Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine'
-
Reproduction steps:
Visit a virus link; avp blocks the download.
Actual result:
Web AV gives an incorrect report that "Clean Object moved to quarantine".
Expected result:
Web AV only reports "Object Blocked".
See the screenshot of the incorrect report.


This is a link that you can use to reproduce. Actually, any malicious link is OK.
Upload traces and the screenshot:
-
Hi, @xzz123
I simply tested this behavior; nothing happened. Please PM the sample.

The link you provided couldn't download the sample directly without registering.
-
@wesly-zhang
This link should work
https://www.lanzous.com/i1bhydg
Choose one of the three orange buttons so that the download will begin.
And
30.06.2018 14.34.06;Detected object (file) cannot be disinfected;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat;Trojan.BAT.Memz.b;Trojan program;06/30/2018 14:34:06
30.06.2018 14.34.06;Clean object (file) moved to Quarantine by the user;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=;06/30/2018 14:34:06
-
Something's wrong, or ... I still can't reproduce this behavior. Interesting......


Waiting for KL response.
-
If this behavior can be reproduced stably, try clearing the iChecker and iSwift databases. After doing that, check again.
Settings -> Protection -> File Anti-Virus -> Advanced settings -> uncheck the iChecker and iSwift technologies -> re-check them.
-
Are there any changes after following the recommendations from the message above?
-
@ilya-zadonsky
Negative, sir.

-
According to the traces, AVP correctly detected "http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe" as "Backdoor.Win32.Androm.qbms", but failed to deal with it. Does this issue only happen in the "360Chrome / 360极速浏览器" browsers?
21:54:34.677 0x8 INF aveng asl_trace: leave DetectReportPost Backdoor.Win32.Androm.qbms
21:54:34.677 0x8 INF aveng asl_trace: enter DetectProcessDone Backdoor.Win32.Androm.qbms
21:54:34.677 0x8 INF aveng asl_link: objId:0190a918
21:54:34.677 0x8 INF aveng asl_trace: leave DetectProcessDone Backdoor.Win32.Androm.qbms
21:54:34.677 0x8 INF aveng AVP !EMU (DT)
21:54:34.677 0x8 INF avs aveng Cancel (req) : 0x80000051
21:54:34.677 0x8 INF aveng USR CANCEL 0x80000051
21:54:34.677 0x8 WRN aveng PROC CANCEL: Usr
21:54:34.677 0x8 WRN aveng PROC EF:0x10000 Cnc
21:54:34.677 0x8 WRN aveng PROC ST:0x80000051
21:54:34.677 0x8 WRN aveng AM PROCESS_FINISH #0 !ERR:0x80000051
21:54:34.677 0x8 WRN aveng AM PROCESS_OBJECT_END #0 !ERR:0x80000051
21:54:34.677 0x8 WRN aveng AVP CANCELED
21:54:34.677 0x8 INF aveng AVP LEAVE http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe
Did you set some ignored messages in the KL product settings? Restore all notification messages in the KL settings and use the IE browser to check this issue again.
-
@wesly-zhang
Actually, if you can reproduce it, then you can reproduce it in any browser. Before this, I had already tried the Edge browser.

No additional notification is ignored.
And most important, I cannot see any relation between a scan error and a "Clean Object moved to Quarantine"....
-
It's reproducible for me; I get the same report: Clean object (file) moved to quarantine by user.
-
This problem also reproduces with 2019 patch (b).
-
Yeah~ I see now. Sorry for my mistake. This issue happens on "Detected object" in the detail report. Ya... It seems AVP does not deal with some items and filters them.
ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
When a threat is located in a zip, rar, 7zip or some other compressed package (parent directory), AVP doesn't process its log to filter/hide or improve the log event about the processing state of the threat in the compressed package that is listed in the Detected Objects window. Maybe it is a beta version, so they haven't dealt with it yet.
ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Blocked type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
15:08:09.326 0xa50 INF SqliteDataDb sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data" where "key" = x'010000008cb9fed65c02';'
15:08:09.326 0xa50 INF SqliteCache Value not found in cache
15:08:09.326 0xa50 ERR amfcd RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
15:08:09.326 0xa50 INF amfcd RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x3
15:08:09.326 0xa50 INF SqliteDataDb sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data" where "key" = x'010000008cb9fed65c03';'
15:08:09.326 0xa50 INF SqliteCache Value not found in cache
15:08:09.326 0xa50 ERR amfcd RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2
15:08:09.326 0xa50 INF amfcd RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x4
-
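The two report rows and the two GetThreatsByIDs trace records posted in this thread share one pattern: the archive container (URL with an empty `up=` parameter, `parent: 0x0`) is logged as "Clear object" and "moved to Quarantine", while the detected file is a member of that archive (`up=//MEMZ/...`, `parent: 0x2`). The script below is an added example, not code from the thread or from Kaspersky: it parses both kinds of line, links each member to its container, and flags the "Clean object moved to Quarantine" row as misleading whenever the same archive had a detected member. The sample rows are constructed copies with the download host replaced by example.invalid; the semicolon field layout, the `up=` convention and the trace regex are assumptions read off the posted lines, not a documented format.

```python
"""Correlate Kaspersky Web AV report rows with amfcd trace records for a
threat inside a downloaded archive.  Added example, not code from the thread
or from Kaspersky.  Assumed formats, read off the lines posted above:
  report row:  date time;event;object;object;[threat;class;]local time
  object URL:  its 'up=' query parameter is the member path inside the
               archive; an empty 'up=' denotes the archive container itself
  trace line:  'GetThreatsByIDs: Threat: <url> detect: [<name>] status:
               <status> ... parent: 0x<n>'  (parent != 0 => archive member)
Sample text is constructed; the download host is replaced by example.invalid."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ARCHIVE = "https://example.invalid/a1130b5f.zip?q=MEMZ.zip"
MEMBER = "//MEMZ/Geometry dash auto speedhack.bat"
CLEAN_QUARANTINE = "Clean object (file) moved to Quarantine by the user"
SAMPLE_REPORT = (  # constructed copies of the two report rows posted in the thread
    f"30.06.2018 14.34.06;Detected object (file) cannot be disinfected;{ARCHIVE}&up={MEMBER};"
    f"{ARCHIVE}&up={MEMBER};Trojan.BAT.Memz.b;Trojan program;06/30/2018 14:34:06\n"
    f"30.06.2018 14.34.06;{CLEAN_QUARANTINE};{ARCHIVE}&up=;{ARCHIVE}&up=;06/30/2018 14:34:06\n"
)
SAMPLE_TRACE = (  # constructed copies of the two GetThreatsByIDs trace records
    f"15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: {ARCHIVE}&up= "
    "detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, "
    "object size: 0x0, parent: 0x0\n"
    f"15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: {ARCHIVE}&up={MEMBER} "
    "detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 "
    "couldBeRestored: 0x0, object size: 0x0, parent: 0x2\n"
)
TRACE_RE = re.compile(
    r"GetThreatsByIDs: Threat: (?P<obj>.+?) detect: (?:(?P<name>\S+) )?"
    r"status: (?P<status>.+?) type: .*parent: 0x(?P<parent>[0-9a-fA-F]+)"
)


def split_object(url):
    """Return (container URL without 'up', member path inside the archive)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    member = qs.pop("up", [""])[0]
    query = "&".join(f"{k}={v[0]}" for k, v in qs.items())
    return parts._replace(query=query).geturl(), member


def parse_report(text):
    """Parse report rows; 'threat' is None on rows without a threat name/class pair."""
    events = []
    for line in text.splitlines():
        fields = line.split(";")
        if len(fields) < 5:
            continue
        container, member = split_object(fields[2])
        events.append({"event": fields[1], "container": container, "member": member,
                       "threat": fields[4] if len(fields) >= 7 else None})
    return events


def misleading_quarantine_events(events):
    """Flag a clean-object-quarantined row whose archive had a detected member."""
    by_container = defaultdict(list)
    for ev in events:
        by_container[ev["container"]].append(ev)
    findings = []
    for container, evs in by_container.items():
        detections = [e for e in evs if e["threat"]]
        clean = [e for e in evs if e["event"] == CLEAN_QUARANTINE and not e["member"]]
        if detections and clean:  # the pairing seen in the thread's report
            findings.append({"container": container, "reported_as": CLEAN_QUARANTINE,
                             "should_read": "Object blocked (infected archive member)",
                             "members": [(d["member"], d["threat"]) for d in detections]})
    return findings


def parse_trace(text):
    """Extract object, detection name, status and parent id from amfcd trace lines."""
    records = []
    for m in TRACE_RE.finditer(text):
        container, member = split_object(m["obj"])
        records.append({"container": container, "member": member, "name": m["name"],
                        "status": m["status"], "parent": int(m["parent"], 16)})
    return records


def container_status(records):
    """Map container URL -> {'status': its own status, 'members': [(path, name, status)]}."""
    out = {}
    for rec in records:
        entry = out.setdefault(rec["container"], {"status": None, "members": []})
        if rec["parent"] == 0 and not rec["member"]:
            entry["status"] = rec["status"]  # the archive itself ('Clear object' here)
        else:
            entry["members"].append((rec["member"], rec["name"], rec["status"]))
    return out


if __name__ == "__main__":
    for f in misleading_quarantine_events(parse_report(SAMPLE_REPORT)):
        print(f"{f['container']}: '{f['reported_as']}' should read "
              f"'{f['should_read']}' because of {f['members']}")
    print(container_status(parse_trace(SAMPLE_TRACE)))
```

Run it on an exported report or a trace file by feeding the text to `parse_report` or `parse_trace`; the grouping key is the object URL with `up=` stripped, so a row is only flagged when a detection and a "clean, quarantined" row refer to the same archive. Rows for objects that are not archive members (`up=` absent) pass through untouched.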
> It's reproducible for me; I get the same report: Clean object (file) moved to quarantine by user.
Yes, you are right. Me too, now.

-
@xzz123 said in Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine':
> This problem also reproduces with 2019 patch (b).
Really? Oops...
-
Issue not fixed in build 554.
Can be reproduced in the 2018 version.
© 2026 AO Kaspersky Lab