topic False positive submission in VirusTotal

False positive submission

young_kcd — Mon, 08 Mar 2021 01:14:57 GMT

File Hash: lots of files (all versions we have distributed since the service started)

Files to download : https://drive.google.com/file/d/1UU_LUlLwhNan-Z657WEMD9gOtDyfFvET/view?usp=sharing

Link to Virustotal report for the file: https://www.virustotal.com/gui/file/e6ed2f92fe26eb85dc5019654da03c11b7b3a03adb0e6de065c54d9c71c5ded1/detection

Current VirustTotal Verdict: Generic.ml (2 / 67)

Description:

Our product is developed with C# .NET framework and we use .NET Reactor to secure it. .Net Reactor is a tool for code protection and anti-debug. This service is utility tools for small businesses in South Korea.
And all our binaries signed with EV Code Signing certificate. About 5 month ago, we noticed that our product was treated as a malware by multiple anti-virus softwares.
The problem was an option of .NET Reactor. We received advice from .NET Reactor team and turned off the 'Native EXE' option in their software since Oct 15th, 2020. KST
After changing the option, most false positive detection have disappeared. However, TotalVirus keeps histories of previous versions of our binaries which are not distributing anymore.
ex.https://www.virustotal.com/gui/file/6693d1f5eec019580667d10a52d6623777ba774ee7714bac3e7f3a38e06cd5a0/detection

And Paloalto keeps 'Generic.ml' after it.

https://drive.google.com/file/d/1UU_LUlLwhNan-Z657WEMD9gOtDyfFvET/view?usp=sharing

These are all the binaries we have distributed. Some are clean by Paloalto and some are treated as a malware by Paloalto.

Please review all the files.

Thank you

Re: False positive submission

young_kcd — Tue, 09 Mar 2021 13:10:22 GMT

I tested all binaries of our product in VirusTotal.

These are specific version of files that is detected by paloalto.

All detection name are generic.ml

1.0.1.2\CashNotePos.UI.exe
1.0.0.3\CashNotePos.exe
1.0.0.5\CashNotePos.Manager.exe
1.0.1.7\CashNotePos.UI.exe
1.0.1.9\CashNotePos.UI.exe
1.0.0.5\CashNotePos.exe
1.0.0.6\CashNotePos.exe
1.0.1.17\CashNotePos.UI.exe
1.0.0.7\CashNotePos.exe
1.0.0.9\CashNotePos.Manager.exe
1.0.1.18\CashNotePos.UI.exe

SHA-256 of each files above

f2b8adf78d71a9fac993e2ac3772bec04937c20d88e56975f8f28d1b13d18389
2e1e551405694404d2940ff334f74bef7e1f88856dfdbadf1445aafc7ad4ac05
6693d1f5eec019580667d10a52d6623777ba774ee7714bac3e7f3a38e06cd5a0
2e940a779dfe7b3e99df92681180ef580e75de394e4c79307d261d09c2a4aadb
ced0bb043d0c8a9f8e99d212b3b2f5d5eebabf25ed15ff1279e9ddf92b36fcfd
2735aad2170ac6c570912139be73e6f86d1d33572841688e44c68675fc33515f
b430cf4b86912c4313516f7bf2fcfe32d82da3eec616fafd661c444c208c3ab5
3d5384768343049fc3572e9ef3bc7e121271f5a5de8575bb695ac05c379ff40a
b430cf4b86912c4313516f7bf2fcfe32d82da3eec616fafd661c444c208c3ab5
e6ed2f92fe26eb85dc5019654da03c11b7b3a03adb0e6de065c54d9c71c5ded1
92f2c87c72ac271b066cd1bbdb37e10e18b471eb29823898e3f5e259d89fba57

Re: False positive submission

young_kcd — Fri, 26 Mar 2021 00:53:01 GMT

detected count by Paloalto increased to 40.

Our company is using Paloalto product. Even though it is not anti-virus software

How long should we wait for this to proceed?

I think we've been waiting enough so far.

1.0.0.0_CashNotePos.Manager.exe 20b35ac4208e550178b98eea32291eea4333482b417d6fa1804b46cf1daed821
1.0.0.0_CashNotePos.UI.PayNotePaymentUI.exe be5b3d27dc52f7b2b65058dd8bb3fcf3835dc41abf1967f67cb06aee3bf6e842
1.0.0.1_CashNotePos.Manager.exe 3d654b01f01166d66d671b7852f76e07dd524dfc7ea634658d90e2d5d3a892b4
1.0.0.1_CashNotePos.exe 3a2f2af31619a9b354469610b38f52d0895902750a52d7582578447c06d28e3a
1.0.0.10_CashNotePos.Manager.exe 6f35c45a2e181970a7fb915731885a53d9475975b3fa47a8993159f64dd7c8fd
1.0.0.12_CashNotePos.Helper.exe 5cde0a5e3bfea047acaf8a23e727cd8314948c8b5151d35994bc041c9b244c0d
1.0.0.13_CashNotePos.Helper.exe 47c32df676ed72c7ac0f9fc060bc7b23f4f6df00567c5faf6e94c46dad73664a
1.0.0.2_CashNotePos.Helper.exe ce632f72cd5e6769440bcd456a2b8efeac87f798a4ee3f985ffb9e98fb070308
1.0.0.2_CashNotePos.Manager.exe 9a0d5d2f4963595d8787911069b1ce13982f3b1a28da3a16757790572883abbc
1.0.0.2_CashNotePos.exe cbcb39642401b534e808d97292770588bf4c96737d875cd3aece8eb5aac4b295
1.0.0.3_CashNotePos.Manager.exe d0765398107aed3ffec41e884436dbd84d68113a2929601f5b7844088d76a842
1.0.0.3_CashNotePos.Printer.exe 708d5b4f236f973314bd1202f6ac546fad6d5eb8af28f98465b3403d83ab263a
1.0.0.3_CashNotePos.exe 2e1e551405694404d2940ff334f74bef7e1f88856dfdbadf1445aafc7ad4ac05
1.0.0.4_CashNotePos.Manager.exe fbb536adf3826a2cff84ed929dc0cc165e4b42270f463f58c39f59c6ec2d2a72
1.0.0.4_CashNotePos.Printer.exe 4fcc5fbb61e23fc6ed48f9dba16f28d2a4926fe2d1e2f8346abe8420f19acb28
1.0.0.5_CashNotePos.Helper.exe 87e6c940b46256848cba3e046b9a58429b83d6f657b3728849cd8e3a4ee45644
1.0.0.5_CashNotePos.Manager.exe 6693d1f5eec019580667d10a52d6623777ba774ee7714bac3e7f3a38e06cd5a0
1.0.0.5_CashNotePos.Printer.exe ba3809226de85b9786ea8fda2f47a024fe5448561d37beb9a0b27d693d7fbd7c
1.0.0.5_CashNotePos.exe 2735aad2170ac6c570912139be73e6f86d1d33572841688e44c68675fc33515f
1.0.0.56_CashNotePos.Helper.exe c942bda90d2e4937946df801f6006ff1d8815984b5784ad9160be97ad94baf91
1.0.0.6_CashNotePos.Helper.exe 13be8b3907c5c1f18edb7c4b34019694c3cbc62e281cace0704ed3f0bdf1e3da
1.0.0.6_CashNotePos.Printer.exe a058491e80c94e2c411f9ced1ad22b4ea53efa020632647dc2b5f932ebc6d6ef
1.0.0.6_CashNotePos.exe b430cf4b86912c4313516f7bf2fcfe32d82da3eec616fafd661c444c208c3ab5
1.0.0.7_CashNotePos.Printer.exe 503ea9f82ff58574d4b65beeb6a66e97fed67808185121524b0118a58a0d060c
1.0.0.7_CashNotePos.exe b430cf4b86912c4313516f7bf2fcfe32d82da3eec616fafd661c444c208c3ab5
1.0.0.8_CashNotePos.Printer.Tool.exe e8aebbb0c95d3ba0b5169f47f37153c30dc89e70ee2eae6523aa601e2397be8b
1.0.0.8_CashNotePos.Printer.exe b72a7e8c54b49e82ea5223878c16b35ab5f067073f26540a2815f1505439d30a
1.0.0.9_CashNotePos.Manager.exe e6ed2f92fe26eb85dc5019654da03c11b7b3a03adb0e6de065c54d9c71c5ded1
1.0.0.9_CashNotePos.Printer.exe 48cdc589be714086adfd2396c16fe2bcf73bc0d67c4b45f43b0ad28b300f1587
1.0.1.1_CashNotePos.UI.exe 01688b68abc75c1cf4bdc31f32e16e985b24b5da19621b6453d3f88b36b9ae8b
1.0.1.17_CashNotePos.UI.exe 3d5384768343049fc3572e9ef3bc7e121271f5a5de8575bb695ac05c379ff40a
1.0.1.18_CashNotePos.UI.exe 92f2c87c72ac271b066cd1bbdb37e10e18b471eb29823898e3f5e259d89fba57
1.0.1.19_CashNotePos.UI.exe 47510427bfd7921d551994ceac7362b164e7107e693b591186e43974a3a7138c
1.0.1.2_CashNotePos.UI.exe f2b8adf78d71a9fac993e2ac3772bec04937c20d88e56975f8f28d1b13d18389
1.0.1.3_CashNotePos.UI.exe c9e6497befe72e12dc6ab9cdba40f7a1b512a990c1d19abe97045b3475094af4
1.0.1.4_CashNotePos.UI.exe 00ec840807a9e621587bcb6340300452ec71859e8ea69e9753e6c82c5f06858e
1.0.1.5_CashNotePos.UI.exe 12f3c29858a3a5b9b18073eba0612689e780c468837afdcb954f6eb9936c40b8
1.0.1.6_CashNotePos.UI.exe 8c9da1ef8ab6c1591ac5a8753195cf115774f08d09ced6e5b3b770958330b8af
1.0.1.7_CashNotePos.UI.exe 2e940a779dfe7b3e99df92681180ef580e75de394e4c79307d261d09c2a4aadb
1.0.1.9_CashNotePos.UI.exe ced0bb043d0c8a9f8e99d212b3b2f5d5eebabf25ed15ff1279e9ddf92b36fcfd

Re: False positive submission

dparris — Fri, 26 Mar 2021 13:22:36 GMT

If you are a Palo Alto customer please open a case with support to fix this error.

Re: False positive submission

young_kcd — Mon, 29 Mar 2021 07:10:59 GMT

Our company uses Paloalto firewall product via a reseller in South Korea.

So we don't have any direct account for Paloalto at the moment.

Do we need to buy something to submit false positive cases? (even though it's unusual, we want it if you proceed this)

Then which one should we buy?

We have been waiting more than 3 weeks.

Re: False positive submission

rnorouzi — Tue, 30 Mar 2021 13:18:04 GMT

under review

Re: False positive submission

rnorouzi — Tue, 30 Mar 2021 18:18:37 GMT

since you are Palo Alto customer , please open Tac case . This form is for non Palo Alto customers .