Jump to content

Install.exe possible false positive?


thebigeast
 Share

Recommended Posts

I ran a scan back on 07/21 and the following log was saved:

Malwarebytes' Anti-Malware 1.39

Database version: 2468

Windows 5.1.2600 Service Pack 3

7/21/2009 2:31:46 AM

mbam-log-2009-07-21 (02-31-46).txt

Scan type: Full Scan (C:\|)

Objects scanned: 237471

Time elapsed: 37 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.

I did not know about the developer's log at that time and do not remember what I may have done that day. The previous day I had installed some Astronomy software from Carina software. I suppose I could restore the 2 items from quarantine and rerun the scan.

Thanks in advance for any suggestions.

Link to post
Share on other sites

  • Staff

Hi and welcome to the forums.

Due to heavy heuristic detections by Malwarebytes, almost any executable file located at the root will be detected. We suggest you either move the file to a different location on the drive or add it to your ignore list.

You're also one version behind in software and several hundred behind in database updates, please update

Link to post
Share on other sites

Hi TeMerc,

Thanks for the reply. Actually, I am up to date - I had posted another message a few posts down about a current false positive I received. The question in this post is about an infection I had back on 07/21 - I simply posted the log saved in MBAM from that date. I was wondering what to do about it. Should I restore the items from quarantine and rerun the scan? How do I find out exactly where the items are in my system? I searched for install.exe and found 29 instances. Do you think this was a false positive or an infection? Thanks!

Link to post
Share on other sites

  • Staff

Its a FP caused by storing executables in root . If you wish to store executables there use the ignore function .

MBAM does not let you get away with much in root as this is both a very common location for malware to launch from and no files should be stored/executed there .

Link to post
Share on other sites

Hi Bruce,

What is meant by storing executables in root? Will any exe file stored in root show as an FP? How would I know if something is a FP vs.an infection? Why did the file in this case go to root instead of a more normal location (not sure how a "normal" location would be defined). As I mentioned, I found multiple examples of install.exe on my system and I'm not sure which one to move or where to move it to in my system.

Should I restore the FP from quarantine and then rerun my scan and finally choose ignore? I'd rather not ignore such things if I do not know if it is a FP and/or it could simply be moved to another location. I'm not sure what this FP refers to in this instance (which program it is a part of)

Thanks!

Link to post
Share on other sites

  • Staff
What is meant by storing executables in root?

At some point you had a file C:\install.exe . How the file got there I am not sure but if it was intentional there are better places to store files .

Will any exe file stored in root show as an FP?

No , we just let files get away with a lot less at this location .

Why did the file in this case go to root instead of a more normal location

Impossible to tell from here .

not sure how a "normal" location would be defined

The 2 most common (and correct) ways to store files is in a labeled folder in documents or on your desktop .

Should I restore the FP from quarantine and then rerun my scan and finally choose ignore?

Restore it and then zip and attach it here . Malware or not it wont do anything if you don't intentionally execute it .

I'd rather not ignore such things if I do not know if it is a FP and/or it could simply be moved to another location

This is what i would suggest .

I'm not sure what this FP refers to in this instance (which program it is a part of)

Its hard to say from here without the file . All I can say for sure is that for a number of reasons it is better for our users to be harder on files in this location .

Link to post
Share on other sites

  • 2 weeks later...
I have this one too. The file is signed by Microsoft, so I would think it's a false positive.

I also recently started receiving the FP on install.exe

http://www.virustotal.com/analisis/08966ce...1da2-1253182365

Malwarebytes' Anti-Malware 1.41

Database version: 2815

Windows 5.1.2600 Service Pack 3

9/17/2009 9:34:04 AM

mbam-log-2009-09-17 (09-34-00).txt

Scan type: Quick Scan

Objects scanned: 115109

Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\install.exe (Trojan.Agent) -> No action taken.

post-2690-1253198408_thumb.jpg

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.