False positive Hijack.StartPage .../Citrix/AccessPlatform/site/default.aspx

[Ines]

Hello, I'm partly working for a company where the contractors from all over the world are connected to a central database via a Citrix access platform.

If, in my Internet Explorer 8, I define this Citrix access platform as my Start page, MBAM automatically considers that my startpage has been hijacked:

Elément(s) de données du Registre détecté(s): 1

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Mauvais: (https://iscis.multis...te/default.aspx) Bon: (http://www.google.com) -> Aucune action effectuée. [93b31fcd0d5e88aeb9d96a87000341bf]

As soon as I switch back to my www.google.ch startpage, there are no more treats detected.

I could verify exactly the same problem with another colleague situated in another country (also using IE8).

I hope this info will contribute to your excelent product, and would of course be grateful to have some feedback from you.

Unfortunately there is a problem attaching my log file (size: 2 kb) to this post:

MBAM-log-2013-04-27 (18-40-21).zip

Upload Skipped (Error302)

Can you please tell me how I can send it to you ? shall I paste it here?

Thank you for this useful tool !

Inés,

Switzerland.

[miekiemoes]

Hi,

Thanks for reporting, this will be fixed in next database update.

[Bob_Moody]

I have to ask since I have seen similar issues on my servers.

I have 2 PUM' originating from the same location as the original poster and it appears on every one of my servers.

PUM.Hijack.Desktop and PUM.Hijack.HomePageControl

The common thread is that all of these servers are controlled via Group Policy.

Being that they are modified by GPO, is MBAM possibly picking these up as false threats or, is this really an issue?

Thank you,

Bob Moody

[miekiemoes]

Hi Bob,

In your case it's a total different detection - a PUM detection, which means, potentially unwanted Modification.

These aren't False Positives perse, it's potentially unwanted since we cannot determine here if it's either set by the user or by malware.

The PUM.Hijack.Desktop is a policy set to force active desktop on (which is often set by malware as well to load an active desktop advertisement or anything else).

The PUM.Hijack.HomePageControl means that there's a policy set to block changing the Homepage in Internet Explorer. This is also often set by malware when there's a startpage Hijacker present. Setting that policy by malware prevents the user to change the startpage back.

In both cases, if you are aware these policies are set (you set them), then you can safely ignore these detections in Malwarebytes (add to the ignore list)- Hence why the PUM prefix (Potentially Unwanted Modification)

Or you can disable PUM detections. In Malwarebytes > Settings tab > Scanner settings > Actions for PUM > do not show in results (if you choose to disable scanning for these)