
Hello

Malwarebytes found in my latest scan a malware named "Legitimate.Microsoft": C:\WINDOWS\SYSTEM32\SPOOLSV.EXE

I think it's something of Windows. Why is it marked as malware? Or am I being fooled?

But I did not take action before I am absolutely sure about this.

Please inform me whether this file is safe or not.

Thanks

 


I have a premium version of MB.

I wait for it to be fixed then.

Asset Manager: 1.2.0.330
Endpoint Protection: 1.2.0.831
Endpoint Protection Protection Update: 1.0.17134
Component Package Version: 1.0.651

 

I scanned again and have not seen the detection show yet, 


Had the same detection on 3 of our systems about three hours ago. Ran the spoolsv.exe through VirusTotal, which came up with detection on Avira and F-Secure. We are running endpoint protection.

All endpoints had the following MWB Installation information:

Engine Version:    1.2.0.793
Asset Manager:    1.2.0.330
Endpoint Protection:    1.2.0.831
Endpoint Protection Protection Update:    1.0.17136
Component Package Version:    1.0.651


OK, I recommend rootkit be turned on only where there is an issue with removing something with the normal scan. Rootkit is slightly more dangerous as it has to disable some whitelisting to remediate some rootkits. Also, the file wasn't actually deleted but replaced on reboot with a valid copy by the rootkit engine. It basically puts a fresh copy in place on reboot. So besides the scare, no damage was actually done to the machine.

 

Edited by shadowwar

@shadowwar To confirm your recommendation: you are saying to disable scan for rootkit in all of our policies and only enable it when we have a malware detection that keeps coming back?

We have a scheduled daily scan on all of our endpoints in the evenings after business hours. Would you recommend turning on Scan for rootkits for that, or leaving it totally disabled until we run into a persistent detection?


Maybe once a week if you really want to use rootkit. But honestly, we rarely see rootkit files anymore, and the newer engine can remove most of them anyway even without rootkit on. But yes, your first statement is the way I recommend.

Daily threat scans without rootkits are fine.

Edited by shadowwar