
False rootkit driver detection



I wanted to report to you that these files (see the attached txt) are safe, and to ask you to exempt them in future updates. The program considers these files to be rootkits, but they are the original files from Microsoft. Even if I add an entry to the program's ignore list, it still detects them and shows me a false alarm at the end of the scan.

false rotkit detection.txt

  • Staff

If the scanner sees a legitimate file as "Unknown.Rootkit.Driver", then this means there is probably indeed a rootkit present (as we have seen with certain 0access variants) where the files are "forged" by the rootkit. Meaning, reads through the WinAPI differ from the contents read through low-level disk access. In such cases, Malwarebytes fixes this and restores the file with a "clean" one.
It doesn't always mean that you were indeed dealing with a rootkit. We've seen some other cases as well where files were forged by some legitimate software or by a DDA driver failure.

Since this was detected with the rootkit engine, you might want to discuss this in the MBAR forum.
https://forums.malwarebytes.org/index.php?/forum/116-malwarebytes-anti-rootkit-beta-help/

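The staff reply above describes a cross-view check: the file's bytes as returned through the normal file API against the bytes sitting in its clusters on the raw volume. The script below is an added illustration of that check and is not Malwarebytes' code (their engine is not published here). It assumes Windows, an elevated prompt (raw volume reads need it), an NTFS volume, and an uncompressed, unencrypted, non-resident target file with at most 64 extents; it maps the file with the documented `FSCTL_GET_RETRIEVAL_POINTERS` control code and reads the clusters from `\\.\C:`. The verdict logic (`classify`) is a pure function, so it also runs on the constructed sample in `demo()` on any OS.

```python
"""Cross-view check of a driver file: the bytes the normal file API returns
versus the bytes in the file's clusters on the raw volume.

Hypothetical example, not Malwarebytes code. The raw read is Windows-only,
needs an elevated prompt, and covers an uncompressed, unencrypted,
non-resident NTFS file with at most 64 extents."""
import ctypes
import hashlib
import os
import sys

FSCTL_GET_RETRIEVAL_POINTERS = 0x00090073
GENERIC_READ = 0x80000000
FILE_SHARE_READ, FILE_SHARE_WRITE = 0x1, 0x2
OPEN_EXISTING = 3
ERROR_HANDLE_EOF, ERROR_MORE_DATA = 38, 234
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class _Extent(ctypes.Structure):
    _fields_ = [("NextVcn", ctypes.c_int64), ("Lcn", ctypes.c_int64)]


class _RetrievalPointers(ctypes.Structure):      # RETRIEVAL_POINTERS_BUFFER
    _fields_ = [("ExtentCount", ctypes.c_uint32),
                ("StartingVcn", ctypes.c_int64),
                ("Extents", _Extent * 64)]


def classify(api_view: bytes, disk_view: bytes) -> dict:
    """Compare both views; a mismatch is what a scanner reports as a forged file."""
    same = api_view == disk_view
    first_diff = next((i for i, (a, b) in enumerate(zip(api_view, disk_view))
                       if a != b), min(len(api_view), len(disk_view)))
    return {
        "verdict": "consistent" if same else "forged_view",
        "api_sha256": hashlib.sha256(api_view).hexdigest(),
        "disk_sha256": hashlib.sha256(disk_view).hexdigest(),
        # offset of the first differing byte (the shorter length if one view
        # is only truncated); None when both views match
        "first_diff": None if same else first_diff,
    }


def read_raw_view(path: str) -> bytes:
    """Windows-only: map the file to its clusters and read them from \\.\X:,
    bypassing the file-system stack a rootkit or filter driver hooks."""
    k32 = ctypes.windll.kernel32
    P32, VP, U32 = ctypes.POINTER(ctypes.c_uint32), ctypes.c_void_p, ctypes.c_uint32
    k32.CreateFileW.restype = VP
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, U32, U32, VP, U32, U32, VP]
    k32.DeviceIoControl.argtypes = [VP, U32, VP, U32, VP, U32, P32, VP]
    k32.SetFilePointerEx.argtypes = [VP, ctypes.c_int64, VP, U32]
    k32.ReadFile.argtypes = [VP, VP, U32, P32, VP]
    k32.CloseHandle.argtypes = [VP]
    k32.GetDiskFreeSpaceW.argtypes = [ctypes.c_wchar_p] + [P32] * 4

    path = os.path.abspath(path)
    drive = os.path.splitdrive(path)[0]                        # e.g. "C:"
    spc, bps, junk = U32(), U32(), U32()
    if not k32.GetDiskFreeSpaceW(drive + "\\", ctypes.byref(spc), ctypes.byref(bps),
                                 ctypes.byref(junk), ctypes.byref(junk)):
        raise ctypes.WinError()
    cluster, size = spc.value * bps.value, os.path.getsize(path)

    fh = k32.CreateFileW(path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                         None, OPEN_EXISTING, 0, None)
    if fh == INVALID_HANDLE_VALUE:
        raise ctypes.WinError()
    start, out, n = ctypes.c_int64(0), _RetrievalPointers(), U32()
    ok = k32.DeviceIoControl(fh, FSCTL_GET_RETRIEVAL_POINTERS, ctypes.byref(start),
                             ctypes.sizeof(start), ctypes.byref(out), ctypes.sizeof(out),
                             ctypes.byref(n), None)
    err = ctypes.GetLastError()
    k32.CloseHandle(fh)
    if not ok:
        if err == ERROR_HANDLE_EOF:
            raise RuntimeError("file is resident in the MFT, no clusters to read")
        if err == ERROR_MORE_DATA:
            raise RuntimeError("more than 64 extents; enlarge the buffer or loop")
        raise ctypes.WinError(err)

    vh = k32.CreateFileW("\\\\.\\" + drive, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                         None, OPEN_EXISTING, 0, None)         # needs admin rights
    if vh == INVALID_HANDLE_VALUE:
        raise ctypes.WinError()
    chunks, vcn = [], out.StartingVcn
    try:
        for i in range(out.ExtentCount):
            ext = out.Extents[i]
            length = (ext.NextVcn - vcn) * cluster             # sector-aligned
            if ext.Lcn == -1:                                  # sparse run reads as zeros
                chunks.append(b"\0" * length)
            else:
                buf, got = ctypes.create_string_buffer(length), U32()
                if not k32.SetFilePointerEx(vh, ext.Lcn * cluster, None, 0) or \
                   not k32.ReadFile(vh, buf, length, ctypes.byref(got), None):
                    raise ctypes.WinError()
                chunks.append(buf.raw[:got.value])
            vcn = ext.NextVcn
    finally:
        k32.CloseHandle(vh)
    return b"".join(chunks)[:size]                             # drop cluster slack


def demo() -> dict:
    """Constructed sample: the API view shows an untouched image, the raw view
    has one patched byte, as a forging rootkit or a stale filter driver yields."""
    api_view = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + bytes(range(64))
    disk_view = bytearray(api_view)
    disk_view[80] ^= 0xFF
    return classify(api_view, bytes(disk_view))


if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.platform == "win32":
        with open(sys.argv[1], "rb") as f:
            print(classify(f.read(), read_raw_view(sys.argv[1])))
    else:
        print(demo())
```

Run it from an elevated prompt as `python crossview.py C:\Windows\System32\drivers\<name>.sys`. A `forged_view` verdict is evidence that something between the file API and the disk is altering reads, not proof of a rootkit: as the thread notes, a snapshot or rollback driver and a failed direct-disk-access read produce the same mismatch, and a kernel rootkit that also hooks the volume device could hide from this check entirely. Treat the two hashes and `first_diff` as triage data, and confirm against a known-good copy of the driver or its Authenticode signature before acting.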


And could any additional software be at fault, for example Rollback Rx PC, which I have installed?

  • Staff

Hi,


Yes, Rollback Rx PC often causes this as well. For example, when new software or Windows updates that involve drivers are installed, Rollback might forge these.

What helps in most cases here is to uninstall Rollback Rx, reboot and reinstall it. That should normally solve the problem of it forging newly installed or updated drivers.

