Forum Thread: How to ignore only the false positive and not the program itself?!

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
newpost How to ignore only the false positive and not the program itself?!
Member 8th Jan, 2011 16:40
Ranking: 2
Posts: 34
User Since: 7th Aug, 2010
System Score: N/A
Location: DE
Last edited on 8th Jan, 2011 16:41

Hi,

I need help very much. I cannot get false positives (the patches are installed!). I don't see any possibility to ignore only the false positive but not exclude the software from being scanned for further / new vulnerabilities.

Any idea, or is this function still not there?

Thank you in advance!

hirectuvaw RE: How to ignore only the false positive and not the program itself?!
Member 8th Jan, 2011 16:52
Score: 1
Posts: 9
User Since: 13th Sep 2010
System Score: N/A
Location: US
Any chance of an example (or three) of such a false positive?

Is the version you have installed listed as the "secure" version? Does PSI report that version number?

I have noticed that the "scan" function seems to take a rather long while to complete, even when it is a single file that I have asked it to scan -- and sometimes it does not report the correct file version even after a scan.
newpost RE: How to ignore only the false positive and not the program itself?!
Member 8th Jan, 2011 17:05
Score: 2
Posts: 34
User Since: 7th Aug 2010
System Score: N/A
Location: DE
Last edited on 8th Jan, 2011 17:07
Hi,

example1:
iexplore.exe
http://secunia.com/advisories/42091/ (MS10-090 (KB2416400))
Version number 6.00.2900.5512

example2:
KB981852
version number Service Pack 3

and so on ...


All versions marked as unsecure.

This ignoring function should be in the professional settings if Secunia wants a statistic that is right. 96% instead of 100% is quite a difference!


PS: It is not so nice that I don't see the post I am answering to.
newpost RE: How to ignore only the false positive and not the program itself?!
Member 8th Jan, 2011 17:35
Score: 2
Posts: 34
User Since: 7th Aug 2010
System Score: N/A
Location: DE
But I don't search for help for these false positives but for the described function.

@secunia team: Is there any hope that this function will be added someday?

Thank you in advance.
hirectuvaw RE: How to ignore only the false positive and not the program itself?!
Member 8th Jan, 2011 22:12
Score: 1
Posts: 9
User Since: 13th Sep 2010
System Score: N/A
Location: US
One thing you could do is switch off the "Secure Browsing" page, if that is where you are seeing the "false positive".

If you are seeing on the "Scan results" page that IE has not been updated to the latest version, that is not a false positive. You should update IE to the latest version.

If you are seeing that IE has been updated to the latest version but is still unsafe for browsing, that is the "Secure Browsing" tab, which you might as well turn off (in Settings). I posted another thread with another situation where the Secure Browsing page is not doing what it should -- a plug-in is being detected as making IE unsafe, but the plug-in is only for Firefox. I wouldn't consider that a false positive but a program flaw. A security program scanning and analyzing software on our machines should get it right, even if it is on a page designed only for Advanced Users.
newpost RE: How to ignore only the false positive and not the program itself?!
Member 9th Jan, 2011 00:00
Score: 2
Posts: 34
User Since: 7th Aug 2010
System Score: N/A
Location: DE
Hi,
in the newest PSI version 2.0 there is no secure browsing area, so you are still using the old 1.5.

Sorry, but there is a patch number added to my post which I have. As it seems you don't understand what I have written.

It is a false positive, every one of them! But we can only ignore the programs and not only the specific vulnerabilities. The professional mode PSI seems not to have this possibility either. Or am I overlooking something?

I was mentioning it already in my other post about false positives but there doesn't seem to be a chance to get this so very important feature. Instead you get only some hints which take much time with many false positives. I just don't understand it. It is very sad that Secunia doesn't see that this feature has to be there. I have 4% less than it should be. I want that feature and don't have time to do some extra time-expensive things to maybe get rid of these false positives.

It is just very sad but we cannot do anything. In paid software it would be solved in a couple of days but I have no hope that we get this feature.
Maurice Joyce RE: How to ignore only the false positive and not the program itself?!
Handling Contributor 9th Jan, 2011 00:22
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Why would Secunia want to create an ignore rule for false positives for users? That would destroy the whole idea of the programme.

If there is a false entry they require evidence so that they can correct their scanner to remove it.

I can see no evidence that U have produced to suggest there are false positives on your PC.

Because a programme is showing in Control Panel>add/remove does NOT mean it is installed correctly nor does the fact that U have checked MS Update.

What other tests have U completed to check whether the patches are correctly installed? Have U used MBSA? Have U completed a Custom MS Update?


What are the paths to these alleged false positives?



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
newpost RE: How to ignore only the false positive and not the program itself?!
Member 9th Jan, 2011 17:29
Score: 2
Posts: 34
User Since: 7th Aug 2010
System Score: N/A
Location: DE
I have installed all patches and they are shown in Windows in "software" when "show updates" is marked. As I see, you want me to take hours after hours to solve these problems instead of a simple feature for professional users. Sorry, I don't have time for that. There are more important things that I have to get done and I also need some free time. I see I have to give up as this doesn't make any sense.

Thanks a lot!
hirectuvaw RE: How to ignore only the false positive and not the program itself?!
Member 9th Jan, 2011 18:54
Score: 1
Posts: 9
User Since: 13th Sep 2010
System Score: N/A
Location: US
Even advanced users can learn something. For example, the version 2.0 does have a Secure Browsing page, but it is turned off by default. I thought maybe you had turned yours on, and that was where you were seeing the problem. Your description of the problem you were seeing seemed to apply more to that page than to the "Scan results" page.

I'd reiterate what has been said before: either the latest file version (what Secunia wrongly calls "patch") has been installed and PSI is broken by saying that it hasn't been installed, or the latest version has not been installed. I don't see that false positive is an option.

So either we try to figure out why PSI is saying you don't have the latest version, or we try to come up with a way to reproduce the problem so Secunia can fix it.

I've had similar experience in two situations. In one, the scanner took a long time to run, so the "old" scan results stayed around longer than they should have. In the other situation, the program was seeing the "old" version (sometimes in the Recycle Bin) and reporting that it had not been updated, which of course it hadn't.

In the latter case, I was not able to figure out what was going on until I expanded the line for the offending program to see its location(s).

There would seem to be two possibilities: either PSI is reporting one version, but you can see in a tooltip in Windows Explorer that it is a newer version and the scanner hasn't caught up yet; or PSI is correctly reporting the file's version, but is saying that it still needs to be updated (what PSI wrongly calls "patched"). It doesn't matter if you know you have installed the latest version; if the version seen in Windows Explorer matches what PSI sees, that is the version that needs to be brought up to date.

None of those is a true "false positive". A security risk with no mitigation, sure; an update process that hasn't worked as expected, possibly; but not a false positive.

If the scanner is not identifying the version correctly, that is a PSI defect that needs to be fixed.

(I suppose there is another status, "up-to-date but still insecure", though I've only seen that under "Secure Browsing". The "Scan results" page seems to only be concerned with reporting missing updates, not with warning about security risks fixed by a newer version you can install. You report seeing the words "still unsecure", but it was not clear whether that is an exact quote, or if you are really seeing "not the latest version" or some other message.)

At any rate, it shouldn't take hours. See what version PSI says you have, check the tooltip for that file in Explorer, see if they match. Report back, along with the version PSI reports as the one you ought to have. You may have found a defect (or perhaps a frustration) that the PSI folks need to fix. You'd do all of us a favor by helping them identify it.
newpost RE: How to ignore only the false positive and not the program itself?!
Member 9th Jan, 2011 23:08
Score: 2
Posts: 34
User Since: 7th Aug 2010
System Score: N/A
Location: DE
The program version of Internet Explorer is the same in PSI and in the file information of Windows Explorer. But that is not the point. The point is that the patch KB2416400 is not missing although PSI says so. It is installed and can also be seen under "software" in Windows when you turn "show updates" on. Very strange.
ddmarshall RE: How to ignore only the false positive and not the program itself?!
Dedicated Contributor 9th Jan, 2011 23:43
Score: 1210
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
I see there can be problems with KB2416400 unless KB2467659 is also installed.

Some XP users seem to have this problem with PSI not recognising that Windows is fully patched. There doesn't seem to be a solution apart from sometimes using an older version of PSI.



--
This answer is provided “as-is.” You bear the risk of using it.
newpost RE: How to ignore only the false positive and not the program itself?!
Member 10th Jan, 2011 00:11
Score: 2
Posts: 34
User Since: 7th Aug 2010
System Score: N/A
Location: DE
As I don't have any problem I don't install this additional patch. So I have to live with this one but there are still 4 more of them and I really don't have the time and desire to struggle with it. A reasonable ignore button would be the best / very nice. It should be possible to get one in the advanced settings.
ddmarshall RE: How to ignore only the false positive and not the program itself?!
Dedicated Contributor 10th Jan, 2011 12:49
Score: 1210
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
The Microsoft Support article states that KB2416400 may be reoffered by Windows Update if KB2467659 is installed. http://support.microsoft.com/kb/2416400

I was merely hypothesising that it may be the cause of the Secunia problem.

I don't think that changing the PSI to ignore some vulnerabilities in a product but not others would be as simple as you think.

--
This answer is provided “as-is.” You bear the risk of using it.
hirectuvaw RE: How to ignore only the false positive and not the program itself?!
Member 10th Jan, 2011 18:02
Score: 1
Posts: 9
User Since: 13th Sep 2010
System Score: N/A
Location: US
At the risk of adding something redundant: It would be nice if PSI would say how it knows that KB2416400 has not been installed. Microsoft files are mostly signed and otherwise identified, so it should be clear whether a file (including one of the dependent files) is at the wrong version. The same applies to settings or registry entries.

If Add/Remove Programs thinks that a security update has been installed, PSI should be particularly helpful about saying why it asserts that it has not, by citing the offending file or setting. It may very well be that the things we mere mortals can see (such as the Add/Remove Programs listings) say one thing but the reality of the files or settings is something else; so to avoid frustration, PSI would need to supplement the information available to mere mortals. If Windows Update did its job properly, we wouldn't need PSI to check up on it (sigh), which means PSI needs to provide extra help beyond saying "run windows update" to make things right for the occasions when Windows Update has failed.

If Windows Update has by some chance done the job right, but PSI doesn't recognize it, that is a flaw that needs to be corrected (in PSI).
newpost RE: How to ignore only the false positive and not the program itself?!
Member 12th Jan, 2011 00:36
Score: 2
Posts: 34
User Since: 7th Aug 2010
System Score: N/A
Location: DE
Last edited on 12th Jan, 2011 00:45
@ddmarshall: the update KB2467659 is not installed so the reoffering would not take place because of it.

@hirectuvaw: I also use the update scanner (http://www.syssel.net/hoefs/software_scanner.php) and it works much better than PSI for the Microsoft updates but there is no new version after the patch day 12/2010. You are right, PSI should give more details why the patch seems to be missing as it is not the truth in my opinion. I install all patches by hand so there shouldn't be any Microsoft update install problems. ;)
Anthony Wells RE: How to ignore only the false positive and not the program itself?!
Expert Contributor 12th Jan, 2011 19:23
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ,

Belarc does a free crosscheck of which M$ hotfixes you may or may not be missing :-

http://belarc.com/free_download.html

take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
ddmarshall RE: How to ignore only the false positive and not the program itself?!
Dedicated Contributor 12th Jan, 2011 22:41
Score: 1210
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
on 10th Jan, 2011 12:49, ddmarshall wrote:
The Microsoft Support article states that KB2416400 may be reoffered by Windows Update if KB2467659 is installed. http://support.microsoft.com/kb/2416400

I was merely hypothesising that it may be the cause of the Secunia problem.

I don't think that changing the PSI to ignore some vulnerabilities in a product but not others would be as simple as you think.



Sorry. I mistyped there. It should read:
KB2416400 may be reoffered by Windows Update if KB2467659 is not installed.
Network problems have prevented me getting back before.

--
This answer is provided “as-is.” You bear the risk of using it.
newpost RE: How to ignore only the false positive and not the program itself?!
Member 12th Jan, 2011 22:47
Score: 2
Posts: 34
User Since: 7th Aug 2010
System Score: N/A
Location: DE
Last edited on 12th Jan, 2011 23:07
Ok, I will install KB2467659 and see if it helps. So I can maybe get one false positive away. I call it a false positive as it is the simplest way.

Bingo! One less. 4 Stay. I wish I had so much time to take care of the other 4.