Massive FP with Windows Defender and MB


I'd just like to mention that I also had this issue, but for me, the cause was that Windows Defender had mistakenly flagged a ton of things (about 52 detections) as Trojans ("Trojan:Win32/Bearfoos.A!ml"), and it had automatically removed them in a single run. I had to go and restore the massive false positive from the Windows Security dashboard, then wait a couple of minutes until it finished the restoration process, and restart my PC. Afterwards, MB started working again.


Before I restored the files, I decided to run a scan with MalwareBytes, just in case it wasn't a big false positive, but MB also detected them as malware ("Trojan.Agent"). Weird thing is, when I uploaded each file to VirusTotal, none of them were flagged by any antivirus. Also, when I scanned the files individually from the file explorer with right-click -> Scan with MalwareBytes, none of them were flagged by MB. These false positives include a program I've coded and compiled myself, which I'm certain isn't malware.


I've attached the massive false positive scan from MB.



  • Staff


Can you let Malwarebytes quarantine this one only?

Trojan.Agent, C:\PROGRAM.EXE, No Action By User, 490, 202208, 1.0.54556, , ame, , C02ACC9A62DA88CF842CBD0963048E2A, 5A388847C1DA8FAA63BBE69F898A3F21DF83E4028B7946297E84C6F8F6E93BE1

Then restart the scan and see if that still detects the rest. It looks like an unpredictable behavior happening here where we will look into this further.


That first post used to be a reply to this thread btw. That's why it starts like that.



That's a little program I engineered to detect if another program called a path under "C:\Program Files" without using quotes. It helps me to detect which programs are vulnerable to privilege escalation. I've attached the .exe and the source code in a ZIP with the password "infected". I've verified that program.exe wasn't replaced by a rogue process; it's the same program I initially compiled. I don't think my program should be whitelisted though. Any exe under that path should be flagged.


Also, I can't replicate that massive false positive now. All I did since then was restart my PC and update the "Update Package Version" from v1.0.54556 to v1.0.54606. I have no clue what could've caused so many false positives in that scan, both in Windows Defender and in MalwareBytes, but the issue is gone now.


Before I restarted my PC though, I ran mb-check-, mb-clean-, and FRST64.exe, because a comment that was there before suggested it. I can PM you the logs if you'd like to go through them.

Improper Quotes Monitor.zip

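The check the poster's program performs, as an added example in Python that is not the Improper Quotes Monitor from the attached ZIP: it audits service ImagePath strings (constructed samples here; a live audit would read each HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath value) for unquoted paths containing spaces, lists the truncated file names such as C:\Program.exe that a defender should confirm are absent and keep under watch, and produces the quoted fix.

```python
# Added example (not the forum poster's Improper Quotes Monitor): audit service ImagePath
# values for the unquoted-path weakness the post describes and list the truncated file
# names (C:\Program.exe, ...) a defender should confirm do not exist and should monitor.
import re
from typing import Dict, List

EXE_RE = re.compile(r'^(.*?\.exe)(?=\s|$)', re.IGNORECASE)

def hijack_candidates(image_path: str) -> List[str]:
    """Return the file names Windows would try before the real binary if `image_path` is
    an unquoted path containing spaces. An empty list means the entry is safe."""
    s = image_path.strip()
    if not s or s.startswith('"'):
        return []                      # already quoted: nothing to flag
    m = EXE_RE.match(s)
    exe = m.group(1) if m else s       # drop trailing arguments such as "-k netsvcs"
    if ' ' not in exe:
        return []                      # no spaces: the loader cannot truncate it
    pieces = exe.split(' ')
    # The loader tries each space-delimited prefix (with .exe appended) before the full path
    return [' '.join(pieces[:n]) + '.exe' for n in range(1, len(pieces))]

def quoted_fix(image_path: str) -> str:
    """Return the ImagePath with the executable portion wrapped in quotes (the remediation)."""
    s = image_path.strip()
    if s.startswith('"'):
        return s
    m = EXE_RE.match(s)
    if not m:
        return s
    exe = m.group(1)
    return f'"{exe}"' + s[len(exe):]

def audit_services(services: Dict[str, str]) -> Dict[str, dict]:
    """Map each vulnerable service to its truncation candidates and the corrected ImagePath."""
    findings = {}
    for name, path in services.items():
        cands = hijack_candidates(path)
        if cands:
            findings[name] = {"candidates": cands, "fix": quoted_fix(path)}
    return findings

# Constructed sample registry values (not taken from the thread); on a live host read
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath for each service instead.
SAMPLE_SERVICES = {
    "GoodSvc": '"C:\\Program Files\\Good Vendor\\good.exe" -service',
    "BadSvc": 'C:\\Program Files\\Some Vendor\\Sub Dir\\bad.exe -k arg',
    "Svchost": '%SystemRoot%\\system32\\svchost.exe -k netsvcs',
}

if __name__ == "__main__":
    for svc, info in audit_services(SAMPLE_SERVICES).items():
        print(svc, "-> confirm absent:", info["candidates"], "| fix:", info["fix"])
```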

Here's the full timeline, for more clarity:

  1. I'm editing a video on SONY VEGAS PRO 17.0 when suddenly...
  2. Windows Defender flags a ton of files
  3. I run a MalwareBytes scan, and it detects the files too
  4. I verify that both scans are indeed false positives by uploading many files to VirusTotal
  5. I restart my PC without telling Windows Defender to "quarantine" the entries
  6. MB doesn't start
  7. I run mb-check-, mb-clean-, and FRST64.exe
  8. I realize that Windows Defender has quarantined those files without telling me
  9. I tell Windows Defender to restore the files
  10. (Wait 5 mins)
  11. MB shows up on the tray area of the taskbar
  12. Restart PC
  13. MB is working as normal

I could just say it was a crazy bit flip, but the fact that they both went crazy at the same time is unbelievable. Before the mayhem started though, Windows Defender created an event log for an interaction between VEGAS PRO and my Program.exe. I shouldn't have cleared my program's access-log.txt before posting the source code here 🤦‍♂️.


My copy of VEGAS PRO isn't "original". There's a possibility that a long-time fuse finally went off; I installed VEGAS on 2019-09-23, but I've rarely used it since. OR this could all just be a big coincidence caused by a bunch of bitflips. Either way, all the symptoms are gone: scanning with WD and MB reports only the usual stuff, and running VEGAS PRO shows something completely different than what it showed before on my access-log.txt.


The only signs that all of this ever happened are the scan I exported from malwarebytes, and the Windows Defender "Protection History" GUI: On the GUI there are a LOT of detections, far more than the 52 that MB reported, all in a single item: "Trojan:Win32/Bearfoos.A!ml". But only a small fraction of these detections were registered in the event logs. I've also analyzed some of these detections on VirusTotal, and none of them were detected as malware.


Every scan I've made since this incident has detected nothing out of the ordinary, so I'll continue to use my PC as normal. I'd still like to leave a record of this, just in case it happens to someone else 😅


39 minutes ago, PinkDev1 said:

I run mb-check-, mb-clean-

Side note: those programs are for older versions only. Do not use them with the current version of Malwarebytes installed.

Currently, there is one tool (Malwarebytes Support Tool) that does the same functions as the ones you listed and more.



13 minutes ago, miekiemoes said:

We have been troubleshooting this, found and fixed this unpredicted behavior

Nice work! That was quick.

11 minutes ago, miekiemoes said:

This is a real rare case though

No joke. I've been using MB for years and never came across this issue. I have a hunch my recently added program.exe had something to do with this 😆


  • AdvancedSetup changed the title to Massive FP with Windows Defender and MB