Trojan.Agent?


Utopian

Good day,

File install.exe was flagged, most probably an FP.

Also, I have a few observations I'd like to ask about:

1) Why is it that the quarantined files in the Admin account don't show up when I open MBAM in the limited account? Does this mean the quarantine for the limited account is different from the quarantine of the admin account?

2) Can MBAM be updated when in a limited account? Will there be anything wrong if I update from a limited account?

3) Why does MBAM show obviously different results when scanning in the admin and limited accounts? Does this mean I have to run different scans for each account? (It scanned a smaller number of files over a longer amount of time when used in the limited account, and I'm not sure if it scanned the same files from the limited and admin accounts.)

P.S. This is the 'thing' in the quarantine of the admin account which doesn't show in the quarantine of the limited account. After catching this in a Quick scan I again ran a Full scan in admin, then another Quick scan in limited; it did not catch anything. What exactly is Trojan.Agent (install.exe), and since most probably it's a legitimate file, was it damaged during quarantine?

Here is the log file.

mbam_log_2009_05_31__21_32_48_.txt


I do not develop the application, only the definitions, so I won't be able to answer all of your questions.

My guess on the quarantine is that it is user-specific, so that if user A quarantines a file, user B will not be able to undo this.

As for the FP, it is being caused by aggressive heuristics against executables in root. This is an extraordinarily common launching point for malware, and since no executables should ever be stored/launched from there by the user, we are strict as to what can run from there.


Guest victimized

I have also gotten trojan.agent. When I right-click on it and click "jump to location", it just takes me here: C:\Documents and Settings\a\Local Settings\Temporary Internet Files

When it takes me here, it doesn't highlight any file. Any suggestions?


I do not develop the application, only the definitions, so I won't be able to answer all of your questions.

My guess on the quarantine is that it is user-specific, so that if user A quarantines a file, user B will not be able to undo this.

As for the FP, it is being caused by aggressive heuristics against executables in root. This is an extraordinarily common launching point for malware, and since no executables should ever be stored/launched from there by the user, we are strict as to what can run from there.

If it's not difficult, is there a way for us to know what exactly the file install.exe, which was flagged as Trojan.Agent by MBAM, was and its purpose? I still have it in quarantine and I'd like to know if it's better to restore it, since it might be a necessary file. Please reply.


I have also gotten trojan.agent. When I right-click on it and click "jump to location", it just takes me here: C:\Documents and Settings\a\Local Settings\Temporary Internet Files

When it takes me here, it doesn't highlight any file. Any suggestions?

2 things here. Please start your own threads for support; multiple users in a thread confuses things. A file detected in temporary internet files is almost certainly malware.


@Utopian

It is unlikely that this file is required; if anything, it is more likely an installer that has already been used.

If you restore it you can zip and attach it here so I can look at it.

Since I'm not sure whether it's safe or not, is it possible to zip the file without taking it out of quarantine? Could I find the Malwarebytes quarantine and zip it from there?


Since I'm not sure whether it's safe or not, is it possible to zip the file without taking it out of quarantine? Could I find the Malwarebytes quarantine and zip it from there?

That is not the way malware works. Your log shows that this file was not in memory and did not have a load point. Unless you double-click this file it will not execute.


Please tell me what this file really is and if it's safe to restore. So let's say you confirm this file is a FP, do you update your database so that when scanning after updating, MBAM won't show this file anymore as Trojan.Agent?


This file is not malicious. The file is being detected through aggressive heuristics and will not be detected if moved to a more typical location like your docs or other dedicated storage folder.

I will now restore this file. I also checked with VirusTotal and it turned up negative; indeed a file of Visual Studio. I think I'll just return it where it came from since, I think, there are some files related to it in the same location, and also because I was not the one who placed it there; it was placed there, I guess, automatically during updating.

Could I maybe also place them in the items to ignore? Could there be drawbacks with this?

Something like this must be fixed, since Trojan.Agent is serious and somebody could delete something important they thought was malware. It's like blaming an innocent person for a crime not committed. Sir nosirrah, thanks for clearing it up.


A FP of this nature probably won't be 'fixed', as heuristics like this are what makes MBAM so effective. Executable files simply should not be placed in locations such as this. Programs won't put stuff there unless they are very, very badly designed or something goes wrong when installing. The only common reasons for .exe files to be there are if a user deliberately or accidentally moved it or told something to install there, or the file is indeed malware. So it makes sense to automatically assume any exe files are bad, since any new malware which uses that location will automatically be detected.

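The location-based heuristic discussed in this thread, sketched as an added example (not Malwarebytes code and not part of any post). The extension list, the cache folder set and the verdict strings are assumptions for illustration; it shows why the same install.exe is flagged in the drive root and passes once moved to a documents folder.

```python
from pathlib import PureWindowsPath

# Assumed extension list and folder name; MBAM's real rules are not shown in the thread.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
CACHE_DIRS = {"temporary internet files"}


def location_verdict(path):
    """Judge a file by where it sits, never by its content."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in EXECUTABLE_EXTS:
        return "pass"
    # An absolute path whose parent is the bare anchor (C:\) is in the drive root.
    if p.anchor and p.parent == PureWindowsPath(p.anchor):
        return "flag:root"
    if any(part.lower() in CACHE_DIRS for part in p.parent.parts):
        return "flag:browser-cache"
    return "pass"


def triage(paths):
    """Return {path: verdict} for the flagged paths only."""
    verdicts = {p: location_verdict(p) for p in paths}
    return {p: v for p, v in verdicts.items() if v != "pass"}


# Constructed sample paths modelled on the locations named in the thread.
SAMPLE = [
    r"C:\install.exe",
    r"C:\Documents and Settings\a\My Documents\install.exe",
    r"C:\Documents and Settings\a\Local Settings\Temporary Internet Files\x.exe",
    r"C:\boot.ini",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:20} {path}")
```
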

  • 2 weeks later...
A FP of this nature probably won't be 'fixed', as heuristics like this are what makes MBAM so effective. Executable files simply should not be placed in locations such as this. Programs won't put stuff there unless they are very, very badly designed or something goes wrong when installing. The only common reasons for .exe files to be there are if a user deliberately or accidentally moved it or told something to install there, or the file is indeed malware. So it makes sense to automatically assume any exe files are bad, since any new malware which uses that location will automatically be detected.

Thanks for the responses, and you are correct. The fault is with the Automatic Update of MS XP, where temp files from Visual Studio 2008 install to root, but it has already been fixed.
