Jump to content

Possible false positive with v1.45 and 5231 defs


dougatwork
 Share

Recommended Posts

We have had a few users today call our Help Desk saying that Malwarebytes Anti-Malware had detected some legit files (McAfee, Quicktime, and a few others - see the log) as "=Backdoor.Bot" infections. These files are definitely not infected, but Malwarebytes says they are.

The common factor seems to be the computers are running Malwarebytes Anti-Malware v1.45, but have definitions of at least 5231. I thought that older versions of the app could not use newer definitions, so I'm not sure how this happened.

Also, one of the users said her computer is scheduled to update Malwarebytes' daily, and has been updating the definitions, but has not been updating the application.

It appears there is/was an issue with the 5231 definitions and the 1.45 application that is causing it to produce these false positives.

I'm having the users upgrade to v1.50 of the client, and see if that resolves this false positive issue.

mbam_log_2010_12_02__12_37_26_.txt

Link to post
Share on other sites

Ah, sorry I missed those instructions.

Two of the users have since upgraded to 1.50 and have gone through a quick scan and are no longer seeing the 'infection'. The third is running the scan with the /developer flag and is still seeing the infection, so we'll get that log soon. I also launched a VirtualPC with Windows XP, McAfee VirusScan 8.7, and Malwarebytes v1.45 with 5234 definitions. I did a Flash Scan and it detected four VirusScan files are false positives.

I have attached the mbam log file while in /developer, the mbam-info file from the Tools tab, and the two files listed as infected, which are part of VirusScan and are not infected with anything. The VirtualPC this was done on is also not infected as it's just Windows XP, VirusScan, Clean Access, and Malwarebytes.

Most of the campus is on v1.46, so we are only seeing this with a few users who haven't upgraded.

mbam_fp.zip

Link to post
Share on other sites

And here's the one from the other person's computer. Lots of files come up as 'infected' but they're not really infected.

Since she's a Director in IS, I had her upgrade to the latest version of Malwarebytes so she can get back to work. I still have the VirtualPC with 1.45 and this issue, so I can still troubleshoot using that.

mbam_log_2010_12_02__15_03_17_.zip

Link to post
Share on other sites

Awesome! Thanks for the fast resolution.

I've just been informed we do have one computer where a user did remove the files. If the computer can no longer boot due to the missing files, is there a way to get the files from wherever the Malwarebytes' Anti-Malware quarantine is located? We can boot off other devices (USB or CD) to get to the hard drive.

Link to post
Share on other sites

  • Staff

Unfortunately the best way to do this is the following steps.

1. Run a windows xp repair install.

2. After repair install is completed run Malwarebytes and restore the files from inside of malwarebytes.

3. Re run any windows updates as necessary.

Note: Because of the registry keys removed and the way malwarebytes stores quarintined files you must restore them from inside of malwarebytes.

Link to post
Share on other sites

It's a relief to discover that there have been some recent false positive incidents that seem similar to mine... but did anyone else get 775 supposedly infected objects with a scan, LOL? The Norton that I received from Comcast (for "free") detected nothing, and now I've updated malwarebytes and started another scan--no objects detected so far, and it's well over halfway done. I've been using malwarebytes, free version, for a couple of years now--this is the first time I've had false positives. I knew it would inevitably happen, but 775 is a staggering number... did something like this happen with anybody else?

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.