
Rootkit detection in bluetooth drivers - false positive?



I have rootkit detection enabled on Windows 10 (all updates applied) and MWB3 (Premium).  All was well for several months, but in the last two days the following files, associated with Bluetooth drivers, have been "detected" and quarantined.

c:\windows\system32\drivers\bthenum.sys

and

c:\windows\system32\drivers\bthusb.sys

After quarantine, one (bthenum.sys) re-appeared the next day and has been quarantined again in a subsequent scan.

I have turned off rootkit scanning temporarily, but wonder if anyone else has experienced the same "problem".

Is this a real or false-positive issue?

Thanks for suggestions.

EXAMPLE FILE REPORT:

{
   "applicationVersion" : "3.0.6.1469",
   "clientID" : "ScanScheduler",
   "clientType" : "scheduledScan",
   "componentsUpdatePackageVersion" : "1.0.103",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.1862",
   "detectionDateTime" : "2017-05-03T17:10:22Z",
   "fileSystem" : "NTFS",
   "id" : "642b6326-3023-11e7-9d83-40167e223f1d",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : true,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows 10",
   "schemaVersion" : 2,
   "sourceDetails" : {
      "objectsScanned" : 502892,
      "scanEndTime" : "2017-05-03T17:14:21Z",
      "scanOptions" : {
         "scanArchives" : true,
         "scanFileSystem" : true,
         "scanMemoryObjects" : true,
         "scanPUMs" : true,
         "scanPUPs" : true,
         "scanRookits" : true,
         "scanStartupAndRegistry" : true,
         "scanType" : "threat",
         "useHeuristics" : true
      },
      "scanResult" : "completed",
      "scanStartTime" : "2017-05-03T17:10:22Z",
      "scanState" : "completed",
      "type" : "scan"
   },
   "threats" : [
      {
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "cleanAction" : "quarantine",
            "cleanContext" : {
               "fileReplaceData" : {
                  "replacementDataFileName" : "C:\\PROGRAMDATA\\MALWAREBYTES\\MBAMSERVICE\\ScanResults\\bthenum.sys6d0bcc6a-3023-11e7-94cd-40167e223f1d-r.mbam"
               }
            },
            "cleanResult" : "dorQueued",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2017-05-03T17:14:26Z",
            "generatedByPostCleanupAction" : false,
            "id" : "6d14cd60-3023-11e7-a8a0-40167e223f1d",
            "linkType" : "none",
            "objectMD5" : "8474F34BDF3CBA9648544964461667F4",
            "objectPath" : "C:\\WINDOWS\\System32\\drivers\\bthenum.sys",
            "objectSha256" : "7E3C6634DC72AAF14FD5171E14F520E81E2BF7E77FD28AA7B59AB99BFF4FA706",
            "objectType" : "file",
            "suggestedAction" : {
               "fileDelete" : false,
               "fileReplace" : true,
               "fileTxtReplace" : false,
               "folderDelete" : false,
               "minimalWhiteListing" : false,
               "moduleUnload" : false,
               "noLinking" : true,
               "physicalSectorReplace" : false,
               "priorityHigh" : false,
               "priorityNormal" : false,
               "priorityUrgent" : true,
               "processUnload" : false,
               "regKeyDelete" : false,
               "regValueDelete" : false,
               "regValueReplace" : false,
               "treatAsRootkit" : true,
               "useDDA" : true
            }
         },
         "ruleID" : 0,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Unknown.Rootkit.Driver"
      }
   ],
   "threatsDetected" : 1
}

Edited by steveb_online

Thanks for the suggestion.  This issue has been complicated because the Windows media update occurred at about the same time and the Bluetooth drivers changed.  I had a working system, even though two of the BTH drivers were in quarantine. Anyway, I installed the beta you have suggested and I cannot be 100% sure if Bluetooth was working immediately after the installation at that stage (I am using a USB dongle).  However, I took the two drivers out of quarantine to see if they were detected. That was probably a mistake.  After moving the driver out of quarantine the USB Bluetooth dongle did not work.  I had a look in the System-DeviceManager and it was shown as having a fault (Device USB\VID_0A12&PID_0001\5&2594ce40&0&4 requires further installation.)  I have uninstalled and reinstalled the device without success.  There was no option to roll back the driver and trying to update the driver fails as no others are detected.  So now I am grappling with restoring Bluetooth functionality. The BTH troubleshooter came up with an "error 52" that cannot be fixed with the troubleshooter.

The "good news" for MB3 is that a scan with the beta version has not resulted in the same drivers being detected as a rootkit. Not much use to me though with a system that has crashed.


  • Staff

Hmm, if you get an error 52, then this probably means that the driver isn't signed. 

Seems like some have problems with this (which is totally unrelated to Malwarebytes):

https://www.reddit.com/r/Vive/comments/68i7ps/help_code_52_unsigned_bluetooth_driver/

This must also have been the reason why Mbam flagged it as unknown rootkit driver.

Any way you can install an older driver again for it?

Edited by miekiemoes
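A practical way to triage a detection like the one in the scan report above, along the lines the staff reply suggests: check whether the flagged driver is still the file the scanner hashed, whether it carries a valid Authenticode signature (Device Manager code 52 means Windows cannot verify the driver's signature), and whether it is a protected Windows system file. This is an added example and is not code from the thread or from Malwarebytes; it assumes the report JSON (the posted fragment, wrapped in braces) has been saved as C:\temp\mb3-report.json (an illustrative path) and that it runs in an elevated PowerShell on the affected machine. Note that in-box drivers such as bthenum.sys and bthusb.sys are normally catalog-signed rather than carrying an embedded signature; Get-AuthenticodeSignature on Windows 8 and later consults the catalog store, so a healthy in-box driver should still report Valid with a Microsoft signer.

```powershell
# Added example: triage MB3 "Unknown.Rootkit.Driver" hits from a scan report.
# Assumptions (not from the thread): report saved at $ReportPath, elevated shell.
param(
    [string]$ReportPath = 'C:\temp\mb3-report.json'
)

$report = Get-Content -Raw -LiteralPath $ReportPath | ConvertFrom-Json

foreach ($threat in $report.threats) {
    $trace = $threat.mainTrace
    if ($trace.objectType -ne 'file') { continue }

    $path = $trace.objectPath
    Write-Host "== $($threat.threatName): $path"

    # The file may already be sitting in quarantine; say so instead of erroring.
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "   file not present on disk (quarantined or removed)"
        continue
    }

    # 1. Is the file on disk still the object the scanner hashed?
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $hashMatches = ($sha256 -eq $trace.objectSha256)
    Write-Host "   SHA256 matches report : $hashMatches"

    # 2. Is the driver signed, and by whom? Code 52 in Device Manager is
    #    Windows reporting that it could not verify this signature.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    Write-Host "   signature status      : $($sig.Status)"
    $signer = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        Write-Host "   signer                : $signer"
    }

    # 3. Is it a protected Windows component? sfc compares the file with the
    #    component store and logs details to %windir%\Logs\CBS\CBS.log.
    & sfc.exe "/verifyfile=$path" | Out-Null
    Write-Host "   sfc /verifyfile exit  : $LASTEXITCODE"

    $microsoftSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')
    if ($hashMatches -and $microsoftSigned) {
        Write-Host "   verdict: validly signed Microsoft driver; likely a false positive. Report the hash to the vendor rather than deleting the file."
    } else {
        Write-Host "   verdict: unsigned or unexpected signer; leave it quarantined until the file is accounted for."
    }
}
```

The hash comparison matters because the scanner's "fileReplace" clean action swaps the file on disk; if the SHA256 no longer matches the report, you are no longer looking at the object that was flagged. A Valid status with a non-Microsoft signer, or NotSigned on a file under System32\drivers, is the case that deserves a closer look rather than an exclusion.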

Thanks for the follow-up and suggestions.  Much appreciated.

I'll have a look at some of the proposed fixes, but I have also ordered a new BlueT dongle with a CD with drivers so that I can get a totally new installation (I hope). For £6 it sounded like a worthwhile insurance (if it works). More soon.


Just for anyone else that gets in to this problem, I downloaded new drivers for CSR8510-A10 from https://www.sevenforums.com/drivers/338736-csr8510a10-driver-here-available.html.  I was hesitant to use these drivers but, due to the many thanks from other users on that forum that had downloaded them, I took the plunge and (after creating a System Restore Point) gave it a try.  They have restored Bluetooth to my Windows 10 Home ("Creator") OS. 

As far as MB3 (Beta) is concerned, all is well.  None of the new drivers has been detected as a rootkit.

Thanks to miekiemoes for the support and suggestions for the fix which was outside of MB product.  It is appreciated.


Hi

I'm new to Malwarebytes and this forum.

I am experiencing the same problem as steveb_online reported. Yesterday my scheduled scan at 4.00 p.m. reported zero threats, today my scheduled scan reported 2 “Unknown.Rootkit.Drivers”

c:\windows\system32\drivers\bthenum.sys

c:\windows\system32\drivers\bthusb.sys

I checked bthenum.sys and bthusb.sys online and discovered that both are Microsoft Windows 10 operating system critical files, pose no threat and should not be deleted. I therefore followed the Malwarebytes User Guide and placed both files in “Exclusions” so that they will be excluded from future detection.

I note that Moderators have stated that Malwarebytes are aware of the problem but are Malwarebytes also aware that when performing a re-scan these files are detected again despite both being in the “Exclusions” tab. I restarted my PC to see if that would make a difference but the re-scan was the same, both files being flagged up.

When will this problem be resolved?


  • Staff

Hi @Fastflys  - we believe this issue is resolved in our upcoming product release. This is why miekiemoes pointed steveb_online to our latest Beta release, which he said resolved the detection issue. Please do not attempt to restore these quarantined drivers.

Would you be willing to install the Beta and let us know your results?


Thanks tetonbob for your response.

These drivers were not quarantined as I had turned off the “Automatically Quarantine” button. When given the option, I hit “Always Ignore” and both files were placed in the “Exclusions” window. My PC appears to be working correctly and my Device Manager does not highlight any errors.

I do not wish to download and install your Beta version at this time but look forward to the fully tested version upgrade in due course.

steveb_online, you posted that you tried to “System Restore” but it failed. Microsoft issued an update back in February/March which has caused System Restore to malfunction on many computers including mine. Microsoft are aware but have yet to issue a patch. It has been reported that after installing Windows 10 Creator [which you would hope will have corrected this problem] System Restore is still malfunctioning. In the meantime MS have issued a workaround. For more information on this, check out the following link.

https://answers.microsoft.com/en-us/windows/forum/windows_10-update/system-restore-error-0x80070091/cedb6d6a-a3cf-4917-a6c0-a1544631adb6

Edited by Fastflys
