Ran Kaspersky Rescue 10 overnight and the system came out clean, except for an obscure shortcut (one amongst hundreds). Kaspersky reports the trojan as:

trojan-downloader.win32.pif.xx

and according to this Microsoft link, Kaspersky could indeed have found a valid infection. I have carefully checked the .lnk file in a binary editor and in Notepad, with nothing obviously suspicious.

Virus scanners use various sophisticated heuristics (such as SHA256 hashes) to detect infections, but these are susceptible to false positives. Is there any manual way to determine definitively if the shortcut is infected or whether Kaspersky has just stumbled on a (rare) false positive?

UPDATE

I found this online scanner. After uploading my .lnk file, Kaspersky again found the above-mentioned trojan...but 55 other scanners found nothing. The shortcut was running this command:

%SystemRoot%\system32\cmd.exe /c start "Send USB" /min /low C:\Batch\SendToUSB.bat

After making one trivial change of removing /low from the above command, every scanner now shows the shortcut as clean including Kaspersky. I also scanned cmd.exe, the batch file itself and a few other shortcuts with similar commands. Nothing detected.

With a high degree of confidence, this appears to be a false positive.

  • The only way you can check for a false positive is if you know whether something is a virus or not. Given that you need a scanner for that in the first place, the answer would therefore be: scan with different scanners, but keep in mind that another program may not find this virus because it doesn't know how to scan for it. Just checking the binary data of a file is not enough.
    – LPChip
    Commented Apr 26, 2016 at 10:34
  • Your Microsoft link is not working.
    – manjesh23
    Commented Apr 26, 2016 at 10:35
  • 2
    @manjesh23 it works for me.
    – LPChip
    Commented Apr 26, 2016 at 10:48
  • @LPChip, then I'm not sure what is wrong with my machine. Thank you for the update.
    – manjesh23
    Commented Apr 26, 2016 at 10:49
  • @Ramhound: It was "Send OPC to USB.lnk" if you think the name is relevant. This was one of many shortcuts to many batch files I use for various C++ and Delphi development projects. All shortcuts and batch files were created or written by myself. That Kaspersky flagged this obscure shortcut as a threat made me immediately think "false positive", hence the question.
    – AlainD
    Commented Apr 26, 2016 at 21:46

1 Answer

1

A "false positive" is defined as when the anti-malware software detected a problem, but it wasn't actually malicious. There is no surefire direct simple process that will 100% rule out a false positive. If there were, we would automate that technique, and make that part of the anti-malware software.

So the answer to your question,

"Is there any manual way to determine definitively"

is: only one. That way is to manually analyze the threat, which you said you did in Notepad. If you applied sufficient expertise (e.g., understand the format of the file, and what it can do), then you've done all that you can "definitely" do. That is all that the world's best anti-malware authors/experts can do. There is nothing else that is more "definitive", nor any other simpler process that is "definitive".

One approach you can use is to cast this up to a vote. Upload the file to http://VirusTotal.com and quickly see what other anti-malware thinks of the file.

Anti-malware software vendors will often publish further info about detected threats on their website. Searching for "Kaspersky Threat Database" led me to Kaspersky VirusWatchLite, where you can enter "trojan-downloader.win32.pif.xx" into the filter box. This tells you that Kaspersky added the threat in April 2010. Unlike some other threats, this threat doesn't seem to have a hyperlink to more info.

Or you could try searching for "trojan-downloader.win32.pif.xx" on the web. This showed me that "trojan-downloader.win32.pif.us" had some info about it, with the top Google search result being the Microsoft hyperlink that you provided. So, it appears you already found that path to check out.

In the end, since the process of determining if something is actually malicious is making a decision that is not completely automatable, ultimately you must make your own decision.

Update: I now see your update. (I don't know how I missed it before.) I see you found VirusTotal as well. Well, it looks like you're finding the correct approaches. Consider my answer to be a vote of confidence that you're doing the right things. Consider yourself satisfied. Or, if you can't do that, play around with it some more, learning about the exact format of a Windows shortcut, and checking every single byte in a hex editor.

1
  • Thanks. VirusTotal was useful because you could see what multiple virus scanners were "thinking". It was helpful to see Kaspersky raise exactly the same alert on the website as it did on a local scan (and all the others detect nothing). I appreciate that scanners must use heuristics to detect threats, otherwise they would be too slow to be useful in real-time. But even clever rules-of-thumb occasionally fail and give false positives or fail to detect real threats. That's life.
    – AlainD
    Commented Apr 26, 2016 at 21:46
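As an added example (not code from the question, the answer, or Kaspersky): a minimal parser for the Windows Shell Link (.lnk) format as documented in MS-SHLLINK, run over a constructed shortcut that carries the arguments quoted in the question. It recovers the StringData fields a scanner sees (relative path, arguments, show command) and reports any bytes left after the terminal ExtraData block, which is what you are really looking for when you step through a shortcut in a hex editor. The relative path to cmd.exe and the cp1252 fallback for non-Unicode strings are assumptions of the sample.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK (Windows .lnk format)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this order, each present only if its flag bit is set
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Walk a .lnk structure by structure and return what the shortcut would launch."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}  # 7 = minimised
    pos = 0x4C
    if flags & HAS_ID_LIST:                # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:              # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, key in STRING_FIELDS:         # CountCharacters + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            # cp1252 is an assumed code page for the ANSI case
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += width * count
    while pos + 4 <= len(data):            # ExtraData blocks; a size < 4 terminates
        block_size = struct.unpack_from("<I", data, pos)[0]
        pos += block_size if block_size >= 4 else 4
        if block_size < 4:
            break
    info["trailing_bytes"] = len(data) - pos   # bytes the format does not account for
    return info

def build_lnk(arguments: str, relative_path: str, show_cmd: int = 7) -> bytes:
    """Constructed sample: minimal shortcut with an empty IDList, RelativePath and Arguments."""
    flags = HAS_ID_LIST | 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x80) + b"\0" * 24  # times
    header += struct.pack("<IIIHHII", 0, 0, show_cmd, 0, 0, 0, 0)  # ShowCommand lands at 0x3C
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    id_list = struct.pack("<H", 2) + b"\0\0"   # IDListSize 2: only the TerminalID
    return header + id_list + enc(relative_path) + enc(arguments) + struct.pack("<I", 0)

if __name__ == "__main__":
    sample = build_lnk('/c start "Send USB" /min /low C:\\Batch\\SendToUSB.bat',
                       "..\\..\\Windows\\system32\\cmd.exe")
    for key, value in parse_lnk(sample).items():
        print(f"{key:>15}: {value!r}")
```

A non-zero trailing_bytes value means the file holds data no structure of the format claims, which is worth a closer look before writing a detection off as a false positive.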
