Posted by dabrown
Digon

ITbrain Anti-Malware detects legitimate applications or files - can they be restored?

Dear Teamviewer support and community

I accidentally installed the Malware component onto one of my machines and it started going crazy finding malware in Hexchat (IRC) log files and in .pst files along with other non-malware files.

Looking at the web based management console, only a small amount of the files can be restored, most have just been deleted.

I have copied the Quarantine folder, but since I couldn't stop the service locally I ended up uninstalling the software altogether.

The exported .csv file only contains basic information about the type of malware discovered, it doesn't give the location of the file, I have to use the web based management console for that.

As there are more than 600 files which have been Quarantined, it will take me hours to work out if anything has been deleted which is critical or whether just a partial section of a file has been removed.

It would be more useful if the export included all the details of the file location.

Since I'm a free user of Teamviewer I am not sure what support is available for this, and I understand, it's just this has caught me off guard.  I have more than enough malware protection and antivirus protection on my machine so the IT Brain software needs a lot of tuning to determine what is legit malware or not.

Any advice you may be able to give to me to be able to restore some of these files or work out whether they are now corrupted would be greatly appreciated please.


Thanks in advance.  Best regards, Darren Brown.

3 Replies
Posted by Remote Management Staff

Re: ITbrain Anti-Malware detects legitimate applications or files - can they be restored?

Hi @dabrown


Thanks for the post. 

If you uninstalled ITbrain Anti-malware before restoring everything from Quarantine then there is nothing we can do, all items are encrypted by the quarantine module. All quarantine files can be restored only from the Management Console with a restore command which decrypts the files and places them back.

I can guarantee that ITbrain Anti-malware did not delete any system critical files and if any application files were flagged as malware the app can be installed again. 

You can have a list of all files lost from the log file which should be placed in: C:\Windows\temp\ITbrain\Anti-Malware\

Open the log file with notepad or notepad++ and then scroll down until you can see all infected items being reported. 

For further investigation can you please provide more details on the application which we flagged as malware and the type of the files which you lost?  We will run an internal test to see what is happening with that application. 

What version of Hexchat (IRC)?


Product Owner, Remote Management services.
Posted by dabrown
Digon

Re: ITbrain Anti-Malware detects legitimate applications or files - can they be restored?

Hi Stanislav

I figured that if I uninstalled the application there would be a chance I couldn't get the files back.

Using the web console, I believe there were only about 30 files which could be restored, the rest showed file deleted or similar when looking at them using the web console and gave me absolutely no option to restore them from the web console. I attempted to select all and restore, but that was definitely not an option.

I am using Hexchat for Windows 2.12.4 - it seemed to pick up a bunch of user names in the logs folder which I don't believe is a great loss - it's the sanitising of one of my .pst files I am more concerned about, and deleting files from my computer but they were probably legit malware attachments anyway - just as long as the .pst file remains intact. Other files which may have been deleted may possibly have been PUP type programs or similar.

Thank you for the link to:  C:\Windows\temp\ITbrain\Anti-Malware\

At least I can see what it removed (hopefully it is still there).

(update - alas, the only two files in that folder are install.log and setup.exe - which are of no help to me)

I admit because I couldn't end the scanning task or stop the process even with Administrator Service rights, I was forced to take quick action, otherwise I would not have uninstalled the application. It is a shame backing up the Quarantine folder is now of no use to me, but if I know which files have been removed (rather than that very basic .csv exported from the web console) at least I will have some idea.

As you may be able to look at these files from the web console, or do they interest you in terms of picking up false positives? - the fact that the software was picking up names from log files in Hexchat seems extremely odd - irc is relatively benign since media files cannot be shared - it's purely text based.

I look forward to conversing with you further on this please.

Thanks again for getting back to me.  Best regards, Darren Brown

Posted by dabrown
Digon

Re: ITbrain Anti-Malware detects legitimate applications or files - can they be restored?

Just as an update, I have sampled about 150 of the 600 files which were quarantined and nearly all of them are:

Worm.Win32.Viking.FU which points to a Hexchat Scrollback log and someone's name

or

Trojan.JS.Redirector.AOZ which points to a Hexchat Scrollback log, the name and then (SCRIPT-EXTERNAL 2) or (SCRIPT-EXTERNAL 1)

so the vast majority of the files were definitely false positives.

It picked up less than half a dozen ancient attachments converted from Eudora via Aid2Mail which were most likely malware/viruses/or false positives - either way, they were from a converted .pst from 2001 - and nothing of value.

Any detection it found in the .pst files it was not able to clean and those are the 30 files that it was warning me about.  All of those 30 files are not new, and most likely some sort of malicious code.

I don't believe I have lost anything of importance, but the report is still in the management queue if someone wants to give me instructions on how to export a detailed report, with not only the Threat type/name, but the location it was found on my drive. This may not be possible, but it might be useful - however, the vast majority of .txt file names which it decided were "threats" have been quarantined and cannot be restored.

As a side note, I wonder if I were to reinstall the software and restore the quarantine folder, whether the web management tool would still recognise the files and restore them?

Just a thought.

Best regards, Darren Brown