Suspected False Positive Detection

Running Malwarebytes Anti-Malware with Database Version v2018.10.03.08 on Windows 7 Professional in a Windows 2008 R2 domain. When running a scan, I am getting results that include files and directories that do not exist. I am not sure how to go about proving or disproving the results. For the files, I created some identically named files and copied them successfully into the reported location, and was not presented with a warning / overwrite message. The directories reported do not exist. I am attaching the log file so that you can see the detected files and directories. Thanks in advance for your help... Tony

 MBAM-log-2018-10-03 (14-29-51).txt


Welcome to our business forums. If this is an urgent situation, please open a case on our Business support site or PM me for our Premium Business support phone number.

Do you have any special setups for the User profiles on this machine?

Any Mapped shared drives?

As well as any possible redirects for user profiles?

If you can please collect the following we should be able to gain some additional insight into the situation:



I would like to have you run a tool known as FRST. FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST. 

1: Please download FRST from one of the links below and save it to your desktop:

32 bit: https://downloads.malwarebytes.com/file/FRST

64 bit: https://downloads.malwarebytes.com/file/FRST64

Please upload to the file upload link below; please use Kevin or KDawg for the Case #.


Many Thanks,


Thank you, I did see that in our logs as well.

We should not be hitting network drives, but the redirect may cause this behaviour.

Please go ahead and add an exclusion for 


In your exclusions list on the endpoint or in your policy for this endpoint in your Management Console.


With this in place, we should not see these blocks occurring further. Let us know if any issues persist with that exclusion in place.


Many Thanks,




Hey Kevin, I added exclusions for our network drives in the Kaseya management console, but it did not stop MB from scanning the network drives. I edited it this morning, adding asterisks after the drive to see if that will work.  I have attached a screenshot.


Dyllon, we have used Ghost in the past, but it has been about 10 years.



  • Staff

Hi @TonyInSC, I don't mean Ghost as in the imaging software. I mean there was a thing when people had Symantec and some other AVs with roaming profiles, Remote Desktop Services, Terminal Service type of setup. MB would have detections of things that weren't really there, ghost detections. MB 1.75 and 1.80 do not scan your network drives in any scheduled scans; that can only be done locally with an on-demand scan run through the context menu option of right-clicking on the mapped drive letter. The issue with the ghost detections is with the local caching of the roaming profiles and other AV. This version of MB Anti-Malware does not support machines with roaming profiles or RDS/TS type roles. Anti-Malware's realtime web block can also interfere with applications running from mapped drives, though this is another issue completely.
