matthewcox Posted October 18, 2016 ID:1067080 Share Posted October 18, 2016 Seeing a reoccurring alert from MWB. Wondering if this is a false positive as I can't seem to locate the problem file. MWB Support suggested I post on the forums. Alert Time: 10/18/2016 9:38:36 AMServer Hostname: (server)Server Domain/Workgroup: (mydomain.local)Server IP: (server ip)Notification Catalog: ClientDescription:Malware threat detected, see details below:10/18/2016 9:37:15 AM (PC name) (PC IP) Rootkit.ADS < No action taken > c:\Windows\system32:win32app_1 Thanks Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 18, 2016 Staff ID:1067092 Share Posted October 18, 2016 Hi, This ( win32app_1) is actually an Alternate Data stream that is attached to the system32 folder here, hence why we detect. See here for more information what ADS are: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/ We have come across this win32app_1 once in a while and we aren't sure what program generates this one. We are still investigating, but this one doesn't look like a malicious alternate data stream, although it's very uncommon nowadays for adding alternate data streams to folders, especially the system32 folder, hence why we alert here. You can safely ignore this detection - and in case you select to remove this anyway, malwarebytes will just remove the alternate datastream only, so it won't break anything. Link to post Share on other sites More sharing options...
matthewcox Posted October 18, 2016 Author ID:1067094 Share Posted October 18, 2016 Hi miekiemoes Thanks for the prompt reply. Is there anyway to make an exception? The "system32:win32app_1" format isn't accepted because it's not a valid UNC path. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 18, 2016 Staff ID:1067096 Share Posted October 18, 2016 Ah yes, I'm sorry. I forgot about this - This can't be excluded unfortunately and you don't want to exclude the entire system32 folder either. We will look into this if we can adjust our detection, so it won't find this one anymore. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 18, 2016 Staff ID:1067097 Share Posted October 18, 2016 Hi Matthew, Additional question, what database version are you running? Because this shouldn't be detected anymore for a while already though. So unsure if you're running the latest database or a much older version. Link to post Share on other sites More sharing options...
matthewcox Posted October 18, 2016 Author ID:1067099 Share Posted October 18, 2016 Signature Database is v2016.10.18.09 Console Version is 1.7.0.3208 Link to post Share on other sites More sharing options...
matthewcox Posted October 18, 2016 Author ID:1067101 Share Posted October 18, 2016 This may shed some light. For whatever reason the machines that show this alert are running database v2013.03.01.01 !! I'll manually force the update and I'm sure this alert will disappear. Thanks for the assistance. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 18, 2016 Staff ID:1067102 Share Posted October 18, 2016 Thanks - figured that machine was running an older database Mystery solved Link to post Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now