Possible false positive detected

[leobando]

I got these alerts that I believe are false positive

Malware threat detected, see details below:

11/28/2020 3:00:28 AM computer name             xx.xx.xx.xx       Spyware.PasswordStealer            < No action taken >                C:\Program Files\Microsoft Visual Studio\Shared\Packages\Microsoft.Net.Compilers.2.6.1.nupkg

11/28/2020 3:00:28 AM computer name             xx.xx.xx.xx       Spyware.PasswordStealer            < No action taken >                C:\Program Files\Microsoft Visual Studio\Shared\Packages\Microsoft.Net.Compilers.2.6.1\tools\csc.exe

Total count: 2.

11/30/2020 3:03:50 PM computer name             xx.xx.xx.xx       Trojan.SmokeLoader      < No action taken >                C:\ProgramData\Apple\Installer Cache\Apple Mobile Device Support 12.0.0.1039\AppleMobileDeviceSupport64.msi

Can you confirm it.

Thank you

[AdvancedSetup]

Hello @leobando

Can you please post the full log for this detection.

Thank you

 

[leobando]

Hi,

Thank you for replying, this is a notification I received from Malwarebytes Management Server Notification, how can I provide the full log to you?

Thank you

[knguyen1]

Hello @leobando

Please follow these instructions on the endpoint that had the detection to gather logs - https://support.malwarebytes.com/hc/en-us/articles/360039023853

I'm also opening a ticket for you and sending you an e-mail with these instructions and a link where you can provide us with the logs.

It appears that based off of this, csc.exe is a false positive - https://forums.malwarebytes.com/topic/267280-false-positive-cscexe-visual-studio/

I can get verification on the other items with the logs.

Please check your e-mail for log upload instructions. 

[nestrada]

I have the same report. I recently updated ITUNES but never restarted the PC as required. Scan report came today at 1 PM.

[knguyen1]

Hi @nestrada

I also sent you an e-mail with instructions to get us logs and where to upload them. Please check your e-mail and reply there when it's been done. It looks like you have a machine with the same detection C:\ProgramData\Apple\Installer Cache\Apple Mobile Device Support 12.0.0.1039\AppleMobileDeviceSupport64.msi

Thank you,

[knguyen1]

Hi @nestrada and @leobando,

My research team confirmed that C:\ProgramData\Apple\Installer Cache\Apple Mobile Device Support 12.0.0.1039\AppleMobileDeviceSupport64.msi was a false positive that is already resolved. You should be able to restore the file from quarantine and you shouldn't get anymore detections on it

Now I'm just waiting on logs from @leobando to confirm if C:\Program Files\Microsoft Visual Studio\Shared\Packages\Microsoft.Net.Compilers.2.6.1.nupkg was also a false positive. 

Edited December 1, 2020 by AdvancedSetup
corrected font issue

[nestrada]

Great!! Thank you!!!

[leobando]

Hi,

I uploaded the logs.

[knguyen1]

Hi @leobando

Thank you for the logs. I've confirmed that all 3 detections were false positives. Since no action was taken or no file was quarantined, you don't need to do anything else. You shouldn't be seeing these detections anymore.

Thank you,