FP or Great detection(confused)

bequick · November 13, 2009, 6:28pm

CIS heuristics has detected two files and i’m confused, cause they are in the windows directory.PC is scanned with panda internet security 2010, threatfire, MBAM, q-squared anti-malware and they didn’t detect anything.The files look a bit suspicious to me too, not just to CIS.:)) Well, the results from VT:

MBR.exe-Heur.suspicious[at]74069237
http://www.virustotal.com/analisis/42855149b90c059b62ebc4027188361860fb6ffd9e4a2aa074c665181a2b9326-1258136347

and

NIRCMD.exe-Application.Win32.Nircmd.[at]16774100
http://www.virustotal.com/analisis/eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24-1258136422

As You know, eSafe and Sophos are the greatest programs for detection and disinfection.When i see comodo along them, that makes me feel good.:))

e_xistense · November 13, 2009, 6:46pm

Hi bequick,

This file is a false-positive and a fix will be present within next updates.

This is not a false-positive and detection name is explained here: https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/cis_malware_naming_rules_for_potentially_dangerous_applicationsriskware-t38506.0.html

Thanks for reporting this, we will get back to you after a fix is present for the mentioned FP.

Regards,
Ionel

bequick · November 13, 2009, 6:50pm

Thanks.:))

system · November 14, 2009, 1:59am

MBR.exe-Heur.suspicious[at]74069237 http://www.virustotal.com/analisis/42855149b90c059b62ebc4027188361860fb6ffd9e4a2aa074c665181a2b9326-1258136347

Hi,bequick This false-positive has been fixed. Please check in virus signature database 2947 Thanks Shaogang

bequick · November 14, 2009, 11:47am

Confirmed.So, what exactly is MBR.exe?

dave1234 · November 14, 2009, 4:32pm

Hi Bequick. I checked out MBR.EXE and its a rootkit according to Prevx and others.

Regards
Dave1234.

bequick · November 14, 2009, 5:07pm

How it’s safe then? ???

OmeletGuy · November 14, 2009, 6:17pm

Bequick, can you get me MRB.exe, PM it over.

Thanks.

OmeletGuy · November 14, 2009, 7:10pm

Thanks

I uploaded it to CIMA:
http://camas.comodo.com/cgi-bin/submit?file=42855149b90c059b62ebc4027188361860fb6ffd9e4a2aa074c665181a2b9326

And Anubis:
http://anubis.iseclab.org/?action=result&task_id=1cbc1002b2fad3b94813a64d1e22fa830&format=html

Will get this looked at again.

e_xistense · November 16, 2009, 12:55pm

Hi,

File mbr.exe reported on this topic is a third party application designed to verify mbr boot sector of a harddisk for few known mbr-malware. It can be found and downloaded from:


http://www.gmer.net/

SHA1: e51e0b26d3a8fb28e0e4dcf78b6e4df2da879ff4
MD5: c5ec72a20b4c98db5314e6c46765b148
Size: 77,312 bytes

I checked out MBR.EXE and its a rootkit according to Prevx and others.

“MBR.exe” as filename is known to be associated with malware, but it’s not the case here and from what you can see on mentioned website, the file has different characteristics from the one reported here:


The following file size has been seen:

* 577,536 bytes
* 155,648 bytes
* 1,724,419 bytes
* 100,864 bytes
* 66,048 bytes

You can find more info on application’s website.

Regards,
Ionel