Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

False Positive Win.Malware.Ursu-9887615-0 (Pafish) #1369

Closed m4st3rh4nd closed 2 months ago

m4st3rh4nd commented 2 months ago

Official download from Microsoft https://download.sysinternals.com/files/SysinternalsSuite.zip

File Hash: SHA256 0c3d0d3c521c2afec946dba36ae47b114b04b8a2ca4f7d95c88883e2c2bc023d MD5 cc7a9ec9b74bab01d87e566cbf356623

Engine version: 1.3.1

Also https://clamav.net/ "This website might not support the TLS 1.2 protocol, which is the minimum version supported by Firefox."

micahsnyder commented 2 months ago

@m4st3rh4nd we're aware of the issue with https://clamav.net/. DNS configuration for clamav.net is split between two different service providers. We've had some trouble with the certificate for https://clamav.net/ as a result, and I have not been able to get it fixed.

If you navigate to https://www.clamav.net/ instead, it should work okay.

I would normally ask you to submit false positives to https://www.clamav.net/reports/fp. The Cisco Talos Threat Research Team have a pipeline set up to triage false positive reports. However, this ZIP is larger than 25MB and the FP reporting form probably won't work unless you find the specific file within that matches and submit that. It was built to handle files smaller than 25MB and design changes are needed to fix it. I will forward your report to our Threat Research team for manual investigation.

micahsnyder commented 2 months ago

@m4st3rh4nd I went to confirm the FP before forwarding and ran into some trouble.

The hashes you provide do not match those of the SysInternalsSuite.zip from the URL.

The current SysInternalsSuite.zip does not match with "Win.Malware.Ursu-9887615-0" in my own testing. So I cannot reproduce the issue.

m4st3rh4nd commented 2 months ago

Yes, yes, indeed. My mistake. It's not SysInternalsSuite. I looked into my "SysInternalsSuite.zip" and found that I've added pafish64.exe (https://github.com/a0rtega/pafish/releases/download/v0.6/pafish64.exe), which was/is causing Win.Malware.Ursu-9887615-0 and the different hashes.

pafish64.exe: SHA256 ff24b9da6cddd77f8c19169134eb054130567825eee1008b5a32244e1028e76f MD5 4b6229d1b32d7346cf4c8312a8bc7925

micahsnyder commented 2 months ago

I'm not familiar with Pafish. Pretty much everyone seems to think this one is malware: https://www.virustotal.com/gui/file/ff24b9da6cddd77f8c19169134eb054130567825eee1008b5a32244e1028e76f

Based on the goal of the project, I'm not surprised:

The goal of this project is to collect techniques commonly observed in malware samples to evade analysis systems. This allows analysts to study them and test whether the analysis environments are properly implemented.

I don't think it is practical for us to drop sigs or tailor sigs to ignore pafish detections.

If you want to add your own rule to ignore it, you can do so with an .fp signature: https://docs.clamav.net/manual/Signatures/AllowLists.html
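The .fp allowlist mentioned in the last comment is a plain text database of `hash:size:name` lines (the same line `sigtool --md5 <file>` prints), and ClamAV only suppresses a detection when both the hash and the file size of the scanned file match an entry. The script below is an added example, not code from the ClamAV project or from either participant in the thread: it builds such a line without ClamAV installed and reproduces the hash-plus-size match so you can see why a rebuilt pafish binary would be flagged again. It assumes coreutils `md5sum` and `wc`; the file contents are constructed for the demo and are not the pafish64.exe from the report.

```shell
#!/bin/sh
# Added example (not ClamAV project code). Assumes coreutils md5sum and wc.
# A ClamAV .fp allowlist entry is "hash:size:name"; the name is a label of
# your choosing and plays no part in matching.

fp_line() {
    # $1 = file to allowlist, $2 = label for the entry (defaults to the file name)
    # Emits the same "md5:size:name" line that `sigtool --md5 "$1"` would.
    file=$1
    label=${2:-$(basename "$file")}
    md5=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$label"
}

fp_matches() {
    # $1 = .fp database file, $2 = file to check
    # Returns 0 when some entry's hash AND size match the file, 1 otherwise.
    # This mirrors ClamAV's hash-signature rule: a size of "*" matches any size,
    # otherwise the size must equal the file's byte length.
    db=$1
    md5=$(md5sum "$2" | cut -d' ' -f1)
    size=$(wc -c < "$2" | tr -d ' ')
    while IFS=: read -r h s n; do
        case "$h" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        if [ "$h" = "$md5" ]; then
            if [ "$s" = '*' ] || [ "$s" = "$size" ]; then
                return 0
            fi
        fi
    done < "$db"
    return 1
}

# Demo on constructed input (a 5-byte file standing in for pafish64.exe).
demo=$(mktemp -d)
printf 'hello' > "$demo/pafish-like.bin"
fp_line "$demo/pafish-like.bin" "Pafish.allow" > "$demo/local.fp"
cat "$demo/local.fp"
if fp_matches "$demo/local.fp" "$demo/pafish-like.bin"; then
    echo "allowlisted: hash and size match"
fi
# A new build changes both hash and size, so the old entry no longer applies.
printf 'x' >> "$demo/pafish-like.bin"
if ! fp_matches "$demo/local.fp" "$demo/pafish-like.bin"; then
    echo "not allowlisted after the file changed; regenerate the .fp line"
fi
rm -rf "$demo"
```

To use a real entry, write the `fp_line` output (or `sigtool --md5 pafish64.exe`) into a file whose name ends in `.fp`, then either drop it into the database directory or pass it alongside the main database, e.g. `clamscan -d /var/lib/clamav -d local.fp pafish64.exe`. Because the size is part of the match, every pafish release needs its own line; an allowlist entry never widens to "any file named pafish64.exe".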