throkr

False positive: 2 registry values


Hi,

These 2 entries seem to be false positives; see attached scan log.

Thank you !

MB Scan log.txt


Hi,

This isn't a False Positive.

We detect as PUM.Optional.DisableMRT

This means a potentially unwanted modification (PUM) where the Microsoft Malicious Software Removal Tool is disabled.

We detect this because a lot of malware sets this policy, hence why we want to warn the user about this (for obvious reasons).

If you have set this policy yourself, then you can add an exclusion for this detection.


Hi,

Thanks for your fast reply. As I have set this policy myself, I'll add it to my exclusions.

I was just surprised by this detection because I have had this setting for quite a few years and it was never detected before.

On 5/4/2019 at 6:40 PM, miekiemoes said:

This isn't a False Positive.

We detect as PUM.Optional.DisableMRT

This means, potentially unwanted modification (PUM) where Microsoft Malicious Software Removal Tool is disabled. [...]

I'm pretty sure this refers to two registry keys, both in "hklm\software\[wow6432node\]policies\microsoft\mrt", named "dontreportinfectioninformation".  (The log file is no longer available.)

In fact, this is a perfectly-safe and -cromulent privacy setting, that does not inhibit the client-side activities of Microsoft's MRT.

As the community becomes increasingly aware of the depth of the phone-home behavior of MRT, you'll be hearing more about this one.

On 5/4/2019 at 6:40 PM, miekiemoes said:

[...]   If you have set this policy yourself, then you can add an exclusion for this detection.

Problem is, we cannot do so!  Short of a blanket exclusion of the threat, there's no affordance -- no means within MBAM -- to exclude a registry key.  I'd like to hear from my MBAM scans about other instances of this threat, while excluding these two keys.

At least: there's none that I can find.  I'd love to be wrong about this detail.

There's more discussion of this false positive in this recent forum thread.

Thanks for your consideration, and for any help you can give with this one.

Dan S


Hi,

The reason why we detect this as a PUM (Potentially Unwanted Modification) is because some malware sets these policies as well, in order to disable the monthly download (offered through Windows Update) and to disable the reporting of the infections being found.

These aren't default settings for MRT and are either set by malware or by an administrator. Since we cannot know whether it's set by malware or not, we need to alert the user about this anyway. People/admins who have set this policy can create an exclusion for these.

If people don't recognize these policies, then it most probably means it was set by malware or a PUP. In that case, it's recommended to have MBAM fix it.

In order to exclude:

When the results are displayed for the detection:

* Unselect the ones you want to exclude

* Click the "Next" button below

* On the additional prompt, select to "Ignore Always"

[screenshot 1]

[screenshot 2]

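The two replies above turn on one question: did you set the MRT policy yourself, or did something else? The following PowerShell is an added example, not code from this thread or from Malwarebytes. It reads the MRT policy key in both registry views named earlier (HKLM\SOFTWARE\Policies\Microsoft\MRT and its WOW6432Node twin), reports each known value with what it does, flags anything else under the key, and shows how to set the reporting opt-out deliberately or clear the policies by hand. The thread only names DontReportInfectionInformation; the value behind "don't offer MRT through Windows Update", DontOfferThroughWUAU, is taken from Microsoft's MRT documentation (KB 891716) and is an addition here so the audit covers both behaviours the reply describes.

```powershell
# Added example (not from the forum thread or Malwarebytes): audit the MRT
# policy values that PUM.Optional.DisableMRT flags, in both registry views.
# Assumption: DontOfferThroughWUAU is not named in the thread; it is the
# documented value for "do not offer MRT via Windows Update" (KB 891716).

$MrtPolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\MRT',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\MRT'
)

# DWORD value name -> effect when set to a non-zero value.
$MrtPolicyValues = @{
    'DontReportInfectionInformation' = 'Suppresses the infection report MRT sends to Microsoft after a run; local scanning and removal still happen.'
    'DontOfferThroughWUAU'           = 'Stops the monthly MRT release from being offered through Windows Update; no new MRT runs arrive.'
}

function Get-MrtPolicyState {
    # Report every known MRT policy value, with its meaning, plus any unexpected
    # value under the key. Reading HKLM does not need elevation.
    param([string[]]$Path = $MrtPolicyPaths)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Name = '(key absent)'; Data = $null
                               Meaning = 'Windows default: MRT offered monthly and reports infections' }
            continue
        }
        $item = Get-ItemProperty -LiteralPath $p
        foreach ($name in $MrtPolicyValues.Keys) {
            $data = $item.$name                      # $null when the value is not present
            $meaning = if ($null -eq $data) { 'Not set (default behaviour)' }
                       elseif ($data -ne 0) { $MrtPolicyValues[$name] }
                       else                 { 'Present but 0: policy inactive' }
            [pscustomobject]@{ Path = $p; Name = $name; Data = $data; Meaning = $meaning }
        }
        # Anything else under this key is not one of the documented policies: inspect it.
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*' -or $MrtPolicyValues.ContainsKey($prop.Name)) { continue }
            [pscustomobject]@{ Path = $p; Name = $prop.Name; Data = $prop.Value
                               Meaning = 'Unexpected value under MRT policy key' }
        }
    }
}

function Set-MrtReportingOptOut {
    # Deliberately apply the privacy setting discussed in the thread (needs elevation).
    # Expect Malwarebytes to flag PUM.Optional.DisableMRT afterwards; exclude it via "Ignore Always".
    param([string]$Path = $MrtPolicyPaths[0])
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -LiteralPath $Path -Name 'DontReportInfectionInformation' `
                     -PropertyType DWord -Value 1 -Force | Out-Null
}

function Remove-MrtPolicy {
    # Clear policies you did not set yourself: the same outcome as letting MBAM fix it
    # (needs elevation). Only the known value names are touched.
    param([string[]]$Path = $MrtPolicyPaths)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        foreach ($name in $MrtPolicyValues.Keys) {
            Remove-ItemProperty -LiteralPath $p -Name $name -ErrorAction SilentlyContinue
        }
    }
}

Get-MrtPolicyState | Format-Table -AutoSize -Wrap
```

Run the audit before deciding what to do with the detection: if the only value present is DontReportInfectionInformation set to 1 and you remember setting it, it is the privacy setting discussed above and an exclusion is appropriate; if DontOfferThroughWUAU is set or the key holds values you do not recognize, treat the detection as genuine and let MBAM (or Remove-MrtPolicy) clear it.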

Thank you, Mieke, I see that you are of course correct (re how to exclude a registry key).

And I appreciate that there may be malware that you cannot otherwise flag, unless you also flag what is, in my case at least, a false positive.  Of course better to be more cautious, not less.

In light of this, I'll suggest only that the process for excluding registry values is entirely too subtle.  I suggest these two enhancements:

1) Bug: The "Add Exclusion Wizard" does not include an option for registry keys/values.  This is what led me to believe that it wasn't possible.

Expected:   For all possible exclusions to be available from "Settings :  Exclusions : Add Exclusions", rather than having certain "Exclusion Types" accessible only after the item is detected.

2) Bug:  Although "Ignore Once" is redundant with the prior screen's "Cancel" button (which is fine), the "Ignore Always" option is very valuable.  (Essential, in light of #1, above.)  But that option is insufficiently obvious.  Worse, the user is discouraged from finding it: the "Threat Scan Results" screen speaks *only* of quarantine, with no hint that "do not quarantine" is synonymous with "show me the otherwise-invisible and -undisclosed exclusion options".   To the contrary, the screen says explicitly "If you don't want to quarantine ..., click Cancel"!

I would be surprised if they were discovered by a first-time user in a proper usability test.  (I.e. with undirected prompts, such as:  "Yes, that screen includes possible threats, both of which you want to exclude from future MBAM detections.  Why don't you exclude them both, now?")

Expected:  Those buttons to be visible in the "Threat Scan Results" screen.  I expect to select items, and then select the action.

Almost as good:  Have another line of text in that screen: "To exclude any of these options from future scans, unselect them, then click Next." 
This would be an easier fix to implement, although it remains clunky and non-intuitive.

For your consideration...

- Dan S, another usability curmudgeon in Boston


Thanks. I'll forward this to the team.

Just as an additional note, the way it is now is by design, based on feedback from hundreds of users who have been doing alpha and beta testing, and the logic behind this.

E.g., if people don't want to have Malwarebytes delete certain entries, they want to unselect them. Then, when the Next button is clicked, the additional prompts are presented for what to do with these entries. But I can certainly see that for some users this is less obvious.


Having the same issue on my system.  Win10pro x64.  Current version of Malwarebytes Premium.  The daily scan finds one potentially unwanted program that is a registry key, and 2 potentially unwanted modifications.  I can exclude files, but when I check the boxes to the left of the threat scan results, the Next button at the bottom right changes to "Quarantine Selected".

 

[screenshot]

 

On the Settings tab, under Exclusions, when I click Add Exclusion, there is no option listed to add a registry key or otherwise tell Malwarebytes Premium to not bring these 3 items up again.  I have had this computer set up for over a year.  No changes in this regard.  All of a sudden, a few weeks ago, I get these threat scan issues.

 

[screenshot]


Hi,

Please look at my screenshot above, where it shows to unselect/uncheck the boxes. :)
