False-Positive detection of trojan.FakePDF on ARPPRODUCTICON.exe


Is this a false-positive? After clients updated with signature db v2017.10.31.11 we are seeing a high rate of detection of Trojan.FakePDF on ARPPRODUCTICON.exe across many computers. The detection path is C:\Windows\Installer\[[sub folder varies but is usually an ID]]\ARPPRODUCTICON.exe

Below are some sample alerts. I am working on collecting a log with mbam.exe /developer mode, but I am not confident the log will show the detection since I wasn't able to restore the quarantined files. There are no errors when I try to restore the files; just nothing happens. I'll post the log when the scan finishes.

10/31/2017 1:23:38 PM  [computernameremoved]                [IPaddressremoved]     Trojan.FakePDF                Quarantined                C:\Windows\Installer\23ff09e3.msi

10/31/2017 1:23:38 PM  [computernameremoved]                [IPaddressremoved]     Trojan.FakePDF                Quarantined                C:\Windows\Installer\{7ECCF990-6516-4563-85AC-1CAD4DB88781}\ARPPRODUCTICON.exe


Thank you for your insights.

  • Staff

Hi,

Thanks for reporting. This looks like a false positive indeed and will get fixed in the next database update.


Edited to add - can you unquarantine the files and zip and attach the C:\Windows\Installer\{7ECCF990-6516-4563-85AC-1CAD4DB88781}\ARPPRODUCTICON.exe file?

Thanks!

Edited by miekiemoes
Thanks for the update Miekie 

If, with the latest definitions update on the endpoint (check that here: https://data-cdn.mbamupdates.com/v1/database/rules/version.chk ), your block is still persisting, please upload a sample of the exe file in question being blocked, referencing the case#000000, to our file site below:

https://www.malwarebytes.com/support/business/businessfileupload/

PLEASE PM ME with your email once this is done

Again, the Trojan.FakePDF has been fixed, so if you are getting that one in particular, please ensure that you are on the latest database.

Many Thanks


Edited by KDawg
I don't think this has been fixed unless there is a delay in notifications. Please see below; we are continuing to see this with the latest definition at the EUD.

________________________________________

From: Malwarebytes Alert

Sent: Tuesday, October 31, 2017 11:53:26 AM (UTC-08:00) Pacific Time (US & Canada)

To: SystemNotifications

Subject: Malwarebytes Alert: Malware Threat Detected

Malwarebytes Management Server Notification

--------------------------------------------

Alert Time: 10/31/2017 11:53:26 AM PST

Server Hostname: INF-SVC-2

Server Domain/Workgroup: xxxxx.com

Server IP: xx.xx.xx.xx

Notification Catalog: Client

Description:

Malware threat detected, see details below:

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\ccmcache\y\Files\CDTime534.msi

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\55a0a1.msi

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\{BFE86DC2-9E3B-433F-BDFC-AA96EEAEC2AE}\ARPPRODUCTICON.exe

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\{BFE86DC2-9E3B-433F-BDFC-AA96EEAEC2AE}\CDTime.exe_05CB74A400AF4DD1B689A05785EA0657.exe

Maks

Edited by MaksAgamir
After correlating the detection and database update times, it looks like 10.31.13 did in fact fix the issue. Fortunately, our updates are 10 minutes apart, so not that many clients complained.

The ones that did weren't too pleased at having to suddenly disconnect from the network.

Halloween false positives are never good . . . but good work getting this addressed quickly.
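The correlation the post above describes (lining up each detection's timestamp against the time the fixed database reached the endpoints) is the kind of thing worth scripting when a false positive hits many machines at once. The following Python is an added example, not code from the thread or from Malwarebytes: it parses alert lines in the Management Server notification format shown in this thread, recognises the confirmed false-positive shape (Trojan.FakePDF on C:\Windows\Installer\{GUID}\ARPPRODUCTICON.exe), and separates detections that predate the fix from those that still need a look because the endpoint may not have updated or the hit is on a different path. The deployment time of the fixed database and the last sample alert are constructed assumptions; the thread only gives the version number 10.31.13, not a clock time.

```python
import re
from datetime import datetime
from typing import Iterable, List, NamedTuple, Tuple

# Alert line format as it appears in the Management Server notifications quoted in this thread:
# "<M/D/YYYY h:mm:ss AM|PM>  <hostname>  <ip>  <threat>  <action>  <path>"
ALERT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<host>\S+)\s+(?P<ip>\S+)\s+(?P<threat>\S+)\s+(?P<action>\S+)\s+(?P<path>.+?)\s*$"
)

# Path shape of the false positive staff confirmed in this thread: the Windows Installer
# product-icon cache under a per-product GUID folder.
FP_PATH_RE = re.compile(
    r"^C:\\Windows\\Installer\\\{[0-9A-Fa-f-]{36}\}\\ARPPRODUCTICON\.exe$"
)
FP_THREAT = "Trojan.FakePDF"


class Alert(NamedTuple):
    ts: datetime
    host: str
    ip: str
    threat: str
    action: str
    path: str


def parse_alert(line: str) -> Alert:
    """Parse one notification line; raises ValueError on anything that does not fit."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
    return Alert(ts, m["host"], m["ip"], m["threat"], m["action"], m["path"])


def is_known_fp(alert: Alert) -> bool:
    """True only for the exact threat name and path shape the vendor acknowledged."""
    return alert.threat == FP_THREAT and FP_PATH_RE.match(alert.path) is not None


def triage(lines: Iterable[str], fix_deployed_at: datetime) -> Tuple[List[Alert], List[Alert]]:
    """Split alerts into those explained by the FP (known shape, raised before the fixed
    database reached clients) and those that still need a human to look at them."""
    explained: List[Alert] = []
    needs_review: List[Alert] = []
    for line in lines:
        alert = parse_alert(line)
        if is_known_fp(alert) and alert.ts < fix_deployed_at:
            explained.append(alert)
        else:
            needs_review.append(alert)
    return explained, needs_review


# Sample input: the first three lines are copied from this thread; the fourth is constructed
# to show a detection that arrives after the fix and therefore must not be explained away.
SAMPLE_ALERTS = [
    r"10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\{BFE86DC2-9E3B-433F-BDFC-AA96EEAEC2AE}\ARPPRODUCTICON.exe",
    r"10/31/2017 1:23:38 PM  [computernameremoved]                [IPaddressremoved]     Trojan.FakePDF                Quarantined                C:\Windows\Installer\{7ECCF990-6516-4563-85AC-1CAD4DB88781}\ARPPRODUCTICON.exe",
    r"10/31/2017 1:23:38 PM  [computernameremoved]                [IPaddressremoved]     Trojan.FakePDF                Quarantined                C:\Windows\Installer\23ff09e3.msi",
    r"10/31/2017 3:05:10 PM  HOST-EXAMPLE  10.0.0.5    Trojan.FakePDF  Quarantined     C:\Windows\Installer\{7ECCF990-6516-4563-85AC-1CAD4DB88781}\ARPPRODUCTICON.exe",
]

# Assumption: the time the fixed database (v2017.10.31.13) was pushed to the endpoints.
# The thread gives only the version number; take this value from your own update server logs.
FIX_DEPLOYED_AT = datetime(2017, 10, 31, 14, 0, 0)


def run_example() -> Tuple[List[Alert], List[Alert]]:
    explained, needs_review = triage(SAMPLE_ALERTS, FIX_DEPLOYED_AT)
    for a in explained:
        print(f"explained by FP : {a.ts:%Y-%m-%d %H:%M:%S} {a.host} {a.path}")
    for a in needs_review:
        print(f"NEEDS REVIEW    : {a.ts:%Y-%m-%d %H:%M:%S} {a.host} {a.threat} {a.path}")
    return explained, needs_review


if __name__ == "__main__":
    run_example()
```

The .msi detections deliberately land in the review bucket: the vendor's reply on this thread only confirms ARPPRODUCTICON.exe, so anything else keeps a narrow match and a human decision rather than being swept up by the same signature name. Feed the script your full notification export and adjust FIX_DEPLOYED_AT from your update server's logs; every endpoint that still reports the known-FP path after that time is one that has not picked up the new database yet.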

12 minutes ago, MaksAgamir said:

I don't think this has been fixed unless there is a delay in notifications. Please see below; we are continuing to see this with the latest definition at the EUD.

________________________________________

From: Malwarebytes Alert

Sent: Tuesday, October 31, 2017 11:53:26 AM (UTC-08:00) Pacific Time (US & Canada)

To: SystemNotifications

Subject: Malwarebytes Alert: Malware Threat Detected

Malwarebytes Management Server Notification

--------------------------------------------

Alert Time: 10/31/2017 11:53:26 AM PST

Server Hostname: INF-SVC-2

Server Domain/Workgroup: xxxxx.com

Server IP: xx.xx.xx.xx

Notification Catalog: Client

Description:

Malware threat detected, see details below:

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\ccmcache\y\Files\CDTime534.msi

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\55a0a1.msi

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\{BFE86DC2-9E3B-433F-BDFC-AA96EEAEC2AE}\ARPPRODUCTICON.exe

10/31/2017 11:52:02 AM  XXXXX  xx.xx.xx.xx    Trojan.FakePDF  Quarantined     C:\Windows\Installer\{BFE86DC2-9E3B-433F-BDFC-AA96EEAEC2AE}\CDTime.exe_05CB74A400AF4DD1B689A05785EA0657.exe

Maks

Lag time between EUD and client . . .

I can confirm that signature db v2017.10.31.13 no longer detects ARPPRODUCTICON.exe as malicious (Trojan.FakePDF). I attached ARPPRODUCTICON.exe for Support's reference.

For others, I did have to restart the affected computers before I could restore the files from Quarantine and properly rescan.

Thank you Mieke and others!

ARPPRODUCTICON.zip

This topic is now closed to further replies.