#149 Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine'
-
Accepted
Reproduction steps:
Visit a virus link; AVP blocks the download.
Actual result:
Web AV gives an incorrect report that a clean object was moved to Quarantine.
Expected result:
Web AV only reports "Object Blocked".
See the screenshot of the incorrect report.
This is a link that you can use to reproduce. Actually, any malicious link is OK.
http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D
Uploaded traces and the screenshot:
https://cloud.qainfo.ru/s/LPcLJbautATgiZ5
System Settings
Operating system: Win 10, x64
System: whatever
Product: KTS
Language: en-US
Product Logs: https://cloud.qainfo.ru/s/LPcLJbautATgiZ5
-
-
@xzz123 said in [Web\_Antivirus\_give\_incorrect\_report\_'Clean Object Move to Quarantine'](/post/764):
> This problem also reproduces with 2019 patch(b)
Really? Oops...
-
-
Yeah~ I see now. Sorry for my mistake. This issue happens on "Detected object" in the detailed report. Ya... It seems AVP does not deal with some items and filter them.
ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
When a threat is located in a zip, rar, 7zip or other compressed package (parent directory), AVP does not process its log to filter/hide or improve the log event about the processing state of the threat in the compressed package listed in the Detected Objects window. Maybe it is a beta version, so they haven't dealt with it yet.
ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Blocked type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
15:08:09.326 0xa50 INF SqliteDataDb sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data" where "key" = x'010000008cb9fed65c02';'
15:08:09.326 0xa50 INF SqliteCache Value not found in cache
15:08:09.326 0xa50 ERR amfcd RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
15:08:09.326 0xa50 INF amfcd RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x3
15:08:09.326 0xa50 INF SqliteDataDb sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data" where "key" = x'010000008cb9fed65c03';'
15:08:09.326 0xa50 INF SqliteCache Value not found in cache
15:08:09.326 0xa50 ERR amfcd RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2
15:08:09.326 0xa50 INF amfcd RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x4
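The trace above shows the pattern the thread is describing: the container (the .zip URL, parent 0x0) is logged with status "Clear object" while the member inside it (the //MEMZ/... path, parent 0x2) carries a verdict and is "Untreatable". The following is an added example, not code from the thread or from the product, that parses trace lines of this shape and flags any container reported as clean while one of its members has a detection. The sample lines, the files.example.invalid URLs and the field names used by the parser are constructed for the example; only the line layout is modelled on the amfcd trace quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Layout of the "ThreatsManagement::GetThreatsByIDs" trace lines quoted in the thread.
# Group names (url, detect, status, parent) are labels chosen for this parser, not product API names.
THREAT_RE = re.compile(
    r"ThreatsManagement::GetThreatsByIDs: Threat: (?P<url>.+?) detect:(?: (?P<detect>\S+))?"
    r" status: (?P<status>.+?) type: (?P<type>0x[0-9a-fA-F]+)"
    r" rollback made: (?P<rollback>0x[0-9a-fA-F]+) couldBeRestored: (?P<restorable>0x[0-9a-fA-F]+),"
    r" object size: (?P<size>0x[0-9a-fA-F]+), parent: (?P<parent>0x[0-9a-fA-F]+)"
)


@dataclass
class ThreatRecord:
    url: str
    detect: Optional[str]  # verdict name, None when the line carries no verdict
    status: str            # e.g. "Clear object", "Blocked", "Untreatable object"
    parent: int            # parent object id from the trace; 0 means a top-level object


def parse_threat_lines(lines: List[str]) -> List[ThreatRecord]:
    """Extract ThreatRecords from trace lines; lines of any other shape are ignored."""
    records = []
    for line in lines:
        m = THREAT_RE.search(line)
        if m:
            records.append(ThreatRecord(m["url"], m["detect"], m["status"], int(m["parent"], 16)))
    return records


def is_clean_status(status: str) -> bool:
    """True for statuses that present the object as harmless ("Clear object", "Clean object ...")."""
    return status.lower().startswith(("clear", "clean"))


def find_misreported_containers(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (container_url, container_status, member_url, verdict) for each container that is
    logged with a clean status while a member inside it (URL = container URL + "//" + path,
    non-zero parent id) carries a verdict. A container logged as Blocked is consistent and not flagged."""
    records = parse_threat_lines(lines)
    findings = []
    seen = set()
    for member in records:
        if member.detect is None or member.parent == 0:
            continue
        for container in records:
            if container is member or not is_clean_status(container.status):
                continue
            if member.url.startswith(container.url + "//"):
                key = (container.url, member.url)
                if key not in seen:
                    seen.add(key)
                    findings.append((container.url, container.status, member.url, member.detect))
    return findings


# Constructed sample trace in the same shape as the thread's amfcd excerpt (URLs are made up).
SAMPLE_TRACE = [
    "15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://files.example.invalid/MEMZ.zip?up= detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0",
    "15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://files.example.invalid/MEMZ.zip?up= detect: status: Blocked type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0",
    "15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://files.example.invalid/MEMZ.zip?up=//MEMZ/Geometry dash auto speedhack.bat detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2",
    "15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://files.example.invalid/readme.txt detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0",
    "15:08:09.326 0xa50 INF SqliteCache Value not found in cache",
]

if __name__ == "__main__":
    for container_url, container_status, member_url, verdict in find_misreported_containers(SAMPLE_TRACE):
        print(f"container {container_url} logged as '{container_status}' but member {member_url} is {verdict}")
```

Run against the constructed sample, the check reports the .zip container once (its "Clear object" entry) and stays silent for its "Blocked" entry and for the standalone readme.txt; the member path is tied to its container purely by the "//" URL convention visible in the trace, which is an assumption of this example.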
-
-
-
Actually, if you can reproduce it, then you can reproduce it in any browser. I already tried the Edge browser before.
No additional notification is ignored.
And most important, I cannot see any relation between a scan error and a Clean Object moved to Quarantine....
-
According to the traces, AVP correctly detected "http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe" as "Backdoor.Win32.Androm.qbms", but failed to deal with it. Does this issue only happen in "360Chrome/ 360极速浏览器" browsers?
21:54:34.677 0x8 INF aveng asl_trace: leave DetectReportPost Backdoor.Win32.Androm.qbms
21:54:34.677 0x8 INF aveng asl_trace: enter DetectProcessDone Backdoor.Win32.Androm.qbms
21:54:34.677 0x8 INF aveng asl_link: objId:0190a918
21:54:34.677 0x8 INF aveng asl_trace: leave DetectProcessDone Backdoor.Win32.Androm.qbms
21:54:34.677 0x8 INF aveng AVP !EMU (DT)
21:54:34.677 0x8 INF avs aveng Cancel (req) : 0x80000051
21:54:34.677 0x8 INF aveng USR CANCEL 0x80000051
21:54:34.677 0x8 WRN aveng PROC CANCEL: Usr
21:54:34.677 0x8 WRN aveng PROC EF:0x10000 Cnc
21:54:34.677 0x8 WRN aveng PROC ST:0x80000051
21:54:34.677 0x8 WRN aveng AM PROCESS_FINISH #0 !ERR:0x80000051
21:54:34.677 0x8 WRN aveng AM PROCESS_OBJECT_END #0 !ERR:0x80000051
21:54:34.677 0x8 WRN aveng AVP CANCELED
21:54:34.677 0x8 INF aveng AVP LEAVE http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe
Did you set some ignored messages in the KL product settings? Restore all notification messages in the KL settings and use the IE browser to check this issue again.
-
-
-
If this behavior can be reproduced stably, try to clear the iChecker and iSwift databases. After doing that, check again.
Settings -> Protection -> File Anti-Virus -> Advanced settings -> uncheck iChecker and iSwift technology -> recheck them.
-
-
This link should work.
Choose one of the three orange buttons so that the download will begin. And:
30.06.2018 14.34.06;Detected object (file) cannot be disinfected;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat;Trojan.BAT.Memz.b;Trojan program;06/30/2018 14:34:06
30.06.2018 14.34.06;Clean object (file) moved to Quarantine by the user;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=;https://development56.baidupan.com/2018063014bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=PV0QpJywr3_BKXYev9Ryyg&q=MEMZ.zip&e=1530342444&ip=223.11.177.84&fi=3943706&up=;06/30/2018 14:34:06
-
Hi, @xzz123
I simply tested this behavior; nothing happened. Please PM the sample.
The link you provided cannot download the sample directly without registering.