
False Positives (on "RAM idle" .EXEs)


TheGeekinator


Rec'd false positives on two files. Submitted both to VirusTotal.com. They both scan clean there:

1. File "C:\Program Files\`Utilities\RAM Idle\RAM_98.exe" received on 10.22.2008 19:46:31 (CET)

2. File "C:\Program Files\`Utilities\RAM Idle\RAM_ME.exe" received on 10.22.2008 19:53:46 (CET)

Also scanned both files with "a-Squared" and "Ad-Aware 2008 Pro" (latest updated signatures) ... clean also.

----------------------------------------------

Malwarebytes' Anti-Malware Scan Log:

----------------------------------------------

Scan type: Full Scan (C:\|D:\|E:\|G:\|H:\|M:\|)

Objects scanned: 281607

Time elapsed: 6 hour(s), 36 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\`Utilities\RAM Idle\RAM_98.exe (Trojan.FakeAlert) -> No action taken.

C:\Program Files\`Utilities\RAM Idle\RAM_ME.exe (Trojan.FakeAlert) -> No action taken.

-----------------------------------------------------------------------------------------------------

I am aware you request a </developer> parameter switch scan log. But after cursory review of this forum, it appears the only additional info contained in it vs the above standard log is file hash checksum elements. If I'm mistaken, please let me know and I'll comply. I just didn't want to subject myself/system to another redundant several-hour-long scan if not necessary [as the VirusTotal links above provide multiple hash checksums (MD5, SHA*)] ... unless perhaps there's an undocumented switch that allows narrowing the scan to other than "/quickscan" or "/fullscan"?

Thanks in advance.

"Today's the best day of my life...and NOW you're part of it!"

Craig, Puget Sound, Washington USA


I am aware you request a </developer> parameter switch scan log. But after cursory review of this forum, it appears the only additional info contained in it vs the above standard log is file hash checksum elements.

This is incorrect and we do need the developers log.

It would also help if you could zip and attach a copy of the files to your next post.


I just didn't want to subject myself/system to another redundant several-hour-long scan

Why not check the options and see that the right-click context-menu scanning is enabled? Then only scan the location(s) needed :) That way you can start the app in dev mode and quickly scan the suspect locations


Why not check the options and see that the right-click context-menu scanning is enabled? Then only scan the location(s) needed :) That way you can start the app in dev mode and quickly scan the suspect locations

To lordpake (and all):

Thanks so much for your suggestion. At first I tried it verbatim in the hopes there was going to be a way to direct MBAM's context-menu initiated GUI to perform a developer scan. But just as when directly launching, no joy. Also tried first launching a developer GUI, then via context-menu, but alas, encountered error dialog "Malwarebytes' Anti-Malware is already running". But then gave it a try via CLI including the target directory using this format:

"%PROGRAMFILES%\Malwarebytes Anti-Malware\mbam.exe" "%PROGRAMFILES%\`Utilities\RAM Idle" /developer

...Success!

Q: Is there also a way to perform a developer scan on a target directory via context-menu as you describe? If so, please advise.

To nosirrah (and all):

Thanks for the email I received by "Marcin Kleczynski" on 10/26/2008 stating "Thanks, I hope to get this resolved by tomorrow".

At the time of my original post, I'd only been using MBAM since earlier that day, and was in the process of writing a batch script (my usual preference whenever CLI is available). Therefore, at that time I didn't realize there was a volume-level choice when performing a full scan via MBAM's GUI. And now, I'm even more gratified to see that I can include any desired target path in the CLI. I didn't initially attempt this because the help section didn't include that as an option.

Q: Are there ANY other undocumented switches/options available?

I'm sorry for only now providing the developer log. I was simply OBE (overcome by events). Also, these particular files have no importance to me since they are merely the Win98 and Me versions of the app installed by default. The subject system is WinXP, so pretty low priority to me.

I have attached the subject files (password: falsepositive). Also curious why .RAR files are "not allowed" to be uploaded (per error message stating so)?

Thanks to all for your time and efforts.

DEVELOPER LOG:

Malwarebytes' Anti-Malware 1.30

Database version: 1338

Windows 5.1.2600 Service Pack 3

10/29/2008 11:42:22 PM

mbam-log-2008-10-29 (23-42-19).txt

Scan type: Quick Scan

Objects scanned: 10

Time elapsed: 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\`utilities\RAM Idle\RAM_98.exe (Trojan.FakeAlert) -> No action taken.

c:\program files\`utilities\RAM Idle\RAM_ME.exe (Trojan.FakeAlert) -> No action taken.

_RAM_Idle__False_Positive_Files.zip
