
[FP] - C:\Install directory


Doktor Notor


This is also the name of a folder that multiple rogues install out of.

If I whitelist this, I am putting one person in front of many thousands that I am protecting.

If you would, please right-click that entry and select Ignore; it will never turn up in a scan again.


This is also the name of a folder that multiple rogues install out of.

If I whitelist this, I am putting one person in front of many thousands that I am protecting.

Shrug; it's just rather confusing - there's no risk in having a C:\Install directory, it's the stuff in there that matters. I didn't assume this was intended to be detected, that's all... :)


Shrug; it's just rather confusing - there's no risk in having a C:\Install directory, it's the stuff in there that matters. I didn't assume this was intended to be detected, that's all... :)

I must admit I'm surprised by nosirrah's reply but will bow to his superior knowledge on the matter. If your directory contains utilities why not rename it C:\Utils?


If your directory contains utilities why not rename it C:\Utils?

Well yeah, I can rename it to whatever else, that wasn't the point... :) I'm just surprised that such a horribly generic directory name triggers this... Maybe some better description of similar stuff instead of Rogue.Multiple would reduce the possible confusion. :)


Rogue.Multiple is the def for all rogue antispyware/antivirus components that belong to more than one rogue application.

It is designed to remove the confusion between multiple rogue families. There are some rogues that have parts for three or more rogues, and having defs like that would generate what looked like three completely different infections at the same time, all the while there was only one.

This generic def is a big hammer that prevents the installation of an entire rogue family, as every single installer jumps from temp to %ROOTDRIVE%\Install and then installs.

I do not like adding these and remove them once we no longer need them for protection, but for now it is doing a lot of good.


If I whitelist this, I am putting one person in front of many thousands that I am protecting.

If you always detect it, then you are detecting and removing the installers for CompuCom's applications and drivers in their base image. CompuCom is not the only company that uses such a directory in the root of C: to store applications and drivers, so you are making it hard for Malwarebytes to score corporate contracts by always detecting that directory as malware. There either needs to be more advanced checks to determine if the software in this directory is safe, or you need to remove it from defs.

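The two positions in this thread are a path-keyed def (nosirrah: every installer in the family stages itself in %ROOTDRIVE%\Install, so the folder name alone is the signature) versus a content check (the last reply: decide on what is in the folder, not on its name). The script below is an added example of that content check, written for this thread; it is not Malwarebytes' Rogue.Multiple logic and not CompuCom's tooling. It assumes a local C:\Install, and the KnownGoodHashes / KnownBadHashes parameters are placeholders for lists you would export from your own golden image or from an incident, not real definitions.

```powershell
# Added example: triage the contents of C:\Install rather than the folder name.
# Run this before deciding whether to "Ignore" the detection or whitelist the folder.

function Test-InstallDirectoryContents {
    [CmdletBinding()]
    param(
        # Folder to inspect. The thread's def keys on %ROOTDRIVE%\Install.
        [string]$Root = 'C:\Install',

        # Hypothetical allow-list: SHA-256 hashes of your own base-image installers
        # (e.g. exported from a golden image). Placeholder, empty by default.
        [string[]]$KnownGoodHashes = @(),

        # Hypothetical deny-list: SHA-256 hashes of rogue components you have already
        # identified. Placeholder, not a Malwarebytes definition.
        [string[]]$KnownBadHashes = @()
    )

    # Only content that executes is a risk; data files in the folder are not.
    $executableExtensions = @('.exe', '.dll', '.scr', '.com', '.msi',
                              '.ps1', '.vbs', '.js', '.bat', '.cmd')

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "$Root does not exist; nothing to review."
        return
    }

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            $isExecutable = $executableExtensions -contains $file.Extension.ToLowerInvariant()

            # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Deny-list first, then allow-list, then the generic rules.
            $verdict =
                if ($KnownBadHashes -contains $hash)      { 'KNOWN-BAD: matches deny-list' }
                elseif ($KnownGoodHashes -contains $hash) { 'OK: matches golden-image hash' }
                elseif (-not $isExecutable)               { 'OK: not executable' }
                elseif ($sig.Status -eq 'Valid')          { 'OK: valid Authenticode signature' }
                else                                      { "REVIEW: executable, signature $($sig.Status)" }

            [PSCustomObject]@{
                Path      = $file.FullName
                SHA256    = $hash
                Signature = $sig.Status
                Signer    = $signer
                Verdict   = $verdict
            }
        }
}

# Usage: review everything, then list only what still needs a human decision.
$results = Test-InstallDirectoryContents -Root 'C:\Install'
$results | Format-Table Path, Signature, Verdict -AutoSize
$results | Where-Object { $_.Verdict -notlike 'OK*' } |
    Select-Object Path, SHA256, Signer, Verdict
```

Two caveats a practitioner would want. First, a valid Authenticode signature only says who signed the file, so read the Signer column rather than trusting the 'Valid' status on its own. Second, this is a triage aid, not a replacement for the scanner's def: if anything comes back KNOWN-BAD or REVIEW, the right move is to submit the sample rather than to Ignore the detection.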
