Jump to content

False Positive?


Recommended Posts

After seeing the good reputation your program has generally for malware clearup I decided recently to buy a licence for the full version.

Not long after this the daily scan came up with 2 files marked as trojans. So I mailed support as I suspected that both were false positives. The first one was confirmed as such and the next update fixed it, fine. What concerns me is the second file.


This is a beta of sp2 for W2008 freshly downloaded.

Rather than being told this was a false positive I was informed that it was labelled as a trojan (note the absence of any doubt) was because it was an executable in the root of the C drive. I accept that this position is not a normal place to download such files, but through my experience of using malware clearup tools I expected that Malwarebytes was more intelligent than to just label a file as dodgy because of its location.

Your support guy confirmed it was the location that flagged up the notice.

On three occasions I asked him to find out whether there were any other locations considered sacred where any executables would be similarly labelled, but the last response was on the 25th April when I was informed that he would check again.

This makes me nervous about your product.

Part of my work involves malware removal and this is the first time I've come across such a situation where I'm really not sure exactly what intelligence lies behind the software I'm using.

My support ticket was #8009.

I'll appreciate some thoughts on this.


Link to post
Share on other sites

Hi Mieke

Here's the logfile. I normally run a quick scan. This was a full scan and I see it's flagged up a file in the Parallels program directoryas well.

Can you confirm that you need me to upload that file please, because it's 569MB! Regtool.exe is only 40KB though.


Malwarebytes' Anti-Malware 1.36

Database version: 2106

Windows 5.1.2600 Service Pack 3

11/05/2009 19:08:22

mbam-log-2009-05-11 (19-08-03).txt

Scan type: Full Scan (C:\|)

Objects scanned: 180021

Time elapsed: 23 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Parallels\Parallels Workstation\RegTool.exe (Rogue.RegTool) -> No action taken. [553851524248473051707253808077]

C:\Windows6.0-KB948465-X64.exe (Trojan.Agent) -> No action taken. [3857535134303627618874791115708970]

Link to post
Share on other sites

Thanks Mieke

To be honest I didn't really have much doubt as I downloaded it directly from MS. I was therefore rather surprised by the responses I got from your support dept.

Could you please say one way or the other whether the claim made by support is true. i.e. is a third party executable placed in the root of C going to be flagged up as a trojan?

Also, the regtool.exe flagged up is a signed file from Parallels, is this going to be flagged as a false positive?



Link to post
Share on other sites

  • Staff

MBAM is more aggressive against file in root as this is a common malware launching point as well as a location where user files should never be stored .

Both FPs should be corrected in the next update (within 15 minutes) .

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.