I found this executable A0000623.sys with 6 detections on VirusTotal. Are these false positives or true positives?
The file was found in the _restore system folder. It looks like it is a Windows system file (tcp.sys), but maybe it is infected. It has no digital signature.
With the help of Google, I was able to trace it back to MS05-019: WindowsXP-KB893066-x86-ENU.exe. But unfortunately, WindowsXP-KB893066-x86-ENU.exe can no longer be downloaded from Microsoft’s site, as they published a new release for this patch: WindowsXP-KB893066-v2-x86-ENU.exe.
Fortunately, I found another file in this _restore folder: A0000615.cat. This is a catalog file that Microsoft uses to sign Windows executables. With Sysinternals’ sigcheck tool and this catalog file, I was able to confirm that this is a signed Windows executable and conclude that the detections are false positives.
I will release a new version of my AnalyzePESig tool that accepts an optional catalog file.
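The same catalog check, scaled up to a whole restore-point directory, as an added example that is not from the original post: it runs sigcheck's -f switch (verify against a specified catalog file instead of the system catalog database) for every executable against every .cat file found there. The directory path is a placeholder and sigcheck.exe is assumed to be on PATH.

```powershell
# Added example (not from the original post). For each .sys/.exe/.dll in a
# restore-point folder, try every catalog file in that folder with
# "sigcheck -f <catalog> <file>" and report which catalog, if any, validates it.
# Catalog verification is hash-based, so the A00xxxxx rename that System Restore
# applies does not affect the result. Paths below are placeholders (assumption).
param(
    [string]$RestoreDir = 'D:\evidence\_restore\RP1',   # placeholder path
    [string]$SigCheck   = 'sigcheck.exe'               # assumes sigcheck on PATH
)

$catalogs = Get-ChildItem -Path $RestoreDir -Filter '*.cat' -File
$binaries = Get-ChildItem -Path $RestoreDir -File |
    Where-Object { $_.Extension -match '^\.(sys|exe|dll)$' }

$results = foreach ($bin in $binaries) {
    $matched   = $null
    $publisher = ''
    foreach ($cat in $catalogs) {
        # -q suppresses the banner; -f makes sigcheck look for the file's
        # signature in this catalog rather than in the local catalog store.
        $out = & $SigCheck -accepteula -q -f $cat.FullName $bin.FullName 2>&1 | Out-String
        if ($out -match 'Verified:\s+Signed') {
            $matched = $cat.Name
            if ($out -match 'Publisher:\s+(.+)') { $publisher = $Matches[1].Trim() }
            break   # first validating catalog is enough
        }
    }
    [pscustomobject]@{
        File      = $bin.Name
        Catalog   = if ($matched) { $matched } else { '(none)' }
        Publisher = $publisher
        Status    = if ($matched) { 'Signed via catalog' } else { 'No matching catalog in folder' }
    }
}

$results | Format-Table -AutoSize
```

A file reported with no matching catalog is not necessarily malicious: the catalog that covers it may simply not have been captured in the same restore point, so the result is an input to further checks, not a verdict.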
[…] 5. I liked this post by Didier Stevens showing how to use a .cat file to validate packages to determine if you are dealing with a false positive or not https://blog.didierstevens.com/2014/03/03/forensic-use-of-cat-files/ […]
Pingback by Daly Blog #258: Saturday Reading 3/8/14 : Learn DFIR — Saturday 8 March 2014 @ 22:21