mwidunn (Posted April 25, 2016, ID:1036381):
I'm using MBAM 2.2.1.1043 (Free). It is my "2nd-opinion" scanner. I'm running Win10. I recently finished a scan with MBAM which identified 70+ items, almost all of them listed as "Riskware.ExtensionMismatch". To take just one example: MBAM is classifying the file igdail64.jpg (NOT the .dll) in WINDOWS\SYSTEM32 as malware. I have since scanned my computer with Norton Power Eraser, Emsisoft Emergency Kit, and HitmanPro. My installed AV program is Panda (Free). None of these AVs identifies that file as malware. It is digitally signed. HitmanPro did, however, categorize some files as "unrecognized," because they had been installed and/or changed in the past 12 days. Should I consider these (supposed) "riskware" files as false positives? MBAM wants me to delete them, which I am loath to do.
miekiemoes, Staff (Posted April 25, 2016, ID:1036397):
Hi, this is a generic detection - as it says, "Riskware.ExtensionMismatch", because this is a PE file masked as a jpg file. This is unfortunately a method a lot of malware uses. Is there any reason why these are named .jpg instead? Either way, you can add these files to your whitelist/exclusions if you named them like that on purpose.
mwidunn, Author (Posted April 26, 2016, ID:1036623):
Thanks for the reply. Two things: (1) What does "Riskware.ExtensionMismatch" mean exactly? To a novice like me, it does not sound "generic" or non-specific. (2) What is a "PE file"? It seems likely to me that they are false positives, since several other reputable scanners do not detect them as malware.
miekiemoes, Staff (Posted April 26, 2016, ID:1036662):
Hi, PE files are executable files, see here: https://en.wikipedia.org/wiki/Portable_Executable As I explained, in your case they have the extension .jpg, which is the extension for an image file, not an executable file. This is a tactic a lot of malware uses. That's why our scanner raises an alert here, to make the user aware. We don't mark this as malware, we just mark this as Riskware, as these files might be a risk - not because they are malware, but because they are "masked" as a jpg file, while they are actually an executable file.
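The check the staff reply describes (a file whose name says image but whose header says executable) can be reproduced with a few lines of header parsing. The example below is added here and is not Malwarebytes' code; the file name igdail64.jpg is reused from the thread only as a constructed sample name, the fake PE header and JPEG bytes are constructed inline, and like the scanner it reports a mismatch, not a malware verdict.

```python
import struct
from pathlib import Path
from typing import Iterator, Tuple

# Magic bytes for a few image formats, keyed by the extension that should carry them.
IMAGE_MAGICS = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew offset points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(name: str, data: bytes) -> str:
    """Compare what the extension promises with what the file header actually is."""
    ext = Path(name).suffix.lower()
    if is_pe(data):
        # An executable wearing an image extension is the ExtensionMismatch case from the thread.
        return "pe-masquerade" if ext in IMAGE_MAGICS else "pe"
    expected = IMAGE_MAGICS.get(ext)
    if expected is None:
        return "unknown-extension"
    return "image" if data.startswith(expected) else "extension-mismatch"

def scan_directory(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, verdict) for each image-named file whose header disagrees with its name."""
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in IMAGE_MAGICS:
            verdict = classify(p.name, p.read_bytes()[:4096])  # headers sit in the first KB or so
            if verdict != "image":
                yield str(p), verdict

def build_fake_pe() -> bytes:
    """Constructed sample: 'MZ' stub with e_lfanew = 0x40, followed by the PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20

JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # constructed JPEG/JFIF header

if __name__ == "__main__":
    print(classify("igdail64.jpg", build_fake_pe()))  # constructed name taken from the thread
    print(classify("photo.jpg", JPEG_SAMPLE))
```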