fixwmi.cmd revisited

Back in July 2005 I reported how a small script file was being reported
as "Univ.bat/a" by McAfee and Sybari. Fast forward to 2007. I
submitted to virustotal again, and although McAfee now says it is clean
(which it is) a few other vendors are calling it a Zapchast variant.
Little trouble-making file keeps popping up false positives :0)
==============

AntiVir    7.3.0.21   01.09.2007  BAT/Zapchast.3
BitDefender  7.2  01.11.2007  Trojan.Bat.Zapchast.CU
ClamAV devel-20060426  01.11.2007  Trojan.BAT.Zapchast
Ewido  4.0  01.10.2007  Trojan.Zapchast
Ikarus  T3.1.0.27  01.09.2007  Trojan.BAT.Zapchast
Kaspersky  4.0.2.24  01.11.2007  Trojan.BAT.Zapchast
Norman  5.80.02  01.10.2007   BAT/Zapchast.L

==================
@echo on
 cd /d c:\temp
 rem No WBEM directory means WMI is not installed: try the standalone installer
 if not exist %windir%\system32\wbem goto TryInstall
 cd /d %windir%\system32\wbem
 rem Stop the WMI service and kill any winmgmt process still running
 net stop winmgmt
 winmgmt /kill
 rem Move the old repository aside; the service rebuilds it on next start
 if exist Rep_bak rd Rep_bak /s /q
 rename Repository Rep_bak
 rem Re-register the WMI DLLs and COM servers, then recompile the MOF/MFL schema
 for %%i in (*.dll) do RegSvr32 -s %%i
 for %%i in (*.exe) do call :FixSrv %%i
 for %%i in (*.mof,*.mfl) do Mofcomp %%i
 net start winmgmt
 goto End

:FixSrv
 rem These three are tools, not COM servers, so they get no /RegServer
 if /I (%1) == (wbemcntl.exe) goto SkipSrv
 if /I (%1) == (wbemtest.exe) goto SkipSrv
 if /I (%1) == (mofcomp.exe) goto SkipSrv
 %1 /RegServer

:SkipSrv
 rem Jumping to the end of the file returns from the CALL
 goto End

:TryInstall
 if not exist wmicore.exe goto End
 wmicore /s
 net start winmgmt
:End
============
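As an added illustration, not part of the original post, the Python below parses the vendor result lines quoted above and reports how far the engines agree on a family name. When triaging a suspected false positive, a set of detections that all collapse to one family token (here "zapchast") is worth noting alongside the signature dates, since it shows the engines are naming the same thing rather than each describing independent behaviour. The four-column layout and the list of platform/type prefixes to ignore (`NOISE`) are assumptions about the format, not something the thread defines.

```python
import re
from collections import Counter

# Vendor result lines exactly as posted in the thread:
# vendor, engine version, signature date, detection name (whitespace-separated).
VENDOR_LINES = """\
AntiVir    7.3.0.21   01.09.2007  BAT/Zapchast.3
BitDefender  7.2  01.11.2007  Trojan.Bat.Zapchast.CU
ClamAV devel-20060426  01.11.2007  Trojan.BAT.Zapchast
Ewido  4.0  01.10.2007  Trojan.Zapchast
Ikarus  T3.1.0.27  01.09.2007  Trojan.BAT.Zapchast
Kaspersky  4.0.2.24  01.11.2007  Trojan.BAT.Zapchast
Norman  5.80.02  01.10.2007   BAT/Zapchast.L
"""

# Assumed column layout: vendor, version, dd.mm.yyyy date, detection name.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(\S+)\s*$")

# Platform/type prefixes that carry no family information (assumed list).
NOISE = {"trojan", "bat", "generic", "win32", "worm", "virus"}


def parse_results(text):
    """Return a list of (vendor, version, sigdate, detection) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable result line: {line!r}")
        rows.append(m.groups())
    return rows


def family(detection):
    """Extract the family token from a vendor detection name.

    Splits on '/', '.', '-' and ':', drops known platform/type prefixes and
    short variant suffixes (e.g. 'L', 'CU', '3'), and returns the first
    remaining token in lowercase.
    """
    tokens = [t for t in re.split(r"[./:\-]", detection) if t]
    for t in tokens:
        if t.lower() in NOISE:
            continue
        if re.fullmatch(r"[A-Za-z]{1,2}|\d+", t):
            continue
        return t.lower()
    return detection.lower()


def summarize(text):
    """Count flagging vendors and measure agreement on the family name."""
    rows = parse_results(text)
    fams = Counter(family(det) for _, _, _, det in rows)
    top, top_n = fams.most_common(1)[0]
    return {
        "vendors_flagging": len(rows),
        "families": dict(fams),
        "consensus_family": top,
        "consensus_share": top_n / len(rows),
        "distinct_names": len({det for *_, det in rows}),
    }


if __name__ == "__main__":
    for key, value in summarize(VENDOR_LINES).items():
        print(f"{key}: {value}")
```

Running it on the posted lines reports seven flagging engines, five distinct detection strings, and a single family with a consensus share of 1.0; the script raises on any line that does not fit the assumed column layout rather than silently skipping it.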


Re: fixwmi.cmd revisited



<snip>

I'm speculating that the batch has found its way into test beds of
testing agencies such as av-comparatives, in which case vendors will
refuse to remove the fp. If I'm right, you can expect McAfee and
Sybari to start alerting again soon, along with several more products
which never used to produce the fp :) The harmless batch will be
deemed malware by decree of av-comparatives and the like ... not by av
company analysts. Like we always used to say back in my engineering
days, bullshit beats science! An engineer's nightmare is a marketeer's
dream and vice versa! The marketplace rulez!!! Hey, false positives
sell, man!

:)

Art
http://home.epix.net/~artnpeg

Re: fixwmi.cmd revisited

no, you are wrong.


Art wrote:


Re: fixwmi.cmd revisited

On 14 Jan 2007 11:26:11 -0800, NO-SPAM@av-comparatives.org wrote:


Wrong about what, exactly?  It's been well known since the heyday of
DOS av scanners that leading products purposely detect unviable
samples or "crud" that's known to exist in test beds at vx sites on
the internet. The former DR Solly (and now McAfee) always insisted
that the "cheater" switch /VID be enabled when testing their scanner
so that it had a better chance at higher "detection" rates. FSI
(F-Prot) insisted that the /COLLECT switch be enabled for the same
reason. I know for a fact that Kaspersky makes little or no attempt at
avoiding crud file detection so that it continually fares well in
lousy tests. That's what sells av scanners, as I said.

Or do you mean that just the sample in question does not exist in
av-comparatives test bed of alleged actual malware?


Re: fixwmi.cmd revisited

"Or do you mean that just the sample in question does not exist in
av-comparatives test bed of alleged actual malware? "

yes, I mean that.


Re: fixwmi.cmd revisited

On 14 Jan 2007 23:55:34 -0800, NO-SPAM@av-comparatives.org wrote:


Then I suggest that this sample be part of your false positive testing
test bed. Punish vendors that alert on it and others like it. You have
far more clout than individual users who submit such samples to
vendors in the hope that they will remove detection. Hit them where
it hurts. Lower their ratings on the basis of detecting harmless
files.

Art
http://home.epix.net/~artnpeg
