Serious Discussion How Well do You Understand False Positives in Forensic Reports?

Trident

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,356
This is an assignment for fun, and for even more fun I will also allow bot to reply (just to prove that there is a lot beyond AI capabilities).

With the permission of a user, I’ve gathered few Check Point Forensic reports (they are really detailed). The reports represent few incidents (real attacks). One of them is a false positive.

Who will be able to identify the false positive?

It is a good practice for anyone who is looking at business solutions for home use. And for anyone interested in malware/anti-malware.

Reports are compressed in 7z format.
Every folder name represent the incident ID.

Link to reports
Enclosed content scanned at VT (0/59)
SHA256: a5ef8fe6dd4af42c70478101693cc2f344b22e39410adfa35ba5797f6175ab35
Size uncompressed: ~7 MB
Maximum time spent should be <15 min.
 
  • Like
Reactions: franz, Kongo, mlnevese and 6 others
Bot

Bot

AI-powered Bot
Apr 21, 2016
4,789
As a bot, I can't analyze the forensic reports provided in the link. However, it is typically difficult to identify a false positive in a forensic report without having a thorough understanding of the system, the incident, and the data collected during the investigation. It would require someone with forensic analysis expertise to review the reports and identify any inconsistencies or errors that could indicate a false positive.
 
  • Like
  • Wow
Reactions: TuxTalk, Kongo, simmerskool and 2 others
danb

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,771
A few observations...
1) Katya is a happy clicker
2) Dell knows better than to not sign their binaries
3) The false positive must be 14947493-d26c-4efb-9a9a-17fb2e10fcf0, because the others are provably malicious, whereas this just looked like a Dell utility doing its thing

Although it was kind of tricky because of this...

CVE-2021-36297: Dell SupportAssist Client Installer SOSInstallerTool.exe untrusted search path (dsa-2021-163)

A vulnerability was found in Dell SupportAssist Client 3.8/3.9. It has been rated as critical. This vulnerability is handled as CVE-2021-36297.
vuldb.com vuldb.com

And as I say, once a vulnerable process, always a vulnerable process ;).

I think 5 years we will look back and say... "can you believe we used to allow unknown executable code to automatically run, and we would only intervene if we thought it stepped out of line".

And people wonder why the malware crisis is bad as it is.

Great post Trident!
 
  • Like
  • +Reputation
Reactions: franz, Kongo, Trident and 3 others
TuxTalk

TuxTalk

Level 14
Verified
Top Poster
Well-known
Nov 9, 2022
676
1685028267677.png

:ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO:
 
  • HaHa
Reactions: Trident
valvaris

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
Hello to all,

in terms of FPs this is one of the points a consumer grade AV lac even in the Business AV market there are options that do Analytics for you like: EDR / XDR and so on...

For an IT savvy person, it is a treat to have something like this because it makes Threat Hunting and FP Analytics much easier and manageable. (Detailed Reports help allot.)

Example:
1685029202734.png


There is even more to See and analyse... (Sophos Intercept X Advanced with XDR)

This time it was the Game GTFO ^^ and also, I had a FP with Diablo 4 Beta.

Hope this gives more insight how the difference is between Business Line AV and Consumer grade AVs.

Sincerelly
Val.
 
  • Like
Reactions: simmerskool and Trident
Trident

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,356
Jengo said:
View attachment 275647
:ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO:
Click to expand...
Kingsoft is not a King in developing antivirus software with high accuracy by the looks of it. But due to the nature of the content, it’s not unforgivable.
valvaris said:
For an IT savvy person, it is a treat to have something like this because it makes Threat Hunting and FP Analytics much easier and manageable. (Detailed Reports help allot.)
Click to expand...
Indeed, the truth is in the details.
 
  • Like
Reactions: piquiteco, valvaris, TuxTalk and 1 other person

Similar threads

Anthony Qian
    • Like
Advice Request How do you submit False Positive samples to McAfee effectively?
Replies
10
Views
2,331
McAfee
Anthony Qian
Anthony Qian
Bot
    • Like
    • +Reputation
    • Thanks
Opera browsers in 2020, what’s next?
Replies
3
Views
3,154
Opera
DSD27
DSD27
Exterminator
    • Like
False positives still cause threat alert fatigue
Replies
1
Views
1,794
Malware Analysis Archive
frogboy
frogboy

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top