FP - AMI Bios\amiflash.zip>AFUWIN.exe and amiflash.zip>AFUWINGUI.exe

This ZipFile, amiflash.zip, includes two (2) EXE files that were listed as suspicious parts of the zipfile in the results of a scan several hours ago, 14-09-2010. The zipfile is not Password-protected; it is the original zipfile as downloaded and received from the well-known BIOS maker, AMI. Unless, perhaps, it became infected by a malicious agent on my PC after the download. The zipfile is found on my system drive in the Program Files\AMI Bios subfolder.
AFUWIN.exe Heur.Suspicious@26444084
AFUWINGUI.exe Heur.Suspicious@19985234

Am running CIS 4.1.150349.920 with Virus Signature Database now showing 6043. Date/time of updating is not available; this might be a later VDB number if it was updated automatically since the scan was started around 2:20 AM Central Daylight Time (-500) this date, 14-09-2010. Scan finished approx. 5 or 6 hours ago. The 2nd attached file, Results.txt, is provided as FYI, is not malicious, and gives you the original BIOS identifying data, derived from this PC by the AMI utility, mbid.exe.

***BTW, Website submittal (Method 1) is not working! Your webpage is demanding, “Please enter Malware Name” “*Required” but there is NO SLOT or text window for entering this information on this page except in the Comments text window, and entering it there does not satisfy your webpage, the page keeps on demanding the said entry. Impossible to enter. Frustrating. Webpage URL in my Firefox address bar is: Comodo Antivirus Database | Submit Files for Malware Analysis
Please fix your webpage.

This ZipFile is thought to be probably good, because it was downloaded from the Support website of AMI, the BIOS maker for my PC, HP Pavilion model a1020n. This PC was purchased new in 2005 with the AMI BIOS for this PC and was loaded with OEM (HP) Win XP Home Edition. Windows XP Home was later upgraded to XP Professional, purchased and licensed properly. The PC is now updated with XP’s SP3 and all the additional patches through Patch Tuesday of this current month, September, 2010. The ZipFile is intended to update this HP PC’s OEM BIOS, and the updater zipfile was selected using the guidance provided on AMI’s support website.

Please evaluate this as an Updater/Installer for the purpose described, and please determine whether its behavior includes anything inappropriate for the intended functions. If nothing inappropriate, please report this. This user of CIS needs to install all recommended updates and security patches from the manufacturers, unless infected with malware. CIS 4.

In responding, please address the question, whether the BIOS update-patch file submitted herewith is ACTUALLY malicious, or is behaving as intended. Your consideration will be gratefully appreciated.

[attachment deleted by admin]

Hello R&Ddude,

Thank you for letting us know about this. We’ll check the files and get back to you soon.
Regarding the website, the “Malware Name:” field is only available to edit when you check the “False-Positive” radio button.

Best regards,
FlorinG

Hi, R&Ddude

This False Positive has been fixed. You can check with Virus Signature Database version 6078 and confirm it.

Chunli.chen

Thanks for the report on these FPs. I checked in CIS More… tab > About, and found VSD Version 6081, so I started a rescan from the Windows Explorer (not IE) context (right-click) menu on the whole AMI Bios subfolder, including the subject zipfile, and CIS reported 49 objects scanned with 0 threats. Success!! My congratulations.

For the Record, I should correct one mis-statement in my original submittal message. At that time, this Windows XP SP3 had NOT been updated with the current M$ 2nd Tuesday patches. I was thinking not too well, tired from working a late night shift the night before, and ought to have said that I was updated through the August patches to the point prior to September Patch Tuesday. The Patch Tuesday offerings had not yet been pushed to me, at that time, although the date had rolled over to the 14th, the Second Tuesday. (Current status: All patches downloaded; installation is being deferred until the morning.)

FlorinG,
With respect for your prompt reply and helpfully intended remark: And, not even then! Yes, the radio button for FP was selected! Selected and re-selected, closed and reopened and re-selected; and yet, there was no Malware Name field made available. I expect to try again with another file or three in the morning, and hope that the field will be available by then. If not, I will forward it to this forum.
My thanks to you or to the responsible parties for making this alternate method available. The continuing failure of the My Pending Files (Defense + tab) and the Submit Files (Antivirus tab) in CIS 4.1 is troublesome but perhaps beneficial, since the Forum allows us to include a very thorough explanation and set of data on FPs. And, time-consuming. :-\

There are 24 files now accumulated in My Pending Files, and all of them have Submitted dates from 18th August through 10th September, but none of them is recognized when Lookup… is selected. Actually, the Online Lookup Results window lists 23 as “Unknown” (with question-marked blue balloon) and the 24th one shows “Error” (yellow triangle). Upon a second run of Lookup…, the result is similar, except that the “Error” triangle is applied to a different file in a completely unrelated subfolder branch. Upon accepting the invitation to Submit these Unknown files (again), the report on all 24 files is, “Already submitted.” How sweet is that? Cognitive dissonance. On both the first run and the second run. And this has consistently been the state of things, ever since 4.1.150349.920 was distributed, and maybe prior to that.

And just last night, CIS Scanner found 15 more suspicious items (15 includes 4 Eicar testfile detections, and those are valid and desired), and CIS has Quarantined most of them.

In short, you may expect some more FP submittals, folks. And now, a good night to all, at 0246 CDT (-500).