Jump to content

Possible false positive rootkits drivers


Recommended Posts

7 unknown rootkit drivers were detected during the hyper scan with rootkit scan checked.

I noticed windows theme function was broken (no aero theme).

These files are:

mbam.sys (malwarebyte system file itself?)

diskdump.sys

trufos.sys

mwac.sys

ntfs.sys

storport.sys

avc3.sys (bitdefender antivirus)

Log file and copy of those files are attatched

I noticed some of those files are known to be clean.

possible fp rootkits.rar

possible fp rootkits.txt

Link to post
Share on other sites

I find the same problem.

 

If Malwarebytes is making mistakes flagging Microsoft system files, then what files are they missing that are really malware?

 

My confidence is fast eroding in Malwarebytes. 

 

They owe users an expanation, but they will almost certainly not respond.  I am sure they only have this Forum to give users the impression that they listen to us, when they really could not give a damn, just as long as the profits keep rolling in.

post-165723-0-07524700-1401933349_thumb.

Link to post
Share on other sites

Also, for those poor Malwarebytes users who are novices or do not have the knowledge and experience in personal computer operating systems, they will certainly think that Malwarebytes correctly flagged these files and will allow Mbytes to quarantine such files, which will seriously cripple or even disable their Windows installations. Just imagine all of the undue grief, aggravation and expense this will cause such users.

 

These idiots at Malwarebytes should be subject to a class action suit.  Their installation disclaimers not withstanding, there would not be a jury in the country who would not rule against them on this issue.

Link to post
Share on other sites

  • Staff

I need to know a few things so we can see what is going on here.

 

What security software, imaging software or any other low level software are you guys running? To me this looks like some kind of conflict and it will be easier for us to reproduce the error if we know what you have installed.

 

Also, for those poor Malwarebytes users who are novices or do not have the knowledge and experience in personal computer operating systems, they will certainly think that Malwarebytes correctly flagged these files and will allow Mbytes to quarantine such files, which will seriously cripple or even disable their Windows installations. Just imagine all of the undue grief, aggravation and expense this will cause such users.

 

The log says these will be replaced with clean versions on reboot so this should not kill the system. In fact if this is the bug I suspect it is all that will happen is that the user would get the same scan results again on future scans.

 

There is also the possibility that a rootkit is actually in the system. It would be a good idea to give your system with a scan with GMER:

 

http://www.gmer.net/ <- use the link "Download exe" , this will randomly generate a file name, this is normal and designed to make it harder for malware to block.

 

Run the app, click the scan button and save the log.

Link to post
Share on other sites

So I got the impression that they are simply false positives and confirmed now. (although you did not say directly).

So can I put them into the exclusion list safely?

I am using malwarebyte antimalware not mbar.

Will it be fixed in mbam's upcoming updates?

I am now getting new rootkits detected by mbam agian!

namely: avckf.sys, gzflt.sys all from the same drivers folder.

What am I supposed to do? 

When will you fix this?

My bitdefender antivirus plus services became unresponsive frequently.

It might be mbam which is causing the problem?

There are several files in my qurantine list. And keep on growing whenever I do a new scan.

Should I restore them? 

I tried to restore them once but some of files could not be restored.

This is very annoying since I started using mbam. Now unable to solve.

You need to provide an appropriate suggestions or support or solution.

Response is slow, very short and not informative.

 

possible fp rootkits new log.txt

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

This i believe is fixed in the upcoming 2.1 release though no eta at this time.

 

I would suggest u download and run MBAR and see if the same detections still occur.

 

That has the newest engine in it and it should fix this.

 

This as i said should be do to rollbackrx incompatibility. You are running rollbackrx correct?

 

 

You do not need to restore them. You can also either disable rootkit scanning or add them to the ignore list.

 

If you need further support with this then u need to contact support. I just take care of false positives.

 

Support can be contacted here:

 

https://www.malwarebytes.org/support/consumer/

Link to post
Share on other sites

I used malwarebyte antirootkit beta before.

It has proved to cause a disaster to my system.

So I am not going to take the risk again by using mbar beta again.

I only scanned my system for rootkits because I trusted mbam which claimed to be stable premium software.

 

According to what I experienced, Malwarebyte Antirootkit Engine is not ready to go premium.

Since it is still in beta stage, why was it incorporated into premium software mbam?

Now see what problems it is giving?

If you are not a responsible person, please pass this message to whoever responsible.

 

 

 

Link to post
Share on other sites

  • Staff

We need a little more to go on then just for you to say it didnt work or what it did exactly to your system. Just saying it was a disaster to your system doesnt help us address the issues it caused. We need a little more specific information and i will be happy to pass the info to the devs.

 

Can u please answer wether you were using the other software rollback rx? If you were the way it works it it basically creates hidden copies of the file to protect it from modification. User vs kernal appears different to mbar because of this. It basically uses rookit techniques to hide files from being modified.  Something we could of never anticapated till someone with the software mentioned it and we investigated it. This never popped up in beta testing as it seems rollback rx isnt popular enough and we werent aware of it.

 

 

 

 

Thanks

Link to post
Share on other sites

I have been using Rollback Rx for more than one year now.

You might notice I have already mentioned about it in my previous post.

I would be grateful if the developers could fix it.

Because Rollback Rx has proved to be an excellent software and has been serving me very well since day 1 of installation.

I have no intention to remove it.

 

Thanks

(PS: I scanned my computer for rootkits with other major security softwares like bitdefender, kaspersky and avast and no suspicious rootkits were ever found.)

Link to post
Share on other sites

  • Staff

OK well being u are unable to test with the mbar beta i cant confirm your issue is fixed but it should be in the next release of Mbam. We have addressed issues with the rollback rx conflict.  Testing with Mbar would confirm your issue is resolved. The next Mbam release is currently being work on and shouldnt be too far way. I cant confirm an exact release date though.

 

Every security software has different technology to detect rootkits. These are not the same which is why some software has conflicts and others dont. It happens to every company.

 

Like i said this should be already addressed but i guess we will have to revisit this when the next release of mbam comes out.

Link to post
Share on other sites

  • 5 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.