Jump to content

Ransom.Petya : False Positive??


Recommended Posts

Hello, got a bunch of alerts this morning showing the following path is infected with Ransom.Petya. Is this a false positive and is anyone else seeing this today?

Ransom.Petya    Quarantined    C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe

 

Link to post
Share on other sites

Exact same thing here, I have received 16 messages from the console:

C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe    Quarantined    Ransom.Petya

The false positives over the last couple of week are going to give me a heart attack. I sure hope an engineer will chime in. The latest version of the DB I show is v2016.09.13.07.   

Link to post
Share on other sites

My DB version is also showing v2016.09.13.07; my system updated at 6:46 AM EST and I got my first alert at 7:01 AM EST. As the clients update, I am getting more and more alerts. I too hope an engineer chimes in to tell us if this is real or a false positive and how to resolve this. The mdm.exe file at C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\ is getting quarantined on my endpoints.

Link to post
Share on other sites

Yeah, I still have the notifications coming in, over and over. I investigated the mdm.exe (Machine Debug Manager) file and the file date on it is 10/26/2006 so this must certainly be a false positive. The Console is reporting that the .exe file and associated registry keys are being quarantined and deleted upon reboot which is not good. So my major concern after hearing that this is confirmed to be a false positive by a MB engineer is that even if they produce an update how am I going to reverse the deleting of these files without having to touch what is up to 50 endpoints right now?

Link to post
Share on other sites

  • Staff
4 minutes ago, djhatchell said:

My organization is experiencing this today. We have had over 50 notifications. The computers are on database version 2016.09.15.09. Has the problem been reintroduced?

 

3 minutes ago, millertek2001 said:

I am getting them again as well v2016.09.15.09

Please update to 2016.09.15.10 which is available now. We disabled a rule that we suspected caused this.

Link to post
Share on other sites

FYI: I'm not waiting... I have excluded this file from scanning on all clients (and un-quarantined it to all).

Gee...  this is the third false positive this month!  Whatthehell?!?  Does Malwarebytes not have QA on their signatures? ... losing faith here.

  • 2016-09-15 Ransom.Petya - C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
  • 2016-09-15 Ransom.Petya - C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
  • 2016-09-02 Ransom.Crysis - C:\Program Files\Microsoft Office\Office12\ORGCHART.EXE
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.