Meaning of registry keys on Scanning report alerts
Hi,
I would like to ask about the exact meaning of the registry keys in the Scanning report list. I see, for example:
*******
Infections found: 4
Cleaned: 4
Trojan:W32/Generic.d383de9946!Online:
C:\Program Files\QGIS 3.6\apps\grass\grass-7.6.0\bin\r.out.png.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoActiveDesktopChanges
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv|Start
HKEY_USERS\S-1-5-21-21656339-4055342465-2016908541-291280\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|ShowSuperHidden
*******
The registry key names look like standard ones. Does it mean the values were changed by the malware? The listed detection is a false positive. Could the registry alert also be an FP?
Related to this, does the information "Cleaned: 4" mean that suspicious malware was removed from the executable? How were the standard registry keys cleaned? Were they removed or set to default?
Can anybody clarify the meaning, please?
Thanks
Jáchym
Best Answer
Hi Jachym,
The registry key changes are done by the USS engine in the product when a cleanup is invoked. In this case, the product is trying to clean (instead of delete, as the action set in the product settings) the exe file and at the same time reverts the 3 registry keys to their default values (similar to how the hosts file is reverted to default when the product is cleaning up an infection).
If you think the file is a false positive, do get them to submit the file to us through Submit A Sample (SAS) to get it fixed.
https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample
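As an added example (not part of the original thread, and not WithSecure's own code), the following PowerShell script reads the three registry values named in the scan report and compares them with what a stock Windows installation normally has, so you can verify what the cleanup left behind. The "expected" defaults in the script are this example's assumptions, not values stated by the product or the answer above: the Windows Update service (wuauserv) is assumed to be Manual start (3), ShowSuperHidden is assumed to be 0 (protected OS files hidden) and the NoActiveDesktopChanges policy value is assumed to be absent. The SID used for the HKEY_USERS path is the current user's; replace it with the SID from the report if you are checking a different profile.

```powershell
# Added example: audit the three registry values listed in the scan report.
# Expected defaults below are assumptions for a stock Windows install; adjust for your build.

# HKEY_USERS is not mapped as a PowerShell drive by default; map it so the per-user key is readable.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# SID of the current user (the report shows a specific SID; substitute it here if needed).
$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

$checks = @(
    @{ Path     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name     = 'NoActiveDesktopChanges'
       Expected = $null }   # assumption: policy value absent on a default install
    @{ Path     = 'HKLM:\System\CurrentControlSet\Services\wuauserv'
       Name     = 'Start'
       Expected = 3 }       # assumption: 3 = Manual start; 4 would mean Windows Update disabled
    @{ Path     = "HKU:\$Sid\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
       Name     = 'ShowSuperHidden'
       Expected = 0 }       # assumption: 0 = protected operating system files stay hidden
)

foreach ($c in $checks) {
    # -ErrorAction SilentlyContinue yields $null when the key or the value does not exist.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }

    [pscustomobject]@{
        Key      = "$($c.Path)|$($c.Name)"
        Actual   = if ($null -eq $actual)     { '<absent>' } else { $actual }
        Expected = if ($null -eq $c.Expected) { '<absent>' } else { $c.Expected }
        Matches  = ($actual -eq $c.Expected)
    }
}
```

Run it in the affected user's session (no elevation is needed to read these values). A row with Matches = False tells you which value the cleanup did not return to the assumed default, which is the thing worth raising with support alongside the false-positive sample; a Start value of 4 on wuauserv, for instance, means Windows Update is disabled, which is a common target for malware and also something an administrator might have set deliberately.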
Answers
Hi Jachym,
I am checking this and will get back to you.