Possible false positive detected


I got these alerts that I believe are false positives.

Malware threat detected, see details below:

11/28/2020 3:00:28 AM computer name             xx.xx.xx.xx       Spyware.PasswordStealer            < No action taken >                C:\Program Files\Microsoft Visual Studio\Shared\Packages\Microsoft.Net.Compilers.2.6.1.nupkg

11/28/2020 3:00:28 AM computer name             xx.xx.xx.xx       Spyware.PasswordStealer            < No action taken >                C:\Program Files\Microsoft Visual Studio\Shared\Packages\Microsoft.Net.Compilers.2.6.1\tools\csc.exe

Total count: 2.

11/30/2020 3:03:50 PM computer name             xx.xx.xx.xx       Trojan.SmokeLoader      < No action taken >                C:\ProgramData\Apple\Installer Cache\Apple Mobile Device Support\AppleMobileDeviceSupport64.msi

Can you confirm it?

Thank you
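An added triage helper, not part of the original post or of any Malwarebytes tooling: it parses report lines in the layout quoted above into structured records, groups them by detection name, and computes the SHA-256 of each flagged file that is still present on disk, which is the information a vendor false-positive submission normally needs. The embedded sample is constructed from the lines quoted in this post; the hostname and IP are the same redacted placeholders the poster used, and the paths are the ones reported.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout quoted in the post above. Hostname and IP
# are the poster's redacted placeholders; paths are the ones reported.
SAMPLE_REPORT = """\
11/28/2020 3:00:28 AM computer name             xx.xx.xx.xx       Spyware.PasswordStealer            < No action taken >                C:\\Program Files\\Microsoft Visual Studio\\Shared\\Packages\\Microsoft.Net.Compilers.2.6.1.nupkg
11/28/2020 3:00:28 AM computer name             xx.xx.xx.xx       Spyware.PasswordStealer            < No action taken >                C:\\Program Files\\Microsoft Visual Studio\\Shared\\Packages\\Microsoft.Net.Compilers.2.6.1\\tools\\csc.exe
Total count: 2.
11/30/2020 3:03:50 PM computer name             xx.xx.xx.xx       Trojan.SmokeLoader      < No action taken >                C:\\ProgramData\\Apple\\Installer Cache\\Apple Mobile Device Support\\AppleMobileDeviceSupport64.msi
"""

# One report line: timestamp, host (may contain single spaces), IP, detection
# name, the action in angle brackets, then the file path. Columns are padded
# with runs of two or more spaces, which is what delimits the host field.
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<host>.+?)\s{2,}"
    r"(?P<ip>\S+)\s+"
    r"(?P<threat>\S+)\s+"
    r"<\s*(?P<action>[^>]*?)\s*>\s+"
    r"(?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class Detection:
    timestamp: str
    host: str
    ip: str
    threat: str
    action: str
    path: str


def parse_report(text: str) -> List[Detection]:
    """Parse detection lines; summary lines such as 'Total count: 2.' are skipped."""
    detections: List[Detection] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Group names match the dataclass fields, so unpack directly.
            detections.append(Detection(**m.groupdict()))
    return detections


def group_by_threat(detections: List[Detection]) -> Dict[str, List[str]]:
    """Map each detection name to the paths it fired on."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for d in detections:
        groups[d.threat].append(d.path)
    return dict(groups)


def sha256_of(path: str) -> Optional[str]:
    """SHA-256 of the flagged file, or None if it is missing (e.g. quarantined)."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def build_submission(detections: List[Detection]) -> List[dict]:
    """Rows for a false-positive report: detection, action, path, hash if present."""
    return [
        {"threat": d.threat, "action": d.action, "path": d.path, "sha256": sha256_of(d.path)}
        for d in detections
    ]


if __name__ == "__main__":
    records = parse_report(SAMPLE_REPORT)
    for threat, paths in group_by_threat(records).items():
        print(threat)
        for p in paths:
            print("    ", p)
    for row in build_submission(records):
        print(row)
```

Run it against the exported report text instead of the embedded sample to get one row per detection; a `sha256` of `None` means the file is no longer at that path, which is expected once a detection has been quarantined.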


  • Staff

Hello @leobando

Please follow these instructions on the endpoint that had the detection to gather logs - https://support.malwarebytes.com/hc/en-us/articles/360039023853

I'm also opening a ticket for you and sending you an e-mail with these instructions and a link where you can provide us with the logs.

It appears that based off of this, csc.exe is a false positive - https://forums.malwarebytes.com/topic/267280-false-positive-cscexe-visual-studio/

I can get verification on the other items with the logs.

Please check your e-mail for log upload instructions. 


  • Staff

Hi @nestrada

I also sent you an e-mail with instructions to get us logs and where to upload them. Please check your e-mail and reply there when it's been done. It looks like you have a machine with the same detection C:\ProgramData\Apple\Installer Cache\Apple Mobile Device Support\AppleMobileDeviceSupport64.msi

Thank you,


  • Staff

Hi @nestrada and @leobando,

My research team confirmed that C:\ProgramData\Apple\Installer Cache\Apple Mobile Device Support\AppleMobileDeviceSupport64.msi was a false positive that is already resolved. You should be able to restore the file from quarantine, and you shouldn't get any more detections on it.

Now I'm just waiting on logs from @leobando to confirm if C:\Program Files\Microsoft Visual Studio\Shared\Packages\Microsoft.Net.Compilers.2.6.1.nupkg was also a false positive. 

Edited by AdvancedSetup
corrected font issue
