False Positive - win32app_1


matthewcox

Seeing a reoccurring alert from MWB. Wondering if this is a false positive as I can't seem to locate the problem file.

MWB Support suggested I post on the forums.

 

Alert Time: 10/18/2016 9:38:36 AM
Server Hostname: (server)
Server Domain/Workgroup: (mydomain.local)
Server IP: (server ip)
Notification Catalog: Client
Description:
Malware threat detected, see details below:

10/18/2016 9:37:15 AM (PC name) (PC IP) Rootkit.ADS < No action taken > c:\Windows\system32:win32app_1

 

Thanks


  • Staff

Hi,

This (win32app_1) is actually an Alternate Data Stream that is attached to the system32 folder here, hence why we detect it.

See here for more information on what ADS are: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/

We have come across this win32app_1 once in a while and we aren't sure what program generates this one. We are still investigating, but this one doesn't look like a malicious alternate data stream, although it's very uncommon nowadays to add alternate data streams to folders, especially the system32 folder, hence why we alert here.

You can safely ignore this detection - and in case you choose to remove this anyway, Malwarebytes will remove only the alternate data stream, so it won't break anything.
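The target in the alert, `c:\Windows\system32:win32app_1`, names a stream on the system32 folder rather than a file inside it. As an added example (not part of the original posts and not Malwarebytes code), this Python parser reads alert lines in the layout quoted in the thread and splits the target into the host object and the stream name; the field layout is inferred from that one line, and the second and third sample lines are constructed.

```python
import re
from typing import NamedTuple, Optional

# Field layout inferred from the one alert line quoted in the thread (assumption).
ALERT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<host>\([^)]*\)|\S+) (?P<ip>\([^)]*\)|\S+) "
    r"(?P<threat>\S+) < (?P<action>[^>]*?) > (?P<target>.+)$"
)

class Target(NamedTuple):
    host_object: str             # file or directory that carries the stream
    stream: Optional[str]        # None when the target is an ordinary path
    stream_type: Optional[str]   # "$DATA" unless the path states another type

def split_stream(path: str) -> Target:
    """Split 'object:stream[:type]' without tripping on the drive-letter colon."""
    drive, rest = (path[:2], path[2:]) if re.match(r"^[A-Za-z]:[\\/]", path) else ("", path)
    cut = max(rest.rfind("\\"), rest.rfind("/")) + 1   # start of the last component
    name, _, suffix = rest[cut:].partition(":")
    host_object = drive + rest[:cut] + name
    if not suffix:
        return Target(host_object, None, None)
    stream, _, stype = suffix.partition(":")
    # 'name::$DATA' addresses the default unnamed stream, so stream stays None.
    return Target(host_object, stream or None, stype or "$DATA")

def parse_alert(line: str) -> Optional[dict]:
    """Return the alert fields with 'target' split, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["target"] = split_stream(rec["target"])
    return rec

# First line is the alert from the thread; the other two are constructed samples.
SAMPLES = [
    r"10/18/2016 9:37:15 AM (PC name) (PC IP) Rootkit.ADS < No action taken > c:\Windows\system32:win32app_1",
    r"10/18/2016 9:40:02 AM WS-EXAMPLE 192.0.2.10 Rootkit.ADS < No action taken > c:\Temp\report.txt:hidden.bin:$DATA",
    r"10/18/2016 9:41:10 AM WS-EXAMPLE 192.0.2.10 Example.Threat < No action taken > c:\Temp\sample.exe",
]

if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse_alert(line)
        t = rec["target"]
        kind = f"stream '{t.stream}' on {t.host_object}" if t.stream else f"file {t.host_object}"
        print(rec["threat"], "->", kind)
```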
