FP or Great detection(confused)

[Guest]

[bequick]

CIS heuristics has detected two  files and i'm confused, cause they are in the windows directory.PC is scanned with panda internet security 2010, threatfire, MBAM, q-squared anti-malware and they didn't detect anything.The files look a bit suspicious to me too, not just to CIS.) Well, the results from VT:

MBR.exe-Heur.suspicious[at]74069237
http://www.virustotal.com/analisis/42855149b90c059b62ebc4027188361860fb6ffd9e4a2aa074c665181a2b9326-1258136347

and

NIRCMD.exe-Application.Win32.Nircmd.[at]16774100
http://www.virustotal.com/analisis/eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24-1258136422


As You know, eSafe and Sophos are the greatest programs for detection and disinfection.When i see comodo along them, that makes me feel good.)

[ionelp]

Hi bequick,

MBR.exe-Heur.suspicious[at]74069237
http://www.virustotal.com/analisis/42855149b90c059b62ebc4027188361860fb6ffd9e4a2aa074c665181a2b9326-1258136347

This file is a false-positive and a fix will be present within next updates.

NIRCMD.exe-Application.Win32.Nircmd.[at]16774100
http://www.virustotal.com/analisis/eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24-1258136422

This is not a false-positive and detection name is explained here: https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/cis_malware_naming_rules_for_potentially_dangerous_applicationsriskware-t38506.0.html

Thanks for reporting this, we will get back to you after a fix is present for the mentioned FP.

Regards,
Ionel

[bequick]

Thanks.)

[shaogang.he]

[quote ]
MBR.exe-Heur.suspicious[at]74069237
http://www.virustotal.com/analisis/42855149b90c059b62ebc4027188361860fb6ffd9e4a2aa074c665181a2b9326-1258136347
[/quote]
Hi,bequick
This false-positive has been fixed. Please check in virus signature database 2947
Thanks
Shaogang

[bequick]

Confirmed.So, what exactly is MBR.exe?

[dave1234]

Hi Bequick. I checked out MBR.EXE and its a rootkit according to Prevx and others.

Regards
Dave1234.

[bequick]

How it's safe then? 

[OmeletGuy]

Bequick, can you get me MRB.exe, PM it over.


Thanks.

[OmeletGuy]

Thanks

I uploaded it to CIMA:
http://camas.comodo.com/cgi-bin/submit?file=42855149b90c059b62ebc4027188361860fb6ffd9e4a2aa074c665181a2b9326

And Anubis:
http://anubis.iseclab.org/?action=result&task_id=1cbc1002b2fad3b94813a64d1e22fa830&format=html


Will get this looked at again.

[ionelp]

Hi,

File mbr.exe reported on this topic is a third party application designed to verify mbr boot sector of a harddisk for few known mbr-malware. It can be found and downloaded from:

Code:

http://www.gmer.net/

SHA1: e51e0b26d3a8fb28e0e4dcf78b6e4df2da879ff4
MD5: c5ec72a20b4c98db5314e6c46765b148
Size: 77,312 bytes

I checked out MBR.EXE and its a rootkit according to Prevx and others.

"MBR.exe" as filename is known to be associated with malware, but it's not the case here and from what you can see on mentioned website, the file has different characteristics from the one reported here:

Code:

The following file size has been seen:

* 577,536 bytes
* 155,648 bytes
* 1,724,419 bytes
* 100,864 bytes
* 66,048 bytes

You can find more info on application's website.


Regards,
Ionel

[Tags:]