leoxle

Are vwifibus.sys and vwififlt.sys false positives?

Tried to look this up, but couldn't really find anything. I am not really experienced in this stuff. Sorry if this is a stupid question. I have MBAM 3 and after scanning my C drive with the rootkit option on, it detected 2 threats, called Unknown.Rootkit.Driver, and the locations are C:\Windows\System32\drivers\vwifibus.sys and vwififlt.sys. So these are apparently drivers, and I don't know how they affect my computer. I just quarantined the 2 in the meantime before I figured out anything. I want to note that vwifibus.sys came up a second time in a new scan just now. Quarantined it again. I just want to know if these are just false positives and if I should restore them, or do something else. Not sure if this is related at all to my recent problems of slow and inconsistent internet connections. Thanks for any info.


Hi,

If the scanner sees a legitimate file as "Unknown.Rootkit.Driver", then this means there's probably indeed a rootkit present (as we have seen with certain 0access variants) where the files are "forged" by the rootkit. Meaning, what is read through the WinAPI differs from the contents read through low-level disk access. In such cases, Malwarebytes fixes this and restores the file with a "clean" one.

Note, scanning the file at Virustotal, even in case it was forged by a rootkit, will always show/give you the legitimate one, as that's the one visible from Windows API.

However, since this variant that forges files has been dead for a while already, another reason why Malwarebytes detects "Unknown Rootkit Drivers" is when you have software similar to Rollback Rx PC (or any software that has a rollback feature), as this "forges" files as well when there's a new driver update etc.

I believe this is most likely the case here - so it's not a rootkit, but just a 3rd party program interfering here.

What helps in most of the cases here is to uninstall Rollback Rx (in case you have this program), reboot and reinstall it again. That should normally solve the problem of it forging newly installed or updated drivers.

And/or add both files it detected to your exclusions/ignore the detections.

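As an added check that is not part of this thread, the PowerShell below reports the Authenticode status, signer and SHA-256 hash of the two drivers named above, so you can see whether the copies Windows reads back are the Microsoft-signed files. It uses only the paths already given in the thread; note the caveat from the reply above: this reads the files through the Windows API, so it cannot expose a file forged by an active rootkit, only whether the file Windows sees is intact and who signed it.

```powershell
# Added example, not from the thread: inspect the two drivers the scanner flagged.
# Run from an elevated PowerShell prompt on the affected machine.
$drivers = @(
    'C:\Windows\System32\drivers\vwifibus.sys',
    'C:\Windows\System32\drivers\vwififlt.sys'
)

foreach ($path in $drivers) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Expected while the file is still sitting in Malwarebytes quarantine.
        Write-Output "$path : not present (quarantined or removed)"
        continue
    }

    # Inbox drivers are normally catalog-signed rather than embedded-signed; on
    # Windows 8 and later Get-AuthenticodeSignature resolves the catalog, so a
    # genuine driver shows Status = Valid with a Microsoft Windows signer.
    # Older Windows versions may report NotSigned for catalog-signed files.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $item = Get-Item -LiteralPath $path

    [PSCustomObject]@{
        File      = $item.Name
        Size      = $item.Length
        Modified  = $item.LastWriteTime
        SigStatus = $sig.Status                   # Valid / NotSigned / HashMismatch ...
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash
    }
}
```

A HashMismatch status, a signer other than Microsoft, or a LastWriteTime that does not line up with a Windows update is worth a closer look; a Valid Microsoft signature on both files supports the false-positive explanation given in the reply. System File Checker (sfc /verifyfile=<path> from an elevated prompt) is an independent second check against the protected-file store.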
What if I don't have any type of rollback program? At least I'm pretty sure I don't.
