Who is right... SEP or MalwareBytes

[yarl]

I have a file that SEP flags as infected but MB does not. SEP flags it with a heuristic scan which I understand is prone to false positives but is there someway to settle the matter definitively?

The file is from the Windows Restore directory, flagged as bloodhound.mapi, no odd behavior on any of the machines that SEP says are infected with this trojan. The file is a .exe

I thought about uploading it to virustotal but they seem to be offline.

Thanks for any suggestions. Should I post it here?

E

[Haleo]

Yes. But first go ahead and submit your file to this website since you are having trouble with VirusTotal.

If it comes back as a positive you can go ahead and zip up the questionable file and create a post in the Newest Malware Threats forums here. Make sure to include the results from Jotti in your post.

A member of our research team will take a look at it and determine if it is malware or not.

[yarl]

Great, file is attached.

Thanks!

E

Edit Shadowwar: Removed file from this subboard in case malware so others cant download.

[shadowwar]

I am looking at this file now. Please do not upload suspect files to the general subforum. Please follow the instructions that were given to you.

[shadowwar]

Ok it looks like this file was detected by mbam at one time. Did you have a detection on fsquirt.exe? did you maybe empty mbam's quarintine bin lately?

Mbam disables the file by making them non executable. This file was originally fsquirt.exe which was a false positive on mbams part a few days back. somehow the disabled copy mbam made from quaritine got into your system restore.

[yarl]

Yes, I see that now. You guys are good.

fsquirt.exe was quarantined yesterday but I'm not sure what time. The MB was badly outdated yesterday but then I updated it in the evening.

So mbam quarantined fsquirt (false positive) and now that the disabled fsquirt file is in the restore file SEP sees it as a false positive? Is that what's going on? So it's false positives all around?

E

[shadowwar]

Yup. Its hueristics hit but the file isnt even executable. it will not run period in the state mbam leaves it. Symantec may be looking at what we do to make it non executable.

I reversed what mbam does to disable it and this is the result on vt:

http://www.virustotal.com/file-scan/report.html?id=8f7e68ae96c36c434e8c6290e55c79c51d7032bcbebab742cf1013be8db54ba2-1323818328

not 1 hit. the only difference is 4 bytes in the file.

[yarl]

OK, thanks a ton. I really appreciate it!

E

[shadowwar]

No problem.

In the future please use the proper forum to submit suspect files. In general anyone can download them and that could be very bad.

Thanks!