
Detected As Malicious Program

Below is some of my analysis for Foobar2000.

Hybrid Analysis scans this as a malicious program HERE

VirusTotal with 3/66 detection HERE

Is this a FALSE POSITIVE? I need clarification on the file integrity.

Website Link - https://www.foobar2000.org/
SHA-256 - 2fdd5465cf9afaed94a5d7dbdcb9252fb8cd1753b323283f6983ec75db20c250


Re: Detected As Malicious Program

Reply #1
Very false positive. Virustotal has those few engines that mark absolutely everything as malware, including Windows binaries such as rundll32 and cmd.exe.

Hybrid analysis shows:

Quote: "Accesses potentially sensitive information from local browsers"
foobar2000 can read proxy information from IE; that should be it.

Quote: "Contains ability to open the clipboard"
The Properties dialog allows filling tag data from the clipboard.

Quote: "Found a string that may be used as part of an injection method"
No idea what they mean by this. Can't anything that runs be used as an injection method?

Quote: "Modifies auto-execute functionality by setting/creating a value in the registry"
The only things written to the registry are the install location and file association info. No autorun stuff.

Quote: "Spawns a lot of processes"
The installer calls the foobar binary a couple of times to write registry info. More times if it asks an old instance to close.

Quote: "Writes data to a remote process"
If they are trying to suggest a non-local process, it's simply untrue.

Quote: "Reads the active computer name"
Not sure where this is used, but it wouldn't surprise me if they saw some ability in the NSIS installer to do this.

Quote: "Marks file for deletion"
The installer has to delete its temporary files. Also, several features will delete temporary files when done.

Quote: "Opens the MountPointManager (often used to detect additional infection locations)"
Reading drive letters is pretty much needed if one allows selecting which drives to add to the media library.
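Two of the points in this thread can be checked on your own machine: that the downloaded installer matches the SHA-256 given in the opening post, and that the install creates no autorun entry (the claim behind the "Modifies auto-execute functionality" signature). The script below is an added example, not from either poster or from the foobar2000 project; the installer path is an assumption, and the expected hash should be taken from whatever official source you trust.

```powershell
# Added example, not from either post. Verifies the download against the
# SHA-256 quoted in the opening post and checks whether the install added
# any Run/RunOnce value, which is what the sandbox signature implies.
param(
    [string]$Installer = "$env:USERPROFILE\Downloads\foobar2000_setup.exe",  # assumed path
    [string]$Expected  = "2fdd5465cf9afaed94a5d7dbdcb9252fb8cd1753b323283f6983ec75db20c250"
)

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunSnapshot {
    # Emits one "key\name=value" string per value under the Run/RunOnce keys.
    foreach ($k in $RunKeys) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            foreach ($name in $p.PSObject.Properties.Name) {
                if ($name -notmatch '^PS') { "$k\$name=$($p.$name)" }
            }
        }
    }
}

# 1. Integrity: refuse to run an installer whose hash does not match.
$actual = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash.ToLower()
if ($actual -ne $Expected.ToLower()) {
    Write-Error "Hash mismatch: got $actual, expected $Expected"
    exit 1
}
Write-Host "SHA-256 matches."

# 2. Autorun: snapshot the Run keys, run the installer, snapshot again, diff.
$before = @(Get-AutorunSnapshot)
Start-Process -FilePath $Installer -Wait
$after  = @(Get-AutorunSnapshot)
$added  = Compare-Object -ReferenceObject $before -DifferenceObject $after |
          Where-Object SideIndicator -eq '=>' |
          Select-Object -ExpandProperty InputObject
if ($added) { Write-Warning "New autorun entries:"; $added }
else        { Write-Host "No Run/RunOnce entries were added." }
```

Run it in a throwaway VM rather than a production box, since it executes the installer; the Startup folders and scheduled tasks are other autorun locations the same before/after diff can be extended to.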