Bear Bottoms
Also, unless you specified in the interface to delete the files,
the files that were flagged are still in their original locations.
Of course I didn't and of course they are.
Bear Bottoms said:
I sent you via your gmail a link to the zip file that contained the well
known files like notepad.exe, 7zip.exe, etc. which your program alerted to
as malware. None of these are malware, and if you have a white list as you
say you do, why isn't at the least notepad.exe on it and why is your
program alerting on one of the most common Windows programs as malware?
I'm just sayin....
You can NOT whitelist based solely on a name such as calc.exe and notepad.exe!
I have seen *numerous* examples named that way to obfuscate their malicious intent. Often
using the legitimate utility icon. But, Microsoft does not UPX pack its executables so
there is the first clue it is malicious.
Bear Bottoms said:
Fine, I didn't define parameters or intend to in my example. There is a point... my
question stands as to why notepad.exe (which I know is a legitimate Windows file) is
alerted on.
I'm just sayin...
To clarify the problem, I don't whitelist based solely on
filenames, which is silly. The blacklist and whitelist focus
around hash values, which can potentially create a problem if there is
a hash collision. This is why at the time of this post there are
technically 11 databases, however only 8 are currently implemented at
this point in time, which are the following:
Malware Blacklist Database - MD5 based (http://www.tot-ltd.org/blacklist/0-F/0000-FFFF)
System Whitelist Database - MD5 based (http://www.tot-ltd.org/whitelist/0-F/0000-FFFF)
Default Malware Install Path Database - Self-explanatory, checked against both black and whitelist (http://www.tot-ltd.org/installation.db)
Default Trojan Port List - Checks active ports and programs against a port list (http://www.tot-ltd.org/ports/)
API Based Heuristics - Self-explanatory (http://www.tot-ltd.org/API)
User Definable Heuristics - Antiquated method of heuristics, but still used for general purpose, non-API related heuristics (downloaded from http://www.tot-ltd.org/heuristics.dat)
Parental Control Scan Database - Included in installation as offensive.dat
Executable Packer Database - Contains several thousand headers for different executable packers (http://www.tot-ltd.org/packer.db)
When a false positive comes up, it's usually a piece of
malware that implements (sometimes modified) components from third
party applications or a non-system critical file that would usually be
listed as greyware. MW.GEN is a sign that I use in the blacklist
database for definitions from Google's malware blacklist. I also use
ClamAV.net's database, in addition to any other site that makes
searchable copies of their databases online. I do not discriminate
when it comes to information harvesting, but I generally try to do my
best to verify that the information that I collect is indeed viable
via cross-referencing hashes, and checking directly against my own
personal malware archive. This is how I maintain the blacklist.
The whitelist consists solely of hashes used from http://www.nsrl.nist.gov/
, and known, clean install discs for various flavors of windows. A
similar method is implemented to the one illustrated above. Why the
application components in question tested positive, I can't tell you
right offhand. It could be any number of reasons. What I can say is
that perhaps we have two different versions of notepad. I'm running
Windows XP 32 bit, which may differ from your version of notepad on
Vista, depending on if you run 32 or 64-bit. All I can tell you at
this point is that I know the version of notepad that's on my system
doesn't throw any flags, nor have any of the other systems that I've
tested it on, including one install of Vista 32bit. The reason I
don't have every commercial application whitelisted is because I
simply don't have the time, resources, or hard drive space to do that
at this point in time, even with 1TB of space at hand.
Honestly, I won't know until I take a good look at them and know for
sure. However, given the fact that I already work a primary job
nearly 40 hours a week, do a lot of paid freelance work (add ~20+
hours/week for that), in addition to helping raise a family, it might
take me a day or two until the problem (if there is one to be found)
can be fixed. Never mind the fact that I don't even make money off of
this project at all. Ironically, the server averages around 300000
hits per month. A full 2/3 of the traffic is almost entirely centered
around either the database entries themselves, or downloading of the
free version of the malware scanner, or any of the other projects that
are up and running. I can also post screenshots to prove these
claims, if there is any question of legitimacy. The only reason I
mention this last part is to illustrate exactly what kind of time
schedule I have to work with, and the sheer volume of traffic
that is processed on an almost daily basis.
I'm not saying that the false positive claims are legit or a hoax. I
won't know for sure, but if there is an issue within the database
itself that needs to be resolved, I'll do my best to have it done within
24-48 hours. I don't have anyone hired to do this stuff, I do it on
my own. I only ask that you be patient.
Sincerely,
Erick
http://www.tot-ltd.org
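An added example, not Erick's scanner or any tot-ltd.org code, of the lookup order the thread describes: identity comes from the content hash checked against hash-keyed whitelist and blacklist entries (a hash on both lists is treated as a collision to review, not a verdict), and only an unknown hash falls through to the packer clue that Microsoft never UPX-packs its binaries. The PE images, list entries and the MW.GEN label's use are constructed for the demo.

```python
import hashlib
import struct

# Hash-keyed lists (constructed sample entries, not the tot-ltd.org databases).
WHITELIST, BLACKLIST = {}, {}

def md5_of(data):
    return hashlib.md5(data).hexdigest()   # identity is the content hash, never the filename
def pe_section_names(data):
    """Section names from a PE image, or [] if the bytes are not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size   # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40           # IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def classify(data):
    """Hash lookup first; a hash on both lists is a collision or bad entry, not a verdict."""
    md5 = md5_of(data)
    if md5 in WHITELIST and md5 in BLACKLIST:
        return "conflict"
    if md5 in BLACKLIST:
        return "blacklisted:" + BLACKLIST[md5]
    if md5 in WHITELIST:
        return "whitelisted:" + WHITELIST[md5]
    # Unknown hash: UPX names its sections UPX0/UPX1, and Microsoft does not UPX-pack.
    if any(n.startswith("UPX") for n in pe_section_names(data)):
        return "suspicious:upx-packed"
    return "unknown"

def build_pe(section_names):
    """Constructed minimal PE (DOS stub, signature, COFF header, section table) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + secs

CLEAN = build_pe([".text", ".data"])          # stands in for a known-good notepad.exe
PACKED = build_pe(["UPX0", "UPX1", ".rsrc"])  # unknown hash, UPX section names
WHITELIST[md5_of(CLEAN)] = "notepad.exe"
```

Because the whitelist is keyed by hash, a different build of notepad.exe (another Windows version or bitness) has a different MD5 and lands in the "unknown" path, which is the version mismatch Erick raises above.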