Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 3 subscribers
  • Views 4421 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Fragments found, how do I go about finding more

knutern007

Running SAV on Ubuntu, I was scanning drives of a Windows-virtual machine (mounted the VMDK-files) and the memory-snapshot of that VM (i.e. the SnapshotXX.vmem), using the following command:

  • savscan -dn -f --no-stop-scan -rec -archive /mnt/windows_mount

I added -dn to see it making progress, -f for full scan, --no-stop-scan to force scanning large files as the pagefile.sys, -rec for recursive scanning (obviously), and all -archive

SAV reports two hits

  1. fragments of a malware in pagefile.sys (the mounted VMDK-files)
  2. fragments of another malware i the VMEM-file

To rule out false positive, how do I go about finding more useful information than of the above?

Kind regards



This thread was automatically locked due to age.
Parents
  • 0

    Hello Knut Erik Hauslo,

    fragments of a malware
    fragments of another malware
    this is not the exact wording of the detections, is it? Both the memory and the pagefile (which is basically also memory) might contain, let's put it this way, sequences of bytes that trigger false positive detections.

    Christian

Reply
  • 0

    Hello Knut Erik Hauslo,

    fragments of a malware
    fragments of another malware
    this is not the exact wording of the detections, is it? Both the memory and the pagefile (which is basically also memory) might contain, let's put it this way, sequences of bytes that trigger false positive detections.

    Christian

Children
  • 0 in reply to QC

    The exact wording is this:

    • Virus fragment 'Nutcracker Boot' found in file ...
    • Virus fragment 'Troj/VGA' found in file ...

    The idea, that sequences of bytes might trigger a false positiv was my idea as well, hence the effort into finding the location within the file. I've also split the pagefile into smaller files, and as expected, it found a lot more. Which supports the idea of a false positive.

    Any other scans with competing scanners did not result in anything.

Unfiltered HTML