False postives on Microsoft store apps folder - Various


BobSoul


I just got a load of detection warnings across every machine, all from Microsoft Store preinstalled apps.

These are some examples; I have lots of them on various apps.

 

  • Category: Malware
  • Group name: WMS
  • Public endpoint IP: 
  • Endpoint name: 
  • OS platform: Windows
  • OS release name: Microsoft Windows 10 Pro
  • Location: C:\PROGRAM FILES\WINDOWSAPPS\A278AB0D.MARCHOFEMPIRES_7.3.1.0_X86__H6ADKY7GBF63M\A278AB0D.MARCHOFEMPIRES.EXE
  • Policy name:
  • Report time: April 5th 2023, 19:25:13 UTC
  • Scan time : April 5th 2023, 19:01:01 UTC
  • Action taken: Quarantined
  • Threat name: MachineLearning/Anomalous.97%
  • Type: file
  • Category: Malware
  • Group name: WMS
  • Public endpoint IP: 
  • Endpoint name: 
  • OS platform: Windows
  • OS release name: Microsoft Windows 10 Pro
  • Location: C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MICROSOFTSOLITAIRECOLLECTION_4.16.3140.0_X86__8WEKYB3D8BBWE\MICROSOFT.MICROSOFTSOLITAIRECOLLECTION.EXE
  • Policy name:
  • Report time: April 5th 2023, 19:33:25 UTC
  • Scan time : April 5th 2023, 19:01:03 UTC
  • Action taken: Quarantined
  • Threat name: MachineLearning/Anomalous.97%
  • Type: file
  • Category: Malware
  • Group name: WMS
  • Public endpoint IP: 
  • Endpoint name: 
  • OS platform: Windows
  • OS release name: Microsoft Windows 10 Pro
  • Location: C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.BINGFINANCE_4.53.50611.0_X86__8WEKYB3D8BBWE\MICROSOFT.MSN.MONEY.EXE
  • Policy name: Retina Consultants
  • Report time: April 5th 2023, 19:33:25 UTC
  • Scan time : April 5th 2023, 19:01:03 UTC
  • Action taken: Quarantined
  • Threat name: MachineLearning/Anomalous.97%
  • Type: file

I could go on, but it's all the Windows apps. I literally have my email blowing up from every machine's scans, and all are basically the same, just on a different Microsoft Store app. Earlier scans this morning did not trigger anything, just the afternoon scans, so I am assuming it's a definitions file issue at the moment.

Sorry - forgot to add the one which detects the store itself.

  • Category: Malware
  • Group name: WMS
  • Public endpoint IP:
  • Endpoint name: 
  • OS platform: Windows
  • OS release name: Microsoft Windows 10 Pro
  • Location: C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWSSTORE_22301.1401.15.0_X86__8WEKYB3D8BBWE\WINSTORE.APP.EXE
  • Policy name: 
  • Report time: April 5th 2023, 19:30:04 UTC
  • Scan time : April 5th 2023, 19:01:02 UTC
  • Action taken: Quarantined
  • Threat name: MachineLearning/Anomalous.97%
  • Type: file

The folder is not accessible; I get denied access since it's a Windows system folder... If I take control of the folder, Windows won't actually give it to me because it's owned by TrustedInstaller, and I believe if I force it Windows will not be happy. It's the actual Windows app store folder.

Not sure of another way to get a sample of the file remotely.

Where is the quarantine folder for endpoints? Would it be possible to get it from there?

I tried to restore some of those to run another scan after updating and checking for endpoint updates -- one machine wouldn't restore the files anyway. Gonna try another and see... almost acting as if they never actually got quarantined -- gonna try the other machine now.


I scanned two endpoints and they come up clean; they are the ones that failed to restore the files.

Malwarebytes Diagnostics.zip (attached) -- I attached them. I'm thinking this is a false ID on the store apps from Microsoft, because it's on various machines that all did a scan at the same time; others that scanned in the morning and after on a different schedule, when I did an on-demand scan, came up clean.

One machine, this one I gave the diags from, no one uses; it's an archive machine that only I use to archive database folders.


Ran 2 more Windows 11 machines and Windows 10 (total of 4); they came back clean. Re-scanning one of the machines that had detections and wouldn't restore the quarantined file, after running any updates in waiting etc. and rebooting it -- they all came back clean.

It appears it was detecting the Windows Store apps (didn't matter what it was, Netflix or Disney or whatever), tried to quarantine and didn't actually do it -- maybe because that folder is the protected system store folder and the store just replaces the file anyway (I know if you run wsreset.exe to clear it out it does exactly that, re-pulls any files it has). All these appear to be the default-from-install apps that Dell and Windows install on the machines out of the box, since we don't use the store apps anyway. The detection was always MachineLearning/Anomalous.97%, which I know is your generic zero-day threat protection -- it didn't really know what it was, but it thought it was something.
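The alerts in this thread share one shape: a generic machine-learning detection on an executable under C:\PROGRAM FILES\WINDOWSAPPS. The parser below is an added example, not code from the original post or from Malwarebytes; it reads the bullet-list alert format quoted above, pulls the Store package name, version and publisher ID out of the package folder name, and separates alerts that fit that pattern (for review against the installed package and its signature) from everything else. The sample alert text is constructed.

```python
import re
from collections import Counter

# Constructed sample in the same bullet format the thread's alerts use (not real alerts).
SAMPLE_ALERTS = """\
  • Category: Malware
  • Location: C:\\PROGRAM FILES\\WINDOWSAPPS\\MICROSOFT.WINDOWSSTORE_22301.1401.15.0_X86__8WEKYB3D8BBWE\\WINSTORE.APP.EXE
  • Report time: April 5th 2023, 19:30:04 UTC
  • Action taken: Quarantined
  • Threat name: MachineLearning/Anomalous.97%
  • Type: file
  • Category: Malware
  • Location: C:\\USERS\\EXAMPLE\\DOWNLOADS\\INVOICE.EXE
  • Report time: April 5th 2023, 19:31:00 UTC
  • Action taken: Quarantined
  • Threat name: Trojan.Generic
  • Type: file
"""

STORE_ROOT = "C:\\PROGRAM FILES\\WINDOWSAPPS\\"
# WindowsApps folder names look like NAME_VERSION_ARCH__PUBLISHERID.
PACKAGE_DIR_RE = re.compile(r"^([^_\\]+)_([\d.]+)_([^_\\]+)__([^\\]+)$")

def parse_alerts(text):
    """Split the bullet list into one dict per alert; each 'Category:' line starts a record."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*•\s*([^:]+?)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Category":
            cur = {}
            alerts.append(cur)
        if cur is not None:
            cur[key] = val
    return alerts

def triage(alert):
    """Return (verdict, package info). Store-path hits on the generic ML detection are set aside for
    review; anything else stays in the normal investigation queue."""
    loc, threat = alert.get("Location", ""), alert.get("Threat name", "")
    if loc.upper().startswith(STORE_ROOT) and threat.startswith("MachineLearning/Anomalous"):
        pkg_dir = loc[len(STORE_ROOT):].split("\\")[0]
        m = PACKAGE_DIR_RE.match(pkg_dir)
        pkg = ({"name": m.group(1), "version": m.group(2), "arch": m.group(3),
                "publisher_id": m.group(4)} if m else {"name": pkg_dir})
        return "review-store-app", pkg
    return "investigate", {}

def summarize(alerts):
    """Count alerts per verdict so a batch of near-identical Store hits is visible at a glance."""
    return dict(Counter(triage(a)[0] for a in alerts))
```

Run summarize(parse_alerts(SAMPLE_ALERTS)) to see the two queues; the "review-store-app" entries still need the package version checked against what the Store actually installed before they are dismissed.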


Happened again on another machine... Do I need to force an update across the board?

  • Category: Malware
  • Group name: OP
  • Public endpoint IP: 
  • Endpoint name: 
  • OS platform: Windows
  • OS release name: Microsoft Windows 10 Home
  • Location: C:\PROGRAM FILES\WINDOWSAPPS\A278AB0D.DISNEYMAGICKINGDOMS_7.8.12.0_X86__H6ADKY7GBF63M\A278AB0D.DISNEYMAGICKINGDOMS.EXE
  • Policy name: Retina Consultants
  • Report time: April 6th 2023, 14:17:09 UTC
  • Scan time : April 5th 2023, 19:01:01 UTC
  • Action taken: Quarantined
  • Threat name: MachineLearning/Anomalous.97%
  • Type: file

I'm generating logs now on this one -- it didn't flag this yesterday, but its last scan was in the AM and it was in the PM that these flagged yesterday, so wondering if I need to force updates on all machines.

Yeah, a few more appearing now again (trying to get all updated same as before, and always a different Windows app).

 

  • Location: C:\PROGRAM FILES\WINDOWSAPPS\NORDCURRENT.COOKINGFEVER_17.0.14.0_X86__M9BZ608C1B9RA\NORDCURRENT.COOKINGFEVER.EXE
  • Policy name: Retina Consultants
  • Report time: April 6th 2023, 14:57:37 UTC
  • Scan time : April 5th 2023, 19:01:01 UTC
  • Action taken: Quarantined
  • Threat name: MachineLearning/Anomalous.97%
  • Type: file

4 weeks later...

Had this happen once again - triggering on Windows Store apps - of course it won't let you get the file or restore etc. because it's a Windows protected file, and from the last time it was a false detect, assuming this again --

I'm generating logs now and rerunning the scan in case it's already been updated/fixed again.

  • Category: Malware
  • Group name: offsite
  • Public endpoint IP: 
  • Endpoint name: 
  • OS platform: Windows
  • OS release name: Microsoft Windows 10 Home
  • Location: C:\PROGRAM FILES\WINDOWSAPPS\A278AB0D.DISNEYMAGICKINGDOMS_7.9.9.0_X86__H6ADKY7GBF63M\A278AB0D.DISNEYMAGICKINGDOMS.EXE
  • Policy name: Retina Consultants
  • Report time: April 29th 2023, 11:34:42 UTC
  • Scan time : April 29th 2023, 11:01:03 UTC
  • Action taken: Quarantined
  • Threat name: MachineLearning/Anomalous.97%
  • Type: file