
Detected As Malicious Program

Below is some of my analysis for Foobar2000.

Hybrid Analysis scans this as a malicious program HERE

VirusTotal with 3/66 detection HERE

Is this a FALSE POSITIVE? I need clarification on file integrity.

Website Link -
SHA-256 - 2fdd5465cf9afaed94a5d7dbdcb9252fb8cd1753b323283f6983ec75db20c250


Re: Detected As Malicious Program

Reply #1
Very false positive. VirusTotal has those few engines that mark absolutely everything as malware, including Windows binaries such as rundll32 and cmd.exe.

Hybrid Analysis shows:
"Accesses potentially sensitive information from local browsers"
foobar2000 can read proxy information from IE, that should be it.
"Contains ability to open the clipboard"
Properties dialog allows filling tag data from clipboard.
"Found a string that may be used as part of an injection method"
No idea what they mean by this. Can't anything that runs be used as an injection method?
"Modifies auto-execute functionality by setting/creating a value in the registry"
Only thing written to registry is install location and file association info. No autorun stuff.
"Spawns a lot of processes"
Installer calls the foobar binary a couple of times to write registry info. More times if it asks an old instance to close.
"Writes data to a remote process"
If they try to suggest a non-local process, it's simply untrue.
"Reads the active computer name"
Not sure where this is used, but it wouldn't surprise me if they saw some ability in the NSIS installer to do this.
"Marks file for deletion"
Installer has to delete its temporary files. Also several features will delete temporary files when done.
"Opens the MountPointManager (often used to detect additional infection locations)"
Reading drive letters is pretty much needed if one allows selecting which drives to add to the media library.
