
Possible False Positive DBUtil.sys in Windows Temp folder


eliuri


The following Windows/Temp/DBUtil .sys file was detected in MB real time detection today.

Attached find zipped files of this detection as well as MB .txt file of the event

Neither file was found as malware by VirusTotal after release from Quarantine

Nor did I download/install anything from Dell in a very long time

Please evaluate possibility of false positive

Thank you

eliuri

Windows 7 SP1

Malwarebytes Premium 4.3.0

af397ef28e484961ba48646a5d38cf54.db.zip af397ef28e484961ba48646a5d38cf54.zip dbutil-log-malwarebytes-jan 17.txt


10 minutes ago, eliuri said:

Please evaluate possibility of false positive

Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. ... This driver may have been installed on to the Windows operating system of your Dell Client platform by one or more impacted products or components.

https://www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability

This detection is not a FP.

Personally I would remove all Dell utilities from the computer and let Malwarebytes remove the rest.

Edited by Porthos

Thank you, Porthos...

Yes, I do get detection notices of this every few days now. AFAIK I haven't downloaded or installed anything from Dell in years.

"Summary: Dell has released remediation for a security vulnerability affecting the dbutil_2_3.sys driver packaged with Dell Client firmware update utility packages and other products."

https://www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability

 

This is baffling, since I can't find this vulnerable driver:

dbutil_2_3.sys

anywhere on my laptop

Would you kindly elucidate why I keep getting this exploit notification in spite of quarantine of that .Temp file?

How is Dell installing/reinstalling it?

Thank you

eliuri

 


6 minutes ago, eliuri said:

How is Dell installing/reinstalling it?

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 


Yes, it is that same Dell 1545

Can I simply disable the relevant services to stop it from doing this?

I'm mostly concerned that some of those programs you're suggesting I uninstall might actually be needed. Since it's an outdated Dell laptop, I'd have no way of getting those back if I simply uninstall...

********************************

It's odd that only one out of all those 64 detection engines at VirusTotal--including Malwarebytes--flags that file when I upload it.


2 minutes ago, eliuri said:

I'm mostly concerned that some of those programs you're suggesting I uninstall might actually be needed. Since it's an outdated Dell laptop, I'd have no way of getting those back if I simply uninstall...

Those programs were not needed the day the laptop was made and they are not needed now. No Dell NEEDS those apps. I have been removing them from every Dell I have ever serviced in my career.

I do the same for other brand name computers as well.
