False Positive SuspectAutorun.Rootdrive.H


centralkong
Staff

Hi and welcome to the forums

Malwarebytes has a heavy heuristic scan at the root drive; .exes, .dlls and .ini files, as well as other files, ought not be stored there, as it's a very common place for malware to hide. If you know the file to be good, then either add it to the ignore list or move it to another folder.

We don't make adjustments for these, especially for custom files. The database would be bloated beyond usability.


As of now, I've put my autorun.inf on the Ignore list, so there's only one question left: my autorun is composed of:

  1. Two comments.
  2. An icon directive.
  3. A label directive.

I don't have anything against the detection of autoruns, but my question is: is it the right approach to flag all autorun.infs as "suspected"? Maybe you could check the contents, and if there are only comments, icon and/or label directives, mark the file as safe!

Or if the file contains a shellexecute, shell\open\command or whatever, you could:

  • Resolve the name of the referenced executable. If it's detected, flag it as a Worm/AutoRun, or a corresponding name.
  • If the referenced executable is not a known malware, leave it as "Suspect".
  • (I'm beginning to be a bit more complicated :) ) If the referenced executable is signed, or is whitelisted, mark the file as safe.

LoneWolf,

I'm guessing you haven't knowingly created this file, so the next question would be: have you run a flash/autorun disinfector tool, or maybe have a custom icon for your drive?

I did install a custom Application Filtering GUI replacement for Look 'n' Stop firewall a while back from here

http://www.mntolympus.org/phpBB3/viewtopic...f=38&t=6028

but have since uninstalled LnS.

Could this possibly be it?


I did install a custom Application Filtering GUI replacement for Look 'n' Stop firewall a while back from here

http://www.mntolympus.org/phpBB3/viewtopic...f=38&t=6028

but have since uninstalled LnS.

Could this possibly be it?

Not sure.

One way to find out is to change the file extension to .txt.

Open it and see if you can see the filename that it is pointing to, then Google search that filename to see if it is associated with malware or a legitimate object/application.

centralkong,

Excellent thinking; however, the current MBAM engine will not let me break into non-PE files and filter data/strings... This is on the agenda for future engine enhancement, but for now I can only break the file headers of PE files and check strings.

Please add it to your ignore list for now. As you are probably aware, an extremely high percentage of autorun.inf files dropped on the root drive are malware related, so it is better for us to be aggressive towards this than to give it a miss.

Sorry for any inconvenience caused.

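Added example (not Malwarebytes code and not from any poster in this thread): a small Python triage of autorun.inf contents that implements the rules centralkong proposed (comments, icon and label only are safe; a launch directive has its target resolved and is rated known-bad, whitelisted or suspect) and automates the manual check Ade suggests (extract the filename the file points to so it can be looked up). It also carries a minimal MZ/PE signature check for the referenced file, since the thread notes the engine at the time could only inspect PE headers. The sample autorun.inf texts, the known-bad and whitelist names, and the PE header bytes are all constructed for the example.

```python
"""Triage of autorun.inf contents along the lines proposed in this thread.

Added example, not Malwarebytes code. The sample files, the known-bad and
whitelisted names, and the PE header bytes below are all constructed.
"""
import re
import struct
from dataclasses import dataclass, field

# Directives that launch something when the drive is mounted or opened.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Directives that only affect how the drive is displayed.
BENIGN_KEYS = {"icon", "label", "action", "useautoplay"}


@dataclass
class Verdict:
    classification: str                   # "safe", "suspect" or "malicious"
    executables: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: [(key, value), ...]}.
    Comment lines (';' or '#') and blank lines are skipped; keys are lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def referenced_executable(value):
    """Return the program a directive points to: the first token of the command
    line, with surrounding double quotes removed (the filename Ade suggests
    looking up by hand after renaming the file to .txt)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def triage(text, known_bad=frozenset(), whitelist=frozenset()):
    """Apply the thread's rules: comments, icon and label only -> safe; a launch
    directive -> resolve its target; known-bad name -> malicious, whitelisted
    name -> safe, anything else -> suspect. Names are compared lowercase."""
    verdict = Verdict("safe")
    for key, value in parse_autorun(text).get("autorun", []):
        if key in EXEC_KEYS or SHELL_COMMAND_RE.match(key):
            target = referenced_executable(value)
            name = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            verdict.executables.append(target)
            if name in known_bad:
                verdict.classification = "malicious"
                verdict.reasons.append(f"{key}: {name} is known malware")
            elif name in whitelist:
                verdict.reasons.append(f"{key}: {name} is whitelisted")
            else:
                if verdict.classification == "safe":
                    verdict.classification = "suspect"
                verdict.reasons.append(f"{key}: {name} is not whitelisted")
        elif key not in BENIGN_KEYS:
            if verdict.classification == "safe":
                verdict.classification = "suspect"
            verdict.reasons.append(f"{key}: unrecognised directive")
    return verdict


def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew field (offset 0x3C)
    points at the PE signature, i.e. a file a PE-only engine could inspect."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed samples (the worm name is a placeholder, not a real IoC).
BENIGN_INF = """; custom icon for my pendrive
; nothing here launches anything
[autorun]
icon=drive.ico
label=backup stick
"""
SUSPECT_INF = r"""[autorun]
open=RECYCLER\example_worm.exe
shell\open\command=RECYCLER\example_worm.exe
shellexecute="RECYCLER\example_worm.exe" /s
"""
# Minimal MZ header with e_lfanew = 0x40 followed by the PE signature.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"


if __name__ == "__main__":
    for label, inf in (("benign", BENIGN_INF), ("suspect", SUSPECT_INF)):
        v = triage(inf, known_bad={"example_worm.exe"})
        print(label, "->", v.classification, v.executables, v.reasons)
    print("sample PE header recognised:", looks_like_pe(SAMPLE_PE))
```

The classifier is deliberately conservative in the direction the thread argues for: any unrecognised directive or any launch target that is neither known-bad nor whitelisted leaves the file at "suspect", and a single known-bad target outranks any whitelisted ones in the same file.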

No worry, Ade! I always find myself with tons of autorun.infs in my memory cards, pendrives, shared resources and whatever. Better losing 15 seconds with UAC, Malwarebytes and Ignore list than losing a day (or more) just trying to remove a virus executed by autorun.inf, isn't it?

Maybe for a MBAM 2.0 release... :(
