BobSoul
Posts: 145

Posts posted by BobSoul
-
This is one of the previous times the Heidelberg software got flagged. Yes, it's an old file, but it's a diagnostic machine that doesn't have many software updates (there are a total of two previous posts on this, each fixed each time :) )
-
Also note I ran the file against Emsisoft and portable RogueKiller and it comes up clean, and I do know for a fact it is the actual install file for the Heidelberg software -- had a false ID a bit back on the same files that you guys corrected.
-
It wasn't quarantined yet due to the live clinic, and they have postponed the reboot several times because of patients being seen and having images taken -- I attached the file; it's actually the setup file for the Heidelberg software
-
I'll try; the clinic is seeing patients at the moment and it's hard to get on the machine remotely -- give me a few minutes
-
Hello:
I just got the following false positives on our Heidelberg FA machines (diagnostic equipment for taking images of the retina).
These are not new and have been on the system for some time; they are actually the main software for the machine to function.
They are being detected as Malware.Sandbox.1
- Endpoint name:
- OS platform: Windows
- OS release name: Microsoft Windows 10 Pro for Workstations
- Location: C:\PROGRAMDATA\{2A0FDD43-0EB4-490F-85DC-61A60EA69080}\SETUP.EXE
- Policy name:
- Report time: September 29th 2022, 14:04:26 UTC
- Scan time: September 29th 2022, 14:01:00 UTC
- Action taken: Quarantined
- Threat name: Malware.Sandbox.1
- Type: file
- Endpoint name:
- OS platform: Windows
- OS release name: Microsoft Windows 10 Pro for Workstations
- Location: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Heidelberg Eye Explorer
- Policy name:
- Report time: September 29th 2022, 14:04:26 UTC
- Scan time: September 29th 2022, 14:01:00 UTC
- Action taken: Quarantined
- Threat name: Malware.Sandbox.1
- Type: reg_key
- Endpoint name:
- OS platform: Windows
- OS release name: Microsoft Windows 10 Pro for Workstations
- Location: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{CA920751-9922-42DB-AD51-F199D40F2F0A}
- Policy name:
- Report time: September 29th 2022, 14:04:26 UTC
- Scan time: September 29th 2022, 14:01:00 UTC
- Action taken: Quarantined
- Threat name: Malware.Sandbox.1
- Type: reg_key
Attached diags as well
-
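Before restoring a quarantined installer like the SETUP.EXE and the two Uninstall keys in the records above, a defender wants evidence of what the file is, not just a second scanner's verdict. The following PowerShell is an added example, not code from this thread, from Malwarebytes or from Heidelberg. It takes the paths and registry keys exactly as they appear in the detection records, reports the Authenticode signer and status of each file, its SHA-256 hash and size, and the Publisher/DisplayName stored in the uninstall keys, so the result can be compared with what the vendor ships. The page does not give the expected signer or hash, so the script only collects them for comparison; the parameter names are my own.

```powershell
# Added example: collect identity evidence for files and registry keys that an
# endpoint product flagged, before deciding to restore them from quarantine.
# Paths and keys default to the ones in the detection records in this thread.
param(
    [string[]]$FilePaths = @(
        'C:\ProgramData\{2A0FDD43-0EB4-490F-85DC-61A60EA69080}\SETUP.EXE'
    ),
    [string[]]$UninstallKeys = @(
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Heidelberg Eye Explorer',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CA920751-9922-42DB-AD51-F199D40F2F0A}'
    )
)

foreach ($p in $FilePaths) {
    if (-not (Test-Path -LiteralPath $p)) {
        # A quarantined file is moved away, so "not present" is expected until it is restored.
        Write-Host "$p : not present (still quarantined?)"
        continue
    }
    $item = Get-Item -LiteralPath $p
    $sig  = Get-AuthenticodeSignature -LiteralPath $p
    $hash = Get-FileHash -LiteralPath $p -Algorithm SHA256
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    # Status values to look for: Valid (signed, chain trusted), NotSigned,
    # HashMismatch (file changed after signing; do not restore without vendor confirmation).
    [pscustomobject]@{
        Path     = $p
        Status   = $sig.Status
        Signer   = $signer
        SHA256   = $hash.Hash
        Bytes    = $item.Length
        Modified = $item.LastWriteTime
    }
}

foreach ($k in $UninstallKeys) {
    if (-not (Test-Path -LiteralPath $k)) {
        # A quarantined reg_key detection removes the key, so absence is expected here too.
        Write-Host "$k : not present (still quarantined?)"
        continue
    }
    $props = Get-ItemProperty -LiteralPath $k
    [pscustomobject]@{
        Key         = $k
        DisplayName = $props.DisplayName
        Publisher   = $props.Publisher
        Version     = $props.DisplayVersion
        InstallDir  = $props.InstallLocation
        Uninstall   = $props.UninstallString
    }
}
```

Run it on the affected endpoint (elevated, so HKLM under WOW6432Node is readable) after the restore has actually completed; as later posts in this list note, a restore can sit in pending on the console, in which case the file path simply reports "not present". Submit the printed SHA-256 together with the signer subject when reporting the false positive, since that is what the vendor needs to whitelist the exact binary rather than the path.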
Same here with Nebula endpoints, just to add to the list
-
It scanned clean after restore -- thanks
-
Ok -- I'll restore and rescan and let you know
-
I had three machines this morning flag the same file; the file is a video file codec that has been on the system, and previous scans hours before didn't detect it
- Category: Malware
- Group name:
- Public endpoint IP:
- Endpoint name: wmsarchive
- OS platform: Windows
- OS release name: Microsoft Windows 10 Pro
- Location: C:\WINDOWS\SYSWOW64\PRODAD-CODEC.DLL
- Policy name: Retina Consultants
- Report time: July 15th 2022, 10:18:26 UTC
- Scan time: July 15th 2022, 10:01:01 UTC
- Action taken: Quarantined
- Threat name: Malware.AI.3514656721
- Type: file
All three machines with the same setup configuration detected this -- I noticed a few posts listing video programs being detected, but they didn't list the specific file that I was getting
-
I deleted the file anyway since it gets downloaded every time you run GoTo Assist. I rescanned and it was fine. It was the boss's PC and he needed it, so :)
-
OK, here are the diags from that machine -- all the files appear to be the setup files from the default preinstalled system files pre-shipped with Dell -- they have been on the machine for a while, and previous scans throughout the week found them fine till the latest updated definitions tonight from the endpoint console
-
3 other files detected in the same directory, same AI detection with the same details
C:\PROGRAMDATA\TEMP\{2A87D48D-3FDF-41FD-97CD-A1E370EFFFE2}\SETUP.EXE
C:\PROGRAMDATA\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\SETUP.EXE
C:\PROGRAMDATA\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\SETUP.EXE
-
- Category: Malware
- Group name:
- Public endpoint IP:
- Endpoint name:
- OS platform: Windows
- OS release name: Microsoft Windows 10 Pro
- Location: C:\PROGRAMDATA\TEMP\{8F14AA37-5193-4A14-BD5B-BDF9B361AEF7}\SETUP.EXE
- Policy name: Retina Consultants
- Report time: July 15th 2022, 02:20:46 UTC
- Scan time: July 15th 2022, 02:01:01 UTC
- Action taken: Quarantined
- Threat name: Malware.AI.1417261220
- Type: file
The file is the default system setup file from the CyberLink DVD software from a Dell install -- it's an old file that is just there from setup. Once the machine restarts and finishes updates I'll add the diags. This machine, like my other one, runs about 4 to 6 scans a day; previous scans 2 hours before the last scan were clean with this file present
-
Just in case you need these ....
-
Note added: Emsisoft ran a scan on the system last night and didn't find this file as an issue -- as it did on several other installers for GoTo Assist
-
- Category: Malware
- Group name:
- Public endpoint IP:
- Endpoint name:
- OS platform: Windows
- OS release name: Microsoft Windows 10 Pro
- Location: D:\JERRY\DOWNLOADS\G2A_RS_INSTALLER_CITRIX_ACCOUNT.EXE
- Policy name:
- Report time: July 15th 2022, 01:09:49 UTC
- Scan time: July 15th 2022, 01:01:02 UTC
- Action taken: Quarantined
- Threat name: Malware.AI.2271288328
- Type: file
The file is the GoTo Assist installer -- an old one, it appears; it's been there for a while. The system scanned twice today and didn't find it till its last scheduled scan. Noting that it was an AI detection, assuming it's the latest update definitions that triggered it
-
Thanks! I figured most of what was exported in the diags wasn't all needed. I saved the link for future reference
-
Thank you - I figured -- since after the restore of the file it never actually restored - updating the endpoint databases and running again -- for future reference, how do I get the diag export to be smaller? It exported at 90 MB so it's too large for uploads to the forum
-
I found this detection strange since it appears to be Malwarebytes detecting something in its own directories.
I tried to attach the diagnostics log but the file is too large? Trying to get the file to restore so I can send that as well; it seems to be stuck in pending on the Nebula console at the moment.
What do I need to trim on the diag logs to get this file smaller?
- Endpoint name: wmsdroffice2
- OS platform: Windows
- OS release name: Microsoft Windows 10 Pro
- Location: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\TMP\CMD.EXE-K.MBAM
- Policy name: Retina Consultants
- Report time: June 16th 2022, 10:23:21 UTC
- Scan time: June 16th 2022, 10:01:03 UTC
- Action taken: Quarantined
- Threat name: Trojan.ShellCode
- Type: file
-
No problem. Thanks for the further definition link on machine learning .. figured as much since it was not detected in the scan the day before. Then after the update of Malwarebytes it was found; I figured false positive :)
Was easier to just delete and move forward since it wasn't a system-critical file etc. and wasn't running in memory or services etc. or replicating, you know the drill :)
-
I deleted the file since Windows rebuilt it after quarantine and prevented restore... I had to get this machine working and cleaned so I just treated it as if it was a valid detection as far as cleaning the system etc. Emsisoft didn't detect it before I deleted it; I scanned it in the quarantine folder directly (Emsisoft ignores those folders unless you specify them). I was just reporting it as a possible false positive since when researching I have seen it detected falsely by Malwarebytes earlier this year and know sometimes this can creep back into new definitions from time to time. I put the machine onto an endpoint for better control and monitoring over the next few days; it has since scanned clean.
-
Hope that last post helps shed some more light on whether it's false or not. Was going to run the file against Emsisoft but Malwarebytes won't restore the file to do so, and I know running files sitting in the quarantine folder never really gives a full-fledged reliable result (though I do it just for the hell of it sometimes :) ) and it was fine with it.
-
The file in question is the Windows Timeline feature, which if you delete/remove will be recreated by Windows. I know it's possible for this file to get corrupt and wonder if this is the reason for the detection? If you try to restore from quarantine it will not, because a new one is in use by Windows; the Connected Devices Platform service is using the file.
Microsoft lists its sister file as causing high system resource use and suggests the following:
I understand that svchost.exe is utilizing disk space and CPU usage on your PC.
Based on the information you have provided, ActivitiesCache.db-wal is used by Windows Timeline feature. I would suggest you to follow the steps mentioned below and see if that helps.
Method 1: Delete ActivitiesCache.db-wal
Try deleting ActivitiesCache.db-wal and see if the usage is reduced. Kindly follow the steps mentioned below:
1. Press Windows key + R. This will open Run. Alternatively, you can go to Start and search for 'Run'
2. In the Run dialog box, type services.msc and hit Enter.
3. Now look for Connected Devices Platform service
4. Right click on the service and click on Stop
After stopping the service follow the steps mentioned below:
1. Press Windows + E to open File Explorer
2. Now click on View and check the box next to Hidden items
3. Now navigate to C:\Users\UserName\Appdata\Local\ConnectedDevicesPlatform\4a3b4560b8cf8a2b
4. Right click on ActivitiesCache.db-wal and click on Delete
Method 2: Turn off Timeline
Try turning off Timeline feature and check if the usage is reduced.
1. Press Windows + I keys together to open Settings
2. Now click on Privacy and select Activity history
3. Uncheck the boxes next to Let Windows collect my activities from this PC and Let Windows synchronize my activities from this PC to the cloud
4. Now under Show activities from accounts toggle the switch to Off
Also noticed this was falsely detected in January of this year
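The two step lists under "Method 1" (stop the Connected Devices Platform service, then delete ActivitiesCache.db-wal) are the same sequence an administrator would script when the file cannot be restored because the service holds it open. The PowerShell below is an added example, not from Microsoft, from Malwarebytes or from this thread. It assumes the service can be found by a display name beginning with "Connected Devices Platform" (the display name used in the quoted steps), and it finds the per-account folder under ConnectedDevicesPlatform with a wildcard rather than the fixed folder name in the quoted path, because that folder name differs per machine. It hashes each file before deleting it so a sample identifier survives for a false-positive report, and it honours -WhatIf so the actions can be previewed first.

```powershell
# Added example: scripted form of "Method 1" from the quoted Microsoft answer.
# Assumptions (not from the thread): the service display name begins with
# "Connected Devices Platform", and the per-account cache folder is located
# with a wildcard. Run in the affected user's session, elevated.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CacheGlob = (Join-Path $env:LOCALAPPDATA 'ConnectedDevicesPlatform\*\ActivitiesCache.db-wal')
)

$svc = Get-Service -DisplayName 'Connected Devices Platform*' -ErrorAction Stop |
       Select-Object -First 1

# Record what is about to be deleted. The SHA-256 lets the file be matched against
# the hash in a scan log (the log later in this list carries one) or submitted
# as a false-positive sample instead of only describing it by path.
$targets = @(Get-ChildItem -Path $CacheGlob -Force -ErrorAction SilentlyContinue)
if ($targets.Count -eq 0) {
    Write-Host "No ActivitiesCache.db-wal found under $CacheGlob; nothing to do."
    return
}
foreach ($f in $targets) {
    $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256
    Write-Host ("{0}  {1}  {2} bytes" -f $h.Hash, $f.FullName, $f.Length)
}

# Step 1: stop the service so the database file is no longer held open.
if ($svc.Status -ne 'Stopped') {
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop-Service')) {
        Stop-Service -Name $svc.Name -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
}

# Step 2: delete the write-ahead log file(s) found above.
foreach ($f in $targets) {
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove-Item')) {
        Remove-Item -LiteralPath $f.FullName -Force
    }
}

# Step 3: start the service again; Windows recreates the cache files on demand,
# which is also why the original post could not restore the quarantined copy.
if ($PSCmdlet.ShouldProcess($svc.Name, 'Start-Service')) {
    Start-Service -Name $svc.Name
}
```

Preview with `.\script.ps1 -WhatIf` to see the service stop, the deletions and the restart without performing them; run without the switch to apply. If the file is recreated and flagged again on the next scan, the hash printed before deletion is the value to quote in the false-positive report.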
-
Update: Malwarebytes Premium, previous days' scans clean; ran a new manual scan and this was the result. Seen as a false positive before
MachineLearning/Anomalous.96%
Quarantined out of caution
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/3/22
Scan Time: 11:42 AM
Log File: bb026292-e353-11ec-9c8c-a4badbe3cd80.json

-Software Information-
Version: 4.5.9.198
Components Version: 1.0.1689
Update Package Version: 1.0.55751
License: Premium

-System Information-
OS: Windows 10 (Build 19043.1706)
CPU: x86
File System: NTFS
User: oppc1-PC\oppc1

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 314279
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 1 hr, 10 min, 6 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
MachineLearning/Anomalous.96%, C:\USERS\OPPC1\APPDATA\LOCAL\CONNECTEDDEVICESPLATFORM\L.OPPC1\ACTIVITIESCACHE.DB-SHM, Quarantined, 0, 392687, 1.0.55751, , shuriken, , FB94F750BE002159FEEE8A238A1D2C03, 11CCE18471849819AD01A8CF8767C509A489E713E43E94AA418AF0D6B5828219

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)
False Positive on Heidelberg Engineering Software For Diagnostic software (in File Detections)
Thank you