Odd security alert after InSpectre download from GRC

Today I downloaded the InSpectre Utility from GRC.com (Gibson Research).  As expected the File Insight popup said it was safe.  But then a few moments later I got the following alert:

NS did *not* delete the program itself (InSpectre.exe).  Any ideas what this might be?  I downloaded it once before with no issues.  Windows 7, Firefox 52.8.1esr, NS 22.14.2.13.

EDIT:  Another screenshot is attached.  (I didn't make a screenshot of the Activity tab, which just gave the location of the file as somewhere in my Firefox Cache.)  Also, per history the flagged file was quarantined briefly before it was removed by File Insight.

Replies

Re: Odd security alert after InSpectre download from GRC

Hi Ardmore:

If you can't save the InSpectre.exe file on your hard drive and upload it to the VirusTotal.com site for analysis, click the Copy to Clipboard link at the bottom of your File Insight report, paste the contents into a text editor like Notepad and then search the VirusTotal.com site for the SHA-256 hash as instructed <here>.

I can't run InSpectre.exe on my Vista SP2 machine but I was able to download it today and save it to my hard drive (Download Insight gave a low / unproven reputation but did not remove the file - see the image and SHA / MD5 hashes below from my File Insight report).  I searched VirusTotal.com for the SHA-256 hash "3ac3cfe5ccbbc8c30d812cecb8b96357b377535842d9ba67a4d0b1fa3636c9c2" and the VirusTotal report for my InSpectre.exe file at https://www.virustotal.com/#/file/3ac3cfe5ccbbc8c30d812cecb8b96357b377535842d9ba67a4d0b1fa3636c9c2/detection had a very low detection rate of 1/64 (i.e., the Cylance scan engine was the only antivirus to detect the latest InSpectre.exe as unsafe) and it got a Clean rating from Symantec.  I wonder if you'd have better luck if you tried a fresh download from https://www.grc.com/inspectre.htm today?

File Thumbprint - SHA:
3ac3cfe5ccbbc8c30d812cecb8b96357b377535842d9ba67a4d0b1fa3636c9c2
File Thumbprint - MD5:
70bbd36e5b81abcc423bb0acd3de525b

Heur.AdvML.B is a heuristic (behaviour-based) detection so there must be something that Norton's real-time Auto-Protect doesn't like about the way this file behaves when it's executed, but that's no surprise given that InSpectre runs a deep scan of your system files and hardware. According to your images you should have the option to Restore & Exclude the InSpectre.exe file from quarantine (see the Restore and Options links at the bottom of your File Insight reports) per the support article Restore an Item from Quarantine if you are certain the .exe file you downloaded is safe.  If the InSpectre.exe file isn't in quarantine and was permanently removed from your hard drive then you might have to submit a false positive report to Symantec at https://submit.symantec.com/false_positive/ and wait a few days for them to whitelist it - just change the submission type from Upload a File to Provide a Direct Download URL if you can't restore the file from quarantine.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.1 * Norton Security v22.14.2.13

Re: Odd security alert after InSpectre download from GRC

Thanks Imacri.  But something I just discovered may lead to a different analysis path.  First, note that NS had no problem with the actual downloaded program file, InSpectre.exe.  In fact I got a full green OK on that, mature and many users. 

It turns out that, after clicking download on the InSpectre download button, if I wait a few moments before saying save, the flagged and removed file will appear without my even trying to start the InSpectre download:

I also get the same result if I enter the direct url of the download button ( https://www.grc.com/files/InSpectre.exe ) in Firefox (52.8.1 esr 32-bit) on this computer.  And if I enter that url into VirusTotal, I get a result almost identical to what both of us got when using VT on the downloaded InSpectre.exe, including that same SHA-256 hash.

(The rest of my post may be getting a little OT, but *perhaps* it could also be getting at why you are not getting a similar warning from NS.)

Now, the reason I added "on this computer" above is this:  If I try exactly the same download on my other Win 7, Firefox 52.8.1 esr computer, NS doesn't complain a bit.  I thought this was odd, so I went back to the first computer and found the location where the long file starting with 99ce was going before NS flagged and deleted it, namely C:\Users\(username)\AppData\Local\Mozilla\Firefox\Profiles\(profile name).default\cache2\entries.  The entries folder has many thousands of files -- presumably the (or part of the) Firefox cache.  But it turns out the second computer -- where NS *didn't* complain about the GRC download address producing a highly suspicious file -- doesn't even *have* an 'entries' subfolder of cache2...even though Firefox options reports both computers having a similarly sized cache. So maybe NS can't even "see" the 99ce file on the second computer -- or on yours, if it also lacks the 'entries' subfolder. (BTW, based on Googling, the norm -- or at least a common situation -- is to have that 'entries' folder, with many thousands of files.) 

EDITS:

(1) Fyi, when I go directly to the download url, instead of going to GRC's InSpectre page and clicking the download button, I get a different filename (aa654832b7b4035745763af0190a6cf6d685b068).  But the NS threat info and actions are the same.

(2) I forced NS to restore the removed 99ce file, moved it out of the cache, and uploaded it to VirusTotal.  4 out of 64 engines found it malicious, with Symantec being one of them, at high confidence.  (The others were Cylance, CrowdStrike Falcon, and Endgame.)  If they're right, does this suggest an infection of the GRC website?

https://www.virustotal.com/#/file/1e9f2fc37badf1e3a5d820b77274f6e25b71f7...

(3)  OK, this is weird.  Now, a little later, NS is no longer creating an alert and deleting the file, whether I click to GRC download button or put in the direct url.  But I refreshed the Virus Total, and Symantec still reports the file as malicious.  Maybe the offending file is no longer being "pushed out" from GRC.com?  It's not a site with ads.  And I had an ad blocker on, anyway.

Re: Odd security alert after InSpectre download from GRC

  • try download file three times + change name each dl 
  • try Chrome

File: InSpectre.exe
File size: 125 KB (128,152 bytes)
MD5 checksum: 70BBD36E5B81ABCC423BB0ACD3DE525B
SHA1 checksum: 0706FA5EFC794F0DBD678BAC053BA8BF12272FF0
SHA256 checksum: 3AC3CFE5CCBBC8C30D812CECB8B96357B377535842D9BA67A4D0B1FA3636C9C2

----------
File: 2InSpectre.exe
File size: 125 KB (128,152 bytes)
MD5 checksum: 70BBD36E5B81ABCC423BB0ACD3DE525B
SHA1 checksum: 0706FA5EFC794F0DBD678BAC053BA8BF12272FF0
SHA256 checksum: 3AC3CFE5CCBBC8C30D812CECB8B96357B377535842D9BA67A4D0B1FA3636C9C2

----------
File: 3InSpectre.exe
File size: 125 KB (128,152 bytes)
MD5 checksum: 70BBD36E5B81ABCC423BB0ACD3DE525B
SHA1 checksum: 0706FA5EFC794F0DBD678BAC053BA8BF12272FF0
SHA256 checksum: 3AC3CFE5CCBBC8C30D812CECB8B96357B377535842D9BA67A4D0B1FA3636C9C2
FWIW ~ I think you're observing Norton n/or Firefox anomaly.   

Accepted Solution
Re: Odd security alert after InSpectre download from GRC

Ardmore:

... I thought this was odd, so I went back to the first computer and found the location where the long file starting with 99ce was going before NS flagged and deleted it, namely C:\Users\(username)\AppData\Local\Mozilla\Firefox\Profiles\(profile name).default\cache2\entries.  The entries folder has many thousands of files -- presumably the (or part of the) Firefox cache.  But it turns out the second computer -- where NS *didn't* complain about the GRC download address producing a highly suspicious file -- doesn't even *have* an 'entries' subfolder of cache2...

Hi Ardmore:

Just some preliminary comments about the C:\Users\<username>\AppData\Local\Mozilla\Firefox\Profiles\<profilename>\cache2 folder.

See the Mozilla support article How to Clear the Firefox Cache.  In Firefox you can also see stats about the temporary internet files stored in each cache folder by entering about:cache in the location (address) bar.

Go to Tools | Options | Privacy | History | Clear history when Firefox closes | Settings to see if Firefox is configured to clear your cache (temporary internet files) on exit on both your machines.  I use CCleaner to manage my cookies but I always allow Firefox ESR to automatically clear my cache every time I close my browser as shown below.  All the subfolders in my hidden folder C:\Users\<username>\AppData\Local\Mozilla\Firefox\Profiles\<profilename>\cache2 are deleted when my FF ESR browser is closed but the \entries and \doomed subfolders reappear the next time I launch my browser and start caching files from web pages I visit.

Is there a difference in the way you clear your browser cache on the two computers, or is it possible that you couldn't find the C:\Users\<username>\AppData\...\cache2\entries folder on your second computer because your browser was closed?

EDITS:

(1) Fyi, when I go directly to the download url, instead of going to GRC's InSpectre page and clicking the download button, I get a different filename (aa654832b7b4035745763af0190a6cf6d685b068).  But the NS threat info and actions are the same.

(2) I forced NS to restore the removed 99ce file, moved it out of the cache, and uploaded it to VirusTotal.  4 out of 64 engines found it malicious, with Symantec being one of them, at high confidence.  (The others were Cylance, CrowdStrike Falcon, and Endgame.)  If they're right, does this suggest an infection of the GRC website?

https://www.virustotal.com/#/file/1e9f2fc37badf1e3a5d820b77274f6e25b71f7...

The SHA-256 hash of a file is like a digital fingerprint and doesn't change, even if you rename the file (which is why Norton can detect malware given the name svchost.exe or some other Windows system file since the hash of the "fake" system file is wrong).  The VirusTotal.com report <here> for the "99ce74f..." file that was located in your C:\Users\<username>\AppData\...\cache2\entries folder has a hash of 1e9f2fc37badf1e3a5d820b77274f6e25b71f7dbbe63b08a81ef0d7398bdba67, which is different from the "safe" (whitelisted) hash 3ac3cfe5ccbbc8c30d812cecb8b96357b377535842d9ba67a4d0b1fa3636c9c2 I got for the InSpectre.exe file I downloaded from the same site.  There must be some minor difference between the two files that Norton is picking up on. Norton could even be unhappy that the "99ce74f..." file is being detected in the ...\cache2\entries folder if you don't save it to a "normal" location quickly enough and might be throwing a heuristic (behaviour-based) Heur.AdvML.B detection because it's mimicking the behaviour of some types of malware that try to hide in hidden folders of the browser cache.  Also note that the "99ce74f..." file name doesn't end with a .exe extension and has a slightly larger file size (128.96 KB) than the "safe" 125.15 KB InSpectre.exe file I downloaded.

Your detected file was named "99ce74f..." and was located in your browser cache so my best guess is that FF ESR is starting a background download of the file from the grc.com site and holding it in your ...\cache2\entries folder while your browser waits for you to click the Save button and finish saving the file to a permanent location. It's not uncommon for downloaded executables to be given a random name like "99ce74f.." while they're being downloaded and held in a temporary folder - if you cancel before the download is completed, the name of the partial file will often have a long string of random characters followed by a .part extension.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.1 * Norton Security v22.14.2.13
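The two checks the thread relies on, bjm_'s "download three times, rename each copy and compare checksums" test and lmacri's point that a SHA-256 is a fingerprint of the bytes (a rename leaves it unchanged, while even a one-byte difference such as the larger "99ce74f..." cache file gives a different hash), can be reproduced locally. The script below is an added example written for this thread; it is not code from any of the posters, from Norton or from GRC. The sample bytes are constructed stand-ins, not the real InSpectre.exe, and the cache-style filename "99ce74f" is used only to mirror the thread's scenario. Run it on the copies you actually saved by pointing `file_digests` at them and comparing against the hash shown in File Insight or on VirusTotal.

```python
"""Compare file fingerprints the way the thread does (added example, not the posters' code)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read downloads in 64 KiB pieces instead of loading the whole file


def bytes_digests(data):
    """MD5, SHA-1 and SHA-256 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_digests(path):
    """Same three digests for a file on disk, hashed in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def same_content(path_a, path_b):
    """True when two files hold identical bytes, whatever their names or extensions."""
    return file_digests(path_a)["sha256"] == file_digests(path_b)["sha256"]


def matches_published(path, published_sha256):
    """Compare a saved file against a published SHA-256. Tools print the digest in
    either case (VirusTotal lowercase, some checksum utilities uppercase), so normalise."""
    return file_digests(path)["sha256"] == published_sha256.strip().lower()


# Constructed sample bytes standing in for a downloaded executable; NOT InSpectre.exe.
SAMPLE = b"MZ" + b"constructed sample executable bytes\x00" * 8


def demo():
    """Save SAMPLE under three names (bjm_'s test) plus one copy with an extra byte
    under a cache-style name, then report what the hash comparisons show."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name in ("InSpectre.exe", "2InSpectre.exe", "3InSpectre.exe"):
            p = os.path.join(tmp, name)
            with open(p, "wb") as fh:
                fh.write(SAMPLE)
            paths.append(p)

        # Cache entry with no .exe extension and one trailing byte more than the download.
        variant = os.path.join(tmp, "99ce74f")
        with open(variant, "wb") as fh:
            fh.write(SAMPLE + b"\x00")

        reference = file_digests(paths[0])["sha256"]
        return {
            # renaming never changes the fingerprint
            "renamed_equal": all(same_content(paths[0], p) for p in paths[1:]),
            # a single extra byte does, so a different hash means different content
            "variant_equal": same_content(paths[0], variant),
            # an uppercase published hash still matches after normalising
            "published_ok": matches_published(paths[1], reference.upper()),
            "sha256": reference,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If `renamed_equal` is true but a cached copy reports a different SHA-256, the cached copy is not byte-for-byte the published file and should be treated as a separate object (submitted or quarantined on its own merits) rather than assumed to be a harmless duplicate of the download.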

Re: Odd security alert after InSpectre download from GRC

First, I should point out that -- with regard to my last edit saying the issue seemed to have resolved (i.e., no more NS alerts):  Today, about a minute after I first started up the computer that had been getting the alerts, NS said it was resolving security issues.  When done, I checked history and saw that it had removed one more of the 99ce files, and two more of the aa65 files.  So maybe the detection was delayed, but this is odd because like Imacri, I use CCleaner to clear the Firefox cache (I do *not* also do it via Firefox options, as you do.)  (On the computer that was getting the alerts, I manually run CCleaner before shutting down; on the other computer it runs automatically on startup.)  Now, regarding that other computer -- today I tried downloading InSpectre, and am *now* getting the alert there as well -- and also DO see the entries subfolder of cache2 there, with many files.  And I'm sure Firefox had been open when I couldn't find the entries folder before, because I had just downloaded InSpectre from GRC in Firefox.  So go figure.

Regardless, Imacri I think your last paragraph sounds like it may very well describe what is going on, even if it *is* a Norton or Firefox anomaly, as _bjm suggested.  I'll mark it as the solution, but any further input or questions are welcome.

BTW, I don't think waiting too long before clicking Save had anything to do with it, because the issue would also occur when I would start the download immediately.  In that situation, I would get NS's *OK* of InSpectre.exe before its alert on 99ce.

Re: Odd security alert after InSpectre download from GRC

Ardmore:

....So maybe the detection was delayed, but this is odd because like Imacri, I use CCleaner to clear the Firefox cache (I do *not* also do it via Firefox options, as you do.)  (On the computer that was getting the alerts, I manually run CCleaner before shutting down; on the other computer it runs automatically on startup.)...

Hi Ardmore:

Just to clarify, I don't use CCleaner to clear my Firefox cache.  I only use CCleaner to manage my cookies (I have a few cookies I don't want Firefox to clear) but Firefox is set to clear the cache every time I exit Firefox per my screenshot <here>.  I would actually suggest that you configure Firefox to automatically purge the data stored in your cache when you exit your browser to ensure you're always viewing the most up-to-date information each time you visit a web site and see if this decreases (or even eliminates) the Heur.AdvML.B detections by Norton.

I've never used Chrome, but there's one feature about the Firefox downloader that might also be a factor. When I download InSpectre.exe with my old IE9 browser I have the option to Run/Save/Cancel...

.. but as a security precaution Firefox only has Save/Cancel options so that users can't automatically Run an executable after it's downloaded.

I don't know if the InSpectre.exe executable is compiled code or if it has uncompiled script packaged inside a .exe wrapper but bjm_'s suggestion that it's probably just some odd glitch with Norton and/or Firefox seems reasonable.  Symantec's description of Heur.AdvML.B is "a heuristic detection designed to generically detect malicious files using advanced machine learning technology. A file detected by this detection name is deemed by Symantec to pose a risk to users and is therefore blocked from accessing the computer" so it might be interesting to submit a few of the cached "99ce74f..."  and "aa65483..." files you restored from quarantine to Symantec at https://submit.symantec.com/false_positive/ and see if these are files associated with the InSpectre.exe download (e.g. a temporary or partially downloaded file with a SHA-256 hash that Symantec hasn't whitelisted) or some completely unrelated element on the https://www.grc.com/inspectre.htm web page that's being stored in your browser cache.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.1 * Norton Security v22.14.2.13

Re: Odd security alert after InSpectre download from GRC

lmacri:
Symantec's description of Heur.AdvML.B is "a heuristic detection designed to generically detect malicious files using advanced machine learning technology. A file detected by this detection name is deemed by Symantec to pose a risk to users and is therefore blocked from accessing the computer" so it might be interesting to submit a few of the cached "99ce74f..."  and "aa65483..." files you restored from quarantine to Symantec at https://submit.symantec.com/false_positive/ and see if these are files associated with the InSpectre.exe download (e.g. a temporary or partially downloaded file with a SHA-256 hash that Symantec hasn't whitelisted) or some completely unrelated element on the https://www.grc.com/inspectre.htm web page that's being stored in your browser cache.

Submitted.

Fyi, CCleaner does delete the cache2 folder when I use it to clean Firefox's cache.  (Sorry about misreading your earlier post and thinking you were using CCleaner to clean the cache instead of for cookie management.  I use it for both, but seldom for anything else.)