Timmmmaaahh

Fonts (.ttf/.otf) contain Trojan.Agent?


This is odd, I've never had a report like this before. Fonts are being considered as Trojan.Agent. As far as I know TTF or OTF files simply can't contain any malware. No?

 

Here's the screenshot:

 

SNAP_00016.png

 

I've been using these fonts for a while now. I'm sure those are false positives but why?


I really need the scan log exported and a couple of the font files zipped and attached here to look at this. A screenshot doesn't give enough information.


Timmmmaaahh:
 
Please review "Please read before reporting a false positive"; then you can provide the information Rich needs to see what is going on.
 
NOTE: Windows v10 is not a production Windows OS version so one can expect "anomalies" and the use of MBAM on Windows v10 is more of a "Beta test" than reality.


You guys are fast! Anyhow, here's the needed files: https://drive.google.com/file/d/0B6PuW3xnBhwyUHpIMFFMWDJ5NXc/view?usp=sharing

 

There are 2 logs in there:

  1. MalwarebytesLog1.xml - first scan (as posted above)
  2. MalwarebytesLog2.xml - second scan after canceled results and reboot (which showed same results)

Furthermore, included are all font files linked to the report. All except "GlobalUserInterface.CompositeFont"; that one seems to be nonexistent (but still shows up in results, spooky).

 

Windows 10 might indeed be the cause, that's why I mentioned it. Even though it's more of a Windows 8.1 build with a fancy start menu for now. Here's the fancy version of the report:

 

SNAP_00019.png


Google Drive does not really equate to uploading files to the forum. Please remove them from Google Drive (in case they are malicious) and upload them "Here".

 

  • Take the files and put them in a ZIP or RAR archive file.
  • Create a new post.
  • Choose "More Reply Options" on the bottom Right of the Web Form.
  • Now choose "Attach Files" on the bottom Left of the Web Form.
  • Browse and find your ZIP or RAR file.
  • Choose "Add Reply" and there's your post with your attachment(s).


As you wish :)

 

I added a third scanlog, just for the heck of it. Nothing different except for the hash thingies. I'm pretty sure they can't be malicious, they are genuine font files which can't contain any malware of any kind. I say: innocent until proven guilty! Those poor fonts... ^_^


Thank you.

 

Hopefully Rich will have the data needed to negate the False Positive.


Do you have your fonts directory redirected, or is it a stock 10 install with the fonts added? It's definitely an issue with 10 and Mbam, as we haven't tested with it yet. I cannot duplicate it on Windows 7.


We should have this worked around on the next update. Any questions you can please answer would help us as to why this happens.


The fonts were downloaded from a trusted source (not sure if I'm at liberty to state that source here), installed on Windows 8.0. I upgraded to the Windows 10 Tech Preview later on. There have been several MBAM scans on this system in the meanwhile, while the files resided on either Windows version, so they were not marked as malicious previously. I hope this report includes valuable information in the progression of MBAM development on future OS releases. I really dig what you guys are doing :)


Yep, but the next database update shouldn't detect them anymore.

Somehow Mbam on 10 is reading the files incorrectly and we are trying to figure out why. It's a heuristic and not the content of files that is tripping up only on 10 for some reason. QA is trying to duplicate now and they may have questions if they are having trouble.

 

Thanks for bringing to our attention!


As a follow-up, I didn't mark the files as trusted and performed a new scan just now. It shows up all clean! Log attached. Hurray for lightning fast MBAM support

