Jump to content

False positive Hijack.StartPage .../Citrix/AccessPlatform/site/default.aspx


Recommended Posts

Hello, I'm partly working for a company where the contractors from all over the world are connected to a central database via a Citrix access platform.

If, in my Internet Explorer 8, I define this Citrix access platform as my Start page, MBAM automatically considers that my startpage has been hijacked:

Elément(s) de données du Registre détecté(s): 1

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Mauvais: (https://iscis.multis...te/default.aspx) Bon: (http://www.google.com) -> Aucune action effectuée. [93b31fcd0d5e88aeb9d96a87000341bf]

As soon as I switch back to my www.google.ch startpage, there are no more treats detected.

I could verify exactly the same problem with another colleague situated in another country (also using IE8).

I hope this info will contribute to your excelent product, and would of course be grateful to have some feedback from you.

Unfortunately there is a problem attaching my log file (size: 2 kb) to this post:

MBAM-log-2013-04-27 (18-40-21).zip

Upload Skipped (Error302)

Can you please tell me how I can send it to you ? shall I paste it here?

Thank you for this useful tool !



Link to post
Share on other sites

I have to ask since I have seen similar issues on my servers.

I have 2 PUM' originating from the same location as the original poster and it appears on every one of my servers.

PUM.Hijack.Desktop and PUM.Hijack.HomePageControl

The common thread is that all of these servers are controlled via Group Policy.

Being that they are modified by GPO, is MBAM possibly picking these up as false threats or, is this really an issue?

Thank you,

Bob Moody

Link to post
Share on other sites

  • Staff

Hi Bob,

In your case it's a total different detection - a PUM detection, which means, potentially unwanted Modification.

These aren't False Positives perse, it's potentially unwanted since we cannot determine here if it's either set by the user or by malware.

The PUM.Hijack.Desktop is a policy set to force active desktop on (which is often set by malware as well to load an active desktop advertisement or anything else).

The PUM.Hijack.HomePageControl means that there's a policy set to block changing the Homepage in Internet Explorer. This is also often set by malware when there's a startpage Hijacker present. Setting that policy by malware prevents the user to change the startpage back.

In both cases, if you are aware these policies are set (you set them), then you can safely ignore these detections in Malwarebytes (add to the ignore list)- Hence why the PUM prefix (Potentially Unwanted Modification)

Or you can disable PUM detections. In Malwarebytes > Settings tab > Scanner settings > Actions for PUM > do not show in results (if you choose to disable scanning for these)

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.