Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine'
-
<p><strong>Reproduction steps:</strong></p>
<p><span></span>Visit a virus link and avp block the download</p>
<p><strong>Actual result:</strong></p>
<p><span></span>Web AV give a incorrect report that Clean Object moved to quarantine</p>
<p><strong>Expected Result:</strong></p>
<p><span></span>Web AV only report Object Blocked</p>
<p></p>
<p>see screenshot about the incorrect report</p>
<p><img src="forum.kaspersky.com/uploads/monthly_2018_06/screenshot.thumb.jpg.bf5ca1553585399aaddd090e6c3a54b6.jpg" alt="" /><img src="https://forum.kaspersky.com/uploads/monthly_2018_06/screenshot.thumb.jpg.bf5ca1553585399aaddd090e6c3a54b6.jpg" alt="" width="1000" height="619" /></p>
<p></p>
<p>This is a link that you can used to reproduce. Actually any malicious link is ok.</p>
<p>http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D</p>
<p></p>
<p>upload traces and the screenshot:</p>
<p>https://cloud.qainfo.ru/s/LPcLJbautATgiZ5</p><p>Are there any changes after following the recommendations from the message above?</p>
-
<p>Are there any changes after following the recommendations from the message above?</p>
-
<p>@ilya-zadonsky</p>
<p>Negative, sir.</p>
<p><img src="plugins/nodebb-plugin-composer-kl/vendor/tinymce/plugins/emoticons/img/smiley-cry.gif" alt="cry" /></p><p>@xzz123</p>
<p></p>
<p>According to the traces, AVP collectly detected "<a href="http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe"" target="_blank" rel="noopener">http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe"</a> as "Backdoor.Win32.Androm.qbms", But failed to deal with it. Does this issue only happened in "360Chrome/ 360极速浏览器" browsers?</p>
<hr />
<p>21:54:34.677 0x8 INF aveng asl_trace: leave DetectReportPost Backdoor.Win32.Androm.qbms</p>
<p>21:54:34.677 0x8 INF aveng asl_trace: enter DetectProcessDone Backdoor.Win32.Androm.qbms</p>
<p>21:54:34.677 0x8 INF aveng asl_link: objId:0190a918</p>
<p>21:54:34.677 0x8 INF aveng asl_trace: leave DetectProcessDone Backdoor.Win32.Androm.qbms</p>
<p>21:54:34.677 0x8 INF aveng AVP !EMU (DT)</p>
<p><span style="color: #ff0000;"><strong>21:54:34.677 0x8 INF avs aveng Cancel (req) : 0x80000051</strong></span></p>
<p><span style="color: #ff0000;"><strong>21:54:34.677 0x8 INF aveng USR CANCEL 0x80000051</strong></span></p>
<p><span style="color: #ff0000;"><strong>21:54:34.677 0x8 WRN aveng PROC CANCEL: Usr</strong></span></p>
<p>21:54:34.677 0x8 WRN aveng PROC EF:0x10000 Cnc</p>
<p>21:54:34.677 0x8 WRN aveng PROC ST:0x80000051</p>
<p>21:54:34.677 0x8 WRN aveng AM PROCESS_FINISH #0 !ERR:0x80000051</p>
<p>21:54:34.677 0x8 WRN aveng AM PROCESS_OBJECT_END #0 !ERR:0x80000051</p>
<p>21:54:34.677 0x8 WRN aveng AVP CANCELED</p>
<p>21:54:34.677 0x8 INF aveng AVP LEAVE <a href="http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe" target="_blank" rel="noopener">http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe</a></p>
<p>Do you set some ignored message in KL Product settings? Restore all notification message in KL Settings and use IE browser to check this issue again.</p>Go! The world ! 💪 Our CD8/CD4 T lymphocytes are on their way to destroy the new tubular virus.😠
If I don't reply your post here, Please send a PM in KL Community forum or post a E-Mail ( wesly.zhang@qq.com ) to notice me. -
<p>@xzz123</p>
<p></p>
<p>According to the traces, AVP collectly detected "<a href="http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe"" target="_blank" rel="noopener">http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe"</a> as "Backdoor.Win32.Androm.qbms", But failed to deal with it. Does this issue only happened in "360Chrome/ 360极速浏览器" browsers?</p>
<hr />
<p>21:54:34.677 0x8 INF aveng asl_trace: leave DetectReportPost Backdoor.Win32.Androm.qbms</p>
<p>21:54:34.677 0x8 INF aveng asl_trace: enter DetectProcessDone Backdoor.Win32.Androm.qbms</p>
<p>21:54:34.677 0x8 INF aveng asl_link: objId:0190a918</p>
<p>21:54:34.677 0x8 INF aveng asl_trace: leave DetectProcessDone Backdoor.Win32.Androm.qbms</p>
<p>21:54:34.677 0x8 INF aveng AVP !EMU (DT)</p>
<p><span style="color: #ff0000;"><strong>21:54:34.677 0x8 INF avs aveng Cancel (req) : 0x80000051</strong></span></p>
<p><span style="color: #ff0000;"><strong>21:54:34.677 0x8 INF aveng USR CANCEL 0x80000051</strong></span></p>
<p><span style="color: #ff0000;"><strong>21:54:34.677 0x8 WRN aveng PROC CANCEL: Usr</strong></span></p>
<p>21:54:34.677 0x8 WRN aveng PROC EF:0x10000 Cnc</p>
<p>21:54:34.677 0x8 WRN aveng PROC ST:0x80000051</p>
<p>21:54:34.677 0x8 WRN aveng AM PROCESS_FINISH #0 !ERR:0x80000051</p>
<p>21:54:34.677 0x8 WRN aveng AM PROCESS_OBJECT_END #0 !ERR:0x80000051</p>
<p>21:54:34.677 0x8 WRN aveng AVP CANCELED</p>
<p>21:54:34.677 0x8 INF aveng AVP LEAVE <a href="http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe" target="_blank" rel="noopener">http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe</a></p>
<p>Do you set some ignored message in KL Product settings? Restore all notification message in KL Settings and use IE browser to check this issue again.</p><p>@wesly-zhang</p>
<p>Actually if you can reproduce it, than you can reproduce it in any broswer. Before I already tried Edge broswer.<img src="plugins/nodebb-plugin-composer-kl/vendor/tinymce/plugins/emoticons/img/smiley-smile.gif" alt="smile" /></p>
<p>No additinal notification is ignored.</p>
<p>And most important, I can not see any relations between a scan error and a Clean Object moved to Quaranteen....</p> -
<p>Its reproducable for me, i get the same report: Clean object (file) moved to quarantine by user.</p>
<p>Traces: https://cloud.qainfo.ru/s/QCJrqV15nhsYJsy</p> -
<p>This problem also reproduce with 2019 patch(b)</p>
-
<p>@xzz123</p>
<p></p>
<p>Yeah~ I see now. Sorry for my mistake. This issue happen on "Detected object" in Detail report. Ya... It seems AVP do not deal with some item and filter it.</p>
<div>
<div><span></span></div>
<div><span>ThreatsManagement::GetThreatsByIDs: Threat: </span><span>https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up</span><span>= detect: status: <span style="color: #ff0000;"><strong>Clear object</strong></span> type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: <span style="color: #000000;">0x0</span></span></div>
</div>
<p></p>
<p>When a threat local in the zip,rar,7zip or some compressed package (parent directory ), AVP don't process its log to filter/hide or improve the log event about the processing state of the thread in compressed package to list in Detected Object window. Maybe It is a beta version, So they haven't dealt with it yet.</p>
<div>
<div><span></span></div>
<div>ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: <span style="color: #339966;">Blocked</span> type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: <span style="color: #000000;">0x0</span></div>
</div>
<p></p>
<p></p>
<pre class="language-markup"><code>15:08:09.326 0xa50 INF SqliteDataDb sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data" where "key" = x'010000008cb9fed65c02';'
15:08:09.326 0xa50 INF SqliteCache Value not found in cache
15:08:09.326 0xa50 ERR amfcd RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
15:08:09.326 0xa50 INF amfcd RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x3
15:08:09.326 0xa50 INF SqliteDataDb sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data" where "key" = x'010000008cb9fed65c03';'
15:08:09.326 0xa50 INF SqliteCache Value not found in cache
15:08:09.326 0xa50 ERR amfcd RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2
15:08:09.326 0xa50 INF amfcd RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x4</code></pre> -
<p>Its reproducable for me, i get the same report: Clean object (file) moved to quarantine by user.</p>
<p>Traces: https://cloud.qainfo.ru/s/QCJrqV15nhsYJsy</p><p>@helios_07</p>
<p></p>
<p>Yes, You are right, Me too, now. <img src="../../../plugins/nodebb-plugin-composer-kl/vendor/tinymce/plugins/emoticons/img/smiley-wink.gif" alt="wink" /></p> -
<p>@xzz123 said in Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine': ></p>
<p>This problem also reproduce with 2019 patch(b)</p>
<p></p>
<p>Really? Oops...</p> -
<p>Issue not fixed in build 554.</p>
<p>can be reproduced in 2018 version</p>
