8. Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine'

#149 Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine'

  • Accepted

    , last edited by Jarvis

    Reproduction steps:

    Visit a virus link and avp block the download

    Actual result:

    Web AV give a incorrect report that Clean Object moved to quarantine

    Expected Result:

    Web AV only report Object Blocked

    see screenshot about the incorrect report

    This is a link that you can used to reproduce. Actually any malicious link is ok.

    http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D

    upload traces and the screenshot:

    https://cloud.qainfo.ru/s/LPcLJbautATgiZ5

    System Settings

    Operating system: Win 10, x64

    System: whatever

    Product: KTS

    Language: en-US

    Product Logs: https://cloud.qainfo.ru/s/LPcLJbautATgiZ5

  • Issue not fixed in build 554.

    can be reproduced in 2018 version

  • @xzz123 said in [Web\_Antivirus\_give\_incorrect\_report\_'Clean Object Move to Quarantine'](/post/764): >

    This problem also reproduce with 2019 patch(b)

    Really? Oops...

  • @helios_07

    Yes, You are right, Me too, now. wink

  • , last edited by Wesly.Zhang

    @xzz123

    Yeah~ I see now. Sorry for my mistake. This issue happen on "Detected object" in Detail report. Ya... It seems AVP do not deal with some item and filter it.

    ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0

    When a threat local in the zip,rar,7zip or some compressed package (parent directory ), AVP don't process its log to filter/hide or improve the log event about the processing state of the thread in compressed package to list in Detected Object window. Maybe It is a beta version, So they haven't dealt with it yet.

    ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Blocked type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0

    15:08:09.326	0xa50	INF	SqliteDataDb	sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data"  where "key" = x'010000008cb9fed65c02';'
15:08:09.326	0xa50	INF	SqliteCache	Value not found in cache
15:08:09.326	0xa50	ERR	amfcd	RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326	0xa50	INF	amfcd	ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect:  status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
15:08:09.326	0xa50	INF	amfcd	RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x3
15:08:09.326	0xa50	INF	SqliteDataDb	sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data"  where "key" = x'010000008cb9fed65c03';'
15:08:09.326	0xa50	INF	SqliteCache	Value not found in cache
15:08:09.326	0xa50	ERR	amfcd	RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326	0xa50	INF	amfcd	ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2
15:08:09.326	0xa50	INF	amfcd	RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x4

  • This problem also reproduce with 2019 patch(b)

  • H

    Its reproducable for me, i get the same report: Clean object (file) moved to quarantine by user.

    Traces: https://cloud.qainfo.ru/s/QCJrqV15nhsYJsy

  • , last edited by xzz123

    @wesly-zhang

    Actually if you can reproduce it, than you can reproduce it in any broswer. Before I already tried Edge broswer.smile

    No additinal notification is ignored.

    And most important, I can not see any relations between a scan error and a Clean Object moved to Quaranteen....

  • , last edited by Wesly.Zhang

    @xzz123

    According to the traces, AVP collectly detected "http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe" as "Backdoor.Win32.Androm.qbms", But failed to deal with it. Does this issue only happened in "360Chrome/ 360极速浏览器" browsers?

    21:54:34.677 0x8 INF aveng asl_trace: leave DetectReportPost Backdoor.Win32.Androm.qbms

    21:54:34.677 0x8 INF aveng asl_trace: enter DetectProcessDone Backdoor.Win32.Androm.qbms

    21:54:34.677 0x8 INF aveng asl_link: objId:0190a918

    21:54:34.677 0x8 INF aveng asl_trace: leave DetectProcessDone Backdoor.Win32.Androm.qbms

    21:54:34.677 0x8 INF aveng AVP !EMU (DT)

    21:54:34.677 0x8 INF avs aveng Cancel (req) : 0x80000051

    21:54:34.677 0x8 INF aveng USR CANCEL 0x80000051

    21:54:34.677 0x8 WRN aveng PROC CANCEL: Usr

    21:54:34.677 0x8 WRN aveng PROC EF:0x10000 Cnc

    21:54:34.677 0x8 WRN aveng PROC ST:0x80000051

    21:54:34.677 0x8 WRN aveng AM PROCESS_FINISH #0 !ERR:0x80000051

    21:54:34.677 0x8 WRN aveng AM PROCESS_OBJECT_END #0 !ERR:0x80000051

    21:54:34.677 0x8 WRN aveng AVP CANCELED

    21:54:34.677 0x8 INF aveng AVP LEAVE http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe

    Do you set some ignored message in KL Product settings? Restore all notification message in KL Settings and use IE browser to check this issue again.

  • @ilya-zadonsky

    Negative, sir.

    cry

  • Are there any changes after following the recommendations from the message above?

  • @xzz123

    If this behavior could be reproduced stably, Try to clear ichecker and iswift database. After do that, check again.

    Settings -> Protection -> File-Antivirus -> Advanced settings -> uncheck ichecker and iswift technology-> recheck them.

  • , last edited by Wesly.Zhang

    @xzz123

    Somethings wrong or ... I still doesn't  reproduce this behavior. Interesting......

    Waiting for KL response.

  • @wesly-zhang

    This link should work

    Choose one of three orange button so that download will begin》
    And
    30.06.2018 14.34.06;Detected object (file) cannot be disinfected;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat;Trojan.BAT.Memz.b;Trojan program;06/30/2018 14:34:0630.06.2018
    14.34.06;
    Clean object (file) moved to Quarantine by the user;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=;06/30/2018 14:34:06

  • Hi, @xzz123

    I simple test this behavior, Nothing happened. Please PM the sample.

    This link you have provided couldn't download the sample directly without registering.

Looks like your connection to Beta Testing was lost, please wait while we try to reconnect.