False Positive on Heidleberg Engineering Software For Diagnostic software

[BobSoul]

Hello :

 

 I just got the following false postives on our Heidelberg FA machines ( Diagnostic Equipment for taking images of the Retina ) 

These are not new and have been on system for sometime actually the main software for the machine to function

They are being detected as Malware.Sandbox.1

• Endpoint name: 
• OS platform: Windows
• OS release name: Microsoft Windows 10 Pro for Workstations
• Location: C:\PROGRAMDATA\{2A0FDD43-0EB4-490F-85DC-61A60EA69080}\SETUP.EXE
• Policy name:
• Report time: September 29th 2022, 14:04:26 UTC
• Scan time: September 29th 2022, 14:01:00 UTC
• Action taken: Quarantined
• Threat name: Malware.Sandbox.1
• Type: file

 

• Endpoint name: 
• OS platform: Windows
• OS release name: Microsoft Windows 10 Pro for Workstations
• Location: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Heidelberg Eye Explorer
• Policy name: 
• Report time: September 29th 2022, 14:04:26 UTC
• Scan time: September 29th 2022, 14:01:00 UTC
• Action taken: Quarantined
• Threat name: Malware.Sandbox.1
• Type: reg_key

 

• Endpoint name: 
• OS platform: Windows
• OS release name: Microsoft Windows 10 Pro for Workstations
• Location: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{CA920751-9922-42DB-AD51-F199D40F2F0A}
• Policy name: 
• Report time: September 29th 2022, 14:04:26 UTC
• Scan time: September 29th 2022, 14:01:00 UTC
• Action taken: Quarantined
• Threat name: Malware.Sandbox.1
• Type: reg_key

 

Attached Diags as well

 

1552734866_MalwarebytesDiagnostics(5).zip

Edited September 29, 2022 by BobSoul

[miekiemoes]

Hi,

Can you zip and attach the following file please? C:\\PROGRAMDATA\\{2A0FDD43-0EB4-490F-85DC-61A60EA69080}\\SETUP.EXE

This so we can have a look.

Thanks!

[BobSoul]

I'll try the clinic is seeing patients at the moment and its hard to get on the machine remotely -- give me a few minutes

 

[miekiemoes]

They would need to unquarantine it first :)

[BobSoul]

It wasnt quarantiened yet due to live clinic and they have postponed the reboot several times cause of patients being seen and having images taken -- I attached the file its actually the setup file for the heidelberg software 

Setup.zip

[BobSoul]

Also note I ran the file against EMSISOFT and portable ROGUEKILLER and it comes up clean and I do know for a fact it is the actual install file for the Heidelberg software -- Had a false ID a bit back on the same files that you guys corrected.

 

[BobSoul]

This is one of the previous times the heidelberg software got flagged.  Yes its an old file but its a diagnostic machine that doesnt have many software updates - ( there are a total of two previous posts on this ( each fixed each time : ) )

 

 

[miekiemoes]

Thanks for the file. This has been fixed in a meantime already and should no longer be detected anymore.

[BobSoul]

Thank you