
Kaspersky has false positives by downgrading a virus as PUA



Posted

Kaspersky has false positives by downgrading a virus as PUA (potentially unwanted software).

I have personally been infected with these viruses on my computer, so I know that they are not PUA but instead they are a virus. They made explorer.exe and searchapp.exe (called searchui.exe in earlier Windows versions) crash on my computer nearly every day. It degraded the speed and performance of my computer and caused third-party software to crash much more often.

 

I have no idea how these viruses got onto my computer. I did not download them and I was the only person within the physical proximity of my computer. Maybe a third-party software exploit was used to download them (e.g. an iTunes exploit). What I find mysterious is how they both have a digital signature which allows them to evade antivirus detection.

 

I uploaded the files to Kaspersky Open TIP (Threat Intelligence Portal) today.

 

“facebook-messenger-for-windows-7-2-1-4623-en-win_0491186471.exe”

“Flash32-32-0-0-465.ocx_333907.msi”

 

It should not have the orange caution triangle badge saying “adware and other” but it should instead have the red warning square badge saying “malware”.

Posted

Why were my hyperlinks removed from my post?

Does that mean the Open TIP website is outdated, inaccurate or misleading? How can I get Kaspersky Virus Lab to confirm to me personally whether it’s a false positive or not?

I clicked the button on Open TIP to “submit to reanalyse” and posted in the comment form why I think it should be reanalysed and considered a virus instead of PUA.

Posted

@desbest The Moderator Team is disabling (potentially) malicious links.

Please wait for the verdict from Kaspersky Virus Lab.

Posted

Hello, @desbest 

Do you think you have downloaded and used a fake Facebook Messenger? As I see, this software has a valid Facebook, Inc. digital certificate. Please check whether the installation file has a digital certificate or not.

Flash32-32-0-0-465.ocx_333907.msi: do you use Flash Player? If you use the Chinese version of the Flash Player browser plugin, you will encounter some bad ads, but it is maintained by a Chinese company authorized by Adobe, so it embeds advertising features in this plug-in. It is commercial software. If it is rashly defined as a malicious program, there will be a warning by a lawyer's letter, which will involve judicial proceedings.

My advice is to uninstall the Flash Player plugin; everything will be OK.

Regards.

Posted

That's not what I see.

Notice how the digital certificate doesn’t say Adobe or Facebook:

 

 

 
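The exchange above turns on who actually signed the two installers. As an added example (not code from any poster in this thread), the following PowerShell reads the Authenticode signature of each file and flags a signer that does not match the publisher the file name implies. The `C:\Samples` paths and the expected-publisher names are assumptions for illustration.

```powershell
# Added example: report the Authenticode signer of each installer and flag a
# publisher mismatch. Paths and expected publishers are assumed for illustration.
$checks = @(
    @{ Path = 'C:\Samples\facebook-messenger-for-windows-7-2-1-4623-en-win_0491186471.exe'; Expected = 'Facebook' },
    @{ Path = 'C:\Samples\Flash32-32-0-0-465.ocx_333907.msi';                              Expected = 'Adobe' }
)

foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) {
        Write-Warning "Missing sample: $($c.Path)"
        continue
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $c.Path
    $cert = $sig.SignerCertificate

    # SimpleName returns the subject CN, which is what Explorer shows as the
    # "Name of signer" in the file's Digital Signatures tab.
    $signer = if ($cert) {
        $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    } else { '<unsigned>' }
    $issuer = if ($cert) {
        $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
    } else { '' }

    # Status 'Valid' only means the signature is intact and chains to a trusted
    # root. It says nothing about whether the signer is the publisher you expect,
    # so the identity check below is a separate question from validity.
    $publisherMatch = $signer -like "*$($c.Expected)*"

    [pscustomobject]@{
        File              = Split-Path -Leaf $c.Path
        Status            = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
        StatusMessage     = $sig.StatusMessage
        Signer            = $signer
        Issuer            = $issuer
        NotAfter          = if ($cert) { $cert.NotAfter } else { $null }
        ExpectedPublisher = $c.Expected
        PublisherMatch    = $publisherMatch
        # SHA-256 is the value to quote when submitting the file for reanalysis.
        SHA256            = (Get-FileHash -LiteralPath $c.Path -Algorithm SHA256).Hash
    }
}
```

A row with `Status = Valid` but `PublisherMatch = False` is exactly the situation described in this thread: a properly signed file whose signer is not the publisher the file name claims.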

Posted

Hello, @desbest 

I don’t know where the Facebook Messenger you provided is from. But the ordinary build is here: https://www.microsoft.com/en-us/p/messenger/9wzdncrf0083. I think you should use the official source. Where did you download the installation file?

BTW, if anyone knows that this build (digital signature: bronze paradise) is an official installation file, please let us know.

I don’t know whether the Flash build was handled by your country's local services company. If you don’t use Flash Player, you can uninstall it without any problem.

Regards.

Posted

The only country in the world that has a Flash Player specifically tailored to it is China. Everyone else uses the normal version; China is the exception.

 

To answer your question, I’ll repeat again: I do not know where the file came from, as I did not personally download it onto my computer. Also, I was the only person within the physical proximity of my computer. I have no idea how it got onto my computer. It could have been downloaded through third-party software without my consent.

 

The file name of the Facebook Messenger software is not referring to the version found on the Microsoft Store that uses WebRTC and Electron technology. It’s referring to the Facebook messaging plugin that used Skype technology, starting from 2011, to provide real-time communication for Facebook users and allow voice and video calls. All because years ago WebRTC was an emerging technology that did not have widespread and sufficient adoption in web browsers.

 

Provided that the user downloaded the correct file, the software should look like this when run.

 

 

 

 

Posted
Hello, @desbest 

Why do you think the above two programs are malicious programs? Do they have any specific malicious behavior? Can you provide me with samples via PM? I need to confirm whether these two programs have malicious behavior, because the definition of PUA is not software that damages the system or endangers the security of computer information, but software that conducts advertising, installs software, etc.

Regards.

Posted

Below is a list of strange behaviour I’ve had over the past year:

 

  • explorer.exe and searchapp.exe crashing multiple times nearly every day (in earlier versions of windows 10 it’s called searchui.exe)
  • The disk usage continually being at 100% that I had to fix by doing multiple tasks
  • Elements from the graphical user interface being missing, as in missing text (see video below)
  • Command Prompt showing a white screen and then crashing (see video below)
  • Sometimes Windows would behave as if the Alt key on the keyboard was being continually pressed down, so typing “F” would show the “File” menu. I would have to repeatedly press “Alt” to stop this from happening.
  • Bad Module Info appearing as a critical error in Reliability Monitor
  • When opening Metro/UWP programs in windows, sometimes they show the splash screen for a few seconds to then spontaneously close. I have to open the same program multiple times for this to stop happening
  • Reliability Monitor having missing information for weeks, that appeared later on for an unknown reason
  • Clicking the hyperlinks for the installed windows updates in “view update history” in “settings”, it fails to work as no web page opens up. This later got corrected without prior intervention for an unknown reason.
  • Three crash reports that failed to be sent to Microsoft
  • A problem with my audio driver that I had to fix by installing a newer version
  • My bluetooth stopped working which I had to fix by uninstalling a software made by my computer manufacturer Acer
  • The eject button being greyed out for external hard drives in Windows Explorer on the This PC page
  • Windows Search having files missing in search results for files which were not downloaded from a web browser
  • My laptop making a bleeping sound on rare and sporadic occasions (see video below)
  • Three Windows Updates that have successfully installed appearing in the “uninstall updates” page in Control Panel, but they don’t appear in the “view installed page” in Settings
  • The internet cutting off which made me have to fix it by typing in multiple commands in command prompt that I found on the internet
  • The laptop was slow
  • When shutting down or restarting the computer, sometimes it wouldn’t finish the shut down process in regards to closing the open programs before starting the shut down. If multiple programs were open, it would close some, leave some open. Then I would have to start the shut down process again.
  • Windows Updates that wouldn’t install that I had to fix that fault by doing various tasks
  • Windows Update trying to install the same update multiple times that was already successfully installed.
  • After upgrading Windows 10 1909 to 20H2 and then 21H1, inside the “view update history” page on Windows Update, it did not recognise that there were previously 2 feature updates of a different Windows 10 version. Upon using Registry Editor to find the location where this information is stored, the relevant information (as registry keys) did not exist.

 

There were probably more faults, flaws and discrepancies, but I can’t remember.

 

I have sent you the 2 viruses via PM.

 

Procdump is legitimate software. It’s made by Sysinternals, which was bought by Microsoft. Its purpose is to create dump (.dmp) files of every crash that happens on your Windows computer, so that these crash dumps can be analysed with Debugging Tools for Windows (WinDbg) and Windows Performance Recorder.


Posted

Hello,

I have received the samples which you provided. I will analyse them and give you a reply.

As I see, the above behaviors are related to program performance issues. You can't think that a program that causes performance problems will be classified as a malicious program. Performance problems do not mean malicious behavior.

Regards.
