
4 false positive files?


squire


These are the same 4 files detected in the last 2 monthly scans by mbam, and this afternoon. I quarantine them and after reboot they are back. 3 of them are mbam files.

In normal operations, Avast says nothing about them, Rubotted says nothing.

2 of the files have been scanned again by avast, and superantispyware:  nothing found.

The whole \driver folder has been scanned by Housecall: nothing found.

 

The log and copies of the 4 files are attached.

 

The scan log is from earlier today, at which time the four files were detected.

When I ran the scan again, from run, per web site instructions, no log file was produced and only 2 of the files were detected: mrxdav.sys, and tdx.sys. I had rebooted and all four files were copied from the \driver folder while the scan was running, so I know that they were there during the scan.

 

I am interested to hear the results of your investigation.

 

Jeffrey

mbam.zip

mrxdav.zip

mwac.zip

tdx.zip

mbam scan log.txt


  • Staff

Hi,

 

The Malwarebytes rootkit scanning sees a mismatch between reads from the kernel and the Windows API here, so Malwarebytes detects them correctly because of this behavior; however, in this case, the files aren't infected. So basically, you can ignore these detections.

Some 3rd party programs are causing this (causing a misread). Any chance you have Rollback installed? Because this one causes these misreads as well.

Also see here: https://forums.malwarebytes.org/index.php?/topic/158749-malwarebytes-quarantining-its-own-files/?hl=mbam.sys where a reinstall of Rollback fixes it.


Wow, that is a quick response.

Good guess, yes I have Rollback installed. Thing is, Rollback has been installed for several years. This problem just started a couple of months ago. In Dec, if I remember correctly.

 

How would one know if a detection is false positive or something that needs action?  I guess "unknown" in the label is a clue.


  • Staff

For the "Unknown RootKit Drivers", there's always a possibility of being a false positive - hence the "unknown" indeed.

Note that Malwarebytes restores/replaces these files with a "clean copy", so no harm is done anyway. If it always comes back (unknown rootkit driver), then it might be a misread in most cases caused by a 3rd party program.

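One way to triage "Unknown RootKit Driver" hits like the ones in this thread, as an added PowerShell example that is not from the thread or from Malwarebytes: it checks each flagged driver's Authenticode signature and records its SHA-256, so a file that Malwarebytes has restored from a "clean copy" can be compared before and after. It assumes the drivers live under $env:SystemRoot\System32\drivers, takes the file names from the attachments above (mwac.sys and mbam.sys are assumed from the zip names), and needs PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added triage helper (not from the forum thread or Malwarebytes).
# Assumption: the flagged drivers are in the standard Windows drivers folder.
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'
# File names from the thread's attachments; mwac.sys and mbam.sys are assumed from the zip names.
$Flagged   = @('mrxdav.sys', 'tdx.sys', 'mwac.sys', 'mbam.sys')

$Flagged | ForEach-Object {
    $path = Join-Path $DriverDir $_
    if (-not (Test-Path -LiteralPath $path)) {
        # Malwarebytes' own drivers may be installed elsewhere; report and move on.
        [PSCustomObject]@{ File = $_; Present = $false; Signature = 'n/a'; Signer = 'n/a'; SHA256 = 'n/a' }
        return   # inside ForEach-Object this skips to the next item
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = Get-FileHash -LiteralPath $path -Algorithm SHA256
    [PSCustomObject]@{
        File      = $_
        Present   = $true
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        SHA256    = $hash.Hash
    }
} | Format-Table -AutoSize
```

A Status of Valid with a Microsoft or Malwarebytes signer, and a hash that stays the same across the quarantine/restore cycle, is consistent with the misread the staff describe; NotSigned or HashMismatch on a Microsoft driver is the case that warrants further investigation rather than ignoring the detection.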

  • Staff

There is nothing we can fix files or definition wise with this. This is due to the way RollbackRx handles the caching of the files. It's a behaviour-based def and doesn't depend on the content of the files themselves.

If doing what I said doesn't fix your issue please let us know. I have seen this a lot and that usually fixes it.
