8. Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine'

#149 Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine'

  • Accepted

    Are there any changes after following the recommendations from the message above?

    System Settings

    Operating system: Win 10, x64

    System: whatever

    Product: KTS

    Language: en-US

    Product Logs: https://cloud.qainfo.ru/s/LPcLJbautATgiZ5

  • @ilya-zadonsky

    Negative, sir.

    cry

  • , last edited by Wesly.Zhang

    @xzz123

    According to the traces, AVP collectly detected "http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe" as "Backdoor.Win32.Androm.qbms", But failed to deal with it. Does this issue only happened in "360Chrome/ 360极速浏览器" browsers?

    21:54:34.677 0x8 INF aveng asl_trace: leave DetectReportPost Backdoor.Win32.Androm.qbms

    21:54:34.677 0x8 INF aveng asl_trace: enter DetectProcessDone Backdoor.Win32.Androm.qbms

    21:54:34.677 0x8 INF aveng asl_link: objId:0190a918

    21:54:34.677 0x8 INF aveng asl_trace: leave DetectProcessDone Backdoor.Win32.Androm.qbms

    21:54:34.677 0x8 INF aveng AVP !EMU (DT)

    21:54:34.677 0x8 INF avs aveng Cancel (req) : 0x80000051

    21:54:34.677 0x8 INF aveng USR CANCEL 0x80000051

    21:54:34.677 0x8 WRN aveng PROC CANCEL: Usr

    21:54:34.677 0x8 WRN aveng PROC EF:0x10000 Cnc

    21:54:34.677 0x8 WRN aveng PROC ST:0x80000051

    21:54:34.677 0x8 WRN aveng AM PROCESS_FINISH #0 !ERR:0x80000051

    21:54:34.677 0x8 WRN aveng AM PROCESS_OBJECT_END #0 !ERR:0x80000051

    21:54:34.677 0x8 WRN aveng AVP CANCELED

    21:54:34.677 0x8 INF aveng AVP LEAVE http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe

    Do you set some ignored message in KL Product settings? Restore all notification message in KL Settings and use IE browser to check this issue again.

  • , last edited by xzz123

    @wesly-zhang

    Actually if you can reproduce it, than you can reproduce it in any broswer. Before I already tried Edge broswer.smile

    No additinal notification is ignored.

    And most important, I can not see any relations between a scan error and a Clean Object moved to Quaranteen....

  • H

    Its reproducable for me, i get the same report: Clean object (file) moved to quarantine by user.

    Traces: https://cloud.qainfo.ru/s/QCJrqV15nhsYJsy

  • This problem also reproduce with 2019 patch(b)

  • , last edited by Wesly.Zhang

    @xzz123

    Yeah~ I see now. Sorry for my mistake. This issue happen on "Detected object" in Detail report. Ya... It seems AVP do not deal with some item and filter it.

    ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0

    When a threat local in the zip,rar,7zip or some compressed package (parent directory ), AVP don't process its log to filter/hide or improve the log event about the processing state of the thread in compressed package to list in Detected Object window. Maybe It is a beta version, So they haven't dealt with it yet.

    ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Blocked type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0

    15:08:09.326	0xa50	INF	SqliteDataDb	sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data"  where "key" = x'010000008cb9fed65c02';'
15:08:09.326	0xa50	INF	SqliteCache	Value not found in cache
15:08:09.326	0xa50	ERR	amfcd	RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326	0xa50	INF	amfcd	ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect:  status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
15:08:09.326	0xa50	INF	amfcd	RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x3
15:08:09.326	0xa50	INF	SqliteDataDb	sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data"  where "key" = x'010000008cb9fed65c03';'
15:08:09.326	0xa50	INF	SqliteCache	Value not found in cache
15:08:09.326	0xa50	ERR	amfcd	RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326	0xa50	INF	amfcd	ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2
15:08:09.326	0xa50	INF	amfcd	RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x4

  • @helios_07

    Yes, You are right, Me too, now. wink

  • @xzz123 said in [Web\_Antivirus\_give\_incorrect\_report\_'Clean Object Move to Quarantine'](/post/764): >

    This problem also reproduce with 2019 patch(b)

    Really? Oops...

  • Issue not fixed in build 554.

    can be reproduced in 2018 version

Looks like your connection to Beta Testing was lost, please wait while we try to reconnect.