
Possible FP - Old WSUS Offline Update ESR v9.2.6 (Malware.AI.26769874)


lmacri


I have an old ESR (extended support release for Win XP/Vista) version of WSUS Offline Update ESR v9.2.6 named wsusoffline926.zip that I downloaded from https://download.wsusoffline.net/ back in 2020 that is now being detected by Malwarebytes Threat Scans as Malware.AI.26769874. The VirusTotal report at https://www.virustotal.com/gui/file/d6e3635866810c203e7802d0c4c16d12b2f1ff9de6c34ed21a6273631bfc3046 has a detection rate of 4/65, with Malwarebytes being 1 of 4 security vendors detecting this file as suspicious/malicious.

The first scan on my system that detected this file yesterday was using Update Package v1.0.60732.

Newer versions of this utility like ESR v11.9.1 are not being detected so there must be some executable bundled inside the old Win XP/Vista ESR version that Malwarebytes doesn't like.

I've attached a copy of wsusoffline926.zip as well as today's Malwarebytes scan log.

wsusoffline926.zip

MB Pro v4_5_14 False Positive WSUS Offline Update 07 Oct 2020.txt

-----------
64-bit Win 10 Pro v21H2 build 19044.2006 * Firefox v105.0.2 * Microsoft Defender v4.18.2207.7-1.1.19600.3 * Malwarebytes Premium v4.5.14.210-1.0.1772 * Macrium Reflect Free v8.0.6979
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, 256 GB Toshiba KBG40ZNS256G NVMe SSD, Intel UHD Graphics 620

Edited by lmacri
Changed from v9.2.5 (detected yesterday) to v9.2.6 file (detected today)
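The post above narrows the detection to "some executable bundled inside" the archive and identifies the file by its SHA-256 on VirusTotal. The script below is an added example written for this page (it is not part of the thread, the Malwarebytes product, or the WSUS Offline Update project): it hashes a zip, builds the VirusTotal file URL for that hash, and hashes every member, flagging the ones that carry a real PE header so each can be looked up individually instead of the whole archive. The sample archive and member names it builds are constructed stand-ins, not the contents of wsusoffline926.zip.

```python
"""Triage helper for a suspected false-positive archive (added example, not from the thread)."""
import hashlib
import io
import zipfile

VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vt_url(sha256: str, nocache: bool = False) -> str:
    """VirusTotal GUI link for a file hash; nocache=1 is the flag used in the thread to force a fresh view."""
    url = VT_FILE_URL.format(sha256=sha256)
    return url + "?nocache=1" if nocache else url


def is_pe(data: bytes) -> bool:
    """True only for a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature (not just a .exe suffix)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_archive(zip_bytes: bytes) -> dict:
    """Hash the archive and each member; list members that look like Windows executables."""
    members = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            members.append({
                "name": info.filename,
                "size": len(data),
                "sha256": sha256_bytes(data),
                "pe": is_pe(data),
            })
    archive_hash = sha256_bytes(zip_bytes)
    return {
        "sha256": archive_hash,
        "vt_url": vt_url(archive_hash),
        "members": members,
        "pe_members": [m for m in members if m["pe"]],
    }


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file: MZ header, e_lfanew -> 'PE\\0\\0', then payload. Not runnable."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\0\0" + payload


def build_sample_zip() -> bytes:
    """Constructed, deterministic sample archive; member names are invented for this example."""
    entries = [
        ("wsusoffline/UpdateGenerator.exe", make_fake_pe(b"generator")),
        ("wsusoffline/bin/helper.dll", make_fake_pe(b"helper")),
        ("wsusoffline/ReadMe.txt", b"plain text member\n"),
        ("wsusoffline/cmd/DoUpdate.cmd", b"@echo off\r\n"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0))  # fixed timestamp
            zf.writestr(info, data)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample_zip())
    print("archive:", report["sha256"], report["vt_url"])
    for m in report["pe_members"]:
        print("PE member:", m["name"], m["sha256"], vt_url(m["sha256"]))
```

To apply this to a real download, read the archive from disk and pass its bytes to triage_archive; the archive hash should match the one in the VirusTotal URL, and each PE member's hash can then be searched on VirusTotal on its own to see which component, if any, is the one that trips the engine.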


Sorry, I was likely editing my original post when you entered the thread.  Every time I scan I get a different file being detected.  My first scan last night detected both v9.2.5 and v9.2.6, but subsequent scans only detected v9.2.5.  When I posted my FP report today I didn't realize Malwarebytes was detecting v9.2.6 (but not v9.2.5), so I edited my original post and attached the zipped file and today's scan log for v9.2.6.

I just ran another Threat Scan a few minutes ago and I'm back to no detections (even though fresh VirusTotal scans of the SHA-256 hashes still show that Malwarebytes is flagging both wsusoffline925.zip and wsusoffline926 as Malware.AI.26769874) so Malwarebytes must be tweaking something in the Update Packages that keeps changing the detection of these WSUS Offline Update zipped files on my system.  There's no point trying to fix this on your end if my scans aren't giving consistent results, so I'll wait until this evening and let you know if my scheduled Threat Scan at 6:00 PM detects either of these files.


My last two Threat Scans (a scheduled scan on 07-Oct-2020 @ 10 PM with Update Package 1.0.60766 and a manual scan on 08-Oct-2022 @ 3 PM with Update Package 1.0.67083) both completed without any detections so I'm guessing a tweak to the AI / machine learning has already corrected my problem.

The only oddity I noticed is that I uploaded wsusoffline926.zip to VirusTotal.com for another analysis today and forced a new scan, and the file still has a detection rate of 4/64, but the Malwarebytes scan engine is now detecting this file as MachineLearning/Anomalous.96% (https://www.virustotal.com/gui/file/d6e3635866810c203e7802d0c4c16d12b2f1ff9de6c34ed21a6273631bfc3046?nocache=1) instead of Malware.AI.26769874.

wsusoffline926.zip

Given that my last two scans have come back clean I'm fine if this thread is marked as resolved.  However, I'll be happy to provide additional scan logs for other Malware.AI.26769874 detections for wsusoffline926.zip I've had in the past few days that I haven't posted yet if they would be useful to you.



On 10/7/2022 at 10:24 AM, lmacri said:

VirusTotal scans

Keep in mind the following with VT.

The engine format and configuration in VirusTotal is different from the consumer and corporate products' default configuration. In VirusTotal, Malwarebytes uses a command-line engine with different configuration and detection techniques/heuristics which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.
