mswinsck.ocx shows as trojan.

During my scan today, with the latest update at the time (1918), it showed the file mswinsck.ocx as a trojan problem. There were also 5 Registry entries that showed as Trojans, which might have been related to this OCX file.

Is this an error by the program? I see that since my last update (30 minutes ago), the latest is now 1921.

Should I restore the OCX and the Registry files in question???

Doing a Google search seems to indicate that the mswinsck.ocx file is a needed one by Windows.

Erroneous situations have occurred in the past. What is the best approach? Should I restore them, and recheck for the latest update? Updates seem to occur several times daily. The last errors by the program were ID'd as OK by the following update.

I am running a registered copy. Since this gives me real time protection, would not that have stopped this from happening in the first place, if it were a valid Trojan?

Ron Hirsch

When I first discovered this software, it seemed like something that every computer user should have, and I started writing a review for our computer society. While I may be an advanced user, many of our members are very simplistic users.

Since I started using the program, there have been a total of about 20 items "discovered" as malware. The program did automatically quarantine them. But all these discoveries were shortly confirmed as "false" in a follow on update of the programs database of malware. Then I restored all of them accordingly.

But the inexperienced user will not necessarily be competent in this area. And many of the false finds have been needed system files which could cause serious operational problems if not restored.

In all my cases, I always download the latest update before running any scan. And that was the case with this current situation. After posting my first message in this thread, I went back and updated again, and the number of the database had increased by 3, indicating 3 updates in an hour or so. I updated, restored the group of quarantined files, and then rescanned, and the files were no longer identified as trojans.

You did of course confirm this in your reply.

I am therefore reluctant to continue writing my "positive" review, as inexperienced users could run into serious system problems, working blindly with the software.

Also, having to do the complete scan of my C drive to confirm things, is a nuisance, since that can take up to an hour of time.

I had asked about the ability to select folder(s) with the tree of drive letters, and that was not acceptable as a change.

I also thought about copying the files in the quarantine location to a flash drive, and then selecting that "drive" to scan, to speed up the process when these situations arise, but I see no way to copy these files.

I did register my copy, as I wanted to support what seems like an important security utility. Unfortunately, my experience so far has been less than perfect, and bordering on "dangerous".

The bottom line is that I cannot trust the findings, and have to resort to extraordinary steps to insure that I do not end up doing harm to my system. Having to scan, restore any files which have been quarantined, waiting for the next database update, and then do a lengthy rescan seems to be more than users should have to do.

Ron Hirsch

  • Staff

Hi,

MSWINSCK.OCX is not a critical system file. As a matter of fact, it's not even present by default. It gets installed with other software and in a lot of cases with malware as well, as the W32.Amca Internet Worm family does, for example: http://www.symantec.com/security_response/...-99&tabid=2

Nowadays, it's also dropped by Brazilian Banker Trojans.

In any case, no harm is done when MSWINSCK.OCX gets deleted.

If you google the related GUID {248dd896-bb45-11cf-9abc-0080c7e7b78d}, you'll also see that A LOT of scanners may detect and delete this.

In any case, I understand your concerns and it's indeed a fact that there may be false positives. Every Antivirus/Antispyware scanner has this problem. We try to resolve these issues asap (in this case within 2 hours).

Thanks for your prompt reply.

Irrespective of what possible problems may be caused by removing some files that could be needed, I feel that it's important that the suggestion I have made be considered.

Giving the user the opportunity to rescan only the file area where the files in question were located is a big timesaver. This could be done 2 ways.

1. Provide the option to expand the file tree for all drives so that the actual folder(s) involved could be scanned. This could take only seconds, as opposed to doing the full drive which can take as much as hours.

2. Provide a convenient way for the user to copy the quarantined folder files to another location, such as a flash drive. Once copied, if that drive letter contained only the quarantined files, rescanning it with a new update for the program would be accomplished very quickly.

I have not searched for the quarantine folder, but I assume that I could locate it if I did. In any event, what is its location? Once located, I assume that ordinary "copy" commands would copy the files. But, assuming you do not want to provide the ability to expand the drive letter trees, having an icon to do the copy task to a user selected path would make life easier for all concerned.

Ron Hirsch

P.S. I thought I recalled an option somewhere to receive an automated e-mail when a reply was received in the forum. If I was not mistaken, what is the path to set that?

  • Staff

Hi,

Giving the user the opportunity to rescan only the file area where the files in question were located is a big timesaver. This could be done 2 ways.
MalwareBytes installs a context menu handler, so this means, when you right-click a certain folder / file, you can select to scan with Malwarebytes. This is even faster than opening the program and expanding some scan areas (as you would like to see it).
2. Provide a convenient way for the user to copy the quarantined folder files to another location, such as a flash drive. Once copied, if that drive letter contained only the quarantined files, rescanning it with a new update for the program would be accomplished very quickly.
I don't really understand why you want to do that. Quarantined files should stay in the related quarantine folder, because if they are anywhere else, how is mbam supposed to restore them?

The quarantine folder is located under %Appdata%\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine

P.S. I thought I recalled an option somewhere to receive an automated e-mail when a reply was received in the forum. If I was not mistaken, what is the path to set that?
Yes, that's in your "My Control" settings here under Email settings. There you can adjust whether you want to receive a notification or not. :D

Hi Mieke,

Thanks for all the good information.

I had totally forgotten that Malwarebytes was in the context menu. That's perfect for rescanning the quarantine folder when new updates are available, after items have been identified as "malware" by prior updates.

I did see the listing in the context dropdown sometime ago. But I guess I was asleep, and didn't bother to register that in my cranial storage area. :-)

This removes any need to copy the quarantine folder to a flash drive for a speedy drive scan.

And, the path you gave me for the quarantine folder was right where I would have looked first.

With all this info, checking out the files which were put there using a new update, now becomes a simple matter.

I appreciate all your help in this. And, I will go back to preparing the good review of the software. And I will suggest that our computer society members also register the program - we want to keep companies around who are doing this sort of work.

And, using this forum, with you as a moderator, is probably the best and fastest "tech support" available in the entire software industry - mind boggling support!!!!!!!!!!!!

Thanks again.

Ron Hirsch

@Malwarebytes Devs:

I too have encountered frustration with FPs - not only from MBAM (I am a paid user) but, from other security software as well. The users that I support are indeed confused and really have no way of dealing with what may or may not be FPs. Their focus is on their daily activities and not on IT issues nor security analysis. I have what would seem to have been an obvious approach to help address this issue for the average users.

Add the capability within MBAM to "auto-restore" quarantined files that your database later identifies as "safe" files due to being FPs. Upon subsequent manual or scheduled scans or updates, MBAM would auto-check its quarantined files folder against its updated database and optionally either notify the user and offer to restore such files or auto-restore such files and notify the user that such action has taken place.

This approach would address a large part of the FP issue for the average user and give users - and IT support staff - a high comfort level that Malwarebytes had evaluated the issue itself rather than an average user essentially "taking a chance".

Just some thoughts.

galileo

  • Staff

Add the capability within MBAM to "auto-restore" quarantined files that your database later identifies as "safe" files due to being FPs. Upon subsequent manual or scheduled scans or updates, MBAM would auto-check its quarantined files folder against its updated database and optionally either notify the user and offer to restore such files or auto-restore such files and notify the user that such action has taken place.
That's indeed a good idea, however, I don't see how this could be possible. This is because if there's a false positive, then the detection will be removed. So it's not obvious to check quarantine against removed detections.

That's indeed a good idea, however, I don't see how this could be possible. This is because if there's a false positive, then the detection will be removed. So it's not obvious to check quarantine against removed detections.

Can this not be accomplished by simply running an MBAM scan of the files in the quarantine folder whenever the MBAM database is updated or whenever a scan is conducted? If any of the files in the quarantine folder are found to be clean as a result of a newer MBAM database....then, obviously the files "were" most likely FPs and can then either be offered for restoration or can be auto-restored.....

This should not require any modification to the MBAM database nor any new file nor FP tracking. It is a simple back check against previously scanned files that were flagged and moved to the quarantine folder. A scheduled "FP Check" could be added to MBAM explicitly for the purpose of checking files in the quarantine folder against updated databases and then auto-restoring the files found to be "clean".

Think of this not as a new tracking or new database flag issue but, rather as a "re-check" against files that "were" previously flagged as malware and can now be re-scanned and potentially verified as clean. This is in fact what is effectively happening right now with MBAM when User "A" conducts a scan and has files that are flagged as malware and are then quarantined whereas when User "B" using a slightly newer database conducts a scan and has the same files declared as clean by MBAM due solely to having a newer database in which those particular FPs have been removed. Essentially, User "A"'s quarantined files could have been re-scanned using the newer database and he would then have the same results as User "B". Thus, why not auto-restore the quarantined FP files...?...since that is what User "A" would be doing manually now on his own.

This appears really quite simple on the surface, unless I am missing something....therefore I must be missing something...:)

Please don't mistake my commentary for criticism, rather I thank you and Malwarebytes for producing and maintaining a wonderful tool. The comments herein are intended to address FP issues that are real world frustrations for the average user.

galileo

@Malwarebytes Devs:

Not to be pushy....but, I do hope you reconsider as to how an auto-restore of quarantined FPs can be achieved. The approach outlined above appears to accommodate both existing database structures and a relatively simple coding addition.

galileo

  • Staff

If it was that simple, then I think most AV and AS Companies would have already implemented that feature imho :)

I like the idea, but it's more advanced than you think. Also, how can you check against a FP if the FP reference was already removed from the database? This means that we probably need an extra database anyway with only the FPs in it that we removed previously.. this in order to check if there's a file in quarantine already that matches the FP. Wouldn't that be a bit silly to have a separate FP database? We're not supposed to have FPs in the first place (but unfortunately, this can't be avoided). :)

If it was that simple, then I think most AV and AS Companies would have already implemented that feature imho :)

I like the idea, but it's more advanced than you think.

I am sure that the issue is more complex than I am privy to...life always is... :)

Also, how can you check against a FP if the FP reference was already removed from the database?

It seems that we are speaking about this from two only slightly different viewpoints. I understand that the FP reference would be removed in an "updated" database - in fact that is the whole point of how to attack this issue. If the FPs were removed, then wouldn't a re-scan of quarantined files no longer flag them as malware (i.e. they were FPs)? One checks the quarantined files/folder from a "negative" perspective....i.e. files should never exist in the quarantine folder unless they are either malware or FPs - thus, checking that folder with a newer database should either confirm that its files should be there or should confirm that the FPs are no longer being flagged as malware....and could be restored... :)

I appreciate your interest in following up on this. And, I can understand that the issue may well be more complex than I am grasping at the moment. I am viewing this from the perspective of what would I do if I had what I believed to be FP files that had been quarantined. I would most likely restore the files and then re-scan using an updated database to see if they were still flagged as malware - if not, then they are clean and were in fact FPs. Hence the question, can the security tool be made to do that same thing....?

Thanks! (and I'll sit back down in my chair after this.... :) )

galileo

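The quarantine re-check that galileo proposes (first in the "Can this not be accomplished by simply running an MBAM scan of the files in the quarantine folder" post, and again in the "negative perspective" reply just above) can be modelled in a few dozen lines. The Python below is an added illustration written for this thread; it is not Malwarebytes code and not anything a participant posted. It assumes a toy hash-based signature database (`SignatureDB`), a quarantine manifest (`QuarantineEntry`) that records which rule fired and under which database version, and two constructed sample files; the version numbers 1918 and 1921 are taken from the opening post, but every rule, hash and path is invented. The point it demonstrates is the one galileo makes: the re-check never needs to know which detections were removed, it only needs to ask whether any rule in the current database still matches the stored content.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class QuarantineEntry:
    """One record in a hypothetical quarantine manifest."""
    original_path: str   # where the file lived before it was quarantined
    sha256: str          # hash of the stored content
    rule_id: str         # the signature that fired at quarantine time
    db_version: int      # database version that produced the detection


@dataclass
class SignatureDB:
    """Toy hash-based signature database: rule id -> set of SHA-256 digests."""
    version: int
    rules: Dict[str, Set[str]] = field(default_factory=dict)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(db: SignatureDB, data: bytes) -> Optional[str]:
    """Return the id of the first rule matching the content, or None if clean."""
    digest = sha256_hex(data)
    for rule_id in sorted(db.rules):
        if digest in db.rules[rule_id]:
            return rule_id
    return None


def recheck_quarantine(
    entries: List[QuarantineEntry],
    db: SignatureDB,
    contents: Dict[str, bytes],
) -> Tuple[List[QuarantineEntry], List[Tuple[QuarantineEntry, str]]]:
    """Re-scan quarantined content against the *current* database.

    Returns (restorable, still_detected). Entries quarantined by the same or
    a newer database are left alone: re-scanning them would only re-flag them.
    No record of removed detections is consulted; the only question is
    whether some rule that exists today still matches the stored bytes.
    """
    restorable: List[QuarantineEntry] = []
    still_detected: List[Tuple[QuarantineEntry, str]] = []
    for entry in entries:
        if entry.db_version >= db.version:
            still_detected.append((entry, entry.rule_id))
            continue
        hit = scan(db, contents[entry.sha256])
        if hit is None:
            restorable.append(entry)
        else:
            still_detected.append((entry, hit))
    return restorable, still_detected


# Constructed sample data: not real files, hashes, signatures or paths.
OCX_BYTES = b"constructed: harmless ActiveX component"
DROPPER_BYTES = b"constructed: malicious sample"
CONTENTS = {sha256_hex(OCX_BYTES): OCX_BYTES, sha256_hex(DROPPER_BYTES): DROPPER_BYTES}

# Database 1918 carries a false positive on the OCX; 1921 has that hash
# removed while the real detection remains (invented rule name).
DB_1918 = SignatureDB(1918, {"Trojan.Generic": {sha256_hex(OCX_BYTES), sha256_hex(DROPPER_BYTES)}})
DB_1921 = SignatureDB(1921, {"Trojan.Generic": {sha256_hex(DROPPER_BYTES)}})

QUARANTINE = [
    QuarantineEntry(r"C:\placeholder\MSWINSCK.OCX", sha256_hex(OCX_BYTES), "Trojan.Generic", 1918),
    QuarantineEntry(r"C:\placeholder\dropper.exe", sha256_hex(DROPPER_BYTES), "Trojan.Generic", 1918),
]

if __name__ == "__main__":
    restorable, still = recheck_quarantine(QUARANTINE, DB_1921, CONTENTS)
    for e in restorable:
        print("restore:", e.original_path)      # no current rule matches
    for e, rule in still:
        print("keep:", e.original_path, rule)   # still detected by 1921
```

Running it with database 1918 restores nothing (both entries were quarantined by that very version), while database 1921 marks only the OCX as restorable and keeps the dropper. Two caveats for anyone turning this into a real feature: a hash miss is strong evidence only when the original hit was itself a hash or exact-pattern match, and a heuristic detection that no longer fires says less; and an auto-restore step should at minimum log what it put back and where, so the user can see the decision rather than discover it.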
