saferwall/saferwall

Malicious file marked as clean

nikAizuddin opened this issue · 1 comment

Hi, I tried to scan a malicious file from https://capesandbox.com/analysis/110788/ using Saferwall; unfortunately it is marked as clean, which differs from the result in VirusTotal.


Also, I tried to scan directly using mpclient; the output only shows EngineScanCallback(): Scanning input:

root@multiav-pod:/opt/windows-defender# sha256sum /malware
50e2c6aac34de9ed4e1b3fcfcd5aaa34892696f2681aa5e8c45a5dbe0915a43c  /malware
root@multiav-pod:/opt/windows-defender# ./mpclient /malware
main(): Scanning /malware...
EngineScanCallback(): Scanning input
root@multiav-pod:/opt/windows-defender#

To verify that my build is working, I have no problem scanning the EICAR file:

root@multiav-pod:/opt/windows-defender# ./mpclient /eicar
main(): Scanning /eicar...
EngineScanCallback(): Scanning input
EngineScanCallback(): Threat Virus:DOS/EICAR_Test_File identified.
root@multiav-pod:/opt/windows-defender#

Notes

I'm using a different repo, extra2000/saferwall/tree/rootless-podman-upstream, because I'm using Podman, and then build with extra2000/saferwall-box (branch dev).

So I'm not sure if it's just me or whether anyone else is having the same issue too.

By the way, I just tried Windows Defender from malice-plugins. It is also unable to detect this malware file:

[vagrant@windefender-box ~]$ curl https://capesandbox.com/file/sample/110788/50e2c6aac34de9ed4e1b3fcfcd5aaa34892696f2681aa5e8c45a5dbe0915a43c/ --output samplefile
[vagrant@windefender-box ~]$ sha256sum samplefile
50e2c6aac34de9ed4e1b3fcfcd5aaa34892696f2681aa5e8c45a5dbe0915a43c  samplefile
[vagrant@windefender-box ~]$ podman run --init --rm -v ./samplefile:/malware/samplefile:ro,z --security-opt seccomp=/opt/windefender/src/seccomp.json malice-plugins/windefender samplefile
{"windows_defender":{"infected":false,"result":"","engine":"1.1.17700.4","updated":"20210107"}}

Here, just to verify that the build is working:

[vagrant@windefender-box ~]$ curl https://secure.eicar.org/eicar.com --output eicar.com
[vagrant@windefender-box ~]$ podman run --init --rm -v ./eicar.com:/malware/eicar.com:ro,z --security-opt seccomp=/opt/windefender/src/seccomp.json malice-plugins/windefender eicar.com
{"windows_defender":{"infected":true,"result":"Virus:DOS/EICAR_Test_File","engine":"1.1.17700.4","updated":"20210107"}}

Looks like this is not a Saferwall problem, so I'm closing this issue.
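The reasoning in this thread (pin the sample's SHA-256, scan a known EICAR control first, and only then read the sample's verdict) is worth automating when checking an AV plugin build. The following is an added example, not code from Saferwall or malice-plugins: it parses the JSON line the windefender plugin prints above and turns a control scan plus a sample scan into a triage label. The scanner command is an assumption (any command that prints that JSON line on stdout works), and the two JSON lines in the demo are the ones quoted in the issue.

```python
"""Validate an AV plugin run: verify the sample hash, scan an EICAR control,
then scan the sample and interpret the verdict.  Added example; the scan
command passed to scan_file() is an assumption, not a project API."""
import hashlib
import json
import subprocess


def sha256_of(path):
    """Stream the file so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha256(path, expected_hex):
    """True when the file on disk matches the hash taken from the reference source."""
    return sha256_of(path) == expected_hex.lower()


def parse_verdict(line):
    """Parse one malice-plugins windefender JSON line into a plain dict."""
    wd = json.loads(line)["windows_defender"]
    return {
        "infected": bool(wd.get("infected", False)),
        "result": wd.get("result", ""),
        "engine": wd.get("engine", ""),
        "updated": wd.get("updated", ""),
    }


def interpret(control, sample, reference_says_malicious):
    """Triage label from a control (EICAR) verdict and the sample verdict.

    The control scan decides whether the engine is working at all; only then
    does a 'clean' sample verdict mean anything.
    """
    if not control["infected"]:
        return "scanner-not-working"   # build or engine problem, ignore sample verdict
    if sample["infected"]:
        return "detected"
    if reference_says_malicious:
        return "engine-miss"           # engine works but has no signature for this file
    return "clean"


def scan_file(command, path):
    """Run an external scanner (assumed to print the JSON verdict on stdout)."""
    proc = subprocess.run(command + [str(path)], capture_output=True, text=True, check=True)
    return parse_verdict(proc.stdout.strip().splitlines()[-1])


if __name__ == "__main__":
    # Constructed demo using the two verdict lines quoted in the issue.
    control = parse_verdict('{"windows_defender":{"infected":true,"result":"Virus:DOS/EICAR_Test_File","engine":"1.1.17700.4","updated":"20210107"}}')
    sample = parse_verdict('{"windows_defender":{"infected":false,"result":"","engine":"1.1.17700.4","updated":"20210107"}}')
    print(interpret(control, sample, reference_says_malicious=True))  # engine-miss
```

In practice you would call scan_file() twice with the same podman command line shown above (once for the EICAR file, once for the sample) and feed both verdicts to interpret(); an "engine-miss" result points at the signature set (note the "updated" date in the JSON) rather than at the scanning pipeline.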