lmgava
Members
Posts: 12
Reputation: 0 Neutral
  1. @David, thank you for the suggestions, but in my case I don't need hosting services, I just wanted to use the redirection service provided by no-ip.com. It works, and it's a valid solution. I don't know exactly what you mean with "a long standing in being use for malicious activity". I know they offer domain registrations, name resolution for dynamic IP addresses, the redirection service I'm using, this kind of thing. Talking about the specifics: DarkComet is software that can certainly be labeled as "malicious" in most cases, depending on its use. If an antivirus wants to mark it as potentially dangerous and report it, it's perfectly understandable and it's ok. DarkComet is using no-ip to resolve the IPs it needs to call back, to overcome the need for a static IP. That's one of the things a service like no-ip does. MysteryFCM has replied saying this is not a false positive, but to me this looks like the definition of a false positive. I'll explain. A person following the link (http) luis.no-ip.net is unknowingly using that redirector service, which is also used by DarkComet. That fact has nothing to do with the actual redirection taking place in this case. Who cares who else is using that service? What does that have to do with my redirection request? This person is getting a big "MALICIOUS SITE" pop-up blocking the action. What would ignoring that message cause? The primary DNS of that person would resolve the no-ip.net domain, and in the end his PC would contact the "incriminated" machine; that machine would see the "luis" subdomain in the URL and, seeing a redirection is set up in my account, would redirect the visiting PC to my page. All would work with no problems for anyone. 5 seconds later a copy of DarkComet connects to the same no-ip machine from the other side of the world to resolve the dynamic IP for one of its malicious users, so what? That has nothing to do with the previous redirection to my page.
     What's happening is that a legitimate action has been blocked. When a legitimate action is blocked and not blocking it wouldn't bring negative consequences with it, that's the definition of a false positive. Again, this approach can help a person with DarkComet installed as a backdoor on his machine, but it's certainly wrong in any other case. So it's disrupting a perfectly valid usage of this service, indiscriminately. That's how things work; all this is beyond my control and so I'm not spending energy trying to change it.
  2. I see. I googled around, I found DarkComet is a "RAT" tool and unfortunately for me the author has selected no-ip.com (.net, etc.) as the way to solve the problem of calling home the dynamic IP of its users. So now when my redirection is served for my third-level domain "luis" on no-ip.net, the machine doing so is probably the same one resolving the hosts for people using this DarkComet. So that machine in your view is used to help a potentially malicious tool, with all that follows. But that machine is just providing a dynamic DNS service, the same way it's providing it to me in addition to the redirection in my case. What can I do about it? Nothing I guess, like when people use a packer to pack viruses and then I use the same packer for my executables. My executables become "bad" too. That's the problem with all this antivirus/antimalware industry; this is a nice example. This wouldn't be a problem if people using AV tools were able to use them just as the tools they are. In reality the majority are simple users obeying what they see on the screen. "IT'S BAD, HE SAID!". I'll just put myself in the exclude list and be done with it. People visiting my pages in the future using Malwarebytes' Anti-Malware (if it will ever happen, don't know) will probably run in terror, but if anyone asks me about it I'll redirect him here to see what this is all about. Thanks anyway for your time.
  3. It seems to complain about the luis.no-ip.net redirector, because if I access the site directly using (HTTP)://freeshell.de/~luis/ (that's the target in the redirector) it does not complain. The page is my own personal page, hosted on freeshell, and I'm using a redirector service to be able to move the page without changing the URL.
  4. Another EXE, same thing. Are you simply whitelisting these specific exes? Isn't it possible to use a more general approach to avoid this specific FP? Because it seems you are fixing it for any new exe I post, but obviously this can go on forever since we are talking about a compiler generating code and not a specific immutable program. I don't know if this compiler has been used to create the threat reported here, but if it's indeed the case, now I have to assume a lot of executables generated by this compiler will be continually marked as infected for the foreseeable future?

     Malwarebytes Anti-Malware (PRO) 1.70.0.1100
     www.malwarebytes.org
     Database version: v2013.04.07.02
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     luis :: ARCHIMEDE [administrator]
     Protection: Enabled
     07/04/2013 15:35:42
     MBAM-log-2013-04-07 (15-35-48).txt
     Scan type: Custom scan (C:\Users\luis\AppData\Roaming\PureBasic\Tools\ShowASM\ShowASM.exe|)
     Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
     Objects scanned: 1
     Time elapsed: 1 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 1
     C:\Users\luis\AppData\Roaming\PureBasic\Tools\ShowASM\ShowASM.exe (Trojan.EOFail) -> No action taken.
     (end)

     ShowASM.zip
     Thank you.
  5. Thanks, that specific exe is not reported anymore but I found another one, again generated by the same compiler, giving the same false positive. Since the alert is the same (Trojan.EOFail) I post this in the same thread, I hope that's ok.

     Malwarebytes Anti-Malware (PRO) 1.70.0.1100
     www.malwarebytes.org
     Database version: v2013.04.05.07
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     luis :: ARCHIMEDE [administrator]
     Protection: Enabled
     05/04/2013 18:27:29
     MBAM-log-2013-04-05 (18-27-39).txt
     Scan type: Custom scan (C:\Program Files (x86)\PureBasic\SDK\DLL Importer\DLL Importer.exe|)
     Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
     Objects scanned: 1
     Time elapsed: 1 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 1
     C:\Program Files (x86)\PureBasic\SDK\DLL Importer\DLL Importer.exe (Trojan.EOFail) -> No action taken.
     (end)

     The new exe: DLL Importer.zip
     Thank you.
  6. PB is a compiler -> http://www.purebasic.com/ Many exes I built recently are reported as "Trojan.EOFail".

     Malwarebytes Anti-Malware (PRO) 1.70.0.1100
     www.malwarebytes.org
     Database version: v2013.04.04.07
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     luis :: ARCHIMEDE [administrator]
     Protection: Enabled
     05/04/2013 00:57:24
     MBAM-log-2013-04-05 (00-57-40).txt
     Scan type: Custom scan (D:\Work\PureBasic\Projects\_TEST\scaledpi\scaledpi.exe|)
     Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
     Objects scanned: 1
     Time elapsed: 3 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 1
     D:\Work\PureBasic\Projects\_TEST\scaledpi\scaledpi.exe (Trojan.EOFail) -> No action taken.
     (end)

     A sample exe: scaledpi.zip
     Thank you.
  7. Ehm, sorry, "add the moment" should be "at the moment". BTW: is there no way to edit a post to correct a mistake?
  8. Hi, I would like the ability to add a comment when I add an IP to the ignore list of Website Blocking. For example I could write the name of the domain, a comment describing why I added it to the ignore list, whether I posted the IP to the false positives section of the forum and why, etc. At the moment in the ignore list tab there are two fields per row: "category" and "item". A third field could be the above-mentioned "comment", "remarks", or whatever you like more. You should be able to edit that field by double-clicking on the specific row. Thanks.
  9. Homepage: http://virtuawin.sourceforge.net/downloads.php
     Log file: mbam-log-2012-09-25 (13-18-01).txt
     I'm using this one: http://downloads.sourceforge.net/virtuawin/VirtuaWin_setup_4.3.exe
     Don't know if you need to check the Unicode version too or if a fix for the ASCII one is enough. Thank you.
  10. Homepage: http://windv.mourek.cz/
      Logfile: mbam-log-2012-08-26 (17-18-19).txt
      WinDV files: WinDV.zip
      Thank you.
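The three Trojan.EOFail posts above paste MBAM scan logs flattened onto one line. A small parser that pulls the database version, scan target and detection entries out of such a log, and groups recurring detection names across several reports, makes a repeated false positive from one build toolchain (here PureBasic-built binaries) easy to spot when triaging. This is an added example, not code from the forum or from Malwarebytes; the sample log is constructed from the values quoted in those posts.

```python
import re
from collections import defaultdict

# Constructed sample in the layout MBAM writes (the posts above paste it flattened
# onto one line); the values are the ones quoted in the thread.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (PRO) 1.70.0.1100
Database version: v2013.04.07.02
Scan type: Custom scan (C:\Users\luis\AppData\Roaming\PureBasic\Tools\ShowASM\ShowASM.exe|)
(No malicious items detected)
Files Detected: 1
C:\Users\luis\AppData\Roaming\PureBasic\Tools\ShowASM\ShowASM.exe (Trojan.EOFail) -> No action taken.
(end)
"""

# One detection entry: "<path> (<detection name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# The scanned object follows the scan type in parentheses, with a trailing "|".
TARGET_RE = re.compile(r"\((.+?)\|?\)$")


def parse_mbam_log(text):
    """Extract the signature database version, the scan target and the file detections."""
    result = {"database_version": None, "scan_target": None, "detections": []}
    in_files = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            result["database_version"] = line.split(":", 1)[1].strip()
        elif line.startswith("Scan type:"):
            m = TARGET_RE.search(line)
            result["scan_target"] = m.group(1) if m else None
        elif line.startswith("Files Detected:"):
            # Entries follow only when the count is non-zero; "(end)" closes the section.
            in_files = int(line.split(":", 1)[1]) > 0
        elif line.startswith("(end)"):
            in_files = False
        elif in_files:
            m = DETECTION_RE.match(line)
            if m:
                result["detections"].append(m.groupdict())
    return result


def group_by_detection(logs):
    """Map each detection name to the flagged paths across several reports."""
    grouped = defaultdict(list)
    for log in logs:
        for det in parse_mbam_log(log)["detections"]:
            grouped[det["name"]].append(det["path"])
    return dict(grouped)
```

Feeding all three logs from the thread to group_by_detection yields a single key, Trojan.EOFail, with three paths under PureBasic directories, which is the pattern the poster is describing.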