Jump to content

Possible FP


Malwareremover

Recommended Posts

I just upgraded to V 1.26 and ran a quick scan, it reported an empty folder C:\A as a trojan. I use this folder as a temporary working foilder when expanding windows files from the installation CD. I do delete all files when I am done working with them, any input on this is appreciated. I let it delete it on reboot just in case.

Here is the log.

Malwarebytes' Anti-Malware 1.26

Database version: 1112

Windows 6.0.6001 Service Pack 1

9/4/2008 8:38:34 AM

mbam-log-2008-09-04 (08-38-34).txt

Scan type: Quick Scan

Objects scanned: 40289

Time elapsed: 2 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\A (Trojan.Agent) -> Delete on reboot.

Link to post
Share on other sites

I just upgraded my MBAM to v 1.26 and ran a quick scan, after the quick scan was done and I closed MBAM, my Spybot tea time popped up asking to allow 2 different registry changes, which I denied, are these registry changes due to the new version of MBAM? This never occurred with the older version.

Denied (based on user decision) value "" (new data: ""%1" %*") changed in SCR Extension handler!

Denied (based on user decision) value "" (new data: "regedit.exe "%1" %*") changed in REG Extension handler!

I rebooted to let MBAM remove a empty folder it said was infected, see this post http://www.malwarebytes.org/forums/index.php?showtopic=6123

After reboot tea timer popped up again asking to change the same registry entries., which I denied again.

TIA.

Link to post
Share on other sites

I've merged your topics since they are all the same issue there is no need for two separate threads.

I just upgraded my MBAM to v 1.26 and ran a quick scan, after the quick scan was done and I closed MBAM, my Spybot tea time popped up asking to allow 2 different registry changes, which I denied, are these registry changes due to the new version of MBAM? This never occurred with the older version.

Denied (based on user decision) value "" (new data: ""%1" %*") changed in SCR Extension handler!

Denied (based on user decision) value "" (new data: "regedit.exe "%1" %*") changed in REG Extension handler!

I rebooted to let MBAM remove a empty folder it said was infected, see this post http://www.malwarebytes.org/forums/index.php?showtopic=6123

After reboot tea timer popped up again asking to change the same registry entries., which I denied again.

TIA.

Link to post
Share on other sites

Before this gets out of hand I'm putting a stop to it now .

Here is the deal , MBAM does not care that unusual customizations that some users make mimic those of malware and neither do I .

If it come down to protecting noobs or making geeks happy guess who wins .

If you know that you have something out of the ordinary and MBAM sees it you should be happy and white list it knowing that MBAM is not putting up with what could be malware activity .

Link to post
Share on other sites

Before this gets out of hand I'm putting a stop to it now .

Here is the deal , MBAM does not care that unusual customizations that some users make mimic those of malware and neither do I .

If it come down to protecting noobs or making geeks happy guess who wins .

If you know that you have something out of the ordinary and MBAM sees it you should be happy and white list it knowing that MBAM is not putting up with what could be malware activity .

How on earth is this getting out of hand?

Never said I had any unusual customizations, how does an empty folder named "A" mimic malware?

Sorry I ever posted here.

Delete my posts and membership. Please!

Link to post
Share on other sites

C:\a

This is not where any folder named that should be and yes , malware does do this .

We detect it because it has a malware history . Protection will also prevent malware from running from it , this cripples a complete malware family .

By out of hand I mean explaining why noobs get protection preference over expert annoyance .

I am sorry if I seemed harsh but we get a lot of experts with unusual configurations getting mad that thier oddly named folders in odd locations get flagged . If someone knows enough to see what has happened then they should just whitelist , the noobs that dont have a clue will still be protected .

Link to post
Share on other sites

Heck all I want you to do is answer my 2 questions as directly as possible, they are questions, not allegations. geez.

1. Any reason this new version said this empty directory is a trojan, when the previous version did not.

2. Do the registry changes have anything to do with MBAM.

Seems like a simple task to me. I am not looking for you to do anything about these issues other than give me straight forward answers if you can, if you cannot just say so.

Link to post
Share on other sites

@ Marcin, thanks for the answer. The key was that this was the first time it removed anything from this particular system, so that is why I never saw the tea timer pop up before when running MBAM.

@ Bruce, it was the version change from 1.25 to 1.26 that promted me to think it may have been a bug, sorry I posted it as FP, I was not sure where to post. I just read the bug fix for security providers, you have had alot on your hands lately, I do apologize if I got under anyones skin today.

Thanks again for your help.

Link to post
Share on other sites

In the past we also read about empty folders which are flagged as malware. Do you know if other security software also work like this? Why not just detect the infected files? ;)

I think Bruce answered that earlier in the thread, just in case you missed it.

"This is not where any folder named that should be and yes , malware does do this ."

"We detect it because it has a malware history . Protection will also prevent malware from running from it , this cripples a complete malware family ."

I suppose it boils down to what that empty folder is named, whether it is targeted as potential malware or not.

Link to post
Share on other sites

In the past we also read about empty folders which are flagged as malware. Do you know if other security software also work like this? Why not just detect the infected files? ;)

If a malware family uses a single install launching point then detecting that one point will cripple all installs .

This prevents new family members from being able to slip past protection .

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.