Advice Request Driver from Lenovo identified as virus. False positive?

Please provide comments and solutions that are helpful to the author of this topic.

Jay44

Level 1
Thread author
Apr 22, 2022
15
I downlaoded an driver from Lenovo website. When I installed it, Microsoft defender sayed it has an exe is virus.
I checked sha256 is right.
Nvidia Graphics Driver for Windows 11 (64-bit) - ThinkBook 14 G4+ IAP, ThinkBook 16 G4+ IAP.(Model 21CY0007CD) I don't know if I can post the link to the driver.
I uploaded it on virustotal, some antivirus software said it is virus, but some famous antivirus softwares and sandboxes undetected.
Does someone know if it is a false negative?
Thank you!
 
Last edited:
  • Like
Reactions: Nevi and Dave Russo

roger_m

Level 41
Verified
Top Poster
Content Creator
Dec 4, 2014
3,095
According to Lenovo it's a false positive.
Please take note that the files from Lenovo official were all safe. You may try another antivirus program to check it again but it is a false positive case.
The link is in Chinese, but your browser should be able to translate it.
 

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
450
Kaspersky whitelisted it and it's very likely to be an FP.

Submitted to Symantec, will update here when I get a reply.

----------------------

Symantec confirmed it's safe to use this file:
Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

MD5: A503D85CA59A9C99DE15791AE2A6E24D

SHA256: 5510D22D5C978B864458ECF7EFF5D5A1AB5AC2948510251186A0702C5CB8779F

Note: Whitelisting is available by downloading a RAPID RELEASE indicated in the Further Information section below or via the next Live Update
 
Last edited:

Jay44

Level 1
Thread author
Apr 22, 2022
15
According to Lenovo it's a false positive.

The link is in Chinese, but your browser should be able to translate it.
Actually it is my post. But I asked Lenovo, and their reason seem to be"no one report it "and " this isn't a known issue". So I think they didn't really check it.
 
Last edited:

Jay44

Level 1
Thread author
Apr 22, 2022
15
Kaspersky whitelisted it and it's very likely to be an FP.

Submitted to Symantec, will update here when I get a reply.

----------------------

Symantec confirmed it's safe to use this file:
Thanks for your help. Hope other companies will follow up.
I think Microsoft can't just use sha256 or md5, it needs file upload?
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
Actually it is my post. But I asked Lenovo, and their reason seem to be"no one report it "and " this isn't a known issue". So I think they didn't really check it.
I wouldn't throw VTs assessment ( 27/66 ) in this case under the buss, simply because certain well known vendors does not detect it on VT. Nextron systems THOR APT scanner does very well flag it, but VT should not be used as a bullet proof test as that never been it's purpose.

It could be worth getting some of the not mentioned in this threads AV vendors take a look at it. Try contact Bitdefender, F-Secure and also G-Data.
 

Jay44

Level 1
Thread author
Apr 22, 2022
15
I wouldn't throw VTs assessment ( 27/66 ) in this case under the buss, simply because certain well known vendors does not detect it on VT. Nextron systems THOR APT scanner does very well flag it, but VT should not be used as a bullet proof test as that never been it's purpose.

It could be worth getting some of the not mentioned in this threads AV vendors take a look at it. Try contact Bitdefender, F-Secure and also G-Data.
All of three can't use hash, so I send downloading url and told them the file is downlaoded by the url(if the website permit).
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
All of three can't use hash, so I send downloading url and told them the file is downlaoded by the url(if the website permit).
Hash value normally works just fine and can be of help if you " contact " as in either use the phone or chat option if available. But as you have access to the actual file itself, as mentioned in your first post :
I downlaoded an driver from Lenovo website.
of course you should send it to them and then also use include extra information, and the Hash along with your email address so you can get a full support ticket number and a correct feedback.

Most AV vendors simply requires the file to be added in an archive ( rar, zip etc ) and use the password: infected
 

Jay44

Level 1
Thread author
Apr 22, 2022
15
The detection names are all over the place, "Coinminer", "Password stealer", "Powershell", "Banker", and lots of just generic detections, true positives often have similar sounding names, as if, for example, it was an password stealer most AV engines would label it as one.
Did you mean engines use so different name, so it might be false positive (maybe because ML?)
 
Last edited:

Jay44

Level 1
Thread author
Apr 22, 2022
15
Hash value normally works just fine and can be of help if you " contact " as in either use the phone or chat option if available. But as you have access to the actual file itself, as mentioned in your first post :

of course you should send it to them and then also use include extra information, and the Hash along with your email address so you can get a full support ticket number and a correct feedback.

Most AV vendors simply requires the file to be added in an archive ( rar, zip etc ) and use the password: infected
Hello, I haven't see company's driver be installed virus in recent year's news. Most of the problems appear because driver has bug, right?
I already send mail to Lenovo psirt, but they say they didn't have results yet. :(
 
Last edited:

Jay44

Level 1
Thread author
Apr 22, 2022
15
Many of the AV engines that detect it as malicious are AI / ML based. They often tend to throw quite a few false positives.
I see virustotal's Microsoft temporarily mark it undetected, but back to mark it as virus after few hours.
By the way the virus names on the virustotal's Microsoft and my Microsoft defender are different, it is normal?
 
  • Like
Reactions: Nevi and Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,581
I see virustotal's Microsoft temporarily mark it undetected, but back to mark it as virus after few hours.
By the way the virus names on the virustotal's Microsoft and my Microsoft defender are different, it is normal?
Whats the detection of your Microsoft Defender?
 
  • Like
Reactions: Nevi and Jay44

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,561
The "Sabsik.FL.A!ml" detection's on Microsoft Defender is a detection by AI Machine Learning.
Even if the recognized AVs (Kaspersky, GDATA, Bitdefender, F-Secure etc.) do not detect it, I can't say that it is 100% clean... (given the detection Sophos / Malwarebytes)
But on the other hand, Symantec/Norton has removed the detection....

The most likely hypothesis is that Lenovo uses a confuser (to protect source codes) that has potentially been used by a malware, hence the "PowerShell" detections...

If someone has a download link to run it on a virtual machine, I take :)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top