Mark_Albrosco

Is Spyware.Formbook a False-Positive - VSTAPROJECT.DLL


Received an inordinate number of detections, which have been quarantined, for the following file:

C:\PROGRAM FILES (X86)\MICROSOFT VISUAL STUDIO 8\VSTA\BIN\VSTAPROJECT.DLL

This occurred rather suddenly on 30-Nov-2018, on a number of endpoints.

Is this a false-positive? If yes, is it okay to restore from quarantine?


Hi,

This was a false positive indeed and has been fixed a couple of days ago already, so yes, please, restore from quarantine :)

 


Well, first of all, make sure you have the latest database update.

It was fixed in databases: 

MBAM1x/2x: v2018.12.01.03, published at 12/1/2018 8:23:08 AM (UTC)
MB3: 1.0.8113, published at 12/1/2018 8:36:29 AM (UTC)

So any database after that should be good and the False Positive won't re-appear :)

 


We're using Malwarebytes Endpoint Cloud Protection.

I ran the Asset Summary report for the managed Endpoints - the spreadsheet has Software Version (Endpoint Agent and Malwarebytes version 3.6.1.xxxx), as well as a Protection Update Version column.

Would I be correct in assuming the database information is under the Protection Update Version column?

If so then a number of my endpoints still need updating to the last published database. I may have to force an update?


(screenshot attached)

Hello, we have this version available to us from Kaseya. It also detects this file C:\PROGRAM FILES (X86)\MICROSOFT VISUAL STUDIO 8\VSTA\BIN\VSTAPROJECT.DLL as a false positive.

I'm wondering what version it is, as it is 1.80..2.1012 and the latest is 1.0.8113. Does not look the same.

MBAM1x/2x: v2018.12.01.03, published at 12/1/2018 8:23:08 AM (UTC)
MB3: 1.0.8113, published at 12/1/2018 8:36:29 AM (UTC)

3 minutes ago, MaximK said: [quoting the post above]

(screenshot attached)

This is the database version.


Hi,

If you are using database version v2018.12.04.01 (above screenshot), then it should no longer be detected.

Can you verify this please? Is it still detected? Because it shouldn't be.

If it is still detected, please zip and attach the Malwarebytes log where this detection is displayed, so we can double-check.


Hi Miekie - below is the status of our endpoints re: Malwarebytes Version and Protection Update Version.

Is it safe to assume that the Protection Update Version is more important than the Malwarebytes engine version?

There were 15 "false-positive" detections regarding VSTAPROJECT.DLL.

9 of these were in Quarantine and restored.

5 were under "Remediation Required" - I opted to remediate: will it place the file in Quarantine and allow us to restore? What can I expect to happen here?

1 was under "Detections" - submitted a fresh scan+quarantine...or is no action required here, i.e. the file just won't be detected as malware by the newer "protection versions"

Malwarebytes version 3.4.5.2470: Protection Update Version 1.0.8267
Malwarebytes version 3.5.1.2600: Protection Update Versions 1.0.8217, 1.0.8261, 1.0.8265
Malwarebytes version 3.6.1.2716: Protection Update Versions 1.0.8145, 1.0.8195, 1.0.8201, 1.0.8215, 1.0.8229, 1.0.8251, 1.0.8253, 1.0.8261, 1.0.8263, 1.0.8265, 1.0.8267, 1.0.8269, 1.0.8271, 1.0.8277


Hi,

The protection version is the database version that holds the new signatures, so that's indeed the more important one.

So this shouldn't be detected anymore in 1.0.8113 and above, so the remediation message might still come from when an older database was still loaded into memory.

In case you selected to remediate already, you should be able to restore the file again from quarantine. A reboot might be required though.

The one that was under detections was probably still from when an older database version was in use. So no action is required there.
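The check the two posts above are doing by hand (is each endpoint's Protection Update Version at or past the fixed database, and is that column, not the product version, the one to compare) as an added example, not code from the thread or from Malwarebytes. The fix versions 1.0.8113 and v2018.12.01.03 come from the thread; the CSV column names, endpoint names and the stale rows in the sample export are constructed assumptions.

```python
"""Flag endpoints whose Malwarebytes protection (database) update predates
the VSTAPROJECT.DLL false-positive fix.  Added example, not from the thread
or from Malwarebytes; CSV layout and endpoint names are constructed."""
import csv
import io
import re

# Database versions that carry the corrected signature (from the thread).
FIXED_MB3 = (1, 0, 8113)        # MB3 "1.0.NNNN" format
FIXED_MBAM2 = (2018, 12, 1, 3)  # MBAM 1.x/2.x "v2018.12.01.03" format

MB3_RE = re.compile(r"^1\.0\.(\d+)$")
MBAM2_RE = re.compile(r"^v(\d{4})\.(\d{2})\.(\d{2})\.(\d{2})$")

def protection_is_fixed(version: str) -> bool:
    """True if this protection update version includes the fix.
    Product versions such as 3.6.1.2716 are not database versions and raise,
    so the two are never compared against each other."""
    version = version.strip()
    m = MB3_RE.match(version)
    if m:
        return (1, 0, int(m.group(1))) >= FIXED_MB3
    m = MBAM2_RE.match(version)
    if m:
        return tuple(int(g) for g in m.groups()) >= FIXED_MBAM2
    raise ValueError(f"not a protection database version: {version!r}")

def endpoints_needing_update(report_csv: str) -> list[str]:
    """Names of endpoints whose Protection Update Version predates the fix."""
    return [
        row["Endpoint"]
        for row in csv.DictReader(io.StringIO(report_csv))
        if not protection_is_fixed(row["Protection Update Version"])
    ]

# Constructed stand-in for the Asset Summary export (column names assumed).
# ws-01..ws-03 use version pairs from the thread; the rest are made up.
SAMPLE_REPORT = """Endpoint,Software Version,Protection Update Version
ws-01,3.4.5.2470,1.0.8267
ws-02,3.6.1.2716,1.0.8145
ws-03,3.6.1.2716,1.0.8277
ws-04,3.6.1.2716,1.0.8100
legacy-01,2.x.placeholder,v2018.11.30.07
legacy-02,2.x.placeholder,v2018.12.01.03
"""

if __name__ == "__main__":
    print(endpoints_needing_update(SAMPLE_REPORT))  # ['ws-04', 'legacy-01']
```

Every protection version listed in the thread is above 1.0.8113, so for that fleet the function returns no endpoints; only the constructed stale rows are flagged.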
