
Possible False Positive: Activitiescache.db-shm latest definitions (6/3/22)


BobSoul


Updated Malwarebytes Premium; previous days' scans were clean. Ran a new manual scan and this was the result. Seen as a false positive before.

Machinelearning/Anomalous.96%

Quarantined out of caution

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/3/22
Scan Time: 11:42 AM
Log File: bb026292-e353-11ec-9c8c-a4badbe3cd80.json

-Software Information-
Version: 4.5.9.198
Components Version: 1.0.1689
Update Package Version: 1.0.55751
License: Premium

-System Information-
OS: Windows 10 (Build 19043.1706)
CPU: x86
File System: NTFS
User: oppc1-PC\oppc1

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 314279
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 1 hr, 10 min, 6 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
MachineLearning/Anomalous.96%, C:\USERS\OPPC1\APPDATA\LOCAL\CONNECTEDDEVICESPLATFORM\L.OPPC1\ACTIVITIESCACHE.DB-SHM, Quarantined, 0, 392687, 1.0.55751, , shuriken, , FB94F750BE002159FEEE8A238A1D2C03, 11CCE18471849819AD01A8CF8767C509A489E713E43E94AA418AF0D6B5828219

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

 


The file in question is the Windows Timeline feature, which if you delete/remove it will be recreated by Windows. I know it's possible for this file to get corrupt and wonder if this is the reason for the detection? If you try to restore from quarantine it will not, because the new one is in use by Windows; the connected platforms service is using the file.

Microsoft lists its sister file as causing high system resource usage and suggests the following:

 

 

I understand that svchost.exe is utilizing disk space and CPU usage on your PC.

Based on the information you have provided, ActivitiesCache.db-wal is used by Windows Timeline feature. I would suggest you to follow the steps mentioned below and see if that helps.

Method 1: Delete ActivitiesCache.db-wal

Try deleting ActivitiesCache.db-wal and see if the usage is reduced. Kindly follow the steps mentioned below:

  1. Press Windows key + R. This will open Run. Alternatively, you can go to Start and search for ‘Run’.
  2. In Run dialog box, type services.msc and hit Enter.
  3. Now look for Connected Devices Platform service
  4. Right click on the service and click on Stop

After stopping the service follow the steps mentioned below:

  1. Press Windows + E to open File Explorer
  2. Now click on View and check the box next to Hidden items
  3. Now navigate to C:\Users\UserName\Appdata\Local\ConnectedDevicesPlatform\4a3b4560b8cf8a2b
  4. Right click on ActivitiesCache.db-wal and click on Delete

Method 2: Turn off Timeline

Try turning off Timeline feature and check if the usage is reduced.

  1. Press Windows + I keys together to open Settings
  2. Now click on Privacy and select Activity history
  3. Uncheck the boxes next to Let Windows collect my activities from this PC and Let Windows synchronize my activities from this PC to the cloud
  4. Now under Show activities from accounts toggle the switch to Off

 

 

Also noticed this was falsely detected in January of this year
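
The Method 1 steps quoted above, scripted in PowerShell as an added example (not part of the post or of Microsoft's answer). It assumes an elevated session running under the affected user's profile and matches the services by display name; it also records each file's SHA-256 before deleting it, so the hash can accompany a false-positive report.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread or from Microsoft's answer.
# Assumptions: elevated session under the affected user's profile, and
# services matched by display name (per-user instances carry a suffix).
$ErrorActionPreference = 'Stop'

$root = Join-Path $env:LOCALAPPDATA 'ConnectedDevicesPlatform'
$name = 'ActivitiesCache.db-wal'     # the file Method 1 deletes

# Steps 1-4: stop the Connected Devices Platform service(s) holding the file.
$running = @(Get-Service -DisplayName 'Connected Devices Platform*' |
    Where-Object { $_.Status -eq 'Running' })
$running | Stop-Service -Force

try {
    # The per-account subfolder name varies (the thread shows "L.OPPC1" and
    # "4a3b4560b8cf8a2b"), so search every subfolder; -Force includes hidden items.
    $files = @(Get-ChildItem -LiteralPath $root -Recurse -Force -File -Filter $name)
    foreach ($file in $files) {
        # Record size, timestamp and hash before the file is gone.
        $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
        [pscustomobject]@{
            Path      = $file.FullName
            Bytes     = $file.Length
            LastWrite = $file.LastWriteTime
            SHA256    = $hash.Hash
        }
        Remove-Item -LiteralPath $file.FullName -Force
    }
    if ($files.Count -eq 0) { Write-Warning "No $name found under $root" }
}
finally {
    # Restart whatever was stopped, even if the delete failed.
    $running | Start-Service
}
```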

 

 


Hope that last post helps shed some more light on whether it's false or not. Was going to run the file against Emsisoft but Malwarebytes won't restore the file to do so, and I know running files sitting in the quarantine folder never really gives a full-fledged reliable result (though I do it just for the hell of it sometimes :) ) and it was fine with it.

 

 

 

Edited by BobSoul

I deleted the file since Windows rebuilt it after quarantine and prevented restore... I had to get this machine working and cleaned, so I just treated it as if it was a valid detection as far as cleaning the system etc. Emsisoft didn't detect it before I deleted it; I scanned it in the quarantine folder directly (Emsisoft ignores those folders unless you specify them). I was just reporting it as a possible false positive since, when researching, I have seen it detected falsely by Malwarebytes earlier this year and know sometimes this can creep back into new definitions from time to time. I put the machine on to an endpoint for better control and monitoring over the next few days; it has since scanned clean.


No problem. Thanks for the further definition link on machine learning... figured as much since it was not detected in the scan the day before. Then after the update of Malwarebytes it was found; I figured false positive :)

Was easier to just delete and move forward since it wasn't a system-critical file etc. and wasn't running in memory or services etc. or replicating, you know the drill :)

 
