False Trojan.Agent.Gen simply because of location?


gchamby


   Greetings all. I ran into an issue yesterday in which a 3rd party monitoring service reported a possible keylogger on a user's system. MS Forefront found nothing. We also scanned today with MBAM and the current database which reported the above (Trojan.agent.gen) on an executable file in users\..\appdata\roaming.

The file name was odd so I did some checking and this particular file - System-Utilities_Application_M99N8_WN_2.2_A00.EXE - is a Dell system utility.


I then downloaded this same file directly from the Dell web site and scanned it with MBAM in the downloads folder. Nothing detected.


I then manually copied it to my local ..\appdata\roaming directory and rescanned it and it reported it as the Trojan.Agent.Gen.


I'm confused - surely MBAM doesn't flag executables as Trojans merely because of the directory they are in?


Please advise.


Thanks.


Root Admin

Actually, yes, it very well can trigger a detection based upon location. USERS\<username>\AppData\Roaming should only have FOLDERS, no files or executable files, and putting them there is a tactic taken by some malware to bury itself deeper into a folder structure and run from there.


So without a specific /developer scan log it's difficult to say which rule was triggered, but again, location is important. We also trigger if there is an executable in the root of a volume, as one does not belong there, or in ProgramData or Program Files. All of these folders should only have other folders and not files, with the exception of the root volume, but it only has a few basic OS files there and no executable files.

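As an added example (not from this thread and not Malwarebytes' own rule logic), here is a defender-side check in Python that applies the location heuristic the Root Admin describes: an executable sitting directly in a volume root, directly in Users\<user>\AppData\Roaming, or directly in ProgramData or Program Files is reported, while the same file inside a vendor subfolder or in Downloads is not. The extension set, the reason strings and the sample paths are my assumptions.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Assumed set of extensions the check treats as "executable".
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif"}

# Top-level folders that, per the thread, should hold only subfolders.
FLAT_FOLDER_NAMES = {"programdata", "program files", "program files (x86)"}


def _is_roaming_root(parent: PureWindowsPath) -> bool:
    """True when parent is exactly <drive>\\Users\\<user>\\AppData\\Roaming."""
    parts = [p.lower() for p in parent.parts]  # parts[0] is the drive anchor
    return (
        len(parts) == 5
        and parts[1] == "users"
        and parts[3] == "appdata"
        and parts[4] == "roaming"
    )


def location_reason(path: str) -> Optional[str]:
    """Return why an executable at path violates the location rule, or None.

    Only files sitting *directly* in a suspicious folder are reported; an
    executable in a subfolder (e.g. ...\\Roaming\\Vendor\\tool.exe) passes,
    matching the "folders only" description in the reply above.
    """
    p = PureWindowsPath(path)
    if not p.drive:  # only absolute, drive-qualified paths are judged
        return None
    if p.suffix.lower() not in EXECUTABLE_SUFFIXES:
        return None
    parent = p.parent
    if parent == PureWindowsPath(p.anchor):  # e.g. C:\tool.exe
        return "executable in volume root"
    if _is_roaming_root(parent):
        return "executable directly in AppData\\Roaming"
    if len(parent.parts) == 2 and parent.parts[1].lower() in FLAT_FOLDER_NAMES:
        return f"executable directly in {parent.parts[1]}"
    return None


def scan(paths):
    """Map each path to its finding (None means the location is acceptable)."""
    return {path: location_reason(path) for path in paths}


if __name__ == "__main__":
    # Constructed sample paths mirroring the thread's Downloads vs Roaming test.
    samples = [
        r"C:\Users\bob\Downloads\System-Utilities_Application_M99N8_WN_2.2_A00.EXE",
        r"C:\Users\bob\AppData\Roaming\System-Utilities_Application_M99N8_WN_2.2_A00.EXE",
        r"C:\Users\bob\AppData\Roaming\Vendor\tool.exe",
        r"C:\tool.exe",
        r"C:\ProgramData\tool.exe",
    ]
    for path, reason in scan(samples).items():
        print(f"{reason or 'ok':45} {path}")
```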


Thanks for the reply. Regrettably, this was a remote system, so I can't do a developer scan. I guess I just assumed there would be more to the heuristic than "this executable shouldn't be here". Perhaps flagging it as a warning or "suspicious" without the Trojan designation?

Thanks for clarifying.
