Windows 10 Virus Scan Returns Malware Hits for XenServer Firmware Files: Is this a false positive or what is going on?


Xen See

Question

Ran full Windows 10 virus scan, and Windows got lots of malware hits on XenServer firmware ISO files and other files.

Here's the info from the virus scan...

Threat #1:
Trojan:Win64/Longage


Affected files for Threat #1:
\XenServer\XenServer-7.5.0-dlvm.xva
\XenServer-7.6.0-install-cd.iso
\XenServer-7.5.0-dlvm.xva->(GZip)->Ref:3028/00001251
\XenServer-7.6.0-install-cd.iso->install.img->(BZip2)->usr/bin/ping
\XenServer-7.6.0-install-cd.iso->install.img->(BZip2)->usr/bin/ps
\XenServer-7.6.0-install-cd.iso->Packages\iputils-20121221-7.el7.x86_64.rpm->(RPM)->(xz)->./usr/bin/ping
\XenServer-7.6.0-install-cd.iso->Packages\procps-ng-3.3.10-5.el7_2.x86_64.rpm->(RPM)->(xz)->./usr/bin/ps

Threat #2:
TrojanDownloader:O97M/Emotet.SN!MTB

Affected file for Threat #2:
C:\Users\xensee\AppData\Local\Google\Chrome\User Data\Default\Cache\f_015528

What do you guys make of this? Am I at risk?

Backstory: I may have accidentally clicked phishing links / downloaded an infected .doc file from Microsoft Outlook in the Chrome browser on Windows 10, which could explain the Chrome cache file getting a positive malware match. My work email got hit by phishing emails, and I was too slow to realize it. The .doc from the phishing email definitely had malware in it according to the Google Docs scan.

However, the two different threats and two different types of files that were affected lead me to believe these threats and positive malware matches may not be related. The Chrome cache "Trojan Downloader" may not necessarily be associated with the XenServer ISO file "Trojan", but I did discover them at the same time while running the full system scan. I do not recall whether or not I ran a full virus scan in W10 after saving the XenServer install ISO, which makes me think "what if the ISO files were not originally malicious when I downloaded them?"

Is it possible that non-malicious ISOs were modified by some program to be malicious? Or are the XenServer malware matches probably just false positives?

PLEASE HALP N00B

3 answers to this question

2 minutes ago, Alan Lantz said:

I would say no. It's common for AV software packages to use signatures in files for detection, and for the same signature string to randomly show up in other safe files, which results in false positives. The same thing can happen with browser cache files as well.

--Alan--

How can one be sure?
