Windows Defender false positive on file downloaded from ams1.dl.dbolical.com

Anonymous
2016-05-07T22:19:53+00:00

That's very strange. I've uploaded this file myself and now when I try to download it through Chrome it fails, saying it has a virus: Trojan:Win32/Spursint.A!cl.

http://www.moddb.com/games/alien-swarm/addons/invisible-threat

Moddb redirects registered users to this website, files from which are considered viruses for some reason. Unregistered users get the file from mediafire with no problems.

The same file on another website downloads fine:

http://gamebanana.com/maps/190143

I've done some research and found that any file from ams1.dl.dbolical.com is considered a virus by Windows Defender (and SmartScreen).

Example 1

Example 2

Here is what Windows Defender says

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Items:

file:C:\Users\Dmitriy\Pictures\invisible_threat_3.7z

webfile:C:\ProgramData\Microsoft\Windows Defender\LocalCopy{21AE2215-7DF9-4AC9-9309-87C230BA8E26}-invisible_threat_3.7z|http://sjc3.dl.dbolical.com/dl/2016/05/05/invisible_threat_3.7z?st=4wAHpAye8AbR5ef_LLxoCw==&e=1463048245

webfile:C:\Users\Dmitriy\Pictures\invisible_threat_3.7z|http://sjc3.dl.dbolical.com/dl/2016/05/05/invisible_threat_3.7z?st=4wAHpAye8AbR5ef_LLxoCw==&e=1463048245

Get more information about this item online.

This question was migrated from the Microsoft Support Community.

4 answers

  1. Anonymous
    2016-05-18T09:50:03+00:00

    Yes, IE blocks the file using SmartScreen pop up. Chrome blocks the file because Windows Defender marked it as a virus.

    I've done some research and found that any file from ams1.dl.dbolical.com is considered a virus by Windows Defender (and SmartScreen). For registered moddb users it downloads the file from dbolical.com; unregistered users download it from some mirror website like mediafire.

    Example 1

    Example 2

    Here is what Windows Defender says

    Category: Trojan

    Description: This program is dangerous and executes commands from an attacker.

    Recommended action: Remove this software immediately.

    Items:

    file:C:\Users\Dmitriy\Pictures\invisible_threat_3.7z

    webfile:C:\ProgramData\Microsoft\Windows Defender\LocalCopy{21AE2215-7DF9-4AC9-9309-87C230BA8E26}-invisible_threat_3.7z|http://sjc3.dl.dbolical.com/dl/2016/05/05/invisible_threat_3.7z?st=4wAHpAye8AbR5ef_LLxoCw==&e=1463048245

    webfile:C:\Users\Dmitriy\Pictures\invisible_threat_3.7z|http://sjc3.dl.dbolical.com/dl/2016/05/05/invisible_threat_3.7z?st=4wAHpAye8AbR5ef_LLxoCw==&e=1463048245

    Get more information about this item online.

  2. Rob Koch 25,885 Reputation points Volunteer Moderator
    2016-05-17T21:41:45+00:00

    The file itself is being blocked by SmartScreen Filter in Internet Explorer with Windows 7, so it's still a Microsoft product that's involved, but an entirely different group than those responsible for Windows Defender.

    Since SmartScreen Filter typically operates more based on the URL than the file contents, you may be correct that it's being detected based on the path, but I was able to download a different file from the same site and remote server the other day, so I still suspect it's related to the individual file path.

    Are you sure it was a Windows Defender path with your Windows 8.1?  I ask because it's still possible that Windows Defender is receiving this information from SmartScreen Filter's database via some tight integration these have in newer versions of the Microsoft Security applications.  So rather than Defender actually containing a definition itself, it may be either it or IE checking with SmartScreen and simply reporting the URL detection instead.

    Look closely at the detection information both on screen and in Defender's History logs to be certain which path this detection is taking.

    Rob

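An added example, not code from any poster in this thread: a Python script that parses item lines in the `file:` / `webfile:path|url` form quoted above and checks whether detections follow the download domain or an individual file, which is the question the answers disagree on. `CLEAN_URLS`, the function names and the verdict labels are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Two item lines copied from the Defender detail quoted on this page.
PAGE_ITEMS = [
    r"file:C:\Users\Dmitriy\Pictures\invisible_threat_3.7z",
    r"webfile:C:\Users\Dmitriy\Pictures\invisible_threat_3.7z|"
    r"http://sjc3.dl.dbolical.com/dl/2016/05/05/invisible_threat_3.7z"
    r"?st=4wAHpAye8AbR5ef_LLxoCw==&e=1463048245",
]
# Constructed: a different file from the same server that downloaded cleanly.
CLEAN_URLS = ["http://sjc3.dl.dbolical.com/dl/2016/05/01/other_addon.7z"]


def parse_item(line):
    """Return (kind, local_path, source_url or None) for one item line."""
    kind, sep, rest = line.strip().partition(":")
    if not sep or kind not in ("file", "webfile"):
        raise ValueError(f"unrecognised item: {line!r}")
    # Assumption: some Defender outputs write 'file:_C:\...' and append
    # further '|' fields after the URL; both are tolerated here.
    parts = rest.lstrip("_").split("|")
    url = parts[1] if kind == "webfile" and len(parts) > 1 else None
    return kind, parts[0], url


def in_domain(url, domain):
    """True when the URL's host is the domain itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def flagged_downloads(items, domain):
    """Set of (host, file name) for detections whose origin is in domain."""
    found = set()
    for line in items:
        _, _, url = parse_item(line)
        if url and in_domain(url, domain):
            parsed = urlsplit(url)
            found.add((parsed.hostname, posixpath.basename(parsed.path)))
    return found


def verdict(items, clean_urls, domain):
    """Compare flagged downloads with clean ones from the same domain."""
    if not flagged_downloads(items, domain):
        return "not-flagged"
    clean = [u for u in clean_urls if in_domain(u, domain)]
    # A clean download from the same domain rules out a blanket domain block.
    return "per-file" if clean else "possibly-domain-wide"
```

Matching on the parent domain rather than the exact host matters here, because the question names `ams1.dl.dbolical.com` while the logged URL points at `sjc3.dl.dbolical.com`.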
  3. Anonymous
    2016-05-17T18:53:56+00:00

    Internet Explorer doesn't download the file either. This is where moddb actually downloads from

    I unblocked the file in Windows Defender.

    I didn't submit a sample because it's too complicated for me.

    What I think is that the website that hosts the file is marked as dangerous by Microsoft and blocks all files from it. So I reported it to moddb team and let them solve their issue.

  4. Anonymous
    2016-05-07T23:32:54+00:00

    The first thing I would do is make sure you are using Internet Explorer as your browser, at least for this download.

    ~

    I think you may have to work at excluding it from the scan, as an interim measure.

    Tools, Options, general settings, scroll down to Advance Options settings, and hit the add button.

    ~

    Submit a sample

    https://www.microsoft.com/en-us/security/portal/submission/submit.aspx

    ~
