BobSoul
-
Posts
145 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Posts posted by BobSoul
-
-
-
Hello ,
I'm assuming the detect file is a false positive. Since the first scan in the morning didnt detect it and then the following scan after definition update did
- Location: C:\USERS\STAFF\OLD DESKTOP\OPENOFFICE.ORG 3.2 (EN-US) INSTALLATION FILES\SETUP.EXE
- Report time: May 19th 2022, 19:22:37 UTC
- Scan time: May 19th 2022, 19:01:01 UTC
- Action taken: Quarantined
- Threat name: Malware.AI.3527870746
- Type: file
The File is Openoffice install file ( has been on the system for awhile) ... I know the AI detections usually are finding a similarity to a threat or thinks it maybe a new one
I wasnt able to get the file itself since the office is busy at the moment but if its needed let me know
I have attached the diag files however
-
I believe I have another false positive... I had delayed notification issues with Nebula so if this was already fixed I apologize.
Malware.AI.3772723047
C:\PROGRAMDATA\INTEL.SAV\PACKAGE CACHE\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}\SERIALIO_X64.MSI
C:\PROGRAMDATA\INTEL\PACKAGE CACHE\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}\SETUP.EXE
C:\PROGRAMDATA\INTEL\PACKAGE CACHE\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}\SERIALIO_X64.MSI
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}
C:\PROGRAMDATA\INTEL.SAV\PACKAGE CACHE\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}\SETUP.EXE
I dont have direct access at the moment to the PC with the detections - to get these files ( by restoring then and copying them) but have included Diagnostic logs
But based on file names and locations they appear to be Intel driver updates.
I know the Malware.AI detections are the zero day protection of unknown threats as of yet ... so possible they are legit as well as false detections
-
Ran Emsisoft Emergency scanner against the file --- on an isolated machine -- and it came up clean -- then ran fresh install of nebula endpoint against it and it also came clean -- I'm almost sure this is a false positive
-
After second scan after restoring file to get sample - and updating the client once again it wasnt detected this time ( though not sure if restore made the client flag it as an exception -- my understanding from past restores etc this wasnt case )
-
-
Scheduled scan ran at 9 then at 1pm ( new def files ) and got this
Spyware.AgentTesla File C:\PROGRAM FILES\COMODO\DRAGON\SNAPSHOT_BLOB.BIN
Detection - This program was removed and this appears to be what was left behind -
this is the program
https://www.comodo.com/home/browsers-toolbars/browser.phpat one point a user installed this an there free virus scanning software - I believe this file is one of there bin files for virus scanning software.
This was removed awhile back so this left behind remnant would have been present on machine for awhile ( I thought I had got all of it uninstalled)
I'm assuming a false ID on an old file ( which is not needed anyway) so I can tell user they can stop worrying :)
I attached the diagnostic logs
I restored file to get copy -- then updated MWB nebula client and am running a scan to see if it triggers again... I did get a copy to a thumbdrive
-
Thank you -- I was just about to to try and get the file off one the machines etc -- then saw this saved me the complaining and so forth from my user about how they have no time etc for me to interrupt them lol --
-
I have been getting detections on the webbrowser plugins for our banks scanning and check reading software as well as deposit box software ( M and T Bank ) of course we need to use these daily and having the system remove them is a pain as well as trying to flag them all as exceptions
The following logs are from the the two machines:
C:\Windows\Downloaded Program files\MandT.ocx
I attached just logs for the two of the machines - same detections and files
174464052_MalwarebytesDiagnostics(2).zip 667455226_MalwarebytesDiagnostics(3).zip
-
Ok thanks -- the file is for the actual camera's firmware aquisition module that works with the laser so depending on the make year model of the physical camera the files can be old or new based on that.. Medical equipment tends to run longer lifespans then other software :) the last detection was for version 35 this is version 36 so I think that may be the trigger that changed. Different model serial number of the camera in question
-
I have ran a forced update on the machine to verifiy latest updates etc .... Stand alone malwarebytes says its clean nebula detects it as not .. Also ran scan with emsisoft as well came back clean. Scan in morning said file was clean then 3 hours later said it wasnt -- so assuming false detect like before ( after it updated)
-
This has appeared once again with the next updated driver - This File is from Heidleberg Engineering Software for FA and OCT machines.
This is the last post from before
Todays detection :
- OS platform: Windows
- Category: Malware
- Type: file
- Location: C:\PROGRAMDATA\{9F5B1D86-96A8-483E-948D-07A8B60BA16A}\ACQUISITIONMODULE\43A61262\C567ED7E\HEDRIVERUPDATEFORCED_T1.36_I2.21.EXE
- Action taken: Quarantined
- Scan time: 2021-11-12T18:01:02Z
- Report time: 2021-11-12T18:24:56.943701428Z
- Threat name: Malware.Sandbox.23
-
I had same file detected in photoshop - The update hasnt hit yet -- that I can tell since restore detects them. Ran through emsisoft as well and they come back clean - so hopefully soon the updated defs will be uploaded
-
I havent checked this on the nebula endpoint or the premium 4.4.6 as of yet - but I will tomorrow - give the updates time to filter through
-
OK - assuming the new update hasnt rolled out to premium 4.4.6 yet -- restored files and they got detected again... Ill try again later see what happens
-
Thank You - IM assuming my other false positive with photoshop files is a false ID as well :)
-
adobedetection.zipHere are the files and the log its adobephotoshop C3 older version and it happens on a few machines (4 that have it installed)
-
the following files come up as Malware.Ai.1222784086 C:\programfiles (x86)\ photoshop\adobeowl.dll
Malware.Ai.1235203418 c:\programfiles (x86)\photoshop\axe8sharedexpat.dll
Previous days scan didnt flag this till todays update ( Premium 4.4.6) system scans nightly
-
Actually happens as well on a personal home version that happens to have same software installed on for watchguard router at home.
-
This is on the endpoint nebula version for business so may have posted in wrong forum -- but endpoint doesn't have a specific false positive forum it seems
-
The following false positives occurred today -- ( Nebula end point) on the router software for Watchguard routers.... which as of previous scans it never detected till the latest update today.
- Path: C:\PROGRAM FILES (X86)\WATCHGUARD\WSM11\UNINSHS.EXE
- Action Taken: Quarantined
- Scan time: 2021-09-16T18:01:00Z
- Report time: 2021-09-16T18:26:47.970415185Z
- Threat name: Malware.AI.1239893535
- Path: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WatchGuard System Manager 11.12_is1
- Action Taken: Quarantined
- Scan time: 2021-09-16T18:01:00Z
- Report time: 2021-09-16T18:26:47.970415185Z
- Threat name: Malware.AI.1239893535
-
The following false positives occurred today -- ( Nebula end point) on the router software for Watchguard routers.... which as of previous scans it never detected till the latest update today.
- Path: C:\PROGRAM FILES (X86)\WATCHGUARD\WSM11\UNINSHS.EXE
- Action Taken: Quarantined
- Scan time: 2021-09-16T18:01:00Z
- Report time: 2021-09-16T18:26:47.970415185Z
- Threat name: Malware.AI.1239893535
- Path: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WatchGuard System Manager 11.12_is1
- Action Taken: Quarantined
- Scan time: 2021-09-16T18:01:00Z
- Report time: 2021-09-16T18:26:47.970415185Z
- Threat name: Malware.AI.1239893535
-
-
Ok so I can restore them should I make a exception on them ?
False Postive - Openoffice 3.2 installation file Malware.AI.3527870746
in File Detections
Posted
Just to note as well I ran it against Emsisoft to just get a "Second" look at the file and it comes back clean - I know that means nothing :) but it's just more info if needed. I know the Malware.AI designation is for "unknown" O day protection ... just not want to give others headaches if its preventable :)