ENG frm #5542

Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine'

Added by Forum Synchronizer 11 months ago. Updated about 1 month ago.

Status: Accepted
Priority: 3
Assignee:
Post:
β-tester: xzz123
Product: KTS
OS: Win 10, x64
Fixed in:

#1 Updated by Forum Synchronizer 11 months ago

Wesly.Zhang:
<p>Hi, @xzz123</p>
<p>I simply tested this behavior; nothing happened. Please PM the sample.</p>
<p><img src="https://cloud.qainfo.ru/index.php/apps/files_sharing/ajax/publicpreview.php?x=1858&y=664&a=true&file=2018-06-30_133113.png&t=l4rSYUrO7jVltyh&scalingup=0" alt="" width="1262" height="664" /></p>
<p>The link you provided couldn't download the sample directly without registering.</p>

#3 Updated by Forum Synchronizer 11 months ago

Wesly.Zhang:
<p>@xzz123</p>
<p>Something's wrong or ... I still don't reproduce this behavior. Interesting...</p>
<p><img src="https://cloud.qainfo.ru/index.php/apps/files_sharing/ajax/publicpreview.php?x=1858&y=664&a=true&file=2018-06-30_162935.png&t=fsBvbnFK42DwyO1&scalingup=0" alt="" width="1273" height="664" /></p>
<p>Waiting for KL response.</p>

#4 Updated by Forum Synchronizer 11 months ago

<p>@xzz123</p>
<p>Something's wrong or ... I still don't reproduce this behavior. Interesting...</p>
<p><img src="https://cloud.qainfo.ru/index.php/apps/files_sharing/ajax/publicpreview.php?x=1858&y=664&a=true&file=2018-06-30_162935.png&t=fsBvbnFK42DwyO1&scalingup=0" alt="" width="1273" height="664" /></p>
<p><img src="https://cloud.qainfo.ru/index.php/apps/files_sharing/ajax/publicpreview.php?x=1858&y=664&a=true&file=2018-06-30_163115.png&t=S2P8Wn8OmxGSNGc&scalingup=0" alt="" width="1028" height="636" /></p>
<p>Waiting for KL response.</p>

#5 Updated by Forum Synchronizer 11 months ago

Wesly.Zhang:
<p>@xzz123</p>
<p>If this behavior can be reproduced stably, try to clear the iChecker and iSwift database. After doing that, check again.</p>
<p>Settings &gt; Protection &gt; File Anti-Virus &gt; Advanced settings &gt; uncheck iChecker and iSwift technology &gt; recheck them.</p>

#6 Updated by Forum Synchronizer 11 months ago

Ilya.Zadonsky:
<p>Are there any changes after following the recommendations from the message above?</p>

#7 Updated by Forum Synchronizer 11 months ago

xzz123:
<p>@ilya-zadonsky</p>
<p>Negative, sir.</p>

#8 Updated by Forum Synchronizer 11 months ago

Wesly.Zhang:
<p>@xzz123</p>
<p>According to the traces, AVP correctly detected "<a href="http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe" target="_blank" rel="noopener">http://bbs.huorong.cn/forum.php?mod=attachment&amp;aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe</a>" as "Backdoor.Win32.Androm.qbms", but failed to deal with it. Does this issue only happen in the "360Chrome / 360极速浏览器" browsers?</p>
<hr />
<p><strong><span style="color: #ff0000;">21:54:34.669 0x1160 INF bl [LicenseNotificationsControllingLogic] This type of notification is ignored</span></strong></p>
<p>21:54:34.677 0x8 INF aveng asl_trace: leave DetectReportPost Backdoor.Win32.Androm.qbms</p>
<p>21:54:34.677 0x8 INF aveng asl_trace: enter DetectProcessDone Backdoor.Win32.Androm.qbms</p>
<p>21:54:34.677 0x8 INF aveng asl_link: objId:0190a918</p>
<p>21:54:34.677 0x8 INF aveng asl_trace: leave DetectProcessDone Backdoor.Win32.Androm.qbms</p>
<p>21:54:34.677 0x8 INF aveng AVP !EMU (DT)</p>
<p><span style="color: #ff0000;"><strong>21:54:34.677 0x8 INF avs aveng Cancel (req) : 0x80000051</strong></span></p>
<p><span style="color: #ff0000;"><strong>21:54:34.677 0x8 INF aveng USR CANCEL 0x80000051</strong></span></p>
<p><span style="color: #ff0000;"><strong>21:54:34.677 0x8 WRN aveng PROC CANCEL: Usr</strong></span></p>
<p>21:54:34.677 0x8 WRN aveng PROC EF:0x10000 Cnc</p>
<p>21:54:34.677 0x8 WRN aveng PROC ST:0x80000051</p>
<p>21:54:34.677 0x8 WRN aveng AM PROCESS_FINISH #0 !ERR:0x80000051</p>
<p>21:54:34.677 0x8 WRN aveng AM PROCESS_OBJECT_END #0 !ERR:0x80000051</p>
<p>21:54:34.677 0x8 WRN aveng AVP CANCELED</p>
<p>21:54:34.677 0x8 INF aveng AVP LEAVE <a href="http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe" target="_blank" rel="noopener">http://bbs.huorong.cn/forum.php?mod=attachment&amp;aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe</a></p>
<p>Did you set some ignored messages in the KL product settings? Restore all notification messages in KL Settings and use the IE browser to check this issue again.</p>

#9 Updated by Forum Synchronizer 11 months ago

<p>@xzz123</p>
<p>According to the traces, AVP correctly detected "<a href="http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe" target="_blank" rel="noopener">http://bbs.huorong.cn/forum.php?mod=attachment&amp;aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe</a>" as "Backdoor.Win32.Androm.qbms", but failed to deal with it. Does this issue only happen in the "360Chrome / 360极速浏览器" browsers?</p>
<hr />
<p>21:54:34.677 0x8 INF aveng asl_trace: leave DetectReportPost Backdoor.Win32.Androm.qbms</p>
<p>21:54:34.677 0x8 INF aveng asl_trace: enter DetectProcessDone Backdoor.Win32.Androm.qbms</p>
<p>21:54:34.677 0x8 INF aveng asl_link: objId:0190a918</p>
<p>21:54:34.677 0x8 INF aveng asl_trace: leave DetectProcessDone Backdoor.Win32.Androm.qbms</p>
<p>21:54:34.677 0x8 INF aveng AVP !EMU (DT)</p>
<p><span style="color: #ff0000;"><strong>21:54:34.677 0x8 INF avs aveng Cancel (req) : 0x80000051</strong></span></p>
<p><span style="color: #ff0000;"><strong>21:54:34.677 0x8 INF aveng USR CANCEL 0x80000051</strong></span></p>
<p><span style="color: #ff0000;"><strong>21:54:34.677 0x8 WRN aveng PROC CANCEL: Usr</strong></span></p>
<p>21:54:34.677 0x8 WRN aveng PROC EF:0x10000 Cnc</p>
<p>21:54:34.677 0x8 WRN aveng PROC ST:0x80000051</p>
<p>21:54:34.677 0x8 WRN aveng AM PROCESS_FINISH #0 !ERR:0x80000051</p>
<p>21:54:34.677 0x8 WRN aveng AM PROCESS_OBJECT_END #0 !ERR:0x80000051</p>
<p>21:54:34.677 0x8 WRN aveng AVP CANCELED</p>
<p>21:54:34.677 0x8 INF aveng AVP LEAVE <a href="http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe" target="_blank" rel="noopener">http://bbs.huorong.cn/forum.php?mod=attachment&amp;aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe</a></p>
<p>Did you set some ignored messages in the KL product settings? Restore all notification messages in KL Settings and use the IE browser to check this issue again.</p>

#10 Updated by Forum Synchronizer 11 months ago

xzz123:
<p>@wesly-zhang</p>
<p>Actually, if you can reproduce it, then you can reproduce it in any browser.</p>
<p>No additional notification is ignored.</p>

#11 Updated by Forum Synchronizer 11 months ago

<p>@wesly-zhang</p>
<p>Actually, if you can reproduce it, then you can reproduce it in any browser. Before, I already tried the Edge browser.</p>
<p>No additional notification is ignored.</p>
<p>And most important, I cannot see any relation between a scan error and a Clean Object moved to Quarantine....</p>

#12 Updated by Forum Synchronizer 11 months ago

Helios_07:
<p>It's reproducible for me, I get the same report: Clean object (file) moved to quarantine by user.</p>
<p>Traces: https://cloud.qainfo.ru/s/QCJrqV15nhsYJsy</p>

#13 Updated by Forum Synchronizer 11 months ago

xzz123:
<p>This problem also reproduces with 2019 patch (b).</p>

#14 Updated by Forum Synchronizer 11 months ago

Wesly.Zhang:
<p>@xzz123</p>
<p>Yeah~ I see now. Sorry for my mistake. This issue happens on "Detected object" in the detailed report. Ya... It seems AVP does not deal with some items and filter them.</p>
<div>
<div><span>ThreatsManagement::GetThreatsByIDs: Threat: </span><span>https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&amp;q=MEMZ.zip&amp;e=1530349352&amp;ip=124.79.173.114&amp;fi=3943706&amp;up=</span><span> detect: status: <span style="color: #ff0000;"><strong>Clear object</strong></span> type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: <span style="color: #000000;">0x0</span></span></div>
</div>
<p>When a threat is located in a zip, rar, 7zip or other compressed package, AVP doesn't process its log to filter/hide or improve the log event about the processing state of the threat in the compressed package listed in the Detected Object window. Maybe it is a beta version, so they haven't dealt with it yet.</p>
<div>
<div>ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&amp;q=MEMZ.zip&amp;e=1530349352&amp;ip=124.79.173.114&amp;fi=3943706&amp;up= detect: status: <span style="color: #339966;">Blocked</span> type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: <span style="color: #000000;">0x0</span></div>
</div>

15:08:09.326    0xa50    INF    SqliteDataDb    sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data"  where "key" = x'010000008cb9fed65c02';'
15:08:09.326    0xa50    INF    SqliteCache    Value not found in cache
15:08:09.326    0xa50    ERR    amfcd    RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326    0xa50    INF    amfcd    ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect:  status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
15:08:09.326    0xa50    INF    amfcd    RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x3
15:08:09.326    0xa50    INF    SqliteDataDb    sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data"  where "key" = x'010000008cb9fed65c03';'
15:08:09.326    0xa50    INF    SqliteCache    Value not found in cache
15:08:09.326    0xa50    ERR    amfcd    RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326    0xa50    INF    amfcd    ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2
15:08:09.326    0xa50    INF    amfcd    RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x4

#15 Updated by Forum Synchronizer 11 months ago

<p>@xzz123</p>
<p>Yeah~ I see now. Sorry for my mistake. This issue happens on "Detected object" in the detailed report. Ya... It seems AVP does not deal with some items and filter them.</p>
<div>
<div><span>ThreatsManagement::GetThreatsByIDs: Threat: </span><span>https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&amp;q=MEMZ.zip&amp;e=1530349352&amp;ip=124.79.173.114&amp;fi=3943706&amp;up=</span><span> detect: status: <span style="color: #ff0000;"><strong>Clear object</strong></span> type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: <span style="color: #000000;">0x0</span></span></div>
</div>
<p>When a threat is located in a zip, rar, 7zip or other compressed package (parent directory), AVP doesn't process its log to filter/hide or improve the log event about the processing state of the threat in the compressed package listed in the Detected Object window. Maybe it is a beta version, so they haven't dealt with it yet.</p>
<div>
<div>ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&amp;q=MEMZ.zip&amp;e=1530349352&amp;ip=124.79.173.114&amp;fi=3943706&amp;up= detect: status: <span style="color: #339966;">Blocked</span> type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: <span style="color: #000000;">0x0</span></div>
</div>

15:08:09.326    0xa50    INF    SqliteDataDb    sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data"  where "key" = x'010000008cb9fed65c02';'
15:08:09.326    0xa50    INF    SqliteCache    Value not found in cache
15:08:09.326    0xa50    ERR    amfcd    RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326    0xa50    INF    amfcd    ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect:  status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
15:08:09.326    0xa50    INF    amfcd    RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x3
15:08:09.326    0xa50    INF    SqliteDataDb    sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data"  where "key" = x'010000008cb9fed65c03';'
15:08:09.326    0xa50    INF    SqliteCache    Value not found in cache
15:08:09.326    0xa50    ERR    amfcd    RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326    0xa50    INF    amfcd    ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2
15:08:09.326    0xa50    INF    amfcd    RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x4
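As an added example (not part of this ticket and not Kaspersky's code), the following Python triage helper parses amfcd trace lines in the layout quoted in #14/#15 and flags the situation described there: a container archive logged with status "Clear object" while a child entry inside it carries a detection verdict and a non-clean status. The trace sample is constructed (placeholder host instead of the real download URL), the "Enter. Threat 0x2" line in front of the first record is assumed from the sqlite key suffixes ...5c02 / ...5c03 in the quoted excerpt, and the rule that a GetThreatsByIDs line belongs to the threat id announced just before it is an assumption about the log layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the amfcd trace quoted in comments #14/#15 of this ticket.
# The archive URL is replaced by a placeholder host, and the "Enter. Threat 0x2" line before the
# first record is an assumption: the excerpt on the page begins just after it, and the sqlite key
# suffixes ...5c02 / ...5c03 in that excerpt line up with threat ids 0x2 / 0x3.
SAMPLE_TRACE = """\
15:08:09.326    0xa50    INF    amfcd    RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x2
15:08:09.326    0xa50    INF    SqliteCache    Value not found in cache
15:08:09.326    0xa50    ERR    amfcd    RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326    0xa50    INF    amfcd    ThreatsManagement::GetThreatsByIDs: Threat: https://files.example.invalid/MEMZ.zip?q=MEMZ.zip&up= detect:  status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
15:08:09.326    0xa50    INF    amfcd    RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x3
15:08:09.326    0xa50    INF    SqliteCache    Value not found in cache
15:08:09.326    0xa50    ERR    amfcd    RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326    0xa50    INF    amfcd    ThreatsManagement::GetThreatsByIDs: Threat: https://files.example.invalid/MEMZ.zip?q=MEMZ.zip&up=//MEMZ/Geometry dash auto speedhack.bat detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2
15:08:09.326    0xa50    INF    amfcd    RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x4
"""

# Assumed layout: "Enter. Threat 0xN" opens the record for threat id N, and the GetThreatsByIDs
# line that follows describes that threat (object path, optional verdict, status, parent id).
ENTER_RE = re.compile(r"RollbackInfoProvider::GetRollbackInfo: Enter\. Threat (0x[0-9a-fA-F]+)")
RECORD_RE = re.compile(
    r"ThreatsManagement::GetThreatsByIDs: Threat: (?P<obj>.*?) detect:\s*"
    r"(?:(?P<verdict>\S+)\s+)?status: (?P<status>.+?) type: (?P<type>0x[0-9a-fA-F]+)"
    r".*?parent: (?P<parent>0x[0-9a-fA-F]+)"
)


@dataclass
class ThreatRecord:
    threat_id: str
    obj: str
    verdict: Optional[str]   # None when the line carries no detection name
    status: str              # e.g. "Clear object", "Blocked", "Untreatable object"
    parent: str              # "0x0" for a top-level object, else the container's threat id


def parse_threat_records(trace: str) -> List[ThreatRecord]:
    """Pair each GetThreatsByIDs line with the threat id announced just before it."""
    records: List[ThreatRecord] = []
    current_id: Optional[str] = None
    for line in trace.splitlines():
        m = ENTER_RE.search(line)
        if m:
            current_id = m.group(1)
            continue
        m = RECORD_RE.search(line)
        if m and current_id is not None:
            records.append(ThreatRecord(current_id, m.group("obj"), m.group("verdict"),
                                        m.group("status"), m.group("parent")))
            current_id = None  # one record per announced id; stray lines are not attributed
    return records


def find_clean_containers_with_detections(
        records: List[ThreatRecord]) -> List[Tuple[ThreatRecord, ThreatRecord]]:
    """Return (container, child) pairs where the container is logged as 'Clear object' although
    a child object inside it carries a detection verdict: the pattern behind the misleading
    'Clean object moved to quarantine' entry discussed in this ticket."""
    by_id: Dict[str, ThreatRecord] = {r.threat_id: r for r in records}
    findings: List[Tuple[ThreatRecord, ThreatRecord]] = []
    for child in records:
        if child.verdict is None:
            continue
        container = by_id.get(child.parent)
        if container is not None and container.status == "Clear object":
            findings.append((container, child))
    return findings


def describe(findings: List[Tuple[ThreatRecord, ThreatRecord]]) -> List[str]:
    """Human-readable triage lines, one per flagged container."""
    return [f"container {c.threat_id} ({c.obj}) logged as '{c.status}' but holds "
            f"{ch.verdict} [{ch.status}] at {ch.obj}" for c, ch in findings]


if __name__ == "__main__":
    for line in describe(find_clean_containers_with_detections(parse_threat_records(SAMPLE_TRACE))):
        print(line)
```

Run against a real trace, the parent/child linkage is what tells an analyst whether a "Clean object" report refers to an archive whose member was actually detected, rather than to a genuinely clean file that was quarantined.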

#16 Updated by Forum Synchronizer 11 months ago

Wesly.Zhang:
<p>@helios_07</p>
<p>Yes, you are right. Me too, now.</p>

#17 Updated by Forum Synchronizer 11 months ago

Wesly.Zhang:
<p>@xzz123 said in <a href="/post/764">Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine'</a>:</p>
<blockquote><p>This problem also reproduces with 2019 patch (b)</p></blockquote>
<p>Really? Oops...</p>

#18 Updated by Forum Synchronizer 8 months ago

xzz123:
<p>Issue not fixed in build 554.</p>
<p>Can be reproduced in the 2018 version.</p>


Description

<p><strong>Reproduction steps:</strong></p>
<p>Visit a virus link and AVP blocks the download.</p>
<p><strong>Actual result:</strong></p>
<p>Web AV gives an incorrect report that a Clean Object was moved to quarantine.</p>
<p><strong>Expected result:</strong></p>
<p>Web AV only reports Object Blocked.</p>
<p>See the screenshot of the incorrect report:</p>
<p><img src="https://forum.kaspersky.com/uploads/monthly_2018_06/screenshot.thumb.jpg.bf5ca1553585399aaddd090e6c3a54b6.jpg" alt="" width="1000" height="619" /></p>
<p>This is a link that you can use to reproduce. Actually any malicious link is ok.</p>
<p>http://bbs.huorong.cn/forum.php?mod=attachment&amp;aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D</p>
<p>Uploaded traces and the screenshot:</p>
<p>https://cloud.qainfo.ru/s/LPcLJbautATgiZ5</p>
