Author Topic: Websense (Directly and via VirusTotal) - DonationCoder is Malicious  (Read 2569 times)
BillR
Supporting Member
« on: January 19, 2014, 09:38:33 AM »

Random Idea - Maybe a simple way to submit every(?) page of a site to VirusTotal for evaluation?  Several tools will list all links and build a tree and VT has a simple API so I guess this would be primarily a script (with a 16 second delay between submits) and some parsing of the results to build a simple report.
I've also noticed that www.some-site-xyz.com and some-site-xyz.com will return different results in VT even when one redirects to the other.

---------
Websense (Directly and via VirusTotal) - DonationCoder is Malicious   ohmy

http://csi.websense.com/R...2-4b34-bb68-a2b8006ae41e#

https://www.virustotal.co...a724/analysis/1390140476/

http://www.donationcoder..../FindAndRunRobotSetup.exe

Requested reclassification as productivity software because:

FARR - Program launcher for MS Windows.
Other software is also available on donationcoder.com, much of it productivity related such as ScreenshotCaptor (enhanced print/capture screen) and JottiQ (MS Windows Explorer context menu extension to submit files to Jotti.org -- security productivity).

-----
File detected:   FindAndRunRobotSetup.exe
File threat classification:   Malicious
....
The Websense ThreatSeeker Intelligence Cloud is now reclassifying this URL due to the malicious file it drops. If you suspect someone from your organization went to this URL, inspect their machines for possible malware infection. The assessment overview below does not include the results of this file analysis.
-----
Scroll to the bottom to see FARR.exe analysis
« Last Edit: January 19, 2014, 09:42:16 AM by BillR; Reason: Typo - Why can't I notice these before I submit? » Logged
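
A sketch of the site-wide check suggested in the post above, added here as an example; it is not code from the thread or from DonationCoder. It checks each URL under both its www and bare host (the post notes the two can score differently), spaces lookups 16 seconds apart, and marks URLs flagged by exactly one engine. The `vt_lookup` call assumes the VirusTotal API v3 URL-report endpoint; the `example.test` URLs, engine names and verdicts are constructed sample data.

```python
import base64, json, time, urllib.request
from urllib.parse import urlsplit, urlunsplit

def host_variants(url):
    """Return the URL under both its given host and the www./bare twin."""
    p = urlsplit(url)
    twin = p.netloc[4:] if p.netloc.startswith("www.") else "www." + p.netloc
    return [url, urlunsplit(p._replace(netloc=twin))]

def vt_lookup(url, api_key):
    """Assumed VirusTotal API v3 call: per-engine verdicts for one URL."""
    url_id = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    req = urllib.request.Request("https://www.virustotal.com/api/v3/urls/" + url_id,
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]["attributes"]["last_analysis_results"]

def flagged_engines(results):
    return sorted(e for e, r in results.items()
                  if r.get("category") in ("malicious", "suspicious"))

def scan_site(urls, lookup, delay=16, sleep=time.sleep):
    """Look up each URL under both host forms, pausing `delay` s between calls."""
    report = []
    for variant in (v for url in urls for v in host_variants(url)):
        if report:
            sleep(delay)  # the 16-second spacing from the post
        results = lookup(variant)
        hits = flagged_engines(results)
        verdict = ("clean" if not hits else
                   "single-engine outlier" if len(hits) == 1 else "flagged")
        report.append({"url": variant, "engines": len(results),
                       "flagged_by": hits, "verdict": verdict})
    return report

# Constructed sample verdicts (not real scan data); engine names are placeholders.
SAMPLE = {
    "http://www.example.test/setup.exe": {"EngineA": {"category": "harmless"},
                                          "EngineB": {"category": "malicious"}},
    "http://example.test/setup.exe": {"EngineA": {"category": "harmless"},
                                      "EngineB": {"category": "undetected"}},
}

def demo():
    pauses = []  # record the sleeps instead of actually waiting
    return scan_site(["http://www.example.test/setup.exe"],
                     SAMPLE.__getitem__, sleep=pauses.append), pauses

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

For a live run, pass `lambda u: vt_lookup(u, key)` as `lookup`, with your own API key in `key`.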
mouser
First Author
Administrator
« Reply #1 on: January 19, 2014, 07:24:45 PM »

Thanks for the report.  Another false alarm by some lazy site -- FARR does no such thing.
Let me go look.

Notice that VirusTotal shows dozens of analyzers all report FARR as clean, only "Websense ThreatSeeker" has incorrectly listed it.
Logged
mouser
First Author
Administrator
« Reply #2 on: January 19, 2014, 07:30:28 PM »

Has anyone found a way to report a false positive to these Websense jokers?  It never ceases to amaze me how these security services have no problem classifying things as malware for no reason and then make it almost impossible to contact them to have it corrected.
Logged
rgdot
Supporting Member
« Reply #3 on: January 19, 2014, 08:04:05 PM »

Quote
What you can do if you feel a website has been incorrectly categorized.

Ask your Help Desk or IT administrator to change a website's category (they can override the Websense category). You can also suggest that Websense researchers reevaluate a categorization by e-mailing suggest@websense.com.
Logged
mouser
First Author
Administrator
« Reply #4 on: January 19, 2014, 08:04:46 PM »

thx rg
Logged
tomos
Charter Member
« Reply #5 on: January 19, 2014, 08:42:57 PM »

Quote
Has anyone found a way to report a false positive to these Websense jokers?  It never ceases to amaze me how these security services have no problem classifying things as malware for no reason and then make it almost impossible to contact them to have it corrected.

Towards the top of the page -- under "Classification" there's a link "suggest different classification".

That's bizarre -- it's an incredibly specific report -- I wonder did they get two different reports mixed up or something undecided
Logged

Tom
BillR
Supporting Member
« Reply #6 on: January 20, 2014, 12:37:04 PM »

Quote
Has anyone found a way to report a false positive to these Websense jokers?  It never ceases to amaze me how these security services have no problem classifying things as malware for no reason and then make it almost impossible to contact them to have it corrected.

I've found reporting any reputation/blacklist false positives quite painful.   Sad  In some cases I can't request a review unless I'm registered but registration requires a non-hotmail/gmail/... and non-mailinator/... account and a business phone and review/approval by the marketing(?) dept. OR purchasing the software.  In another, I had to resort to private correspondence with the contractor supporting the blacklist site (found his email from a different project years ago) because my email address was improperly treated as blacklisted on the registration page (a configuration/programming error triggered a review) and of course I couldn't use the website contact admin form to report a problem because I was under review.

Mouser and other authors, if you don't already, you might try submitting any published program version to the three AV meta-scan sites VirusTotal, Jotti.org, and Metascan-Online just to see if there is a problem and to get the (slow?!) review process started.  Between them they cover at least 25 *nix and MS Windows-based antimalware engines plus another three dozen Windows-based engines (although many primarily use signatures from one of the same few sources like BitDefender).  Most of these are primarily/just signature oriented.  Won't guarantee AV-conflict-free installations with actual installed antimalware products but I assume it should help.  

Mouser or others may disabuse me of the efficacy of this idea, of course. For example the new freeware-ish version of XYplorer (a great file manager) is still listed as malware by four engines a couple of weeks later.

The best summary of how to report file false positives that I know about is by Chiron on TechSupportAlert (please chime in if you know of other good ones, especially any that automate reporting!):

http://www.techsupportale...ple-antivirus-vendors.htm

tomos
towards the top of the page -- under "Classification" there's a link "suggest different classification".
Yes, tried that.  Don't expect it to work since I think the real problem is the evaluation of the file.  Of Jotti (~25 engines), VirusTotal (48), and Metascan-Online (40) only Antiy flags FARR. (Antiy FP review already requested.)

BTW, URLvoid also passes DC site as a whole.
Logged
40hz
Supporting Member
« Reply #7 on: January 20, 2014, 07:16:11 PM »

It's only a matter of time before one of these self-appointed watchdogs gets hauled into court for defamation and damages.

You can't just label something malicious or suspicious and not take responsibility for your actions. Or in cases like this, not to take appropriate action when in error.
Logged

Don't you see? It's turtles all the way down!
mouser
First Author
Administrator
« Reply #8 on: January 20, 2014, 07:26:37 PM »

Quote
The best summary of how to report file false positives that I know about is by Chiron on TechSupportAlert (please chime in if you know of other good ones, especially any that automate reporting!):

http://www.techsupportale...ple-antivirus-vendors.htm

Another awesome page on techsupportalert, thanks for that  thumbs up
Logged
mouser
First Author
Administrator
« Reply #9 on: January 21, 2014, 07:13:59 AM »

From websense email reply:

Quote
Hello,

The site you submitted has been reviewed and determined safe for browsing. The site will resume its filtering under the following category:

http://www.donationcoder..../FindAndRunRobotSetup.exe  – Information Technology

Categorization updates should be reflected in the next scheduled database publication, and will be available shortly to Real-Time Updates subscribers.

Thank you for your inquiry,

Samana
Websense Labs
Logged
BillR
Supporting Member
« Reply #10 on: January 21, 2014, 10:32:31 AM »

So a quick summary:
  • WebSense corrected its rating. 
  • rgdot documented FP process:
    suggest that Websense researchers reevaluate a categorization by e-mailing suggest@websense.com.
  • N.A.N.Y. Challenge 2014 idea suggested: website oriented VT auto-submission tool.  (I originally wrote "2104".  I hope for a much better solution by then but don't expect to see it personally.)  Or maybe this already exists?
  • This challenge to Mouser's equanimity has passed.  cheesy
Logged