Is wildfire mistaken? false negative?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is wildfire mistaken? false negative?

L0 Member

Hello,

i'm testing wildfire at the moment.

We had a security incident on a corporate notebook there were a lot of dropped "ZeroAccess.Gen Command and Control Traffic" in the thread-log.

We scanned the laptop with different virus/spyware scanners and found a file which i'm uploaded to wildfire and virustotal.

Wildfire says it's Benign.

Virustotal with 24/44 detect ratio says its a backdoor.

Antivirus scan for a928ac4e1a34c4eb035b4ed6a8f7a6cb at 2012-11-27 21:16:41 UTC - VirusTotal

So who is wrong?

Sebastian

2 REPLIES 2

L6 Presenter

I had a similar discussion with "my" Sales Engineer at PA that wildfire claimed "benign" for a malware (in my case a custom made one to test how well behavioural (spelling?) analysis works).

A major flaw with wildfire, in my opinion, is that wildfire will whitelist any signed (by known CA in the chain) applications. To me that is just bad looking at the stolen realtek certs and the others which have been used for the past year or two.

Perhaps this could be the reason in your case?

The other thing is what wildfire triggers on. It seems that it doesnt trigger on downloaders but rather the actual payload. Which I also finds a bit odd because if you trigger on the downloader (which often use at least one exploit) you would have a higher probability to keep your clients clean (or at least get a notify on how the actual malware got in). Otherwise you will (if lucky) only get a warning from Wildfire for the actual payload but the source of the infection will remain unknown (and can infect others when new payload is generated - on the other hand the downloader itself can of course also get new versions to avoid signaturebased detections).

L4 Transporter

Hi Sebastian,

We will take a look at this sample and get back to you. Stay tuned...

Alfred

  • 3458 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!