
False Positive?


andyh


After seeing the good reputation your program has generally for malware clearup I decided recently to buy a licence for the full version.

Not long after this the daily scan came up with 2 files marked as trojans. So I mailed support as I suspected that both were false positives. The first one was confirmed as such and the next update fixed it, fine. What concerns me is the second file.

C:\Windows6.0-KB948465-X64.exe

This is a beta of sp2 for W2008 freshly downloaded.

Rather than being told this was a false positive, I was informed that it was labelled as a trojan (note the absence of any doubt) because it was an executable in the root of the C drive. I accept that this position is not a normal place to download such files, but through my experience of using malware clearup tools I expected that Malwarebytes was more intelligent than to just label a file as dodgy because of its location.

Your support guy confirmed it was the location that flagged up the notice.

On three occasions I asked him to find out whether there were any other locations considered sacred where any executables would be similarly labelled, but the last response was on the 25th April when I was informed that he would check again.

This makes me nervous about your product.

Part of my work involves malware removal and this is the first time I've come across such a situation where I'm really not sure exactly what intelligence lies behind the software I'm using.

My support ticket was #8009.

I'll appreciate some thoughts on this.

Andy


Hi Mieke

Here's the logfile. I normally run a quick scan. This was a full scan and I see it's flagged up a file in the Parallels program directory as well.

Can you confirm that you need me to upload that file please, because it's 569MB! Regtool.exe is only 40KB though.

Andy

Malwarebytes' Anti-Malware 1.36

Database version: 2106

Windows 5.1.2600 Service Pack 3

11/05/2009 19:08:22

mbam-log-2009-05-11 (19-08-03).txt

Scan type: Full Scan (C:\|)

Objects scanned: 180021

Time elapsed: 23 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Parallels\Parallels Workstation\RegTool.exe (Rogue.RegTool) -> No action taken. [553851524248473051707253808077]

C:\Windows6.0-KB948465-X64.exe (Trojan.Agent) -> No action taken. [3857535134303627618874791115708970]


Thanks Mieke

To be honest I didn't really have much doubt as I downloaded it directly from MS. I was therefore rather surprised by the responses I got from your support dept.

Could you please say one way or the other whether the claim made by support is true, i.e. is a third-party executable placed in the root of C going to be flagged up as a trojan?

Also, the regtool.exe that was flagged up is a signed file from Parallels; is this going to be flagged as a false positive?

thanks

Andy


MBAM is more aggressive against files in the root, as this is a common malware launching point as well as a location where user files should never be stored.

Both FPs should be corrected in the next update (within 15 minutes).

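As an added illustration (not code from Malwarebytes or from anyone in this thread), here is a small Python parser for the "Files Infected" entries of the mbam-log format posted above. It marks which detections sit directly in a drive root, the location heuristic the reply describes, so an analyst triaging a log can prioritise those entries for false-positive review. The sample log text is constructed from the two entries in the thread; the entry layout it assumes is `<path> (<detection>) -> <action>. [<id>]`.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of the mbam-log posted in the thread
# (sample text for this example, not a real scan result).
SAMPLE_LOG = """\
Folders Infected:

(No malicious items detected)

Files Infected:

C:\\Program Files\\Parallels\\Parallels Workstation\\RegTool.exe (Rogue.RegTool) -> No action taken. [553851524248473051707253808077]

C:\\Windows6.0-KB948465-X64.exe (Trojan.Agent) -> No action taken. [3857535134303627618874791115708970]
"""

# One entry: <path> (<detection>) -> <action>. [<id>]  (assumed layout)
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>[^.]+)\. \[(?P<id>\d+)\]$"
)


def parse_files_infected(log_text):
    """Return (path, detection, action) triples listed under 'Files Infected:'."""
    entries = []
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith(":"):  # every section header starts a new section
            in_section = line == "Files Infected:"
            continue
        if in_section and line:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m["path"], m["name"], m["action"]))
    return entries


def is_drive_root_executable(path):
    """True when an .exe sits directly in a drive root, e.g. C:\\foo.exe."""
    p = PureWindowsPath(path)
    return p.suffix.lower() == ".exe" and p.parent == PureWindowsPath(p.anchor)


def triage(log_text):
    """Map each detected path to a note saying whether the root heuristic applies."""
    notes = {}
    for path, name, _action in parse_files_infected(log_text):
        if is_drive_root_executable(path):
            notes[path] = f"{name}: drive-root executable, verify publisher before acting"
        else:
            notes[path] = f"{name}: path-based heuristic not involved"
    return notes
```

A signed Microsoft or Parallels file that lands in the first category is exactly the case this thread describes, and confirming the publisher signature is the quickest way to decide whether to report it as a false positive.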
