TonyInSC

Suspected False Positive Detection


Running MalwareBytes Anti-Malware 1.80.2.1012 with Database Version v2018.10.03.08 on Windows 7 Professional in a Windows 2008 R2 domain. When running a scan, I am getting results that include files and directories that do not exist. I am not sure how to go about proving or disproving the results. For the files, I created some identically named files and copied them successfully into the reported location, and was not presented with a warning / overwrite message. The directories reported do not exist. I am attaching the log file so that you can see the detected files and directories. Thanks in advance for your help... Tony

 MBAM-log-2018-10-03 (14-29-51).txt


I'm moving this to the business support forum, but I believe it is because you are scanning a network drive.


Tony,

Welcome to our business forums. If this is an urgent situation, please open a case on our Business support site or PM me for our Premium Business support phone number.

Do you have any special setups for the User profiles on this machine?

Any Mapped shared drives?

As well as any possible redirects for user profiles?

If you can, please collect the following; we should be able to gain some additional insight into the situation:


FRST Log

I would like to have you run a tool known as FRST. FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST. 

1: Please download FRST from one of the links below and save it to your desktop:

32 bit: https://downloads.malwarebytes.com/file/FRST

64 bit: https://downloads.malwarebytes.com/file/FRST64

Please upload to the file upload link below; please use Kevin or KDawg for the Case #:

https://www.malwarebytes.com/support/business/businessfileupload/

Many Thanks,


Hey Kevin,

I do have mapped shared drives, and the H:\ drive referred to in the log is one of these.

All of the users' "My Documents" directories are redirected there.

I have uploaded the files to you using Kevin as the case #.

Thanks,

Tony


Tony,

Thank you, I did see that in our logs as well.

We should not be hitting network drives, but the redirect may cause this behaviour.

Please go ahead and add an exclusion for

H:\

in your exclusions list on the endpoint or in your policy for this endpoint in your Management Console.


With this in place, we should not see these blocks occurring further. Let us know if any issues persist with that exclusion in place.


Many Thanks,
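Added example, not from this thread or from Malwarebytes: a PowerShell triage script for the situation Tony and Kevin are discussing. It resolves where the current user's "My Documents" folder is redirected, lists mapped network drives with their UNC targets, and then reports for each path from a scan log whether it exists and whether it sits on a network share or under the redirected Documents folder. The detection paths are constructed sample values, to be replaced with the paths from your own MBAM log.

```powershell
# Constructed sample detection paths (not from the original log); replace with
# the paths reported in your own scan log.
$detections = @(
    'H:\My Documents\invoice.exe',
    'H:\My Documents\Old\tool.dll',
    'C:\Users\tony\AppData\Local\Temp\setup.exe'
)

# Folder redirection for "My Documents" is recorded per user under
# User Shell Folders, value name "Personal".
$shellKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$personal  = (Get-ItemProperty -Path $shellKey).Personal
$documents = [Environment]::ExpandEnvironmentVariables([string]$personal)
Write-Output "My Documents resolves to: $documents"

# Build a table of mapped network drives: drive letter -> UNC target.
# DriveType 4 is "Network Drive" in Win32_LogicalDisk.
$mapped = @{}
Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 4' | ForEach-Object {
    $mapped[$_.DeviceID.ToUpper()] = $_.ProviderName
}

# Classify each reported path. A path that does not exist and lives on a
# mapped drive (or the redirected Documents folder) matches the "ghost
# detection" pattern described in this thread.
foreach ($path in $detections) {
    $drive     = $path.Substring(0, 2).ToUpper()      # e.g. 'H:'
    $onNetwork = $mapped.ContainsKey($drive)
    $unc       = ''
    if ($onNetwork) { $unc = $mapped[$drive] }
    $inDocs    = $false
    if (-not [string]::IsNullOrEmpty($documents)) {
        $inDocs = $path.ToLower().StartsWith($documents.ToLower())
    }
    New-Object PSObject -Property @{
        Path        = $path
        Exists      = (Test-Path -LiteralPath $path)
        OnNetwork   = $onNetwork
        UncTarget   = $unc
        InDocuments = $inDocs
    }
}
```

Run it in the same logon session that holds the drive mappings: mapped drives are per session, so an elevated prompt may not see H:\ at all and would report it as not on the network.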


Hey Kevin, I added exclusions for our network drives in the Kaseya management console, but it did not stop MB from scanning the network drives. I edited it this morning, adding asterisks after the drive to see if that will work. I have attached a screenshot.


Dyllon, we have used Ghost in the past, but it has been about 10 years.

exclusions.jpg


Hi @TonyInSC, I don't mean Ghost as in the imaging software; I mean there was a thing when people had Symantec and some other AVs with roaming profiles, Remote Desktop Services, Terminal Services type of setups. MB would have detections of things that weren't really there: ghost detections. MB 1.75 and 1.80 do not scan your network drives in any scheduled scans; that can only be done locally with an on-demand scan run through the context menu option of right-clicking on the mapped drive letter. The issue with the ghost detections is with the local caching of the roaming profiles and other AV; this version of MB Anti-Malware does not support machines with roaming profiles or RDS/TS type roles. Anti-Malware's real-time web block can also interfere with applications running from mapped drives, though this is another issue completely.


Kevin, thanks for the suggestion. I have excluded our network drives and do not have the false detection anymore. Dyllon, thanks for the confirmation about the false positive results. I appreciate both of you guys' help on this issue! Hope you have a great weekend!
