Guidelines and Requirements for Reporting a False Positive

[wozofoz]

Before reporting a False Positive, please read the following guidelines and requirements:

 

First, use the latest version of IObit Security 360 and make sure IObit Security 360 has checked for database updates, then do a scan

 

Step 1: Save a scan log

Scan Log Example:

 

IObit Security 360

OS: Windows XP

Version:1.4.1.11

Define Version:1331

Time Elapsed:00:11:11

Objects Scanned:66286

Threats Found:1

|Name|Type|Description|ID|

Trojan.Agent, File, C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe, 12-912

 

To read the log of the threat shown above notice that the seperator is comma ( , ).

Name: Trojan.Agent

Type: File

Description: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

ID: 12-912

 

Step 2: Upload the file(s) to VirusTotal @ http://www.virustotal.com/

If you are unsure how to upload files to VirusTotal, see Post # 2

 

NOTE: Do not upload the IObit Security 360 scan log to VirusTotal, this will not give any true results.

You must upload the actual file that the IObit Security 360 scan log has identified as a threat.

In the example above the file would be cvtres.exe

 

When the VirusTotal scan has finished:

• Note the result eg: Result: 0/41

• There is no need to copy the whole scan result, just copy the address from the browser address bar to post here.

The address will look something like this:

 

[noparse]http://www.virustotal.com/analisis/060a33f770835fa60172c4e02f4c1d3d19d643a2e915d478d07a01788ad5fdb2-1267420531[/noparse]

 

Follow this procedure for all the threats listed in the IObit Security 360 scan.

 

Step 3: Post your results in the Forum

When you have the IObit Security 360 scan log and the VirusTotal scan result address you can post them here in the forum.

 

• Go to the section False Positives Report

• Click on New Thread (on the left near the top)

• In the Title box put the name of the file that was listed as a threat.

Using the example given above the Title would be cvtres.exe

There may be more than one threat, in that case you can just choose one.

If this is confusing for you just put the title False Positive ? and we will change it if necessary :smile:

 

• Paste the IObit Security 360 scan log in the reply box

• Write the VirusTotal scan result eg: Result: 0/41

• Paste the VirusTotal scan results address or addresses in the reply box. There is no need to include the whole scan result.

• Click Preview Post and check that it looks ok

• Click Submit New Thread

 

Here is an example of what your post might look like:

 

Title: cvtres.exe

 

This appears to be a False Positive

 

IObit Security 360

OS: Windows XP

Version:1.4.1.11

Define Version:1331

Time Elapsed:00:11:11

Objects Scanned:66286

Threats Found:1

|Name|Type|Description|ID|

Trojan.Agent, File, C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe, 12-912

 

VirusTotal scan result 0/41

[noparse]http://www.virustotal.com/reanalisis...db2-1267420531[/noparse]

 

Thanks in advance

 

These first 2 steps are usually enough for the IObit Specialist Team to determine if the threat is a False Positive or not but sometimes it will be necessary to send the file to IObit so it can be checked completely.

If asked to send the file, please see Post # 5

 

Thank you for your assistance :smile:

[wozofoz]

How to upload a file to VirusTotal - 1

 

How to upload a file to VirusTotal:

 

Some users are unsure of how to upload and scan a file at VirusTotal so here is a basic explanation.

Please remember, your file may be stored in a different place so this general example is just the basics of what to do.

The following example is an actual File Path taken from the forum but of course you should replace the various paths: Windows, Microsoft.NET, Framework, v2.0.50727 and cvtres.exe with those in your File Path.

 

The example IObit Security 360 scan log used is:

|Name|Type|Description|ID|

Trojan.Agent, File, C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe, 12-912

 

The File Path (Description) is:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

This File Path can be easily followed once you realise that backslash ( \ ) is the seperator, so when separated, this becomes:

C: then Windows then Microsoft.NET then Framework then v2.0.50727 then cvtres.exe

 

NOTE: Do not upload the IObit Security 360 scan log to VirusTotal, this will not give any true results.

You must upload the actual file that the IObit Security 360 scan log has identified as a threat.

In the example above the file would be cvtres.exe

 

Here is the VirusTotal procedure:

• Go to VirusTotal

• Click Browse

• On the left of the window that opens click My Computer

• Open (double click) (C:)

• Open Windows

• Open Microsoft.NET

• Open Framework

• Open v2.0.50727

• Open cvtres.exe (it might just say cvtres in the window if the known extentions are not shown in Folder Options)

 

The window will disappear and C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe will appear in the VirusTotal box.

• Click Send File and wait (you may be in a queue)

If it says File has already been analysed: you should reanalyse the file because your file might be infected

• Click Reanalyse file now and wait

 

When the VirusTotal scan has finished:

• Note the result eg: Result: 0/41

• There is no need to copy the whole scan result, just copy the address from the browser address bar to post here.

The address will look something like this:

 

[noparse]http://www.virustotal.com/analisis/060a33f770835fa60172c4e02f4c1d3d19d643a2e915d478d07a01788ad5fdb2-1267420531[/noparse]

 

Follow this procedure for all the threats listed in the IObit Security 360 scan.

 

Thank you for your assistance

 

**************************************************************************

 

Here is the same procedure laid out in screenshots:

 

http://forums.iobit.com/attachment.php?attachmentid=4420&d=1267437039

 

http://forums.iobit.com/attachment.php?attachmentid=4421&d=1267437057

 

 

Continued in the next post -->>

[wozofoz]

How to upload a file to VirusTotal - 2

 

http://forums.iobit.com/attachment.php?attachmentid=4422&d=1267437431

 

http://forums.iobit.com/attachment.php?attachmentid=4423&d=1267437461

 

http://forums.iobit.com/attachment.php?attachmentid=4424&d=1267437476

 

http://forums.iobit.com/attachment.php?attachmentid=4425&d=1267437503

 

 

Continued in the next post -->>

[wozofoz]

How to upload a file to VirusTotal - 3

 

http://forums.iobit.com/attachment.php?attachmentid=4426&d=1267438266

 

[http://forums.iobit.com/attachment.php?attachmentid=4427&d=1267438289

 

http://forums.iobit.com/attachment.php?attachmentid=4428&d=1267438310

 

http://forums.iobit.com/attachment.php?attachmentid=4429&d=1267438326

 

 

Thank you for your assistance

[wozofoz]

How to send the file to IObit, if necessary

 

How to send the file to IObit, if necessary:

 

To ensure the sample was not cleaned/infected in transit, it is necessary to put all samples in password protected ZIP files.

The password should be infected

There may be an infection on your system, but we are unable to make a conclusive analysis without a sample being sent in this fashion.

 

Note: The maximum file size of *.zip files on IObit forums is 488.3 KB.

If the suspicious files you want to upload is more than that, please email the IObit Security 360 scan report to is360submit@iobit.com and send *.zip file as an attachment.

 

If you can't upload the file to the forum or send the file to IObit as an email attachment:

• Upload the Password Protected ZIP file (the password should be infected) to a file sharing website like http://www.wikisend.com/ or http://www.2shared.com or http://www.mediafire.com/

• Copy the link that is provided by the website

• Paste the link in a new post in the forum thread

 

Our IObit Specialist Team will do further investigation and solve it ASAP.

 

How to copy and ZIP a file

Once again using the example Security 360 Scan log from before you would follow the path laid out in the Scan log to get to the file.

 

|Name|Type|Description|ID|

Trojan.Agent, File, C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtr es.exe, 12-912

 

• Launch Windows Explorer (Windows key + E)

• Open My Computer (click on the + on the left)

• Open (C:)

• Open Windows

• Open Microsoft.NET

• Open Framework

• Open v2.0.50727

• Right click on the file cvtres.exe

• Select the ZIP software from the Context Menu

• Choose to add the file to a ZIP folder (probably called cvtres.zip)

• Move the ZIP folder to the Desktop (or anywhere you like)

• Open (double click) the ZIP folder

• Select File (top Menu)

• Select Add a password

• infected is the password

 

**************************************************************************

 

Here is the above procedure screenshots:

 

http://forums.iobit.com/attachment.php?attachmentid=4430&d=1267438697

 

http://forums.iobit.com/attachment.php?attachmentid=4432&d=1267439096

 

Thank you for your assistance :smile: