Jump to content

How do I distinguish between false positive and an actual thread?


Recommended Posts

Hi folks,

under this topic How to report a False Positive  you describe, what to do, once you know it is a false positive. But how do I know, it is not an actual thread?

What tells me the files don´t start encrypting my hard drive as soon as I restore them?

In my case it is explorer.exe and some registry entries (HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell), by the way.

Thanks for your help and the Anti-Ransomware Beta!

Link to post
Share on other sites

Hi, @Hepacco, and :welcome:

To answer your question I'll delve a little into some definitions as well as methodology. 

False Positives (FPs) are, by definitions, files that you know to be safe but are still flagged by your security software as being (possibly) maliciousThe reason you know the difference is that files that you use every day on your own, such as an Office program, or an image viewer, or a music player, you can report as a false positive.

With respect to your query, though, I can see the flip side - what if it is a malicious program masquerading as a benign program?  What do you then?

The link you posted is a good resource for reporting FPs.  But, it is also a great way to check whether the file being reported is, in fact, a FP.  If you follow ht reporting procedure, then a staff member will analyze the actual file and report back to you if it is indeed a FP or not through independent analysis of the file(s) itself (themselves).  Based upon that analysis, they will advise you if it is OK to restore the file(s) or not.

Please go ahead and follow procedure outlined in the link you posted to have your specific case analyzed by a staff member so they can advise you as to what your next step will be.

Link to post
Share on other sites

Hi John,

Thanks a lot for your answer. I will do so. One more question, before I do that, though:

The post How to report a False Positive suggests to restore files and then zip them. That would give such a masquerading thread a window to do what ever those nasty little things do, because I restored them. Should I do it anyway or can I zip the quarantined files somehow for analysis?


Link to post
Share on other sites

In your case I would not restore them.  Is your desktop normally working right now after the quarantine and action report  If so, then most likely what was found *is* malicious, and restoring it may, in fact, cause the infection to proceed.

Please wait while a staff member responds.

Link to post
Share on other sites

Hi John,

thanks again. Well, the desktop is not working correctly, as explorer.exe is in quarantine. I am using Task-Manager and cmd.exe to open software ;-)

But anyways, waiting for a staff member is a good idea. I will start a backup in the meantime. You never know.

And it could very well be that I got infected, since I just recently was connected to a hotel network.

Link to post
Share on other sites

Hello Hepacco:

Please follow the procedure for reporting a False Positive (FP).  The need to handicap a system over a FP is not necessary. Archive analysis can only begin once they are posted.

Thank you.

Link to post
Share on other sites

Reference: https://www.virustotal.com/en/file/6bed1a3a956a859ef4420feb2466c040800eaf01ef53214ef9dab53aeff1cff0/analysis/1459554874/

Hello Hepacco:

Non-authoritatively. the MBARW Beta alerts on a C:\Windows\Explorer.EXE based process in that W7SP1x64 system is a false positive and entry in MBARW's exclusion list should proceed only under a Malwarebytes staffer's direction.

Despite an "over-the-top" upgrade on a cleanly installed Beta5 to Beta6 that outwardly appears to have completed with success, and since all the usually request data has been captured, I recommend a clean re-install of MBARW Beta6 followed by a reasonable period of watchful waiting:

1. Close all open Windows applications followed by a conventional Windows based uninstall of Malwarebytes Anti-Ransomware.
2. If MBARW Beta was uninstalled successfully, the following directories will have been deleted from a typical Windows 64-bit system:

          C:\Program Files\Malwarebytes\
          C:\ProgramData\Malwarebytes Anti-Ransomware\

3. If any of the above directories remain, please delete them manually. If necessary, any remaining/uninstalled directory may be deleted in the Windows Safe mode.
4. Execute a conventional Windows restart to the Normal Windows boot mode and log-in through an Administrator's account. <===IMPORTANT!
5. Using an Administrator's account only, download a fresh MBARW_Setup.exe file and save to the Administrator's Desktop from the MBARW Introduction topic.
6. Right-click the MBARW_Setup.exe file and left-click RunAsAdmin.jpgRun as administrator from the context menu.
7. Upon a successful installation, please restart the computer in a conventional manner to the Windows Normal boot mode.

Please reply to your topic with the status of your reported issue.

Thank you for beta testing MBARW and your valuable feedback.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.