Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

False positive on VirusTotal

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

False positive on VirusTotal

L2 Linker
17 REPLIES 17

L5 Sessionator

I will see what I can do to get this verdict changed

L5 Sessionator

This has been submitted for manual evaluation.  I've confirmed that Virus Total has this rated at 6/66

L5 Sessionator

You requested the verdict be changed to benign, but was instead changed to grayware. According to our internal annalysis team this is a Greyware app.

Can you explain what "Grayware" is?  Why not greenware or some other color.  We operate above board with over 1m subscribers.  Why would you not list this app in your whitelist?

https://www.paloaltonetworks.com/documentation/translated/70/newfeaturesguide/wildfire-features/wild...

 

The WildFire grayware verdict classifies files that behave similarly to malware, but are not malicious in nature or intent. A grayware verdict might be assigned to files that do not pose a direct security threat, but display otherwise obtrusive behavior (for example, installing unwanted software, changing various system settings, or reducing system performance). Examples of grayware software can typically include adware, spyware, and Browser Helper Objects (BHOs). The grayware verdict allows you to quickly distinguish malicious files on the network from grayware, and to prioritize accordingly.

 

Antivirus signatures are not generated for grayware and security policies cannot be enforced based on the grayware verdict. However, logs and reports can continue to alert to endpoints downloading grayware, enabling you to take any necessary action.

Thank you for claryfying - but this does not answer my initial question.  Please see below:

 

- This app does is not marketed to anyone who did not specifically request to download and install it.  

- This app is not obtrusive, distruptive, does not change any system settings without users explicit permission, does not in any way reduce system performance - in fact it does the opposite.

- This app does not include any adware or spyware or BHOs - in fact its designed to remove or block these types of files/behaviours

- This app has gone through extensive 3rd party validation and is currently certified by AppEsteem (https://customer.appesteem.com/vendors/REALD/171117-PEF-REALD-00039)

 

Per above - how does this app qualify as a grayware?

 

Thank you

Our Malware Reverse Engineers manually reviewed the software and from their analysis the software exhibits characteristics that malware also performs. Some of these things could be self signed certs or software that isn't signed at all. Proxy changes are also listed as potentaly harmful and this program was seen to perform that.

 

As I am not the one who analyzes the software itself, I can't speak to why they determined it to be Greyware. If you look at it in Virus Total it says that it's Clean and not Malware. This was the goal, correct?

 

Our software is not self signed and we use DigiCert and other reputable 3rd party certs.  We do not use Proxies.  

Can you tell me where you are detecting this info.

 

We do not want our software categories incorrectly and greyware classification is certainly not accetable.

 

We just want to know the facts.  If you say we are using proxies or 1st party certs or display behaviour consistent with malware - please show us where you are seeing this or provide any evidence to prove this.  Nothing that you have mentioned is consistent with how our software works.

 

Please advise further

Any updates on this?

The verdict for this file has been set, there will not be any changes. As far as Palo Alto is conserned this file is Greyware. 

Can you please provide contact info for your legal department?

Palo Alto Networks Guru

Hi, 

 

I'm part of the product management team here at Palo Alto Networks focusing on WildFire. 

 

We'd like to help out. 

 

A couple questions:

1. Is your primary concern the representation of this file on VT? 

2. Pending on your response, what is your concern with the verdict of grayware? Customer's rarely block or restrict file access based on grayware and VT should no longer reflect a hit after the sample is reanalyzed.

 

Hello and thank you for your help.

 

Our biggest concern is that our app does not fit into your Grayware criteria.

I have clearly explained what our app does and asked your team to specifically point out how our application is classified under your Grayware definition and your staff has yet to reply with specific examples.  Your definition is broad and does not explicitly or directly addresses our application.  Your definition of Grayware includes business and technology practices that are a) not applicable to us b) completely the opposite of what our app does c) missleading and counter intuitive.

 

Please advise as to next steps.  

Thank you

Hello again

Looks like you guys are flagging us again.

Can you please remove the blocking and whitelist us.

Thank you

  • 9104 Views
  • 17 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!