Detecting files that don't exist


prisoner_24601

This is a really interesting "false positive."  MWB is detecting files that don't exist when I right-click my hard drive (root; i.e. drive with the OS) then choose "Scan with Malwarebytes Anti-Malware."

 

1.  Attached is the log and a screenshot.  

2.  The files detected really and truly aren't there. As an example, detection for "c:\csrss.exe."  The file "csrss.exe" is in the c:\windows\system32 and C:\Windows\WinSxS\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.3.9600.16384_none_49a243e2b80cb4c0 directories.  

3.  If I try mbam.exe /developer command requested in https://forums.malwarebytes.org/index.php?/topic/3228-please-read-before-reporting-a-false-positive, no detections.

4.  If I just click the big, friendly button "Scan Now" in the MWB app, no detections.

5.  Windows Defender (I've got Windows 8.1 Pro 64-bit Retail) doesn't report any problems.

6.  I don't have any other AV or antimalware product installed.

7.  It worked fine last time I did a full scan by right-clicking the hard drive and choosing "Scan with Malwarebytes Anti-Malware" on 08/30/2014.

8.  I'm current on all Windows updates, including the ones from yesterday (Tuesday).

9.  I'm able to duplicate the problem on this machine.  

 

I'm running a retail copy of Windows 8.1 Pro.

 

At this moment, I am running a Spybot scan and then I'll run a full Windows Defender scan, just to be sure that there's nothing there, but MWB detecting files that don't exist is a new one for me.

 

Oh.  First post.  Love the product.  Been using it on my home machines for years.

 

 

 

Desktop.zip


Spybot scan finished.  No hits.

Full Windows Defender scan.  No hits.

I VirusTotal'd the seven files in my above Zip from the c:\windows\system32 directory.  No hits.  I did have VT scan again, rather than use their cached results.

I uninstalled Malwarebytes.  Restarted.  Downloaded a fresh copy of the free version from malwarebytes.org.  Updated.  Right-clicked HDD.  Chose "Scan with Malwarebytes Anti-Malware."  Same detections.

 

So, the plot thickens.


  • Staff

Hi,

 

These are "ghost" detections, files that aren't really there. This is often seen/caused when the scanner can't enumerate properly because of restrictive privileges. Which I believe is the case here, because I see you are running Malwarebytes from a restricted account: (Administrator: No). So in some cases, this might give such results.
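
One way to triage detections like these, as an added example that is not part of the original posts and not Malwarebytes tooling: it reports whether the session is elevated, checks whether each reported path exists (separating "not found" from "access denied"), and looks up the same-named file in System32 with its signature status. The function names are hypothetical, and the path list is constructed from the one detection quoted in the thread plus a placeholder.

```powershell
# Added example: triage "ghost" detections reported by a scanner.
# $ReportedPaths is constructed sample input: the first entry is the detection
# quoted in the thread; the second is a hypothetical placeholder.
$ReportedPaths = @('C:\csrss.exe', 'C:\example-placeholder.exe')

function Test-IsElevated {
    # True when the current token holds the local Administrators role (elevated).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DetectionTriage {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        # -Force includes hidden/system files; -LiteralPath avoids wildcard expansion.
        try {
            $null = Get-Item -LiteralPath $p -Force -ErrorAction Stop
            $state = 'Present'
        } catch {
            # ObjectNotFound = really absent; PermissionDenied = could not look.
            $state = [string]$_.CategoryInfo.Category
        }
        # Look for a same-named file where Windows keeps the genuine copy.
        $leaf = Split-Path -Path $p -Leaf
        $sys = Join-Path $env:SystemRoot "System32\$leaf"
        $sysCopy = $null
        $sig = 'n/a'
        if (Test-Path -LiteralPath $sys) {
            $sysCopy = $sys
            # Catalog-signed system files may show NotSigned on older PowerShell versions.
            $sig = (Get-AuthenticodeSignature -LiteralPath $sys).Status
        }
        [pscustomobject]@{
            ReportedPath      = $p
            State             = $state
            System32Copy      = $sysCopy
            System32Signature = $sig
        }
    }
}

"Elevated session: $(Test-IsElevated)"
Get-DetectionTriage -Paths $ReportedPaths | Format-Table -AutoSize
```

Running it once from the restricted account and once from an elevated prompt shows whether the two views of the reported paths differ.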
