it on VT. Nextron systems THOR APT scanner does very well flag it, but VT should not be used as a bullet proof test as that never been it's purpose.

It could be worth getting some of the not mentioned in this threads AV vendors take a look at it. Try contact Bitdefender, F-Secure and also G-Data.

 

[Jay44]

I wouldn't throw VTs assessment ( 27/66 ) in this case under the buss, simply because certain well known vendors does not detect it on VT. Nextron systems THOR APT scanner does very well flag it, but VT should not be used as a bullet proof test as that never been it's purpose.

It could be worth getting some of the not mentioned in this threads AV vendors take a look at it. Try contact Bitdefender, F-Secure and also G-Data.

All of three can't use hash, so I send downloading url and told them the file is downlaoded by the url(if the website permit).

 

[upnorth]

All of three can't use hash, so I send downloading url and told them the file is downlaoded by the url(if the website permit).

Hash value normally works just fine and can be of help if you " contact " as in either use the phone or chat option if available. But as you have access to the actual file itself, as mentioned in your first post :

I downlaoded an driver from Lenovo website.

of course you should send it to them and then also use include extra information, and the Hash along with your email address so you can get a full support ticket number and a correct feedback.

Most AV vendors simply requires the file to be added in an archive ( rar, zip etc ) and use the password: infected

 

[ScandinavianFish]

The detection names are all over the place, "Coinminer", "Password stealer", "Powershell", "Banker", and lots of just generic detections, true positives often have similar sounding names, as if, for example, it was an password stealer most AV engines would label it as one.

 

[Jay44]

The detection names are all over the place, "Coinminer", "Password stealer", "Powershell", "Banker", and lots of just generic detections, true positives often have similar sounding names, as if, for example, it was an password stealer most AV engines would label it as one.

Did you mean engines use so different name, so it might be false positive (maybe because ML?)

 

[Jay44]

Hash value normally works just fine and can be of help if you " contact " as in either use the phone or chat option if available. But as you have access to the actual file itself, as mentioned in your first post :

of course you should send it to them and then also use include extra information, and the Hash along with your email address so you can get a full support ticket number and a correct feedback.

Most AV vendors simply requires the file to be added in an archive ( rar, zip etc ) and use the password: infected

Hello, I haven't see company's driver be installed virus in recent year's news. Most of the problems appear because driver has bug, right?
I already send mail to Lenovo psirt, but they say they didn't have results yet.

 

[Kongo]

Many of the AV engines that detect it as malicious are AI / ML based. They often tend to throw quite a few false positives.

 

[Jay44]

Many of the AV engines that detect it as malicious are AI / ML based. They often tend to throw quite a few false positives.

I see virustotal's Microsoft temporarily mark it undetected, but back to mark it as virus after few hours.
By the way the virus names on the virustotal's Microsoft and my Microsoft defender are different, it is normal?

 

[Kongo]

I see virustotal's Microsoft temporarily mark it undetected, but back to mark it as virus after few hours.
By the way the virus names on the virustotal's Microsoft and my Microsoft defender are different, it is normal?

Whats the detection of your Microsoft Defender?

 

[Jay44]

Whats the detection of your Microsoft Defender?

Sabsik.FL.A!ml at first. After I rescanned, it became Sabsik.FL.B!ml.

 

[Shadowra]

The "Sabsik.FL.A!ml" detection's on Microsoft Defender is a detection by AI Machine Learning.
Even if the recognized AVs (Kaspersky, GDATA, Bitdefender, F-Secure etc.) do not detect it, I can't say that it is 100% clean... (given the detection Sophos / Malwarebytes)
But on the other hand, Symantec/Norton has removed the detection....

The most likely hypothesis is that Lenovo uses a confuser (to protect source codes) that has potentially been used by a malware, hence the "PowerShell" detections...

If someone has a download link to run it on a virtual machine, I take