Jump to content

False-Positive detection of trojan.FakePDF on ARPPRODUCTICON.exe


Recommended Posts

Is this a false-positive? After clients updated with signature db v2017.10.31.11 we are seeing a high rate of detection of Trojan.FakePDF on ARPPRODUCTICON.exe across many computers. The detection path is C:\Windows\Installer\[[sub folder varies but is usually an ID]]\ARPPRODUCTICON.exe

Below are some sample alerts. I am working on collecting a log with mbam.exe /developer mode but I am not confident the log will show the detection since I wasn't able to restore the quarantined files. No errors try to restore the files, just nothing happens. I'll post the log when the scan finishes.

10/31/2017 1:23:38 PM  [computernameremoved]                [IPaddressremoved]     Trojan.FakePDF                Quarantined                C:\Windows\Installer\23ff09e3.msi

10/31/2017 1:23:38 PM  [computernameremoved]                [IPaddressremoved]     Trojan.FakePDF                Quarantined                C:\Windows\Installer\{7ECCF990-6516-4563-85AC-1CAD4DB88781}\ARPPRODUCTICON.exe

 

Thank you for your insights.

Link to post
Share on other sites

  • Staff

Hi,

Thanks for reporting. This looks like a false positive indeed and will get fixed in next database update.

 

Edited to add - can you unquarantine the files and zip and attach the C:\Windows\Installer\{7ECCF990-6516-4563-85AC-1CAD4DB88781}\ARPPRODUCTICON.exe file?

Thanks!

Edited by miekiemoes
Link to post
Share on other sites

Thanks for the update Miekie 

If with the latest definitions update on the endpoint (check that here https://data-cdn.mbamupdates.com/v1/database/rules/version.chk ) your block is still persisting

Please upload us a sample of the exe file in question being blocked to:

Please upload referencing the case#000000 to our file site below:

https://www.malwarebytes.com/support/business/businessfileupload/

PLEASE PM ME with your email once this is done

Again the Trojan.FakePDF has been fixed so please ensure if you are getting that one in particular that you are on the latest database

Many Thanks

 

Edited by KDawg
Link to post
Share on other sites

I don't think this has been fixed unless there is a delay in notifications. Please see below, we are continuing to see this with the latest definition at the EUD.

 

________________________________________

From: Malwarebytes Alert

Sent: Tuesday, October 31, 2017 11:53:26 AM (UTC-08:00) Pacific Time (US & Canada)

To: SystemNotifications

Subject: Malwarebytes Alert: Malware Threat Detected

 

Malwarebytes Management Server Notification

--------------------------------------------

 

Alert Time: 10/31/2017 11:53:26 AM PST

Server Hostname: INF-SVC-2

Server Domain/Workgroup: xxxxx.com

Server IP: xx.xx.xx.xx

Notification Catalog: Client

Description:

Malware threat detected, see details below:

 

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\ccmcache\y\Files\CDTime534.msi

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\55a0a1.msi

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\{BFE86DC2-9E3B-433F-BDFC-AA96EEAEC2AE}\ARPPRODUCTICON.exe

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\{BFE86DC2-9E3B-433F-BDFC-AA96EEAEC2AE}\CDTime.exe_05CB74A400AF4DD1B689A05785EA0657.exe

 

Maks

Edited by MaksAgamir
Link to post
Share on other sites

After correlating the detection and database update times, it looks like 10.31.13 did in fact fix the issue. Fortunately, our updates are 10 mins apart so not that many clients complained.

The ones that did weren't too pleased at having to suddenly disconnect from the network.

Halloween false positives are never good . . . but good work getting this addressed quickly.   

Link to post
Share on other sites

12 minutes ago, MaksAgamir said:

I don't think this has been fixed unless there is a delay in notifications. Please see below, we are continuing to see this with the latest definition at the EUD.

 

________________________________________

From: Malwarebytes Alert

Sent: Tuesday, October 31, 2017 11:53:26 AM (UTC-08:00) Pacific Time (US & Canada)

To: SystemNotifications

Subject: Malwarebytes Alert: Malware Threat Detected

 

Malwarebytes Management Server Notification

--------------------------------------------

 

Alert Time: 10/31/2017 11:53:26 AM PST

Server Hostname: INF-SVC-2

Server Domain/Workgroup: xxxxx.com

Server IP: xx.xx.xx.xx

Notification Catalog: Client

Description:

Malware threat detected, see details below:

 

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\ccmcache\y\Files\CDTime534.msi

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\55a0a1.msi

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\{BFE86DC2-9E3B-433F-BDFC-AA96EEAEC2AE}\ARPPRODUCTICON.exe

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\{BFE86DC2-9E3B-433F-BDFC-AA96EEAEC2AE}\CDTime.exe_05CB74A400AF4DD1B689A05785EA0657.exe

 

Maks

lag time between EUD and client . . . 

 

Link to post
Share on other sites

I can confirm that signature db v2017.10.31.13 does not detect ARPPRODUCTICON.exe anymore as malicious (Trojan.FakePDF). I attached ARPPRODUCTICON.exe for Support's reference.

For others, I did have to restart the affected computers before I could restore the files from Quarantine and properly rescan.

Thank you Mieke and others!

ARPPRODUCTICON.zip

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.