topic Re: False positive on VirusTotal in VirusTotal

False positive on VirusTotal

RD1111 — Tue, 03 Apr 2018 23:20:49 GMT

Can you please address this false positive

https://www.virustotal.com/#/file/ff32c2227af54f738c2bab0301bc0a101b64d6f1715865fc220ea1064ec1399a/details

Re: False positive on VirusTotal

dparris — Tue, 03 Apr 2018 23:24:25 GMT

I will see what I can do to get this verdict changed

Re: False positive on VirusTotal

dparris — Tue, 03 Apr 2018 23:50:25 GMT

This has been submitted for manual evaluation. I've confirmed that Virus Total has this rated at 6/66

Re: False positive on VirusTotal

dparris — Thu, 05 Apr 2018 18:29:03 GMT

You requested the verdict be changed to benign, but was instead changed to grayware. According to our internal annalysis team this is a Greyware app.

Re: False positive on VirusTotal

RD1111 — Thu, 05 Apr 2018 22:12:50 GMT

Can you explain what "Grayware" is? Why not greenware or some other color. We operate above board with over 1m subscribers. Why would you not list this app in your whitelist?

Re: False positive on VirusTotal

dparris — Thu, 05 Apr 2018 23:09:06 GMT

https://www.paloaltonetworks.com/documentation/translated/70/newfeaturesguide/wildfire-features/wildfire-grayware-verdict

The WildFire grayware verdict classifies files that behave similarly to malware, but are not malicious in nature or intent. A grayware verdict might be assigned to files that do not pose a direct security threat, but display otherwise obtrusive behavior (for example, installing unwanted software, changing various system settings, or reducing system performance). Examples of grayware software can typically include adware, spyware, and Browser Helper Objects (BHOs). The grayware verdict allows you to quickly distinguish malicious files on the network from grayware, and to prioritize accordingly.

Antivirus signatures are not generated for grayware and security policies cannot be enforced based on the grayware verdict. However, logs and reports can continue to alert to endpoints downloading grayware, enabling you to take any necessary action.

Re: False positive on VirusTotal

RD1111 — Thu, 05 Apr 2018 23:16:30 GMT

Thank you for claryfying - but this does not answer my initial question. Please see below:

- This app does is not marketed to anyone who did not specifically request to download and install it.

- This app is not obtrusive, distruptive, does not change any system settings without users explicit permission, does not in any way reduce system performance - in fact it does the opposite.

- This app does not include any adware or spyware or BHOs - in fact its designed to remove or block these types of files/behaviours

- This app has gone through extensive 3rd party validation and is currently certified by AppEsteem (https://customer.appesteem.com/vendors/REALD/171117-PEF-REALD-00039)

Per above - how does this app qualify as a grayware?

Thank you

Re: False positive on VirusTotal

dparris — Fri, 06 Apr 2018 17:56:33 GMT

Our Malware Reverse Engineers manually reviewed the software and from their analysis the software exhibits characteristics that malware also performs. Some of these things could be self signed certs or software that isn't signed at all. Proxy changes are also listed as potentaly harmful and this program was seen to perform that.

As I am not the one who analyzes the software itself, I can't speak to why they determined it to be Greyware. If you look at it in Virus Total it says that it's Clean and not Malware. This was the goal, correct?

Re: False positive on VirusTotal

RD1111 — Fri, 06 Apr 2018 18:21:11 GMT

Our software is not self signed and we use DigiCert and other reputable 3rd party certs. We do not use Proxies.

Can you tell me where you are detecting this info.

We do not want our software categories incorrectly and greyware classification is certainly not accetable.

We just want to know the facts. If you say we are using proxies or 1st party certs or display behaviour consistent with malware - please show us where you are seeing this or provide any evidence to prove this. Nothing that you have mentioned is consistent with how our software works.

Please advise further

Re: False positive on VirusTotal

RD1111 — Wed, 11 Apr 2018 19:16:22 GMT

Any updates on this?

Re: False positive on VirusTotal

dparris — Wed, 11 Apr 2018 19:19:34 GMT

The verdict for this file has been set, there will not be any changes. As far as Palo Alto is conserned this file is Greyware.

Re: False positive on VirusTotal

RD1111 — Wed, 11 Apr 2018 22:12:01 GMT

Can you please provide contact info for your legal department?

Re: False positive on VirusTotal

ghamilton — Thu, 12 Apr 2018 16:39:21 GMT

Hi,

I'm part of the product management team here at Palo Alto Networks focusing on WildFire.

We'd like to help out.

A couple questions:

1. Is your primary concern the representation of this file on VT?

2. Pending on your response, what is your concern with the verdict of grayware? Customer's rarely block or restrict file access based on grayware and VT should no longer reflect a hit after the sample is reanalyzed.

Re: False positive on VirusTotal

RD1111 — Thu, 12 Apr 2018 20:27:38 GMT

Hello and thank you for your help.

Our biggest concern is that our app does not fit into your Grayware criteria.

I have clearly explained what our app does and asked your team to specifically point out how our application is classified under your Grayware definition and your staff has yet to reply with specific examples. Your definition is broad and does not explicitly or directly addresses our application. Your definition of Grayware includes business and technology practices that are a) not applicable to us b) completely the opposite of what our app does c) missleading and counter intuitive.

Please advise as to next steps.

Thank you

Re: False positive on VirusTotal

RD1111 — Wed, 18 Apr 2018 01:57:51 GMT

Hello again

Looks like you guys are flagging us again.

Can you please remove the blocking and whitelist us.

Thank you

Re: False positive on VirusTotal

RD1111 — Wed, 18 Apr 2018 18:01:48 GMT

Please advise if you received last post.

Re: False positive on VirusTotal

brcook — Wed, 18 Apr 2018 18:17:14 GMT

Hello,

We took your advice to escalate to our legal department, and recommend that your attorney contact our Corporate Legal Counsel, Ms. Wee, directly at lwee@paloaltonetworks.com if you wish to discuss the matter further.

Thank you.

Re: False positive on VirusTotal

RD1111 — Wed, 18 Apr 2018 18:21:48 GMT

Thank you
We are simply asking you to remove the blocking as its inacurate.