Steve1982

MBSetup.exe detection on VirusTotal

Hello folks!

I was just prompted to update to MBAM 4 (from MBAM 3.8.3) and MBAM automatically downloaded the installer to this location:

C:\ProgramData\Malwarebytes\MBAMService\instlrupdate\MBSetup.exe

When I check that file with VirusTotal there's one detection from Jiangmin (Trojan.Agent.bvko). The MD5 hash of MBSetup.exe is e0e358ef46605899aabe5730466fe015 and SHA-1 is 401978c7b1e946ca3c7cf87e0d8ad82ce62d91b1. Here is the link to the VirusTotal scan:

https://www.virustotal.com/gui/file/9eedefc07c8db89657cc8bb0cac14f7708c4dd4ec530d84a4c119b83a2c09e7b/detection

Can someone please confirm/reassure me that the downloaded MBSetup.exe file is legit and that this is just a false positive?

Much appreciated! :)

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab on the left column

  7. Click the Gather Logs button

  8. A progress bar will appear and the program will proceed with getting logs from your computer

  9. Upon completion, a file named mbst-grab-results.zip will be found on your Desktop. Click OK

  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies".

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

 

1 hour ago, Steve1982 said:

Can someone please confirm/reassure me that the downloaded MBSetup.exe file is legit and that this is just a false positive?

It is legit.

13 hours ago, Porthos said:

It is legit.

Thanks @Porthos! So were you able to confirm based on the file hashes? I just want to make sure that this exact file is a known Malwarebytes update file. Sorry for the crazy, off-the-charts paranoia but this is such an important component in my online security that seeing even just that one detection sent my anxiety into the red. Ugh! :)

Thanks again!

1 hour ago, Steve1982 said:

So were you able to confirm based on the file hashes? I just want to make sure that this exact file is a known Malwarebytes update file.


Hi @Steve1982,

The hash of the file does indeed belong to the legitimate Malwarebytes version 4 installer. Upgrades from Malwarebytes version 3 are currently downloading the newest version of the installer. Other download methods will be updated to this new version shortly.

The detection in the VirusTotal report is a false-positive.

10 minutes ago, LiquidTension said:

Hi @Steve1982,

The hash of the file does indeed belong to the legitimate Malwarebytes version 4 installer. Upgrades from Malwarebytes version 3 are currently downloading the newest version of the installer. Other download methods will be updated to this new version shortly.

The detection in the VirusTotal report is a false-positive.

Awesome, thank you so much for that confirmation @LiquidTension ... my anxiety levels are back in the green! 😀


Hey, sorry to be a pest @LiquidTension, but I wanted to install MBAM on a new PC and I noticed that the download page HERE still downloads the older version of the MBSetup.exe file (4.0.0.108). When are you guys planning on updating the download page to the latest version (4.0.0.114) of the installer? Is there another direct link to the latest version maybe?

Thanks!!

25 minutes ago, nikhils said:

Hello @Steve1982

That link is correctly downloading 4.0.0.114

Can you please try downloading it again.

Thanks for the quick reply @nikhils! I tried again ... still getting 4.0.0.108. 😟 Both the file that starts downloading automatically and the file that is downloaded when you click on the alternate link, should the auto download fail, lead to 4.0.0.108. This is the file that is currently being downloaded for (LINK).

26 minutes ago, Steve1982 said:

This is the file that is currently being downloaded for (LINK). 

That installer is an online installer that installs the current version. It is dynamic and is just a downloader and not the full installer.

The full offline install is 150 MB, which is too big for VirusTotal.

 

Edited by Porthos

2 minutes ago, Porthos said:

That installer is an online installer that installs the current version. It is dynamic and is just a downloader and not the full installer.

I'm aware. I had a completely pain-free update experience using 4.0.0.114 though (nothing broke) so I would prefer sticking with that version since I know it did the job flawlessly last time. I'm extremely risk-averse.

39 minutes ago, Porthos said:

That installer is an online installer that installs the current version. It is dynamic and is just a downloader and not the full installer.

The full offline install is 150 MB, which is too big for VirusTotal.

VirusTotal maximum file size is 550 MB, so not too big.


Hello @Porthos:

31 minutes ago, Porthos said:

The full offline install is 150 MB, which is too big for VirusTotal.

I believe this was true earlier this year. To my pleasant surprise the MB4 Offline Installer may now be successfully submitted to VirusTotal.

https://www.virustotal.com/gui/file/dfe2e0934bfd30789c4421f728e507afc6a8a07f97b02651aef5f596eb5077a5/detection

Earlier this year, VT upgraded: "Files up to 550 MB can be uploaded to the website..."

HTH

Just now, 1PW said:

Files up to 550 MB can be uploaded to the website..."

I have the extension... "right click and send to VirusTotal". I usually go directly to the site. But you both are correct; I just tested it.


It's great to hear about the increased size limit on VirusTotal, it's getting to the point where we can scan some pretty decent disk images on there! 👍

Just to circle back to downloading the latest version of the online installer, and to also explain a bit why I'm being such a PIA about this.

So the file I'm looking for is this one:

  • Version: 4.0.0.114, MD5: e0e358ef46605899aabe5730466fe015; SHA-1: 401978c7b1e946ca3c7cf87e0d8ad82ce62d91b1

The above file is the latest version (4.0.0.114) of the online installer, and is also the one currently being downloaded by MBAM 3 to update itself to MBAM 4. As a result, it is also the file I used to upgrade my install of MBAM 3 to MBAM 4, but only after spending a decent amount of time doing my due diligence. I checked the file using several online scanners, checked forums for known issues, asked for verification on the file fingerprint, even installed it on a temporary VM, etc. Once I was convinced that the file was legit, and that it probably won't break things, I allowed the upgrade (which went very smoothly!). I then spent quite a bit of time verifying that MBAM is still working as intended, which it did. So I trust this file, I know this file, I used this file. Sadly, the one thing I did not do is copy the file to another folder before the installer finished, and it was deleted. I know. I'm currently wearing that sign. 😀

But I digress ... so the file currently being downloaded from the download page on the MBAM website is this one:

  • Version: 4.0.0.108, MD5: 83caf0b992dd5d57da15fedb067f53ab, SHA-1: 21f8efe01fc98b1cc0edc2d46c0c1dce97853875

That is an older version (4.0.0.108) of the online installer. I realize that, should I use this version, I will probably end up in the same place. But probably is a word that keeps me up at night. 😜 So I would much rather just use the version that already passed my (non-trivial) vetting process and that I know worked flawlessly for me before.

With all that said, @nikhils mentioned that the MBAM download page is downloading 4.0.0.114 of the online installer but I'm still getting the old version of the online installer. What could be the issue? The only thing I can think of is DNS but I use Google DNS so seems unlikely. Is there a direct link to version 4.0.0.114 of the online installer I can use?

PS: Thanks for putting up with all this! 😂

 

 

 

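The fingerprint comparison described in the post above, as an added example that is not part of the original thread and not Malwarebytes' own code: it hashes a downloaded file in one pass and compares the result with the MD5/SHA-1 values quoted in the posts (the SHA-256 is the one in the VirusTotal URL from the first post). The function names and the layout of the `KNOWN` table are assumptions made for illustration.

```python
import hashlib

# Fingerprints quoted in this thread for the online installer (MBSetup.exe).
# The SHA-256 comes from the VirusTotal URL in the first post; the thread
# gives no SHA-256 for 4.0.0.108, so only MD5 and SHA-1 are pinned for it.
KNOWN = {
    "4.0.0.114": {
        "md5": "e0e358ef46605899aabe5730466fe015",
        "sha1": "401978c7b1e946ca3c7cf87e0d8ad82ce62d91b1",
        "sha256": "9eedefc07c8db89657cc8bb0cac14f7708c4dd4ec530d84a4c119b83a2c09e7b",
    },
    "4.0.0.108": {
        "md5": "83caf0b992dd5d57da15fedb067f53ab",
        "sha1": "21f8efe01fc98b1cc0edc2d46c0c1dce97853875",
    },
}


def file_digests(path, chunk_size=1 << 20):
    """Read the file once, feeding each chunk to MD5, SHA-1 and SHA-256."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def identify(path, known=KNOWN):
    """Return (version, status) where status is 'match', 'partial' or 'unknown'.

    'partial' means at least one pinned digest matched and another did not:
    either the table has a typo or the file only collides on a weak hash.
    Treat it as a failure, never as a match.
    """
    actual = file_digests(path)
    for version, pinned in known.items():
        hits = [actual[alg] == value.lower() for alg, value in pinned.items()]
        if all(hits):
            return version, "match"
        if any(hits):
            return version, "partial"
    return None, "unknown"


if __name__ == "__main__":
    import sys
    print(identify(sys.argv[1]))
```

A match only shows that the file is byte-identical to the one whose hashes were posted; whether that file is trustworthy still rests on the vendor's confirmation earlier in the thread.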
19 minutes ago, Porthos said:

Interesting, so you're getting version 4.0.0.114 of the full installer, I'm getting version 4.0.0.108 of the online installer, but neither of us is getting version 4.0.0.114 of the online installer.

I wonder if this is an IP geo-location thing. I'm in Canada, looks like you're in the US.

Thanks for checking!

30 minutes ago, Steve1982 said:

the online installer

The online installer download might have been removed from general download availability due to issues. So all published links link to the offline installer.
