False positive - dkdm.exe

Matthew Bragg

This dkdm.exe file is being misidentified as containing a Trojan. It is part of a system that is in beta testing at present. It manages the download of maintenance updates.

Here is the log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4816

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/15/2010 9:24:19 PM

mbam-log-2010-12-15 (21-24-19).txt

Scan type: Full scan (C:\|)

Objects scanned: 355329

Time elapsed: 2 hour(s), 29 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\dkdm.exe (Trojan.Agent) -> Quarantined and deleted successfully.

dkdm.zip

C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\ <- this is a root folder designed to store the system folders that house TIFs and nothing else. We do not let you get away with much there, nor in other root locations not designed for storage/installations. The reason for this is that malware exploits these out-of-the-way and often illegal-to-access locations to avoid user interference.

This will not be delisted and I do recommend using a standard location to execute this software from.

This file attracts a lot of attention from anti-malware programs. Without it my users are totally stuck, as without it they can't get maintenance updates.

My solution was to have a copy of it in an encrypted form, and for my main exe file to regenerate it just before it gets used. So the folder that it is run in has to be one that the main exe has create rights over. This limits the possibilities somewhat: for example anything inside Program Files can't be used. What about one of the following possibilities:

1. The current user's Temporary Internet Files folder plus a subfolder with the name of my application?

2. The Application Data folder for my application?

3. If neither of the above are acceptable, any other possibilities?

Thanks for your help

Matthew

:)

  • Staff

Some tips:

1. The files you sent would not be detected if they were somewhere else.

2. When you scanned, you scanned with an old version of the software and a database that was over 500 versions old.

3. Maybe you would like to pm the normal executable and not the encrypted version so we can advise on some changes to make it more legit to malware scanners.

The Application Data folder <- this would be a better choice but it should be a sub-folder where the name is searchable to your software.

%APPDATA%\company name\software.exe

This is still not optimal and you should look into what you would need to do to use the standard install procedure.


Thanks for the reply Shadowwar.

I will advise the beta tester that she needs to update your program.

Please explain what "pm" means in point 3? I sent the normal executable in for your analysis but you are welcome to the encrypted version if you need.

My software already uses a folder called %APPDATA%\product name\. Would that be just as suitable from your point of view for this dkdm.exe to be created in?

Thanks

Matthew

  • Staff

PM=Private Message. You can click on our name at left and send a private message and attach the exe file if you do not want it public.

The version you sent was the encrypted version and not a true executable file. It actually does not detect at all here, only if it was in the Temporary Internet Files folder, due to the illegal location.


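As an added example (not from this thread, and not Malwarebytes' own code or rules), a small Python script that parses the "Files Infected" line format of the log quoted above and labels the folder each detected executable was running from, following the staff replies: a file sitting directly in a transient root such as Temporary Internet Files versus a vendor sub-folder under Application Data or a normal install location. The folder lists and the sample log line are my assumptions, constructed for the example.

```python
import ntpath
import re

# Constructed sample in the format of the Malwarebytes log quoted in this thread.
SAMPLE_LOG = """Files Infected:
C:\\Documents and Settings\\Karen\\Local Settings\\Temporary Internet Files\\dkdm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "<path> (<detection name>) -> <action>", as the log prints each detected file.
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")

# Assumed list (not Malwarebytes' real rules) of the "root locations not designed
# for storage/installations" from the staff reply, plus their Vista+ equivalents.
TRANSIENT_ROOTS = (
    r"local settings\temporary internet files",
    r"local settings\temp",
    r"appdata\local\microsoft\windows\temporary internet files",
    r"appdata\local\temp",
)
# Assumed acceptable homes: %APPDATA%\company name\software.exe or a normal install.
ACCEPTED_PATTERNS = (
    r"\\application data\\[^\\]+\\",        # XP-era %APPDATA%\vendor\
    r"\\appdata\\roaming\\[^\\]+\\",         # Vista+ %APPDATA%\vendor\
    r"\\program files( \(x86\))?\\[^\\]+\\",  # standard install folder
)

def classify_location(path):
    """Label where an executable lives: 'transient-root' (directly in a temp/TIF
    root), 'transient-subfolder', 'vendor-subfolder' or 'other'."""
    lowered = path.lower()
    folder = ntpath.dirname(lowered)
    for root in TRANSIENT_ROOTS:
        if root in folder:
            return "transient-root" if folder.endswith(root) else "transient-subfolder"
    if any(re.search(pattern, lowered) for pattern in ACCEPTED_PATTERNS):
        return "vendor-subfolder"
    return "other"

def parse_detections(log_text):
    """Return one dict (path, name, action, location) per detected file in the log."""
    found = []
    for line in log_text.splitlines():
        match = DETECTION_RE.match(line.strip())
        if match:
            record = match.groupdict()
            record["location"] = classify_location(record["path"])
            found.append(record)
    return found
```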