Перейти к содержимому


Фото
- - - - -

False positive: FanControl

DPH:Trojan.SoftLoader

  • Please log in to reply
1 ответов в теме

#1 barranja

barranja

    Newbie

  • Posters
  • 9 Сообщений:

Отправлено 10 Июнь 2023 - 13:29

Good day!

 

I'm reporting a false positive.

Some time ago around May 15, Dr.Web started to report FanControl as "Probably DPH:Trojan.SoftLoader".

 

To reproduce:

  1. Download a recent release from the FanControl releases page, for example: V159/FanControl_net_7_0.zip
  2. Unpack
  3. Run FanControl.exe

Observed behaviour:

  1. If the file does not exist, FanControl.exe will unpack FanControl.sys (actually an ancient winring0.sys from 2008, as per file signatures)
  2. Dr.Web kicks in and moves both files to quarantine, app won't run.

Expected behavior: This shouldn't happen.

 

Before signature/engine updates of mid-May 2023, everything worked as expected.

 

==> Please review and take according action. Thank you in advance!

 

 

 

FanControl releases inspected:
v159:
v157:
v156:
v155:
v154:
v153:
v152:
    FanControl.sys
    sha256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
    https://www.virustotal.com/gui/file/11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5/
    HackTool.VulnDriver/x64!1.D7DB (CLASSIC)

Program modules
Dr.Web Security Space 
Dr.Web Security Space (12.0)
Dr.Web Virus-Finding Engine 
drweb32.dll (7.00.59.12300)
Dr.Web Scanning Engine 
dwengine.exe (12.6.15.05180)
Dr.Web Anti-rootkit Server 
dwarkdaemon.exe (12.6.15.05180)
Dr.Web Anti-rootkit API 
dwarkapi.dll (12.6.22.202304190)
Dr.Web Thunderstorm Cloud Client SDK 
ccsdk.dll (12.0.29.02162)
Dr.Web Thunderstorm Cloud Client SDK 
cloud-client.dll (13.0.4.04130)
Dr.Web Scanning Watcher 
dwwatcher.exe (12.6.15.05180)
Dr.Web Control Service 
dwservice.exe (12.12.12.04270)
Dr.Web WSC Service 
wsc-service.exe (1.0.0.04150)
Dr.Web DWS License Client 
drweb-dws-client-lic.dll (1.0.0.01270)
Dr.Web Updater 
drwupsrv.exe (12.0.53.07181)
Dr.Web antimalware boot driver 
dwelam.sys (12.06.00.10110)
Dr.Web SpIDer Agent for Windows 
spideragent.exe (12.11.10.04280)
Dr.Web SpIDer Agent admin-mode module for Windows 
spideragent_adm.exe (12.11.10.04280)
Dr.Web Scanner SE 
dwscanner.exe (12.11.8.12280)
Dr.Web Console Scanner 
dwscancl.exe (12.6.15.05180)
Dr.Web File System Monitor 
spiderg3.sys (12.6.2.11161)
Dr.Web Protection for Windows 
dwprot.sys (12.06.17.4060)
Dr.Web Shellguard anti-exploit module 
dwsguard32.dll (12.06.14.5050)
Dr.Web Shellguard anti-exploit module 
dwsguard64.dll (12.06.14.5050)
Dr.Web device Guard for Windows 
dwdg.sys (12.06.03.10080)
Dr.Web Firewall for Windows driver 
drweblwf.sys (12.05.11.3061)
Dr.Web Shell Extension 
drwsxtn.dll (12.10.2.07290)
Dr.Web Shell Extension 
drwsxtn64.dll (12.10.2.07290)
Dr.Web SysInfo 
dwsysinfo.exe (12.5.3.202111100)
Dr.Web SysInfo library 
dwsysinfo.dll (12.5.3.202111100)
Dr.Web AMSI client 
drwamsi32.dll (12.5.8.202112200)
Dr.Web AMSI client 
drwamsi64.dll (12.5.8.202112200)
Dr.Web Security Space setup 
win-space-setup.exe (12.10.16.10140)
Virus databases
drwtoday.vdb 
    709 virus records Date: 2023-06-10 09:59
[...]

 

 



#2 Kirill Polubelov

Kirill Polubelov

    Hr. Schreibikus

  • Dr.Web Staff
  • 4 347 Сообщений:

Отправлено 13 Июнь 2023 - 17:29

Hello, barranja!

 

FanControl.sys (actually an ancient winring0.sys from 2008, as per file signatures)

This is not false positive. Too many miners use this driver and therefore we detect it.


Сообщение было изменено Kirill Polubelov: 13 Июнь 2023 - 17:36

(exit 0)


Читают тему: 1

0 пользователей, 1 гостей, 0 скрытых