Old Database MBAR Detections, False Positives?

[Lipton]

I regularly do a quick scan using MBAM on my computer. I recently decided to try the MBAR scan, however I forgot to update the database version.

Database version:
  main:    v2017.10.25.11
  rootkit: v2017.10.14.01

I did a scan and it detected 16 malware which had never ben detected by MBAM.

mbar-log-2022-07-02 (15-11-00).txtsystem-log.txt

I had then clicked on clean up to remove the detected items and I did a scan again on MBAR but this time updating the database version, and found nothing.

These detections did not pop up within MBAM when I do regular scans, but I decided to do a MBAR scan on the old database and found detections. Could this be a false positive?

I have done a bit more digging, and I think I’ve discovered that the files flagged as Spyware.Pony were false positives as they seem to be legitimate files, could all these detections be because I was running MBAR on the old database? Is there any way to check whether the detections in the old database would be considered a detection in the newer databases? 

Assuming MBAM and MBAR use the same database, I am guessing that MBAM didn’t detect anything before because it is the updated database and there are no infections, however MBAR when I ran it on the old database it detected things, whereas the new database wouldn’t have, which would mean the detections I got in my scan are all false positives? 

 

[Lipton]

Sorry, I thought that I had put it in the wrong topic. My apologies.

[miekiemoes]

Hi,

These look like false positives indeed, that's why it's always recommended to update the database before doing a scan, as FPs get always fixed immediately.

[Lipton]

@miekiemoes

Thank you. As a very anxious person, is it possible to check these against the update database on your side? As I have already had the detections removed, therefore I can not scan them against the updated database. Thank you in advance.

[miekiemoes]

I know that these exact signatures are not in our database anymore. 

[Lipton]

@miekiemoes

Thank you. As a confirmation so I am understanding this. All 16 detections found using the old database are not detections in the newer database?

[miekiemoes]

That's correct. We typically remove the signature hat causes false positives within the day already.

[Lipton]

@miekiemoes

That is great! And how do I check for signatures exactly?

1 hour ago, miekiemoes said:

I know that these exact signatures are not in our database anymore. 

 

[miekiemoes]

You can't. :)

Only staff can based on the log and decrypting :)

 

[Lipton]

@miekiemoes

I see okay got it. So just a last and final question so I can get rid of my anxiety. The signatures of the 16 detections using the old database are removed in the newer databases as the signatures are false positives?

[miekiemoes]

Yes, that's correct. We don't keep signatures that cause false positives in our database, for obvious reasons :)

 

[Lipton]

@miekiemoes

So I don’t have to worry about a thing? No need to change passwords or anything? Sorry for asking so many questions.

[miekiemoes]

Hi,

No, you don't, as it was an FP, so these files/key weren't malicious :)

[Lipton]

I see thank you. Do you have any idea what these files and keys were? So I know what I had deleted incase I run into an error or an issue later down the road. Thank you in advance!

[miekiemoes]

The files are related with this: https://support.2k.com/hc/en-us/articles/5534336523155-2K-LAUNCHER-TROUBLESHOOTING

So if you have any issues, it says there how to reinstall the lastest one (as some do delete these contents manually already in case of problems)

As for the keys, these shouldn't be a problem if they got deleted, since if a new program requires/needs it, it will re-register these again anyway. So you should be ok.

 

[Lipton]

When you say “…files/key…” do you mean “keys”? So all files and keys were not malicious, their signatures were on the old database whereas in the new one they are not because they were found to not be malicious, am I right in saying this? I am just trying to wrap my head around this.

[Lipton]

@miekiemoes

and if I scanned with the newer database, there would be no detections compared to the older database where there are 16 detections.

[miekiemoes]

Everything in the log were false positives, so not malware. And yes, that's correct, there won't be any detections anymore for these files/keys.