ktechno1 Posted October 28, 2020

Using the Endpoint Cloud product here. I have an endpoint which sends a report on the daily scan that it detects and removes something called "Adware.Ghokswa" Reg Key. I have attached the email. This same detection occurs daily, and it cannot seem to completely eradicate it. Any ideas why this is found every day? Is a legitimate software installing this key and this is actually a false positive? Thanks for any input.

exile360 Posted October 28, 2020

Greetings,

Please post the scan report, accessible by clicking the Scan Report link listed in the above dialog, so that we may take a look.

Thanks
ktechno1 (Author) Posted November 3, 2020 (edited)

On 10/28/2020 at 1:36 PM, exile360 said:
> Greetings, Please post the scan report, accessible by clicking the Scan Report link listed in the above dialog, so that we may take a look. Thanks

Scan Report: 11/03/2020 4:00:02 AM

Scan Log Details
Endpoint name: xxxxx.xxxxx.com
Scan date and time: 11/03/2020 4:00:02 AM
Version: 3.8.5.2971
Component package version: 1.0.652
Protection update version: 1.0.18820
OS: Windows Server 2012
CPU: x64
File system type: NTFS
Logged-in user: xxxxx\xxxxx

Scan Summary
Scan Type: Threat
Result: Completed
Objects scanned: 279969
Time elapsed: 0h 14m 48s
Processes: 0
Modules: 0
Registry keys: 1
Registry values: 0
Registry data: 0
Folders: 0
Files: 0

Scan Options
Memory: True
Startup: True
File system: True
Rootkits: True
Heuristics: True
Archives: True
PUM: True
PUP: True

Threats Found
Name: Adware.Ghokswa
Type: Registry Key
Location: HKLM\SOFTWARE\WOW6432NODE\BIRDEYE
Action: Quarantined
ID: 66f8770e-1dbb-11eb-a228-109836a0bf9f

This is the same detection every night during the automated scan at 4 AM.

Edited November 3, 2020 by ktechno1
exile360 Posted November 3, 2020

Thank you. I've asked that this thread be moved to the FP area so that a member of Research may check to verify whether or not this is indeed a false positive (I suspect that it may be, since it is the only item being detected).

In the meantime, have you had a chance to open the registry on the affected endpoint and verify that the key exists, and tried deleting it by hand? If not, that may be worth a try, since it could simply be a permissions issue or something similar causing Malwarebytes to fail to remove it, resulting in the repeated detections with each scan. You can create a backup of the key by exporting it in case it does turn out to be a false positive, so that you don't risk damaging any legitimate application's installation.
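The manual check exile360 describes (confirm the key exists, export a backup, delete it by hand, and look at permissions if the delete fails), written out as an added PowerShell example. This is not code from the thread or from Malwarebytes; the key path is the one in the scan report above, while the backup folder and file name are assumptions. Run it from an elevated PowerShell prompt on the affected endpoint.

```powershell
# Added example (not from the thread or from Malwarebytes): verify, back up,
# and hand-delete a registry key that a scanner keeps re-detecting.
# The key path comes from the scan report; $BackupDir is an assumed location.

$KeyPath   = 'HKLM:\SOFTWARE\WOW6432Node\BirdEye'   # PowerShell provider path
$RegExport = 'HKLM\SOFTWARE\WOW6432Node\BirdEye'    # same key in reg.exe syntax
$BackupDir = 'C:\RegBackup'                          # assumption, change as needed

# 1. Require elevation: without it, HKLM writes fail and the result is misleading.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# 2. Does the key exist right now? If it is absent between scans, something
#    is recreating it rather than the scanner failing to remove it.
if (-not (Test-Path -Path $KeyPath)) {
    Write-Host "Key $KeyPath is not present at the moment."
    return
}

# 3. Record the contents (values and subkeys) so a recurrence can be compared later.
Write-Host '--- Values ---'
Get-ItemProperty -Path $KeyPath | Format-List *
Write-Host '--- Subkeys ---'
Get-ChildItem -Path $KeyPath -Recurse | Select-Object -ExpandProperty Name

# 4. Owner and ACL: a Deny entry for SYSTEM or Administrators is a common reason
#    a scanner reports "Quarantined" every night while the key survives.
$acl = Get-Acl -Path $KeyPath
Write-Host "Owner: $($acl.Owner)"
$acl.Access | Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize

# 5. Export a .reg backup before touching anything; abort if the export fails.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ('BirdEye_{0:yyyyMMdd_HHmmss}.reg' -f (Get-Date))
& reg.exe export $RegExport $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $backupFile)) {
    throw 'Registry export failed; not deleting anything.'
}
Write-Host "Backup written to $backupFile"

# 6. Delete the key and confirm it is actually gone.
Remove-Item -Path $KeyPath -Recurse -Force -ErrorAction Stop
if (Test-Path -Path $KeyPath) {
    Write-Warning 'Key still present after Remove-Item; check the ACL output above.'
} else {
    Write-Host 'Key removed. If the next scan finds it again, something is recreating it.'
}
```

If the key later turns out to belong to a legitimate application, the backup restores it with `reg.exe import <file>`. If step 6 fails with an access-denied error, the ACL printed in step 4 shows which principal is blocked; ownership and permissions can then be corrected in regedit's Permissions dialog before retrying.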
AdvancedSetup (Root Admin) Posted November 4, 2020

The Research Team says this is not a False Positive.

ktechno1 (Author) Posted November 4, 2020

7 hours ago, AdvancedSetup said:
> The Research Team says this is not a False Positive.

Ok. It finds this detection every night during the scan. What do you advise to remove it if the program isn't doing that? And why is it not able to remove it?

AdvancedSetup (Root Admin) Posted November 4, 2020

Hi @ktechno1

Let me have you run the following so that I can review the logs from the workstation.

Upload Malwarebytes Support Tool logs offline

Thanks

ktechno1 (Author) Posted November 6, 2020

On 11/4/2020 at 12:03 PM, AdvancedSetup said:
> Hi @ktechno1 Let me have you run the following so that I can review the logs from the workstation. Upload Malwarebytes Support Tool logs offline. Thanks

Here is the log: mbst-grab-results.zip

AdvancedSetup (Root Admin) Posted November 6, 2020

Thank you very much for the logs, @ktechno1. I've requested the Research Team to take another look. So far it looks like it is a FP to me, but we should hear back a bit later today from Research.

blender (Staff) Posted November 6, 2020 (Solution)

Hi @ktechno1

Indeed it is a false positive. The next database update should take care of it.

Thank you for reporting!