topic Re: Threat Vault and Virus/Win32.WGeneric.aalbaq in General Topics

Threat Vault and Virus/Win32.WGeneric.aalbaq

Curt.Schwarder — Mon, 22 Apr 2019 16:05:40 GMT

Hi all,

Curious if anyone can point me toward amplifying info regarding Threat Vault signatures? From what I can tell, these generic signatures usually tend to generate false positives. It's hard to investigate why the alert is getting triggered when the Threat Vault only shows a hash without any context or information regarding why it's deemed malicious. Is the hash the only thing triggering these? I search for the hash on other my other security systems and I get no results, so I have no idea how to chase it down. This particular case is getting triggered by MSVCR80.DLL, which is pretty common on Windows systems. Any guidance is greatly appreciated.

Re: Threat Vault and Virus/Win32.WGeneric.aalbaq

BPry — Tue, 23 Apr 2019 02:59:30 GMT

@Curt.Schwarder,

Generally what you would do with a signature like this is take the MD5 hash value displayed by threatvault and run it through a search on VirusTotal. However, I'm not currently getting anything off of the displayed signature.

With this being a newer signature I would report the false positives you're seeing to support so they can pass it along internally and see if the signature isn't a bit too broad.

Re: Threat Vault and Virus/Win32.WGeneric.aalbaq

Curt.Schwarder — Tue, 23 Apr 2019 16:08:30 GMT

Thanks! @BPry