Malware/Threat TrojanSpy:MSIL/AgentTesla.AQ!MTB: False positive?

  • Question

  • Hello!

    Windows Defender (Windows 10 Pro x64 v1909 build 18363.1016) has blocked AgentTesla malware 3 times on a dual-boot machine (with Linux Mint 19.2 x64). As you may see in the picture below, it does not say from where it was removed.

    In my own research I could find that AgentTesla is one of those malware which steal and transmit/disclose user info and also act as a gateway for ransomware. It is a .NET-based malware.

    Microsoft says that "Windows Defender Antivirus detects and removes this threat." Nonetheless, I have done my best to find and remove it but I was not successful. I have employed:

    - Windows Defender, which has been run in quick, full, custom (c:\ only) & offline modes;
    - Microsoft Safety Scanner;
    - Linux: clamav (from Cisco), running twice with and without the extra unofficial malware signatures;
    - Bootable Rescue Disks (.iso) from Norton, Trend Micro and Avira;
    - Windows-based tools Norton Power Eraser and Trend Micro tool.

    As I mentioned above, none of them has found it (okay, it may have been indeed removed).

    I would like to know if those notifications could be some sort of false positive. I have never received what seems to be a false positive notification from Microsoft Defender. I have to admit it has startled me.

    Moreover, may I consider this machine clean?

    As usual, all signatures / virus intelligence were updated before scanning.

    Thank you,

    Sandro

    References:

    https://krebsonsecurity.com/2018/10/who-is-agent-tesla/

    https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant

    https://sandbox.peppermalware.com/publicreport/?filter=5a230e681c011c6379d43758202424a3&action=showpdf


    • Edited by SandroSILVESTRE Monday, September 21, 2020 3:09 PM Image was reformatted.
    Monday, September 21, 2020 3:05 PM
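The post notes that the Defender notification does not say where the threat was found or removed from. That detail is recorded in Defender's own detection history and in its operational event log, and can be pulled out with the Defender PowerShell module that ships with Windows 10. The following is an added example written for this page, not code from the poster or from Microsoft; it assumes an elevated PowerShell prompt on the affected Windows 10 machine and uses only the built-in `Get-MpThreatDetection`, `Get-MpThreat`, `Get-WinEvent` and `Get-MpComputerStatus` cmdlets. The threat-name filter `AgentTesla` matches the detection named in the question.

```powershell
# Added example (not from the original post): show where Windows Defender
# found the AgentTesla detections and whether remediation succeeded.
# Run from an elevated PowerShell prompt on the affected Windows 10 machine.

# 1. Detection history kept by the Defender service. 'Resources' holds the
#    file path(s) or process that triggered each detection; 'ActionSuccess'
#    tells whether the quarantine/remove action completed.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, RemediationTime, ThreatID, ProcessName, DomainUser, ActionSuccess,
                  @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Format-List

# 2. Map the numeric ThreatID to the threat name, and check whether the
#    threat is still considered active on this machine.
Get-MpThreat |
    Select-Object ThreatID, ThreatName, SeverityID, IsActive,
                  @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

# 3. The same events from the Defender operational log:
#    event ID 1116 = malware detected, 1117 = action (quarantine/remove) taken.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'AgentTesla' } |
    Select-Object TimeCreated, Id,
                  @{ Name = 'Detail'; Expression = { $_.Message -replace '\s+', ' ' } } |
    Format-List

# 4. Record the engine and signature versions the scans were run with.
Get-MpComputerStatus |
    Select-Object AMEngineVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated
```

How to read the output: if the `Resources` entries point to a browser cache, a temporary download or a mail attachment and `ActionSuccess` is `True` with `IsActive` `False`, the later scans finding nothing is consistent with the file having been quarantined at download time rather than with a missed infection. If the same resource path keeps reappearing in new 1116 events, something on the machine is recreating it and that location (and what writes to it) is the thing to examine. A mismatch between the paths reported here and any file that is actually present can also be taken to Microsoft's sample-submission portal to check for a false positive.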