As requested by a dear friend, I was analyzing a False Positive (FP) case of a software package, as described below:
Some users use the product as a network analysis tool, which is what the software is meant for. However, many AntiVirus scanner products produce alerts related to the product, like the following:
The vendor's page defines the product itself as follows:
The above is a straightforward description of the product and its functionality. The vendor itself is aware of the False Positive (FP) caused by some AntiVirus scanners and states the following on its page:
As stated above, Blocklist Manager 2.7.7 ships with an addon called Angry IP Scanner, which is causing some FPs.
2. Goal & Challenge
Given the above background, I would like to investigate the challenge list below in my humble blog writing, with the goal of improving software makers' know-how in developing software that avoids FPs, and of helping AntiVirus products prevent such False Positives in the future. This report will be useful to you if you come to analyze a false positive case.
3. Proof of Concept (binary analysis)
To start, let's analyze the installer binary Blocklist_Manager_Install_2.7.7.exe itself. I traced it manually and found the following details for this binary; my comments are in brackets:
4. Proof of Concept (Behavior Analysis)
I am not going to judge anything here; the above binary analysis result cannot tell much unless we run and test the sample itself. I just want to see how the product works, so I ran it in my RAT. Below are the screenshots as evidence and some pointers.
4.2. A suspicious object in the file list is:
%ProgramFiles%\Bluetack\Blocklist Manager\Tools\ipscan.exe (which is the Angry IP Scanner tool), size: 111,104 bytes, with the following details:
4.3. How does the installation go? How does the Angry IP Scanner get installed?
The installation goes smoothly, and so does the uninstall procedure. Below are the pictures I took from my RAT while running and testing it. During the installation the additional tools to be installed were announced, and the user has the option to choose which of those tools to install.
Installation binary executed:
Announcement of what will be installed.. you can see the full text here.
Select the component to install..
Installation directory snapshot..
Blocklist Manager products upon execution..
Under the .\Tools directory of the base installation there is the Angry IP Scanner (ipscan.exe) software, which can be executed via a call from the Blocklist Manager software or by running the binary directly. The snapshot looks like this:
I used it to scan part of my network, and it showed good results like this:
And the system processes look like this during the scan..
The above looks OK to me. I also ran checks on memory and ports over and over and did not see any malicious act by the software except the port scanning commands this tool provides. No memory leaks, no nasty stuff, no infection.
The Tools directory itself contains the following data:
*) If you take a close look at the date of each program above, they show different dates; this might be because the vendor collected many useful tools together into one package to ship in Blocklist Manager 2.7.7.
Furthermore, the uninstall process also runs well, as expected... (sorry, due to storage limitations I cannot snapshot every picture..)
4.4. What's wrong behind the installation?
This is the important part. During the installation, as described above, the list of files was copied to the installation directory, BUT the installer does not only do that: I detected the operations below performed by the installer, which trigger alerts in some AV scanning software. An installation of third-party software is not allowed to change/modify/delete system files:
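A check a practitioner would want at this point, as an added example that is not from the original post: snapshot the protected system directories before and after the installer runs, hash every file, and report anything the installer added, modified or deleted there, which is exactly the behaviour that draws AV alerts. The protected prefixes and the sample snapshot contents are constructed for illustration and do not describe what this installer actually changed.

```python
import hashlib
import os
from pathlib import Path, PureWindowsPath

# Directories a third-party installer has no business touching.
# Assumption: adjust to the system under test.
PROTECTED_PREFIXES = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
)


def snapshot(root):
    """Map every file under root to its SHA-256. Run once before and once after installing."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                result[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
            except OSError:
                pass  # locked or unreadable file: skip it rather than abort the run
    return result


def diff_snapshots(before, after):
    """Return added, modified and deleted paths between two snapshots."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def is_protected(path, prefixes=PROTECTED_PREFIXES):
    """Case-insensitive test that path lies strictly under one of the protected directories."""
    norm = str(PureWindowsPath(path)).lower()
    return any(norm.startswith(str(PureWindowsPath(p)).lower() + "\\") for p in prefixes)


def flag_system_changes(changes, prefixes=PROTECTED_PREFIXES):
    """Keep only the changes inside protected directories, tagged with the kind of change."""
    return sorted((kind, path) for kind, paths in changes.items()
                  for path in paths if is_protected(path, prefixes))


# Constructed sample snapshots standing in for a real before/after run.
SAMPLE_BEFORE = {
    r"C:\Windows\System32\drivers\etc\hosts": "aa" * 32,
    r"C:\Windows\System32\shell32.dll": "bb" * 32,
    r"C:\Windows\System32\oldtool.dll": "cc" * 32,
}
SAMPLE_AFTER = {
    r"C:\Windows\System32\drivers\etc\hosts": "dd" * 32,  # rewritten by the installer
    r"C:\Windows\System32\shell32.dll": "bb" * 32,  # untouched
    r"C:\Program Files\Bluetack\Blocklist Manager\Tools\ipscan.exe": "ee" * 32,  # expected install target
    r"C:\Windows\System32\newlib.dll": "ff" * 32,  # dropped into System32
}

if __name__ == "__main__":
    for kind, path in flag_system_changes(diff_snapshots(SAMPLE_BEFORE, SAMPLE_AFTER)):
        print(f"{kind:<9} {path}")
```

On a real test machine, replace the sample dicts with `snapshot(r"C:\Windows\System32")` taken before and after the install; only the flagged entries need to be explained to the AV vendor or fixed by the software maker.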
4.5. The False Positive of the Angry IP Scanner (ipscan.exe)
Currently, if you scan Angry IP Scanner (ipscan.exe), it shows the following result:
The following are some of the factors causing the above False Positive (FP):
Zero Day Japan / Zero Day JP http://0day.jp
Hendrik ADRIAN
Sponsored by: KLJTECH Co., Ltd. (株式会社ケイエルジェイテック)