Window trojan virus. Was it in the software?

Thread Starter

camerart

Joined Feb 25, 2013
3,731
Hi,
I updated an application, as usual, but Windows Defender blocked and deleted it.
I checked the WD log, and it shows the trojan, first in quarantine, then in deleted.
Its name is 'Trojan:Win32/Bearfoos.A!'
I contacted the application owner, and he assures me that the software is clean.
I think he's trustworthy, but sophisticated hackers could impersonate him.
I think, as the name suggests, it is a trojan piggybacking into Windows, as I allow the update.
Any thoughts, please?
C
 

sagor

Joined Mar 10, 2019
914
Load the file into “virustotal.com”. That site will test the file against over 50 antivirus programs and return a fail/pass count. If you get one or two fails but over 50 “good” replies, then odds are good that the file is safe and you hit a false positive. If you get dozens of “fail” or more, then odds are it is indeed infected with something.
You may have to temporarily disable your antivirus in order to upload that file for testing. Just don’t run that file on your system while antivirus is off.
 

Thread Starter

camerart

Joined Feb 25, 2013
3,731
Hi S,
Here's the result!
----------------------------------------------

Security vendors' analysis

Detected:
Bkav Pro: W32.AIDetectMalware
Cynet: Malicious (score: 100)
Rising: Trojan.Generic@AI.89 (RDML:HtkftPFaurEiAHd9x6UeOA)

Undetected:
Acronis (Static ML), AhnLab-V3, Alibaba, ALYac, Antiy-AVL, Arcabit, Avast, AVG, Avira (no cloud), Baidu, BitDefender, BitDefenderTheta, ClamAV, CMC, CrowdStrike Falcon, Cybereason, Cylance, DeepInstinct, DrWeb, Elastic, Emsisoft, eScan, ESET-NOD32, Fortinet, GData, Google, Gridinsoft (no cloud), Ikarus, Jiangmin, K7AntiVirus, K7GW, Kaspersky, Kingsoft, Lionic, Malwarebytes, MAX, MaxSecure, McAfee, Microsoft, NANO-Antivirus, Palo Alto Networks, Panda, QuickHeal, Sangfor Engine Zero, SecureAge, SentinelOne (Static ML), Skyhigh (SWG), Sophos, SUPERAntiSpyware, Symantec, TACHYON, TEHTRIS, Tencent, Trellix (FireEye), TrendMicro, TrendMicro-HouseCall, Varist, VBA32, VIPRE, VirIT, ViRobot, Webroot, WithSecure, Xcitium, Yandex, Zillya, ZoneAlarm by Check Point, Zoner

Unable to process file type:
Avast-Mobile, BitDefenderFalx, Symantec Mobile Insight, Trustlook
-----------------------------------------------
C
 

sagor

Joined Mar 10, 2019
914
Should have posted the link to the results, it would be easier to look at it. However, it seems there are only 2 detections at the top of your list, the rest are negative. That suggests a false positive. Even Microsoft shows "undetected", so how did your system detect it in the first place? Maybe "Defender" is over-zealous.
Some false positives come about from the way archives/programs are packed (compressed).
The big name anti-virus sites did not detect any virus, so one can assume it is safe. That said, I've once seen a new virus that was so new, that it was not detected until 2 days later, when antivirus programs got updated signature files. If still not sure, wait a couple of days and re-test the file.
Nothing is 100% safe, but your scan results suggest it is 99% safe.
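The rule of thumb in the reply above (a few generic or machine-learning hits among dozens of clean verdicts points to a false positive; engines that could not process the file are not votes either way) can be applied mechanically to a pasted "Vendor: Verdict" listing. This is an added example, not code from the thread or from VirusTotal; the sample report and the 10% threshold are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "Vendor: Verdict" shape of the listing above;
# not the thread's real report, just enough rows to exercise each branch.
SAMPLE_REPORT = """\
Bkav Pro: W32.AIDetectMalware
Cynet: Malicious (score: 100)
Rising: Trojan.Generic@AI.89 (RDML:EXAMPLE)
Kaspersky: Undetected
Microsoft: Undetected
ESET-NOD32: Undetected
Sophos: Undetected
Avast-Mobile: Unable to process file type
"""

# Labels that mark a generic / machine-learning heuristic rather than a
# named family signature. Heuristic-only hits are weaker evidence.
HEURISTIC_MARKERS = re.compile(
    r"AIDetect|@AI|Generic|Static ML|Malicious \(score|Heur", re.IGNORECASE)

@dataclass
class Triage:
    scanned: int          # engines that actually produced a verdict
    detections: list      # (vendor, label) for every non-clean verdict
    heuristic_only: bool  # True when every detection is a heuristic label

    @property
    def ratio(self) -> float:
        return len(self.detections) / self.scanned if self.scanned else 0.0

def triage(report: str) -> Triage:
    """Summarise a 'Vendor: Verdict' listing into a detection ratio."""
    scanned, detections = 0, []
    for line in report.splitlines():
        if ":" not in line:
            continue
        vendor, verdict = (part.strip() for part in line.split(":", 1))
        if verdict.lower().startswith("unable to process"):
            continue                     # engine never scanned it; not a vote
        scanned += 1
        if verdict.lower() != "undetected":
            detections.append((vendor, verdict))
    heuristic_only = bool(detections) and all(
        HEURISTIC_MARKERS.search(label) for _, label in detections)
    return Triage(scanned, detections, heuristic_only)

def classify(result: Triage, max_fp_ratio: float = 0.1) -> str:
    """A handful of generic hits among dozens of clean verdicts reads as a
    probable false positive; anything else is treated as a real detection."""
    if not result.detections:
        return "clean"
    if result.ratio <= max_fp_ratio and result.heuristic_only:
        return "probable false positive (re-scan in a few days)"
    return "treat as malicious"
```

The short sample lands on "treat as malicious" because 3 of 7 scanning engines flagged it; pad the same three detections with the roughly 70 clean verdicts of the thread's report and the ratio drops below the threshold.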
 

Thread Starter

camerart

Joined Feb 25, 2013
3,731
Hi S,
Even Microsoft shows "undetected", so how did your system detect it in the first place? Maybe "Defender" is over-zealous.
I think the software I downloaded from, what I consider to be a clean site, is fine, but Windows Defender caught the 'Trojan:Win32/Bearfoos.A!' which tried to piggyback on the software, when I allowed it into my system.
Once the trojan was 'killed' I think the software will be able to be downloaded and work as it should. I just wanted to see what others think first.
Thanks.
C
 