Possible FP

[Malwareremover]

I just upgraded to V 1.26 and ran a quick scan, it reported an empty folder C:\A as a trojan. I use this folder as a temporary working foilder when expanding windows files from the installation CD. I do delete all files when I am done working with them, any input on this is appreciated. I let it delete it on reboot just in case.

Here is the log.

Malwarebytes' Anti-Malware 1.26

Database version: 1112

Windows 6.0.6001 Service Pack 1

9/4/2008 8:38:34 AM

mbam-log-2008-09-04 (08-38-34).txt

Scan type: Quick Scan

Objects scanned: 40289

Time elapsed: 2 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\A (Trojan.Agent) -> Delete on reboot.

[Malwareremover]

I just upgraded my MBAM to v 1.26 and ran a quick scan, after the quick scan was done and I closed MBAM, my Spybot tea time popped up asking to allow 2 different registry changes, which I denied, are these registry changes due to the new version of MBAM? This never occurred with the older version.

Denied (based on user decision) value "" (new data: ""%1" %*") changed in SCR Extension handler!

Denied (based on user decision) value "" (new data: "regedit.exe "%1" %*") changed in REG Extension handler!

I rebooted to let MBAM remove a empty folder it said was infected, see this post http://www.malwarebytes.org/forums/index.php?showtopic=6123

After reboot tea timer popped up again asking to change the same registry entries., which I denied again.

TIA.

[nosirrah]

This is an obvious case where the expert should whitelist this folder .

The other option is to unprotect the noobs .

[JeanInMontana]

I've merged your topics since they are all the same issue there is no need for two separate threads.

I just upgraded my MBAM to v 1.26 and ran a quick scan, after the quick scan was done and I closed MBAM, my Spybot tea time popped up asking to allow 2 different registry changes, which I denied, are these registry changes due to the new version of MBAM? This never occurred with the older version.

Denied (based on user decision) value "" (new data: ""%1" %*") changed in SCR Extension handler!

Denied (based on user decision) value "" (new data: "regedit.exe "%1" %*") changed in REG Extension handler!

I rebooted to let MBAM remove a empty folder it said was infected, see this post http://www.malwarebytes.org/forums/index.php?showtopic=6123

After reboot tea timer popped up again asking to change the same registry entries., which I denied again.

TIA.

[Malwareremover]

This is an obvious case where the expert should whitelist this folder .

The other option is to unprotect the noobs .

So, why did MBAM target this directory? Whitelisting does not answer the original question, thanks for your expert help.

[Malwareremover]

I've merged your topics since they are all the same issue there is no need for two separate threads.

Not sure it is the same issue.

1. Why did it target an empty folder as a trojan?

2. Are the registry entries being changed even related to MBAM?

[nosirrah]

Before this gets out of hand I'm putting a stop to it now .

Here is the deal , MBAM does not care that unusual customizations that some users make mimic those of malware and neither do I .

If it come down to protecting noobs or making geeks happy guess who wins .

If you know that you have something out of the ordinary and MBAM sees it you should be happy and white list it knowing that MBAM is not putting up with what could be malware activity .

[Malwareremover]

Before this gets out of hand I'm putting a stop to it now .

Here is the deal , MBAM does not care that unusual customizations that some users make mimic those of malware and neither do I .

If it come down to protecting noobs or making geeks happy guess who wins .

If you know that you have something out of the ordinary and MBAM sees it you should be happy and white list it knowing that MBAM is not putting up with what could be malware activity .

How on earth is this getting out of hand?

Never said I had any unusual customizations, how does an empty folder named "A" mimic malware?

Sorry I ever posted here.

Delete my posts and membership. Please!

[nosirrah]

C:\a

This is not where any folder named that should be and yes , malware does do this .

We detect it because it has a malware history . Protection will also prevent malware from running from it , this cripples a complete malware family .

By out of hand I mean explaining why noobs get protection preference over expert annoyance .

I am sorry if I seemed harsh but we get a lot of experts with unusual configurations getting mad that thier oddly named folders in odd locations get flagged . If someone knows enough to see what has happened then they should just whitelist , the noobs that dont have a clue will still be protected .

[nosirrah]

Think of it this way , what would the back hats want me to do here ? Would they want me to keep the detection or remove it along with all other heuristics of this nature ?

[Malwareremover]

Heck all I want you to do is answer my 2 questions as directly as possible, they are questions, not allegations. geez.

1. Any reason this new version said this empty directory is a trojan, when the previous version did not.

2. Do the registry changes have anything to do with MBAM.

Seems like a simple task to me. I am not looking for you to do anything about these issues other than give me straight forward answers if you can, if you cannot just say so.

[nosirrah]

1. updates happen frequestly with MBAM , usual more than 2 a day , likely coincidence .

2. I am asking Marcin , its app side and not my gig

[RubbeR DuckY]

Hey there,

Everytime you remove something Malwarebytes' Anti-Malware attempts to fix certain registry values. This is one of those cases. It notices the registry values are not default and attempts to fix them.

[Malwareremover]

@ Marcin, thanks for the answer. The key was that this was the first time it removed anything from this particular system, so that is why I never saw the tea timer pop up before when running MBAM.

@ Bruce, it was the version change from 1.25 to 1.26 that promted me to think it may have been a bug, sorry I posted it as FP, I was not sure where to post. I just read the bug fix for security providers, you have had alot on your hands lately, I do apologize if I got under anyones skin today.

Thanks again for your help.

[elero]

In the past we also read about empty folders which are flagged as malware. Do you know if other security software also work like this? Why not just detect the infected files?

[Malwareremover]

In the past we also read about empty folders which are flagged as malware. Do you know if other security software also work like this? Why not just detect the infected files?

I think Bruce answered that earlier in the thread, just in case you missed it.

"This is not where any folder named that should be and yes , malware does do this ."

"We detect it because it has a malware history . Protection will also prevent malware from running from it , this cripples a complete malware family ."

I suppose it boils down to what that empty folder is named, whether it is targeted as potential malware or not.

[nosirrah]

In the past we also read about empty folders which are flagged as malware. Do you know if other security software also work like this? Why not just detect the infected files?

If a malware family uses a single install launching point then detecting that one point will cripple all installs .

This prevents new family members from being able to slip past protection .

[elero]

I see, thank you for that information