
Who is right... SEP or MalwareBytes



I have a file that SEP flags as infected but MB does not. SEP flags it with a heuristic scan, which I understand is prone to false positives, but is there some way to settle the matter definitively?

The file is from the Windows Restore directory, flagged as bloodhound.mapi; no odd behavior on any of the machines that SEP says are infected with this trojan. The file is a .exe.

I thought about uploading it to VirusTotal, but they seem to be offline.

Thanks for any suggestions. Should I post it here?

E


Yes. But first, go ahead and submit your file to this website, since you are having trouble with VirusTotal.

If it comes back as a positive, you can go ahead and zip up the questionable file and create a post in the Newest Malware Threats forum here. Make sure to include the results from Jotti in your post.

A member of our research team will take a look at it and determine if it is malware or not.


  • Staff

OK, it looks like this file was detected by MBAM at one time. Did you have a detection on fsquirt.exe? Did you maybe empty MBAM's quarantine bin lately?

MBAM disables files by making them non-executable. This file was originally fsquirt.exe, which was a false positive on MBAM's part a few days back. Somehow the disabled copy that MBAM made in quarantine got into your System Restore.


Yes, I see that now. You guys are good.

fsquirt.exe was quarantined yesterday, but I'm not sure what time. MB was badly outdated yesterday, but then I updated it in the evening.

So MBAM quarantined fsquirt (false positive), and now that the disabled fsquirt file is in the restore directory, SEP sees it as a false positive? Is that what's going on? So it's false positives all around?

E


  • Staff

Yup. Its heuristics hit, but the file isn't even executable. It will not run, period, in the state MBAM leaves it. Symantec may be looking at what we do to make it non-executable.

I reversed what MBAM does to disable it, and this is the result on VT:

http://www.virustotal.com/file-scan/report.html?id=8f7e68ae96c36c434e8c6290e55c79c51d7032bcbebab742cf1013be8db54ba2-1323818328

Not one hit. :) The only difference is 4 bytes in the file.

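The staff reply above describes the whole check in one sentence: diff the quarantined copy against the real file, confirm the "disabled" copy cannot run, undo the change, and hash the restored file to compare with the VirusTotal report. The script below is an added example, not code from the thread or from Malwarebytes, that performs those steps on two constructed in-memory buffers. It assumes, purely for illustration, that the neutralising change overwrites the four-byte `PE\0\0` signature; the thread does not say which four bytes MBAM actually modifies, and the minimal fake PE image here is constructed, not a real fsquirt.exe.

```python
"""
Added example (not from the forum thread, not Malwarebytes code).

byte_diff()            - list every offset at which two files differ
pe_signatures_intact() - does the buffer still carry 'MZ' and 'PE\0\0'?
restore()              - patch the original bytes back using that diff list
sha256_hex()           - hash to compare against a VirusTotal report id

The sample 'ORIGINAL' and 'DISABLED' buffers are constructed stand-ins.
Which bytes a real product changes is an ASSUMPTION made here for the demo.
"""
import hashlib
import struct


def byte_diff(original: bytes, modified: bytes):
    """Return [(offset, original_byte, modified_byte)] for each differing offset.

    Offsets beyond the shorter buffer are reported with None for the missing side.
    """
    diffs = [(i, a, b) for i, (a, b) in enumerate(zip(original, modified)) if a != b]
    for i in range(min(len(original), len(modified)), max(len(original), len(modified))):
        diffs.append((i,
                      original[i] if i < len(original) else None,
                      modified[i] if i < len(modified) else None))
    return diffs


def pe_signatures_intact(data: bytes) -> bool:
    """True if the DOS 'MZ' stub and the 'PE\\0\\0' signature at e_lfanew are present.

    A file failing this check will not be loaded as an executable by Windows.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def restore(modified: bytes, diffs) -> bytes:
    """Write the original bytes recorded in 'diffs' back over the modified copy.

    Handles same-length files only; length changes would need a real reference copy.
    """
    buf = bytearray(modified)
    for offset, original_byte, _ in diffs:
        if original_byte is not None and offset < len(buf):
            buf[offset] = original_byte
    return bytes(buf)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the buffer, the hash VirusTotal keys its file reports on."""
    return hashlib.sha256(data).hexdigest()


def build_sample() -> bytes:
    """Constructed minimal PE-shaped buffer: MZ stub, e_lfanew -> 0x80, PE signature."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"PE\0\0" + b"\x4c\x01" + b"\x00" * 100


ORIGINAL = build_sample()
# ASSUMPTION for the demo: the disabled copy has the 4-byte PE signature overwritten.
_disabled = bytearray(ORIGINAL)
_disabled[0x80:0x84] = b"XXXX"
DISABLED = bytes(_disabled)


def analyse(original: bytes, modified: bytes) -> dict:
    """Run the full check and return the facts a forum reply would quote."""
    diffs = byte_diff(original, modified)
    restored = restore(modified, diffs)
    return {
        "diff_offsets": [off for off, _, _ in diffs],
        "original_runs": pe_signatures_intact(original),
        "modified_runs": pe_signatures_intact(modified),
        "restored_matches_original": restored == original,
        "original_sha256": sha256_hex(original),
        "restored_sha256": sha256_hex(restored),
    }


if __name__ == "__main__":
    for key, value in analyse(ORIGINAL, DISABLED).items():
        print(f"{key}: {value}")
```

In practice you would read the System Restore copy and a known-good copy of the same binary from disk in place of the constructed buffers. The hash of the restored copy is what to compare with the report you already have: the id in the VirusTotal URL quoted above is a 64-hex-character SHA-256 followed by a timestamp, so a matching hash means the report applies to the restored file and not merely to something with the same name.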
