topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Tuesday March 19, 2024, 2:57 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Websense (Directly and via VirusTotal) - DonationCoder is Malicious  (Read 15080 times)

BillR

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 16
    • View Profile
    • Donate to Member
Random Idea - Maybe a simple way to submit every(?) page of a site to VirusTotal for evaluation?  Several tools will list all links and build a tree and VT has a simple API so I guess this would be primarily a script (with a 16 second delay between submits) and some parsing of the results to build a simple report.
I've also noticed that www.some-site-xyz.com and some-site-xyz.com will return different results in VT even when one redirects to the other.

---------
Websense (Directly and via VirusTotal) - DonationCoder is Malicious   :o

http://csi.websense....4-bb68-a2b8006ae41e#

https://www.virustot...analysis/1390140476/

https://www.donation...AndRunRobotSetup.exe

Requested reclassification as productivity software because:

FARR - Program launcher for MS Windows.
Other software is also available on donationcoder.com, much of it productivity related such as ScreenshotCaptor (enhanced print/capture screen) and JottiQ (MS Windows Explorer context menu extension to submit files to Jotti.org -- security productivity).

-----
File detected:   FindAndRunRobotSetup.exe
File threat classification:   Malicious
....
The Websense ThreatSeeker Intelligence Cloud is now reclassifying this URL due to the malicious file it drops. If you suspect someone from your organization went to this URL, inspect their machines for possible malware infection. The assessment overview below does not include the results of this file analysis.
-----
Scroll to the bottom to see FARR.exe analysis
« Last Edit: January 19, 2014, 09:42 AM by BillR, Reason: Typo - Why can\'t I notice these before I submit? »

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Websense (Directly and via VirusTotal) - DonationCoder is Malicious
« Reply #1 on: January 19, 2014, 07:24 PM »
Thanks for the report.  Another false alarm by some lazy site -- FARR does no such thing.
Let me go look.

Notice that VirusTotal shows dozens of analyzers all report FARR as clean, only "Websense ThreatSeeker" has incorrectly listed it.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Websense (Directly and via VirusTotal) - DonationCoder is Malicious
« Reply #2 on: January 19, 2014, 07:30 PM »
Has anyone found a way to report a false positive to these Websense jokers?  It never ceases to amaze me how these security services have no problem classifying things as malware for no reason and then make it almost impossible to contact them to have it corrected.

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,192
    • View Profile
    • Donate to Member
Re: Websense (Directly and via VirusTotal) - DonationCoder is Malicious
« Reply #3 on: January 19, 2014, 08:04 PM »
What you can do if you feel a website has been incorrectly categorized.

Ask your Help Desk or IT administrator to change a website's category (they can override the Websense category). You can also suggest that Websense researchers reevaluate a categorization by e-mailing [email protected].

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Websense (Directly and via VirusTotal) - DonationCoder is Malicious
« Reply #4 on: January 19, 2014, 08:04 PM »
thx rg

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,958
    • View Profile
    • Donate to Member
Re: Websense (Directly and via VirusTotal) - DonationCoder is Malicious
« Reply #5 on: January 19, 2014, 08:42 PM »
Has anyone found a way to report a false positive to these Websense jokers?  It never ceases to amaze me how these security services have no problem classifying things as malware for no reason and then make it almost impossible to contact them to have it corrected.

towards the top of the page -- under "Classification" there's a link "suggest different classification".

That's bizzare -- it's an incredibly specific report -- I wonder did they get two different reports mixed up or someting :-\
Tom

BillR

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 16
    • View Profile
    • Donate to Member
Re: Websense (Directly and via VirusTotal) - DonationCoder is Malicious
« Reply #6 on: January 20, 2014, 12:37 PM »
Has anyone found a way to report a false positive to these Websense jokers?  It never ceases to amaze me how these security services have no problem classifying things as malware for no reason and then make it almost impossible to contact them to have it corrected.

I've found reporting any reputation/blacklist false positives quite painful.   :(  In some cases I can't request a review unless I'm registered but registration requires a non-hotmail/gmail/... and non-mailinator/... account and a business phone and review/approval by the marketing(?) dept. OR purchasing the software.  In another, I had to resort to private correspondence with the contractor supporting the blacklist site (found his email from a different project years ago) because my email address was improperly treated as blacklisted on the registration page (a configuration/programming error triggered a review) and of course I couldn't use the website contact admin form to report a problem because I was under review.

Mouser and other authors, if you don't already, you might try submitting any published program version to the three AV meta-scan sites VirusTotal, Jotti.org, and Metascan-Online just to see if there is a problem and to get the (slow?!) review process started.  Between them they cover at least 25 *nix and MS Windows-based antimalware engines plus another three dozen Windows-based engines (although many primarily use signatures from one of the same few sources like BitDefender).  Most of these are primarily/just signature oriented.  Won't guarantee AV-conflict-free installations with actual installed antimalware products but I assume it should help.  

Mouser or others may disabuse me of the efficacy of this idea, of course. For example the new freeware-ish version of XYplorer (a great file manager) is still listed as malware by four engines a couple of weeks later.

The best summary of how to report file false positives that I know about is by Chiron on TechSupportAlert (please chime in if you know of other good ones, especially any that automate reporting!):

http://www.techsuppo...ntivirus-vendors.htm

tomos
towards the top of the page -- under "Classification" there's a link "suggest different classification".
Yes, tried that.  Don't expect it to work since I think the real problem is the evaluation of the file.  Of Jotti (~25 engines), VirusTotal (48), and Metascan-Online (40) only Antiy flags FARR. (Antiy FP review already requested.)

BTW, URLvoid also passes DC site as a whole.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,857
    • View Profile
    • Donate to Member
Re: Websense (Directly and via VirusTotal) - DonationCoder is Malicious
« Reply #7 on: January 20, 2014, 07:16 PM »
It's only a matter of time before one of these self-appointed watchdogs gets hauled into court for defamation and damages.

You can't just label something malicious or suspicious and not take responsibility for your actions. Or in cases like this, not to take appropriate action when in error.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Websense (Directly and via VirusTotal) - DonationCoder is Malicious
« Reply #8 on: January 20, 2014, 07:26 PM »
The best summary of how to report file false positives that I know about is by Chiron on TechSupportAlert (please chime in if you know of other good ones, especially any that automate reporting!):

http://www.techsuppo...ntivirus-vendors.htm

Another awesome page on techsupportalert, thanks for that  :up:

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Websense (Directly and via VirusTotal) - DonationCoder is Malicious
« Reply #9 on: January 21, 2014, 07:13 AM »
From websense email reply:

Hello,

The site you submitted has been reviewed and determined safe for browsing. The site will resume its filtering under the following category:

https://www.donation...AndRunRobotSetup.exe  – Information Technology

Categorization updates should be reflected in the next scheduled database publication, and will be available shortly to Real-Time Updates subscribers.

Thank you for your inquiry,

Samana
Websense Labs

BillR

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 16
    • View Profile
    • Donate to Member
Re: Websense (Directly and via VirusTotal) - DonationCoder is Malicious
« Reply #10 on: January 21, 2014, 10:32 AM »
So a quick summary:
  • WebSense corrected its rating. 
  • rgdot documented FP process:
    suggest that Websense researchers reevaluate a categorization by e-mailing [email protected].
  • N.A.N.Y. Challenge 2014 idea suggested: website oriented VT auto-submission tool.  (I originally wrote "2104".  I hope for a much better solution by then but don't expect to see it personally.)  Or maybe this already exists?
  • This challenge to Mouser's equanimity has passed.  :D