
False positive winlogon.exe



Hello,

I find a funny thing about Malwarebytes.

Take the installer of any program (for example the VLC installer), copy it to your desktop, and rename it winlogon.exe.

Make a scan with Malwarebytes and it finds that it's a Reserved.word.exploit ^^

Isn't it funny?

I see that every day with my tool Pre_Scan, renamed winlogon to kill the rogues, when I use MBAM at the end of the disinfection :)

http://forums-fec.be/gen-hackman/Pre_Scan.exe

Regards

Staff

That is detected like it should be. Reserved word exploit means that nothing should be named winlogon.exe outside of the system directory. If you are doing this to get it to run, it can be added to the Malwarebytes ignore list.

Malware does this a lot, but power users can also do this sometimes to get tools to run outside of a malware blacklist. We have no way of knowing if this is malware or on purpose; that is why it's detected like this.

How often is your file updated? It may be possible to whitelist it.

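The reserved-name check the Staff reply describes, as an added Python example (this is not Malwarebytes' code): it flags any file whose name is on a reserved list but which sits outside the system directory, and shows how a hash allowlist clears a deliberately renamed tool. The reserved-name list, the directory layout and the allowlist mechanism are assumptions; the files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed list of names that only belong in the Windows system directory.
RESERVED_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe"}

def sha256_of(path):
    """Hash a file in chunks so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_reserved_name_files(root, system_dirs, allowlist_hashes=frozenset()):
    """Files with a reserved name outside every system dir, minus allowlisted hashes."""
    # Resolve once so symlinked paths (e.g. a temp dir) compare correctly.
    system_dirs = [str(Path(d).resolve()) + os.sep for d in system_dirs]
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() not in RESERVED_NAMES:  # NTFS names are case-insensitive
                continue
            candidate = Path(dirpath) / name
            if any(str(candidate.resolve()).startswith(d) for d in system_dirs):
                continue  # legitimate location for that name
            if sha256_of(candidate) in allowlist_hashes:
                continue  # a tool a power user renamed on purpose
            hits.append(candidate)
    return sorted(hits)

def demo():
    """Constructed tree: the real winlogon.exe in System32 plus a renamed installer."""
    base = Path(tempfile.mkdtemp())
    sysdir, desktop = base / "Windows" / "System32", base / "Users" / "alice" / "Desktop"
    for d in (sysdir, desktop):
        d.mkdir(parents=True)
    (sysdir / "winlogon.exe").write_bytes(b"constructed stand-in for the system binary")
    (desktop / "Winlogon.exe").write_bytes(b"constructed stand-in for a renamed installer")
    (desktop / "vlc-setup.exe").write_bytes(b"same bytes under the installer's own name")
    flagged = find_reserved_name_files(base, [sysdir])
    # Allowlisting the renamed tool by hash clears the hit, but only until it changes.
    allow = {sha256_of(desktop / "Winlogon.exe")}
    after = find_reserved_name_files(base, [sysdir], allow)
    rel = lambda paths: [p.relative_to(base).as_posix() for p in paths]
    return {"flagged": rel(flagged), "after_allowlist": rel(after)}
```

As the thread goes on to note, a hash allowlist is only as stable as the tool's build: every new version needs a new entry.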

How often is your file updated?

It depends... at the most I update my tool... 6 times a day (seeing that, you can't use the MD5 to whitelist it).

If it can be of use to you:

Version = 2.6.1.9 (changes very often, 6 = month, 19 = day)

LegalCopyright = g3n-h@ckm@n

FileDescription = g3n-h@ckm@n

DefaultLangCodepage = 040C04B0

I don't know which reference point you can take....

It's generally in the Downloads folder or on the desktop at the beginning, and afterwards it's on the desktop because the program makes a copy of itself there at the end of the scan/kill, to be scripted at the next launch without having to search for it... try it and you'll see.

In fact it has 3 names:

Pre_Scan.exe

Winlogon.exe (you understand why ^^)

Pre_Scan.pif (I think you understand why too :D)

Regards


I've just updated now for an hour

Here's the analysis from VirusTotal:

https://www.virustotal.com/file/602c89568bbe8dd0fc355e021cabd23437d4375df175ca8545a02d23fb10c7bd/analysis/1340150491/

Permanent links to download:

http://gen-hackman.forum-pro.fr/t65-canned-speech-pre_san

I know the MD5 is the same for all three, only the name changes.


OK, thank you very much :D

Regards

PS: In fact it's not so important, but if I need to use it again after the Malwarebytes scan and deletion, the user will have to download it again, and that makes manipulations for nothing :)

Scripting my tool, there are a lot of possible switches (a little bit like ComboFix) and you can do whatever you want on the PC.

Thanks again
