Advice Request Driver from Lenovo identified as virus. False positive?

Please provide comments and solutions that are helpful to the author of this topic.

Jay44

Jay44

Level 1
Thread author
Apr 22, 2022
15
Shadowra said:
The "Sabsik.FL.A!ml" detection's on Microsoft Defender is a detection by AI Machine Learning.
Even if the recognized AVs (Kaspersky, GDATA, Bitdefender, F-Secure etc.) do not detect it, I can't say that it is 100% clean... (given the detection Sophos / Malwarebytes)
But on the other hand, Symantec/Norton has removed the detection....

The most likely hypothesis is that Lenovo uses a confuser (to protect source codes) that has potentially been used by a malware, hence the "PowerShell" detections...

If someone has a download link to run it on a virtual machine, I take :)
Click to expand...
Thanks for reply.
Because I don't know if I can post link here, I DM you the driver's information page, whink includes a download link.
Thanks for your kindly help again!
 
  • Like
  • Thanks
Reactions: Nevi, [correlate], Kongo and 2 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Microsoft is fast at fixing false positive when reported to them. Though in this case of this driver, Lenovo themselves should contact Microsoft and sort it out quickly and should even pause the delivery of the driver for now. But TBH, Lenovo should have checked this beforehand. Even our resident developer on this forum Andy Ful submits his apps to security vendors prior to releasing a new version to make sure popular AV products don't detect his tools after releasing.

Submit a file for malware analysis - Microsoft Security Intelligence

Submit suspected malware or incorrectly detected files for analysis. Submitted files will be added to or removed from antimalware definitions based on the analysis results.
www.microsoft.com
 
  • Like
Reactions: plat, Nevi, roger_m and 3 others
Jay44

Jay44

Level 1
Thread author
Apr 22, 2022
15
SeriousHoax said:
Microsoft is fast at fixing false positive when reported to them. Though in this case of this driver, Lenovo themselves should contact Microsoft and sort it out quickly and should even pause the delivery of the driver for now. But TBH, Lenovo should have checked this beforehand. Even our resident developer on this forum Andy Ful submits his apps to security vendors prior to releasing a new version to make sure popular AV products don't detect his tools after releasing.

Submit a file for malware analysis - Microsoft Security Intelligence

Submit suspected malware or incorrectly detected files for analysis. Submitted files will be added to or removed from antimalware definitions based on the analysis results.
www.microsoft.com
Click to expand...
I want to report to Microsoft at first, but they force me to uploaded file.
BTW, I report to Lenovo psirt this week, they said they have a team on this issue, but don't have results to share yet.
 
Last edited:
  • Like
Reactions: Nevi and [correlate]
Shadowra

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
Hello guys!

After testing, I can give you a verdict.
He sent me the link, I was able to download it and test it.

Result : It's a 100% false positive :)

Already, the file is about 780Mb (I downloaded it very quickly, I have fiber optics).
Then, it is signed, but that means nothing, you can also sign a malware you will say...

Well, nothing happened. The installation went smoothly :)

Here are the screenshots.

He used PowerShell once, probably to replace a driver.

1eGxWvwj.png

qASRQTpi.png

mnwP6BbO.png

Nothing has been detected and the virtual amchine is doing very well.
It is a false positive of the antivirus :cool: ;)
 
  • Like
  • +Reputation
  • Applause
Reactions: Trooper, Nevi, peterfat11 and 6 others
Jay44

Jay44

Level 1
Thread author
Apr 22, 2022
15
Shadowra said:
Hello guys!

After testing, I can give you a verdict.
He sent me the link, I was able to download it and test it.

Result : It's a 100% false positive :)

Already, the file is about 780Mb (I downloaded it very quickly, I have fiber optics).
Then, it is signed, but that means nothing, you can also sign a malware you will say...

Well, nothing happened. The installation went smoothly :)

Here are the screenshots.

He used PowerShell once, probably to replace a driver.

1eGxWvwj.png

qASRQTpi.png

mnwP6BbO.png

Nothing has been detected and the virtual amchine is doing very well.
It is a false positive of the antivirus :cool: ;)
Click to expand...
Actually, I downloaded MB at first, and MB detect 11F3.exe as trojan Powershell.

Maybe the new database fixed it?
 
  • Like
Reactions: Nevi and [correlate]
F

ForgottenSeer 69673

roger_m said:
It should be unrelated, as a video driver in unrelated to a BIOS update.
Click to expand...
If you say so but I was just assuming the driver included WITH the NIOS update was why MB was flagging it. Please read again.

CVE-2021-3971: A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable.
 
  • Like
Reactions: Jay44
R

roger_m

Level 42
Verified
Top Poster
Content Creator
Dec 4, 2014
3,132
ticklemefeet said:
If you say so but I was just assuming the driver included WITH the NIOS update was why MB was flagging it. Please read again.
Click to expand...
The detection "Trojan.PowerShell" is in no way related to a BIOS vulnerability. It seems that the download is just for the video driver anyway.
 
  • Like
Reactions: Jay44
F

ForgottenSeer 69673

Ok was posted, then removed. Backdoor

Lenovo issues fixes for laptop backdoors | Malwarebytes Labs

Apr 21, 2022 · Lenovo issues fixes for laptop backdoors UEFI. UEFI is a specification that defines

But yes you are correct, the OP downloaded the driver and it was not because his computer was shipped with the backdoor .

en.viknews.com

Lenovo laptops open to attack — what to do right now

ContentsThree vulnerabilities foundCheck If Your Lenovo Laptop Is Affected And What To DoMore information Security firm ESET today announced that three vulnerabilities in hundreds of Lenovo laptops could potentially leave millions of users at risk. These vulnerabilities allow hackers to inject...
en.viknews.com en.viknews.com
 
Last edited by a moderator:
  • Like
  • Wow
Reactions: roger_m, Jay44 and plat
Jay44

Jay44

Level 1
Thread author
Apr 22, 2022
15
SeriousHoax said:
I submitted it to Microsoft today, and now they have removed the detection. So the false positive is gone.
But it also shows how incompetent or careless the people at Lenovo are. They couldn't even submit a false positive report.
View attachment 266103
Click to expand...
Thank you for your help ☺️
I contact to Lenovo Twitter, Lenovo website support, and ask them if they can report to Microsoft.
Seem they did't do this.🤔
 
  • Like
Reactions: roger_m and SeriousHoax

Similar threads

Trident
    • Like
    • +Reputation
    • Thanks
Serious Discussion Decoding the Trend Micro Components and Protection Model
Replies
24
Views
2,976
Other security for Windows, Mac, Linux
Mahesh Sudula
Mahesh Sudula
SpyNetGirl
    • Like
    • +Reputation
    • Hundred Points
Harden Windows Security | Only with official documented methods | Always up to date
Replies
75
Views
13,854
Other security for Windows, Mac, Linux
Warencom
W
C
    • Like
Prevent self-developed software from being diagnosed as a virus
Replies
1
Views
1,317
General Security Discussions
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top