  1. #1
    Master Untangler dmor
    Join Date: Jun 2009
    Posts: 648

    False Positives based on VirusTotal

    Hello UT folks,

    I'm curious as to whether there may be an updated engine that may help reduce false positives. We see usually at least one per month. This is based on taking the URL to VirusTotal, and also uploading the file to VirusTotal.

    One example is http://clienttemplates.content.offic...tp02835233.cab

    VT URL analysis:
    https://www.virustotal.com/#/url/94e...f2d7/detection

    VT file analysis:
    https://www.virustotal.com/#/file/40...fed0/detection


    Or maybe the false positives are not from needing a newer clam engine, but perhaps just its configuration being more aggressive. If so, I'm more than happy living with that.

    Just curious really. And it would be nice to not have these false-positives, although I'd rather take a false-positive than a false-negative.

  2. #2
    Newbie
    Join Date: Nov 2017
    Posts: 10

    I'm having constant alerts for the exact same file on many of my users. When I scan the file with any other A/V providers, it comes up clean.

    In my case, the file is being flagged by Sanesecurity's signatures which Untangle uses with the virus blocker lite app. I submitted the details to their site here: http://sanesecurity.com/support/false-positives/

    We'll see if it gets removed. I hate white-listing things if I can help it, because you never know if the contents of that specific CAB file may change in the future.

  3. #3
    Newbie
    Join Date: Nov 2017
    Posts: 10

    I received word from Sanesecurity that the reason I'm getting this false positive is because I'm running outdated definitions. Based on their support, it was resolved in definitions that were published in October.

    I guess that raises the question of why the definitions are that out of date. According to the console, my signatures are up to date.

  4. #4
    Master Untangler dmor
    Join Date: Jun 2009
    Posts: 648

    Wow

  5. #5
    Newbie
    Join Date: Nov 2017
    Posts: 10

    I upgraded to 13.1.1 today, and it appears to have resolved my specific issue. From what I can tell, either the Sanesecurity signatures are being updated only during new releases, or somehow my system wasn't downloading the latest information, and the new update kicked things off again. It would be nice to have some visibility to the signature files so we knew what version was running.
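    The visibility asked for above can be had without trusting the console: every ClamAV .cvd/.cld file starts with a 512-byte text header that records its build time, version and signature count. The script below (an added example, not Untangle's or Sanesecurity's code) parses that header from constructed sample headers for two hypothetical hosts and flags databases older than a chosen limit; the header field order is the documented ClamAV-VDB layout, and the host names and dates are invented.

```python
"""Report the real age of ClamAV signature databases from their headers."""
from datetime import datetime, timezone

CVD_HEADER_LEN = 512  # fixed-size text header preceding the tar payload


def parse_cvd_header(header: bytes) -> dict:
    """Extract build time, version and signature count from a CVD header.

    Field order (colon separated): magic, build time, version, sig count,
    functionality level, md5, digital signature, builder, build timestamp.
    """
    fields = header[:CVD_HEADER_LEN].split(b":")
    if fields[0] != b"ClamAV-VDB" or len(fields) < 4:
        raise ValueError("not a ClamAV-VDB header")
    # Build time is written like "14 Nov 2017 09-30 -0500"
    built = datetime.strptime(fields[1].decode("ascii"), "%d %b %Y %H-%M %z")
    return {"built": built, "version": int(fields[2]),
            "signatures": int(fields[3])}


def database_age_days(header: bytes, now: datetime) -> int:
    """Whole days between the database build time and `now` (tz-aware)."""
    return (now - parse_cvd_header(header)["built"]).days


def stale_databases(headers: dict, now: datetime, max_age_days: int = 7) -> list:
    """Names of databases older than `max_age_days`, oldest first."""
    ages = {name: database_age_days(h, now) for name, h in headers.items()}
    return sorted((n for n, a in ages.items() if a > max_age_days),
                  key=lambda n: -ages[n])


# Constructed sample headers (hosts, dates and hashes are invented):
# host A pulled fresh definitions, host B is stuck on an October build.
SAMPLE_HEADERS = {
    "hostA/daily.cvd": (b"ClamAV-VDB:14 Nov 2017 09-30 -0500:24050:1800000:63:"
                        b"0123456789abcdef0123456789abcdef:sig:builder:1510670000"
                        ).ljust(CVD_HEADER_LEN, b" "),
    "hostB/daily.cvd": (b"ClamAV-VDB:12 Oct 2017 08-15 -0400:23980:1780000:63:"
                        b"fedcba9876543210fedcba9876543210:sig:builder:1507810500"
                        ).ljust(CVD_HEADER_LEN, b" "),
}

if __name__ == "__main__":
    now = datetime(2017, 11, 15, tzinfo=timezone.utc)  # fixed for reproducibility
    for name, hdr in SAMPLE_HEADERS.items():
        info = parse_cvd_header(hdr)
        print(f"{name}: version {info['version']}, built {info['built']:%Y-%m-%d}, "
              f"{database_age_days(hdr, now)} days old")
    print("stale:", stale_databases(SAMPLE_HEADERS, now))
```

On a live system, read the first 512 bytes of each .cvd/.cld under the ClamAV database directory in place of SAMPLE_HEADERS; plain-text third-party signature files carry no such header, so their file modification time is the only age indicator.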

  6. #6
    Untangle Ninja jcoehoorn
    Join Date: Mar 2010
    Location: York, NE
    Posts: 1,589

    Running 13.1.1 here, too, and just in the last few days I'm seeing a number of what I believe are false positives from iOS devices trying to update an app direct from the Apple App Store. I've seen 5 of these in the last 3 days, and I don't think they are all the same device. I suppose it's possible there's some malware that has snuck through Apple's review process, but this seems more like a false-positive case.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.0 to protect 700Mbits for ~400 residential college students and associated staff and faculty
