#149 Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine'


  • Accepted

    [2018] Titanium BT, last edited by Jarvis

    Reproduction steps:

    Visit a virus link; AVP blocks the download.

    Actual result:

    Web AV gives an incorrect report: "Clean Object moved to quarantine".

    Expected Result:

    Web AV should only report "Object Blocked".

    See the screenshot of the incorrect report.

    This is a link that you can use to reproduce. Actually, any malicious link is OK.

    http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D

    Uploaded traces and the screenshot:

    https://cloud.qainfo.ru/s/LPcLJbautATgiZ5

    System Settings

    Operating system: Win 10, x64

    System: whatever

    Product: KTS

    Language: en-US

    Product Logs: https://cloud.qainfo.ru/s/LPcLJbautATgiZ5


  • Moderators

    Hi, @xzz123

    I simply tested this behavior; nothing happened. Please PM the sample.

    The link you provided can't be used to download the sample directly without registering.


  • [2018] Titanium BT

    @wesly-zhang

    This link should work.

    Choose one of the three orange buttons so that the download will begin.
    And:
    30.06.2018 14.34.06;Detected object (file) cannot be disinfected;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat;Trojan.BAT.Memz.b;Trojan program;06/30/2018 14:34:06
    30.06.2018 14.34.06;Clean object (file) moved to Quarantine by the user;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=;06/30/2018 14:34:06

  • Moderators, last edited by Wesly.Zhang

    @xzz123

    Something's wrong or ... I still can't reproduce this behavior. Interesting...

    Waiting for KL response.


  • Moderators

    @xzz123

    If this behavior can be reproduced stably, try clearing the iChecker and iSwift databases. After doing that, check again.

    Settings -> Protection -> File Antivirus -> Advanced settings -> uncheck iChecker and iSwift technology -> re-check them.


  • Kaspersky Lab

    Are there any changes after following the recommendations from the message above?


  • [2018] Titanium BT

    @ilya-zadonsky

    Negative, sir.



  • Moderators, last edited by Wesly.Zhang

    @xzz123

    According to the traces, AVP correctly detected "http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe" as "Backdoor.Win32.Androm.qbms", but failed to deal with it. Does this issue only happen in "360Chrome/ 360极速浏览器" browsers?


    21:54:34.677 0x8 INF aveng asl_trace: leave DetectReportPost Backdoor.Win32.Androm.qbms
    21:54:34.677 0x8 INF aveng asl_trace: enter DetectProcessDone Backdoor.Win32.Androm.qbms
    21:54:34.677 0x8 INF aveng asl_link: objId:0190a918
    21:54:34.677 0x8 INF aveng asl_trace: leave DetectProcessDone Backdoor.Win32.Androm.qbms
    21:54:34.677 0x8 INF aveng AVP !EMU (DT)
    21:54:34.677 0x8 INF avs aveng Cancel (req) : 0x80000051
    21:54:34.677 0x8 INF aveng USR CANCEL 0x80000051
    21:54:34.677 0x8 WRN aveng PROC CANCEL: Usr
    21:54:34.677 0x8 WRN aveng PROC EF:0x10000 Cnc
    21:54:34.677 0x8 WRN aveng PROC ST:0x80000051
    21:54:34.677 0x8 WRN aveng AM PROCESS_FINISH #0 !ERR:0x80000051
    21:54:34.677 0x8 WRN aveng AM PROCESS_OBJECT_END #0 !ERR:0x80000051
    21:54:34.677 0x8 WRN aveng AVP CANCELED
    21:54:34.677 0x8 INF aveng AVP LEAVE http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe

    Did you set some ignored messages in KL product settings? Restore all notification messages in KL settings and use the IE browser to check this issue again.


  • [2018] Titanium BT, last edited by xzz123

    @wesly-zhang

    Actually, if you can reproduce it, then you can reproduce it in any browser. I already tried the Edge browser before.

    No additional notification is ignored.

    And most important, I cannot see any relation between a scan error and a "Clean Object moved to Quarantine"...



  • It's reproducible for me, I get the same report: Clean object (file) moved to quarantine by user.

    Traces: https://cloud.qainfo.ru/s/QCJrqV15nhsYJsy


  • [2018] Titanium BT

    This problem also reproduces with 2019 patch (b).


  • Moderators, last edited by Wesly.Zhang

    @xzz123

    Yeah~ I see now. Sorry for my mistake. This issue happens on "Detected object" in the Detail report. Ya... It seems AVP does not deal with some items and filter them.

    ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0

    When a threat is located in a zip, rar, 7zip or some other compressed package (parent directory), AVP doesn't process its log to filter/hide or improve the log event about the processing state of the threat in the compressed package listed in the Detected Object window. Maybe it is a beta version, so they haven't dealt with it yet.

    ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Blocked type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0

    15:08:09.326	0xa50	INF	SqliteDataDb	sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data"  where "key" = x'010000008cb9fed65c02';'
    15:08:09.326	0xa50	INF	SqliteCache	Value not found in cache
    15:08:09.326	0xa50	ERR	amfcd	RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
    15:08:09.326	0xa50	INF	amfcd	ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect:  status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
    15:08:09.326	0xa50	INF	amfcd	RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x3
    15:08:09.326	0xa50	INF	SqliteDataDb	sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data"  where "key" = x'010000008cb9fed65c03';'
    15:08:09.326	0xa50	INF	SqliteCache	Value not found in cache
    15:08:09.326	0xa50	ERR	amfcd	RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
    15:08:09.326	0xa50	INF	amfcd	ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2
    15:08:09.326	0xa50	INF	amfcd	RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x4
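
    As an added illustration (my own script, not code from this thread or from Kaspersky), here is a small Python triage pass over constructed trace lines in the shape of the amfcd lines quoted above: it ties an object inside an archive to its container through the `//` separator in the URL and reports the container with its child's verdict instead of the misleading "Clear" status. The example host, the `//` naming rule in `container_of`, and the function names are my assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the shape of the amfcd trace quoted in this thread
# (URLs shortened to an example host). The archive is reported as "Clear";
# the .bat inside it carries the actual verdict.
SAMPLE_TRACE = "\n".join([
    "15:08:09.326\t0xa50\tINF\tamfcd\tThreatsManagement::GetThreatsByIDs: Threat: https://files.example.invalid/MEMZ.zip?up="
    " detect:  status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0",
    "15:08:09.326\t0xa50\tINF\tamfcd\tThreatsManagement::GetThreatsByIDs: Threat: https://files.example.invalid/MEMZ.zip?up=//MEMZ/Geometry dash auto speedhack.bat"
    " detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2",
])

# A detection name follows "detect:" only when there is one; the status text runs
# up to "object type:" ("type:" in some lines).
LINE_RE = re.compile(
    r"GetThreatsByIDs: Threat: (?P<url>.*?) detect:\s+(?:(?P<name>\S+)\s+)?"
    r"status: (?P<status>.+?) (?:object )?type: 0x"
)

def parse_trace(text: str) -> List[dict]:
    """One {'url','name','status'} dict per GetThreatsByIDs line; other lines are ignored."""
    return [m.groupdict() for m in (LINE_RE.search(ln) for ln in text.splitlines()) if m]

def container_of(url: str) -> Optional[str]:
    """Inner objects are named '<container URL>//<inner path>' (assumption drawn from the
    quoted lines); return the container URL, or None for a top-level object."""
    idx = url.find("//", url.find("://") + 3)
    return url[:idx] if idx > 0 else None

def effective_status(records: List[dict]) -> Dict[str, str]:
    """Status to show per top-level object: a container whose own verdict is 'Clear'
    but that holds a detected child is reported with the child's verdict instead."""
    children: Dict[str, List[dict]] = {}
    for r in records:
        parent = container_of(r["url"])
        if parent is not None:
            children.setdefault(parent, []).append(r)
    shown: Dict[str, str] = {}
    for r in records:
        if container_of(r["url"]) is not None:
            continue  # already folded into its container
        hits = [c for c in children.get(r["url"], []) if c["name"]]
        if r["status"] == "Clear" and hits:
            shown[r["url"]] = ", ".join(sorted(f"{c['status']} ({c['name']})" for c in hits))
        else:
            shown[r["url"]] = r["status"]
    return shown
```

    Run against the real amfcd trace, `effective_status(parse_trace(open(path).read()))` lists each archive once with the verdict of whatever was found inside it, which is the line the Detected Object window should have shown.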

  • Moderators

    @helios_07

    Yes, you are right. Me too, now.


  • Moderators

    @xzz123 said in [Web\_Antivirus\_give\_incorrect\_report\_'Clean Object Move to Quarantine'](/post/764):

    > This problem also reproduces with 2019 patch (b).

    Really? Oops...


  • [2018] Titanium BT

    Issue not fixed in build 554.

    Can be reproduced in the 2018 version.


