Websense (Directly and via VirusTotal) - DonationCoder is Malicious

[BillR]

Random Idea - Maybe a simple way to submit every(?) page of a site to VirusTotal for evaluation?  Several tools will list all links and build a tree and VT has a simple API so I guess this would be primarily a script (with a 16 second delay between submits) and some parsing of the results to build a simple report.
I've also noticed that www.some-site-xyz.com and some-site-xyz.com will return different results in VT even when one redirects to the other.

---------
Websense (Directly and via VirusTotal) - DonationCoder is Malicious  

http://csi.websense....4-bb68-a2b8006ae41e#

https://www.virustot...analysis/1390140476/

https://www.donation...AndRunRobotSetup.exe

Requested reclassification as productivity software because:

FARR - Program launcher for MS Windows.
Other software is also available on donationcoder.com, much of it productivity related such as ScreenshotCaptor (enhanced print/capture screen) and JottiQ (MS Windows Explorer context menu extension to submit files to Jotti.org -- security productivity).

-----
File detected:   FindAndRunRobotSetup.exe
File threat classification:   Malicious
....
The Websense ThreatSeeker Intelligence Cloud is now reclassifying this URL due to the malicious file it drops. If you suspect someone from your organization went to this URL, inspect their machines for possible malware infection. The assessment overview below does not include the results of this file analysis.
-----
Scroll to the bottom to see FARR.exe analysis

[mouser]

Thanks for the report.  Another false alarm by some lazy site -- FARR does no such thing.
Let me go look.

Notice that VirusTotal shows dozens of analyzers all report FARR as clean, only "Websense ThreatSeeker" has incorrectly listed it.

[mouser]

Has anyone found a way to report a false positive to these Websense jokers?  It never ceases to amaze me how these security services have no problem classifying things as malware for no reason and then make it almost impossible to contact them to have it corrected.

[rgdot]

What you can do if you feel a website has been incorrectly categorized.

Ask your Help Desk or IT administrator to change a website's category (they can override the Websense category). You can also suggest that Websense researchers reevaluate a categorization by e-mailing [email protected].

[mouser]

thx rg

[tomos]

Has anyone found a way to report a false positive to these Websense jokers?  It never ceases to amaze me how these security services have no problem classifying things as malware for no reason and then make it almost impossible to contact them to have it corrected.

-mouser (January 19, 2014, 07:30 PM)

towards the top of the page -- under "Classification" there's a link "suggest different classification".

That's bizzare -- it's an incredibly specific report -- I wonder did they get two different reports mixed up or someting

[BillR]

Has anyone found a way to report a false positive to these Websense jokers?  It never ceases to amaze me how these security services have no problem classifying things as malware for no reason and then make it almost impossible to contact them to have it corrected.

-mouser (January 19, 2014, 07:30 PM)

I've found reporting any reputation/blacklist false positives quite painful.    In some cases I can't request a review unless I'm registered but registration requires a non-hotmail/gmail/... and non-mailinator/... account and a business phone and review/approval by the marketing(?) dept. OR purchasing the software.  In another, I had to resort to private correspondence with the contractor supporting the blacklist site (found his email from a different project years ago) because my email address was improperly treated as blacklisted on the registration page (a configuration/programming error triggered a review) and of course I couldn't use the website contact admin form to report a problem because I was under review.

Mouser and other authors, if you don't already, you might try submitting any published program version to the three AV meta-scan sites VirusTotal, Jotti.org, and Metascan-Online just to see if there is a problem and to get the (slow?!) review process started.  Between them they cover at least 25 *nix and MS Windows-based antimalware engines plus another three dozen Windows-based engines (although many primarily use signatures from one of the same few sources like BitDefender).  Most of these are primarily/just signature oriented.  Won't guarantee AV-conflict-free installations with actual installed antimalware products but I assume it should help.  

Mouser or others may disabuse me of the efficacy of this idea, of course. For example the new freeware-ish version of XYplorer (a great file manager) is still listed as malware by four engines a couple of weeks later.

The best summary of how to report file false positives that I know about is by Chiron on TechSupportAlert (please chime in if you know of other good ones, especially any that automate reporting!):

http://www.techsuppo...ntivirus-vendors.htm

tomos

towards the top of the page -- under "Classification" there's a link "suggest different classification".

-tomos (January 19, 2014, 08:42 PM)

Yes, tried that.  Don't expect it to work since I think the real problem is the evaluation of the file.  Of Jotti (~25 engines), VirusTotal (48), and Metascan-Online (40) only Antiy flags FARR. (Antiy FP review already requested.)

BTW, URLvoid also passes DC site as a whole.

[40hz]

It's only a matter of time before one of these self-appointed watchdogs gets hauled into court for defamation and damages.

You can't just label something malicious or suspicious and not take responsibility for your actions. Or in cases like this, not to take appropriate action when in error.

[mouser]

The best summary of how to report file false positives that I know about is by Chiron on TechSupportAlert (please chime in if you know of other good ones, especially any that automate reporting!):

http://www.techsuppo...ntivirus-vendors.htm

Another awesome page on techsupportalert, thanks for that 

[mouser]

From websense email reply:

Hello,

The site you submitted has been reviewed and determined safe for browsing. The site will resume its filtering under the following category:

https://www.donation...AndRunRobotSetup.exe  – Information Technology

Categorization updates should be reflected in the next scheduled database publication, and will be available shortly to Real-Time Updates subscribers.

Thank you for your inquiry,

Samana
Websense Labs

[BillR]

So a quick summary:

• WebSense corrected its rating. 
• rgdot documented FP process:

  suggest that Websense researchers reevaluate a categorization by e-mailing [email protected].

  -rgdot (January 19, 2014, 08:04 PM)
• N.A.N.Y. Challenge 2014 idea suggested: website oriented VT auto-submission tool.  (I originally wrote "2104".  I hope for a much better solution by then but don't expect to see it personally.)  Or maybe this already exists?
• This challenge to Mouser's equanimity has passed.