BobSoul
Honorary Members, 145 posts

Posts posted by BobSoul

  1. Hello:

    I just got the following false positives on our Heidelberg FA machines (diagnostic equipment for taking images of the retina).

    These are not new and have been on the system for some time; actually, they are the main software for the machine to function.

    They are being detected as Malware.Sandbox.1.

    • Endpoint name: 
    • OS platform: Windows
    • OS release name: Microsoft Windows 10 Pro for Workstations
    • Location: C:\PROGRAMDATA\{2A0FDD43-0EB4-490F-85DC-61A60EA69080}\SETUP.EXE
    • Policy name:
    • Report time: September 29th 2022, 14:04:26 UTC
    • Scan time: September 29th 2022, 14:01:00 UTC
    • Action taken: Quarantined
    • Threat name: Malware.Sandbox.1
    • Type: file

     

    • Endpoint name: 
    • OS platform: Windows
    • OS release name: Microsoft Windows 10 Pro for Workstations
    • Location: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Heidelberg Eye Explorer
    • Policy name: 
    • Report time: September 29th 2022, 14:04:26 UTC
    • Scan time: September 29th 2022, 14:01:00 UTC
    • Action taken: Quarantined
    • Threat name: Malware.Sandbox.1
    • Type: reg_key

     

    • Endpoint name: 
    • OS platform: Windows
    • OS release name: Microsoft Windows 10 Pro for Workstations
    • Location: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{CA920751-9922-42DB-AD51-F199D40F2F0A}
    • Policy name: 
    • Report time: September 29th 2022, 14:04:26 UTC
    • Scan time: September 29th 2022, 14:01:00 UTC
    • Action taken: Quarantined
    • Threat name: Malware.Sandbox.1
    • Type: reg_key

     

    Attached diags as well.

     

    1552734866_MalwarebytesDiagnostics(5).zip

  2. I had three machines this morning flag the same file. The file is a video file codec that has been on the system, and previous scans hours before didn't detect it.

     

    • Category: Malware
    • Group name: 
    • Public endpoint IP: 
    • Endpoint name: wmsarchive
    • OS platform: Windows
    • OS release name: Microsoft Windows 10 Pro
    • Location: C:\WINDOWS\SYSWOW64\PRODAD-CODEC.DLL
    • Policy name: Retina Consultants
    • Report time: July 15th 2022, 10:18:26 UTC
    • Scan time: July 15th 2022, 10:01:01 UTC
    • Action taken: Quarantined
    • Threat name: Malware.AI.3514656721
    • Type: file

    All three machines have the same setup configuration and detected this. I noticed a few posts listing video programs being detected, but they didn't list the specific file that I was getting.

     

    204808640_MalwarebytesDiagnostics(4).zip

    • Category: Malware
    • Group name: 
    • Public endpoint IP: 
    • Endpoint name: 
    • OS platform: Windows
    • OS release name: Microsoft Windows 10 Pro
    • Location: C:\PROGRAMDATA\TEMP\{8F14AA37-5193-4A14-BD5B-BDF9B361AEF7}\SETUP.EXE
    • Policy name: Retina Consultants
    • Report time: July 15th 2022, 02:20:46 UTC
    • Scan time: July 15th 2022, 02:01:01 UTC
    • Action taken: Quarantined
    • Threat name: Malware.AI.1417261220
    • Type: file

    The file is the default system setup file from CyberLink DVD software from a Dell install; it's an old file that is just there from setup. Once the machine restarts and finishes updates I'll add the diags. This machine, like my other one, runs about 4 to 6 scans a day; previous scans 2 hours before the last scan were clean with this file present.

     

    • Category: Malware
    • Group name: 
    • Public endpoint IP:
    • Endpoint name: 
    • OS platform: Windows
    • OS release name: Microsoft Windows 10 Pro
    • Location: D:\JERRY\DOWNLOADS\G2A_RS_INSTALLER_CITRIX_ACCOUNT.EXE
    • Policy name: 
    • Report time: July 15th 2022, 01:09:49 UTC
    • Scan time: July 15th 2022, 01:01:02 UTC
    • Action taken: Quarantined
    • Threat name: Malware.AI.2271288328
    • Type: file

    The file is the GoToAssist installer; an old one, it appears, that has been there for a while. The system scanned twice today and didn't find it till its last scheduled scan. Noting that it was an AI detection; assuming it's the latest update definitions that triggered it.

     

  3. I found this detection strange since it appears to be Malwarebytes detecting something in its own directories.

    I tried to attach the diagnostics log but the file is too large? Trying to get the file to restore so I can send that as well; it seems to be stuck in pending on the Nebula console at the moment.

     

    What do I need to trim on the diag logs to get this file smaller?

     

    • Endpoint name: wmsdroffice2
    • OS platform: Windows
    • OS release name: Microsoft Windows 10 Pro
    • Location: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\TMP\CMD.EXE-K.MBAM
    • Policy name: Retina Consultants
    • Report time: June 16th 2022, 10:23:21 UTC
    • Scan time: June 16th 2022, 10:01:03 UTC
    • Action taken: Quarantined
    • Threat name: Trojan.ShellCode
    • Type: file

  4. No problem. Thanks for the further definition link on machine learning. Figured as much, since it was not detected in the scan the day before. Then after the update of Malwarebytes it was found; I figured false positive :)

    It was easier to just delete and move forward since it wasn't a system-critical file etc. and wasn't running in memory or services etc. or replicating, you know the drill :)

     

  5. I deleted the file since Windows rebuilt it after quarantine and prevented restore. I had to get this machine working and cleaned, so I just treated it as if it was a valid detection as far as cleaning the system etc. Emsisoft didn't detect it before I deleted it; I scanned it in the quarantine folder directly (Emsisoft ignores those folders unless you specify them). I was just reporting it as a possible false positive since, when researching, I have seen it detected falsely by Malwarebytes earlier this year and know sometimes this can creep back into new definitions from time to time. I put the machine onto an endpoint for better control and monitoring over the next few days; it has since scanned clean.

  6. The file in question is the Windows Timeline feature, which if you delete/remove will be recreated by Windows. I know it's possible for this file to get corrupt and wonder if this is the reason for the detection? If you try to restore from quarantine it will not, because a new one is in use by Windows; the Connected Platforms service is using the file.

    Microsoft lists its sister file as causing high system resource usage and suggests the following:

    I understand that svchost.exe is utilizing disk space and CPU usage on your PC.

    Based on the information you have provided, ActivitiesCache.db-wal is used by the Windows Timeline feature. I would suggest you to follow the steps mentioned below and see if that helps.

    Method 1: Delete ActivitiesCache.db-wal

    Try deleting ActivitiesCache.db-wal and see if the usage is reduced. Kindly follow the steps mentioned below:

    1. Press Windows key + R. This will open Run. Alternatively, you can go to Start and search for 'Run'.
    2. In the Run dialog box, type services.msc and hit Enter.
    3. Now look for the Connected Devices Platform service.
    4. Right click on the service and click on Stop.

    After stopping the service follow the steps mentioned below:

    1. Press Windows + E to open File Explorer.
    2. Now click on View and check the box next to Hidden items.
    3. Now navigate to C:\Users\UserName\Appdata\Local\ConnectedDevicesPlatform\4a3b4560b8cf8a2b
    4. Right click on ActivitiesCache.db-wal and click on Delete.

    Method 2: Turn off Timeline

    Try turning off the Timeline feature and check if the usage is reduced.

    1. Press Windows + I keys together to open Settings.
    2. Now click on Privacy and select Activity history.
    3. Uncheck the boxes next to "Let Windows collect my activities from this PC" and "Let Windows synchronize my activities from this PC to the cloud".
    4. Now under "Show activities from accounts" toggle the switch to Off.

    Also noticed this was falsely detected in January of this year.

     

     

  7. Updated Malwarebytes Premium; the previous days' scans were clean. Ran a new manual scan and this was the result. Seen as a false positive before.

    MachineLearning/Anomalous.96%

    Quarantined out of caution.

     

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 6/3/22
    Scan Time: 11:42 AM
    Log File: bb026292-e353-11ec-9c8c-a4badbe3cd80.json

    -Software Information-
    Version: 4.5.9.198
    Components Version: 1.0.1689
    Update Package Version: 1.0.55751
    License: Premium

    -System Information-
    OS: Windows 10 (Build 19043.1706)
    CPU: x86
    File System: NTFS
    User: oppc1-PC\oppc1

    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Manual
    Result: Completed
    Objects Scanned: 314279
    Threats Detected: 1
    Threats Quarantined: 1
    Time Elapsed: 1 hr, 10 min, 6 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 1
    MachineLearning/Anomalous.96%, C:\USERS\OPPC1\APPDATA\LOCAL\CONNECTEDDEVICESPLATFORM\L.OPPC1\ACTIVITIESCACHE.DB-SHM, Quarantined, 0, 392687, 1.0.55751, , shuriken, , FB94F750BE002159FEEE8A238A1D2C03, 11CCE18471849819AD01A8CF8767C509A489E713E43E94AA418AF0D6B5828219

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)


    (end)
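The Nebula alert bullets in posts 1 to 3 and the scan log in post 7 are the data a reviewer works from when deciding whether a detection is a false positive. The following Python script is an added example (not Malwarebytes code, and not the poster's) that parses both formats into one record type, pulls out the path, the action taken and the MD5/SHA256 hashes, and flags the detection families that the posts above report as suspected false positives so they are verified (hash lookup, publisher signature, vendor submission) before any cleanup. The field order of the scan-log detection line is inferred from the single line quoted in post 7, and the "verify first" family list is an assumption of this example, not a Malwarebytes classification. The sample inputs are copied from the posts above.

```python
"""Triage helper for the detections reported in the posts above.

Added example, not Malwarebytes code. Parses two text formats seen on this
page: a Nebula console alert (a list of "Key: value" bullets) and the
"-Scan Details-" section of a Malwarebytes scan log.
"""
import re
from dataclasses import dataclass

# Detection families that the posts above report as suspected false positives.
# Assumption of this example: treat them as "verify first" (hash lookup,
# publisher signature, vendor submission) rather than as confirmed malware.
VERIFY_FIRST_PREFIXES = ("MachineLearning/", "Malware.AI.", "Malware.Sandbox.")

MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
SHA256_RE = re.compile(r"^[0-9A-Fa-f]{64}$")
# Section headers inside -Scan Details- look like "File: 1" or "Registry Key: 0".
SECTION_HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): (\d+)$")


@dataclass
class Detection:
    category: str      # "File", "Registry Key", ... (log) or "file", "reg_key" (Nebula)
    threat_name: str
    location: str
    action: str
    md5: str = ""
    sha256: str = ""

    @property
    def verify_first(self) -> bool:
        """True when the family should be verified before any cleanup."""
        return self.threat_name.startswith(VERIFY_FIRST_PREFIXES)


def parse_nebula_alert(text: str) -> dict:
    """Turn the bullet list of a Nebula alert into a dict keyed by label."""
    fields = {}
    for line in text.splitlines():
        line = line.strip().lstrip("•").strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # first colon ends the label
        fields[key.strip()] = value.strip()
    return fields


def nebula_alert_to_detection(text: str) -> Detection:
    f = parse_nebula_alert(text)
    return Detection(category=f.get("Type", ""), threat_name=f.get("Threat name", ""),
                     location=f.get("Location", ""), action=f.get("Action taken", ""))


def parse_scan_details(log_text: str) -> list:
    """Extract detection entries from the -Scan Details- section of a scan log.

    Assumption (from the one line quoted in post 7): an entry is comma-separated
    with threat name, location and action first; the hashes are found by shape
    rather than by fixed column so a differing column count does not break it.
    """
    detections, category, in_details = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "-Scan Details-":
            in_details = True
            continue
        if not in_details or not line or line.startswith("("):
            continue   # blank lines, "(No malicious items detected)", "(end)"
        header = SECTION_HEADER_RE.match(line)
        if header:
            category = header.group(1)
            continue
        parts = [p.strip() for p in line.split(", ")]
        if category is None or len(parts) < 3:
            continue
        detections.append(Detection(
            category=category, threat_name=parts[0], location=parts[1], action=parts[2],
            md5=next((p for p in parts if MD5_RE.match(p)), ""),
            sha256=next((p for p in parts if SHA256_RE.match(p)), ""),
        ))
    return detections


# Sample inputs copied from the posts above: one Nebula alert from post 1 and
# the -Scan Details- section from post 7, trimmed to the parts that matter.
SAMPLE_NEBULA_ALERT = r"""
• Endpoint name:
• OS platform: Windows
• Location: C:\PROGRAMDATA\{2A0FDD43-0EB4-490F-85DC-61A60EA69080}\SETUP.EXE
• Action taken: Quarantined
• Threat name: Malware.Sandbox.1
• Type: file
"""

SAMPLE_SCAN_LOG = r"""
-Scan Details-
Process: 0
(No malicious items detected)

File: 1
MachineLearning/Anomalous.96%, C:\USERS\OPPC1\APPDATA\LOCAL\CONNECTEDDEVICESPLATFORM\L.OPPC1\ACTIVITIESCACHE.DB-SHM, Quarantined, 0, 392687, 1.0.55751, , shuriken, , FB94F750BE002159FEEE8A238A1D2C03, 11CCE18471849819AD01A8CF8767C509A489E713E43E94AA418AF0D6B5828219

Physical Sector: 0
(No malicious items detected)

(end)
"""

if __name__ == "__main__":
    found = [nebula_alert_to_detection(SAMPLE_NEBULA_ALERT)] + parse_scan_details(SAMPLE_SCAN_LOG)
    for d in found:
        tag = "VERIFY FIRST" if d.verify_first else "REVIEW"
        print(f"[{tag}] {d.threat_name} ({d.category}) {d.action}: {d.location} sha256={d.sha256 or '-'}")
```

The hashes are matched by their length and hex shape rather than by column position, so the parser still recovers them if a future log version adds or drops a field; the file path comes from the second column, which is the only position the quoted line pins down for it.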
