Mattech

Trojan.Agent/Gen-Sefnit: Is this a possible false positive, and how can you define an FP?


Hi all,

For some reason, recently, after conducting an update on my SAS Free and then doing a scan, despite my antivirus running in real time and scanning daily, like today, SAS happened to come across the Trojan mentioned in my topic name.

I did a little bit of research on its characteristics, i.e. browser manipulation (IE and FF), internet slowdown and the other little treats that come with Trojans, none of which I was experiencing.

It also came attached to a program I have no knowledge of on my PC. However, SAS happily quarantined it; I scanned again and it came back clean, then ran my AV, which also came back clean.

I don't think the fact I was using Avant browser made any difference; I just generally think this is an FP, as it featured in one of the latest updates. My knowledge of how to pick out FPs isn't very good, though, and I was hoping that the SAS community could help enlighten me also.

Thanks

:-D


Hi Mattech,

The Sefnit trojan doesn't always work straight away; depending on the version, it can lie dormant until activated by a program or by malicious code injection. The reason your AV didn't pick it up is usually because they look for different things.

AVs tend to protect against worms and worm-like trojans; scanners search out other malicious trojans. It depends on your AV: some look for more than others.


Additional: If you are still unsure, type MRT into the search bar on the Start menu, open it and run a full scan. It will take a while, but it is designed to pick out rootkits, and Sefnit is on its list.


A false positive occurs when something is detected by a malware definition that shouldn't be. If you think something is being detected improperly, use the built-in false positive reporter at the end of a scan so we can check out the detected item and determine if it is malware or not.
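As an added triage aid (not from this thread and not SUPERAntiSpyware's own tooling), the PowerShell below gathers the evidence that helps decide whether a flagged file is a false positive before it is reported: SHA-256 hash, size, embedded version information and Authenticode signature status. It assumes the file is still on disk at the path the scanner reported (run it before quarantine or on a restored copy); the path at the bottom is a placeholder.

```powershell
# Added example: collect false-positive triage evidence for a flagged file.
# Get-FileHash, Get-AuthenticodeSignature and .VersionInfo are standard cmdlets/properties.
function Get-DetectionTriage {
    param([Parameter(Mandatory)][string]$Path)

    # A quarantined file is no longer at its original path; report that plainly.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Signer subject is only present when the file carries a signature at all.
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        SHA256      = $hash              # value to include in the FP report
        SizeBytes   = $item.Length
        LastWrite   = $item.LastWriteTimeUtc
        Company     = $item.VersionInfo.CompanyName
        Description = $item.VersionInfo.FileDescription
        FileVersion = $item.VersionInfo.FileVersion
        SigStatus   = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer      = $signer
        # Valid signature from the vendor named in CompanyName: strong FP evidence.
        # NotSigned or HashMismatch on a supposed vendor DLL: treat as suspicious.
    }
}

# Placeholder path: substitute the exact path shown in the scan result.
Get-DetectionTriage -Path 'C:\ProgramData\Installmate\<placeholder-id>\SETUP.DLL' | Format-List
```

The hash and signer fields are what a vendor reviewing an FP report needs, so paste them alongside the detection name.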


Okay, well, SAS conducted the removal. However, a couple of days later I did another scan, revealing a clean system (apart from a couple of tracking cookies); then, when I rebooted, my PC went into 'System Repair' start-up.

The repair did a 'System Restore'. So I re-scanned, and it revealed that the Trojan that went into Quarantine had once again appeared, as did another unwanted file.

I'm kind of thinking there are 3 possibilities. Either the Trojan is clever and caused the restore itself; however, if it was quarantined, surely this would not happen. Or my second guess is that this just 'happened' due to a bad update, etc. And third is that this is an FP and putting it into Quarantine is causing issues.

At the end of this scan I will report the file as an FP for investigation, but for reference it is under the following path:

'C:\PROGRAMDATA\INSTALLMATE\ ...and so on, a number of letters and numbers, ending in SETUP.DLL'.

It appears twice under this name. 'Installmate' appears to be an installation programme well respected on the net. This Trojan does not appear to have ever come under this path.

GUILTY SPARK - I do not understand your MRT instructions. Please expand?

Thanks again.


In the Start menu, on the search bar at the bottom (maybe different in XP, can't remember), type MRT. You should then be presented with a program that says MRT (Windows malicious program removal tool - MRT). Open this program up and select "View list of malware this tool detects". In that list is the Sefnit virus.

You can then choose to run the Full Scan and see if it detects it.


As feedback, MRT came back clear; therefore the SAS Quarantine the second time (because of the restore, not SAS) seems to have succeeded again. I did not submit it as an FP in the end, as I wanted to play it safe and just remove it.

Let's just hope the odd system repair was a one-off...
