fixwmi.cmd revisited


Duh_OZ

Back in July 2005 I reported how a small script file was being reported
as "Univ.bat/a" by McAfee and Sybari. Fast forward to 2007. I
submitted to virustotal again, and although McAfee now says it is clean
(which it is) a few other vendors are calling a Zapchast variant.
Little trouble-making file keeps popping up false positives :0)
==============

AntiVir 7.3.0.21 01.09.2007 BAT/Zapchast.3
BitDefender 7.2 01.11.2007 Trojan.Bat.Zapchast.CU
ClamAV devel-20060426 01.11.2007 Trojan.BAT.Zapchast
Ewido 4.0 01.10.2007 Trojan.Zapchast
Ikarus T3.1.0.27 01.09.2007 Trojan.BAT.Zapchast
Kaspersky 4.0.2.24 01.11.2007 Trojan.BAT.Zapchast
Norman 5.80.02 01.10.2007 BAT/Zapchast.L

==================
@echo on
rem fixwmi.cmd: rebuild the WMI repository and re-register the WMI binaries.
rem Run from an administrative command prompt.
cd /d c:\temp
if not exist %windir%\system32\wbem goto TryInstall
cd /d %windir%\system32\wbem
rem Stop the WMI service and kill any lingering WMI process before touching the repository.
net stop winmgmt
winmgmt /kill
rem Move the existing repository aside (kept as Rep_bak) so WMI rebuilds it on restart.
if exist Rep_bak rd Rep_bak /s /q
rename Repository Rep_bak
rem Re-register every WMI DLL, every self-registering EXE and every MOF/MFL definition.
for %%i in (*.dll) do RegSvr32 -s %%i
for %%i in (*.exe) do call :FixSrv %%i
for %%i in (*.mof,*.mfl) do Mofcomp %%i
net start winmgmt
goto End

:FixSrv
rem Skip the tools in this directory that are not self-registering servers.
if /I (%1) == (wbemcntl.exe) goto SkipSrv
if /I (%1) == (wbemtest.exe) goto SkipSrv
if /I (%1) == (mofcomp.exe) goto SkipSrv
%1 /RegServer

:SkipSrv
rem Return to the "call :FixSrv" caller. The original "goto End" also returns,
rem because the called context runs off the end of the file; goto :eof says so explicitly.
goto :eof

:TryInstall
rem No wbem directory at all: run the WMI core installer silently if it is present.
if not exist wmicore.exe goto End
wmicore /s
net start winmgmt
:End
============
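As an added example (not code from the thread or from any of the posters), here is a small Python triage helper for listings like the one above. It parses the one-line-per-vendor layout the post shows (vendor, engine version, signature date, detection name), pulls a best-effort family token out of each detection name, and diffs two submissions of the same file so that detections which disappeared, appeared or were renamed between scans stand out. The column layout and the family heuristic are assumptions about that text; the 2005 listing is constructed from the prose description (McAfee and Sybari flagging "Univ.bat/a"), with placeholder engine versions and dates.

```python
"""Triage helper for AV vendor result listings (added example, not from the thread).

Reads the one-line-per-vendor format shown above, extracts a best-effort family
token from each detection name, and diffs two scans of the same file so that
detections which appeared, disappeared or were renamed between submissions
stand out.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Lines copied verbatim from the 2007 VirusTotal result in the post above.
SCAN_2007 = """\
AntiVir 7.3.0.21 01.09.2007 BAT/Zapchast.3
BitDefender 7.2 01.11.2007 Trojan.Bat.Zapchast.CU
ClamAV devel-20060426 01.11.2007 Trojan.BAT.Zapchast
Ewido 4.0 01.10.2007 Trojan.Zapchast
Ikarus T3.1.0.27 01.09.2007 Trojan.BAT.Zapchast
Kaspersky 4.0.2.24 01.11.2007 Trojan.BAT.Zapchast
Norman 5.80.02 01.10.2007 BAT/Zapchast.L
"""

# Constructed stand-in for the 2005 result, which the post only describes in
# prose (McAfee and Sybari flagging "Univ.bat/a"). Engine versions and dates
# are placeholders, not values taken from the thread.
SCAN_2005 = """\
McAfee 0.0 01.07.2005 Univ.bat/a
Sybari 0.0 01.07.2005 Univ.bat/a
"""

# vendor  engine-version  dd.mm.yyyy  detection-name   (assumed layout)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(\S+)$")

# Name parts that describe type or platform rather than a family.
GENERIC_TOKENS = {"trojan", "bat", "virus", "worm", "generic", "heur", "malware"}


@dataclass(frozen=True)
class Detection:
    vendor: str
    engine: str
    sig_date: str
    name: str

    def family(self) -> str:
        """Heuristic: first name part that is neither a generic type/platform
        word nor a short variant suffix such as '3', 'CU' or 'L'."""
        for tok in re.split(r"[./\\_\-]", self.name):
            if tok.lower() in GENERIC_TOKENS or len(tok) <= 2 or tok.isdigit():
                continue
            return tok
        return self.name


def parse_scan(text: str) -> list[Detection]:
    """Parse a listing; raises ValueError on a line that does not fit the layout."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised result line: {line!r}")
        found.append(Detection(*m.groups()))
    return found


def family_consensus(dets: list[Detection]) -> tuple[str, int]:
    """Most common family token and how many vendors used it."""
    counts = Counter(d.family() for d in dets)
    return counts.most_common(1)[0] if counts else ("", 0)


def diff_scans(old: list[Detection], new: list[Detection]) -> dict:
    """Vendors that stopped flagging, started flagging, or changed the name.
    A vendor absent from a listing is treated as not detecting, so both
    listings must be the detection subset of the same engine set."""
    old_by = {d.vendor: d.name for d in old}
    new_by = {d.vendor: d.name for d in new}
    common = set(old_by) & set(new_by)
    return {
        "dropped": sorted(set(old_by) - set(new_by)),
        "added": sorted(set(new_by) - set(old_by)),
        "renamed": {v: (old_by[v], new_by[v]) for v in sorted(common) if old_by[v] != new_by[v]},
    }


if __name__ == "__main__":
    old, new = parse_scan(SCAN_2005), parse_scan(SCAN_2007)
    fam, n = family_consensus(new)
    print(f"2007: {len(new)} vendors flag the file; {n} name the family {fam!r}")
    for key, val in diff_scans(old, new).items():
        print(f"{key}: {val}")
```

Run on the two listings, the diff shows McAfee and Sybari dropping out and seven other vendors appearing, all seven agreeing on one family token. That per-vendor list of names is exactly what a false positive submission to each vendor needs, and keeping the parsed listings from each resubmission lets you see which vendors actually removed detection later.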
 
> Back in July 2005 I reported how a small script file was being reported
> as "Univ.bat/a" by McAfee and Sybari. Fast forward to 2007. I
> submitted to virustotal again, and although McAfee now says it is clean
> (which it is) a few other vendors are calling a Zapchast variant.
> Little trouble-making file keeps popping up false positives :0)

<snip>

I'm speculating that the batch has found its way into test beds of
testing agencies such as av-comparatives, in which case vendors will
refuse to remove the fp. If I'm right, you can expect McAfee and
Sybari to start alerting again soon, along with several more products
which never used to produce the fp :) The harmless batch will be
deemed malware by decree of av-comparatives and the like ... not by av
company analysts. Like we always used to say back in my engineering
days, bullshit beats science! An engineer's nightmare is a marketeer's
dream and vice versa! The marketplace rulez!!! Hey, false positives
sell, man!

:)

Art
http://home.epix.net/~artnpeg
 
no, you are wrong.

<snip>

> I'm speculating that the batch has found its way into test beds of
> testing agencies such as av-comparatives, in which case vendors will
> refuse to remove the fp. If I'm right, you can expect McAfee and
> Sybari to start alerting again soon, along with several more products
> which never used to produce the fp :) The harmless batch will be
> deemed malware by decree of av-comparatives and the like ... not by av
> company analysts. Like we always used to say back in my engineering
> days, bullshit beats science! An engineer's nightmare is a marketeer's
> dream and vice versa! The marketplace rulez!!! Hey, false positives
> sell, man!
>
> :)
>
> Art
> http://home.epix.net/~artnpeg
 
> no, you are wrong.

Wrong about what, exactly? It's been well known since the heyday of
DOS av scanners that leading products purposely detect unviable
samples or "crud" that's known to exist in test beds at vx sites on
the internet. The former DR Solly (and now McAfee) always insisted
that the "cheater" switch /VID be enabled when testing their scanner
so that it had a better chance at higher "detection" rates. FSI
(F-Prot) insisted that the /COLLECT switch be enabled for the same
reason. I know for a fact that Kaspersky makes little or no attempt at
avoiding crud file detection so that it continually fares well in
lousy tests. That's what sells av scanners, as I said.

Or do you mean that just the sample in question does not exist in
av-comparatives test bed of alleged actual malware?
 
"Or do you mean that just the sample in question does not exist in
av-comparatives test bed of alleged actual malware? "

yes, I mean that.
 
> "Or do you mean that just the sample in question does not exist in
> av-comparatives test bed of alleged actual malware? "
>
> yes, I mean that.

Then I suggest that this sample be part of your false positive testing
test bed. Punish vendors that alert on it and others like it. You have
far more clout than individual users who submit such samples to
vendors in the hope that they will remove detection. Hit them where
it hurts. Lower their ratings on the basis of detecting harmless
files.

Art
http://home.epix.net/~artnpeg
 