Topic: ===> False Positives <===

Curson (Global Moderator)
« Reply #210 on: February 08, 2017, 09:47:30 PM »
Hi counselorgene,

You are welcome.
Thanks for the kind words.

Regards.

EmilioFr (Newbie)
« Reply #211 on: February 16, 2017, 11:29:16 AM »
Hello,
First, thanks for all your great job!
I just inform you that I think there is a new "False Positive"
with the last new version of "Malwarebytes Antimalwares 3.06"...
Today, after different updates & changes of software,
including the installation of the new Malwarebytes 3.06, I wanted to do a RogueKiller scan control,
and to my surprise, the only detection in red is the process service "MBAMservices.exe" of Malwarebytes 3:
(*** [Tr.Zeus] MBAMService.exe(2224) -- C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe -> Trouvé(e) *)

For me it is the first time, because I have used Malwarebytes, RogueKiller and Bitdefender for some years now.
I read the *Remove "Zeus"* guide on the web page that opens after the scan,
which says not to consider this detection if it concerns our "Antivirus".
Apparently, this now includes the "Antimalware" softwares too,
including the most complete one, which analyses systems with real-time detection
and fights threats, such as Malwarebytes 3...
So, for the record, if it is not already reported, please find attached
the *.txt report of RogueKiller indicating this "false positive" (in my opinion).
Thanks for everything, and let me know if this is really a "false positive"
or if I have to take measures against it, with the risk of damaging
"Malwarebyte 3" as well as my system...
I wish a good day to all...
Kind regards.
EmilioFr (from France)
« Last Edit: February 16, 2017, 12:11:10 PM by EmilioFr »

EmilioFr (Newbie)
« Reply #212 on: February 16, 2017, 12:09:05 PM »
Hello...
"Re" for the "Zeus False Positive" (???)
of "MBAMservices.exe" (process) from Malwarebytes 3.06 Premium...
I send you the report in JSON format too...

Thanks for your answers...
EmilioFr.

Curson (Global Moderator)
« Reply #213 on: February 16, 2017, 06:48:17 PM »
Hi Emilio,

You are using an outdated version of RogueKiller (12.1.2.0).
Could you please update it to the latest version and check if this false positive is still present?

Regards.

EmilioFr (Newbie)
« Reply #214 on: February 19, 2017, 03:17:51 PM »
Hello...
Thanks for the answer...
When I do the scan, I try to update RogueKiller before, but the message tells me that I have the last update (?)...
I'm going to try again and see if it's the same with this false positive... I'll tell you after...
I haven't the Premium now, because no money at this time...
And no money for the moment to buy a "Lifetime" or "Technician" license...
I'm waiting to buy another Premium licence...

EmilioFr (Newbie)
« Reply #215 on: February 19, 2017, 06:49:28 PM »
Hi Emilio,

You are using an outdated version of RogueKiller (12.1.2.0).
Could you please update it to latest version and check if this false positive is still present ?

Regards.

Re: Hello... (France - 19.02.2017)
After updating RogueKiller (to 12.9.7.0) there is no more "False Positive" for "Malwarebytes"
and "MBAMservices.exe"!
Thanks, and a very great job by the staff & developers!

It just found the usual changes to my homepage on Firefox,
because I use the page and the Ixquick.com search engine...
For the rest, at the "Proxy" level, I think it's for the same reasons,
and I do believe that it is not so very "dangerous" (in my opinion)...?
Please take a look at the JSON report attached, which I join just in case,
and at the "Browsers" part... (Thanks)

Thanks to you for the answer & help too!
Kind regards...

EmilioFr.

Jatune (Newbie)
« Reply #216 on: February 20, 2017, 11:01:27 AM »
Hello, I have RK version 12.9.7.0 and it has found a threat in "mbamservice.exe". Is it a FP, or am I really infected? This is exactly what it says:
[Adw.Elex|PUP.Divcom] mbamservice.exe(1788) -- C:\Programas Instalados\Malwarebytes Anti-Malware\mbamservice.exe[7] -> Encontrado

I have Malwarebytes, but not v3; the 2.2.1.1043. I attach the report.
Both PUM.DNS are changes made by me. There are some Suspicious ones: the two "mfe_rr.sys" are the antirootkit from McAfee (I think; I used it), and the two "HWiNFO64A" I think are from the HWInfo32 program to watch temperature sensors and voltages. "esihdrv" I'm not sure, but I think it can be the Eset SysInspector, and "ALSysIO" I don't have any idea what it can be... I'm writing all this just to see if it helps you.

Really infected or just a False Positive?

Curson (Global Moderator)
« Reply #217 on: February 20, 2017, 04:07:07 PM »
Hi Emilio,

I'm glad the issue is now solved.
Yes, these detections are PUMs, and in your case, they are perfectly legit.

Regards.

Curson (Global Moderator)
« Reply #218 on: February 20, 2017, 04:20:09 PM »
Hi Jatune,

Welcome to Adlice.com forum.
Your computer is indeed not infected. These are all false positives.

RogueKiller is detecting the Malwarebytes malware database. This issue has been fixed when MBAM is installed in the standard location.

ALSysIO belongs to Core Temp, and esihdrv indeed belongs to Eset SysInspector.
Currently, every process or system driver is detected as [Suspicious.Path] when located in temporary Windows folders. We hope to improve this in future versions of RogueKiller.

Regards.
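As an added example (not RogueKiller's or Adlice's own code), the following Python snippet parses the "[Tag] ... -> Verdict" detection lines quoted in this thread and labels each one according to the two rules of thumb Curson gives above: a [Suspicious.Path] hit on a binary in a temporary folder is a location-only heuristic, and a hit inside a security product's own install directory is most likely a signature-database conflict. The SECURITY_PRODUCT_DIRS and TEMP_DIRS lists are assumptions of mine, not anything RogueKiller publishes.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the line format RogueKiller prints: the first three
# lines are quoted from logs posted in this thread, the fourth is the Zeus
# hit reported on the Malwarebytes service (localised verdict word kept).
SAMPLE_LOG = """\
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\LicCtrlService (C:\\WINDOWS\\runservice.exe) -> Found
[File.Forged][File] C:\\Windows\\System32\\drivers\\dumpfve.sys -> Found
[Adw.Elex|PUP.Divcom] mbamservice.exe(1788) -- C:\\Programas Instalados\\Malwarebytes Anti-Malware\\mbamservice.exe[7] -> Encontrado
[Tr.Zeus] MBAMService.exe(2224) -- C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe -> Trouvé(e)
"""

# One "[Tag] ... -> Verdict" line; the verdict word depends on the UI language.
LINE_RE = re.compile(r"^\[(?P<tag>[^\]]+)\](?P<body>.*?)\s*->\s*(?P<verdict>.+?)\s*$")
# A Windows path inside the body; it ends at a bracket or parenthesis.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\[\]()]+")

# Assumed lists (not from RogueKiller): install directories of security products
# whose own databases collide with scanner signatures, and temporary folders.
SECURITY_PRODUCT_DIRS = ("\\malwarebytes", "\\eset", "\\mcafee", "\\bitdefender")
TEMP_DIRS = ("\\temp\\", "\\tmp\\")

class Detection(NamedTuple):
    tag: str
    path: Optional[str]
    verdict: str
    triage: str

def triage(tag: str, path: Optional[str]) -> str:
    """Apply the rules of thumb the moderator gives in this thread."""
    low = (path or "").lower()
    if tag.startswith("Suspicious.Path") and any(t in low for t in TEMP_DIRS):
        return "location heuristic: executable in a temporary folder, not a malware match"
    if any(d in low for d in SECURITY_PRODUCT_DIRS):
        return "likely signature-database conflict with a security product; verify before acting"
    return "needs manual review"

def parse_log(text: str) -> list[Detection]:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, MBR dump, etc.
        tag = m.group("tag").split("|")[0]  # "Adw.Elex|PUP.Divcom" -> first tag
        p = PATH_RE.search(m.group("body"))
        path = p.group(0).strip() if p else None
        out.append(Detection(tag, path, m.group("verdict"), triage(tag, path)))
    return out
```

Anything labelled "needs manual review" (such as the forged dumpfve.sys entry) is exactly the kind of hit the moderators ask for the JSON log on, so the parser is a triage aid, not a verdict.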

tiberious35 (Newbie)
« Reply #219 on: February 20, 2017, 11:52:05 PM »
Hello, first time posting. My RogueKiller is detecting the dumpfve.sys file as being forged. Is this a false positive? It has been detecting it for some time this way and I've been afraid to touch it.

Log:
RogueKiller V12.9.7.0 (x64) [Feb  6 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : JR [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/19/2017 19:29:44 (Duration : 00:19:26)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 1 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicCtrlService (C:\WINDOWS\runservice.exe) -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] C:\Windows\System32\drivers\dumpfve.sys -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SK hynix SC210 2.5 7MM 128GB +++++
--- User ---
[MBR] 5b0b88d9030834f364e05f4d548da2a4
[BSP] 7a9f7d067d6e128e5215d64e37548ed4 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1026048 | Size: 40 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1107968 | Size: 128 MB
3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1370112 | Size: 750 MB
4 - Basic data partition | Offset (sectors): 2906112 | Size: 111920 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 232118272 | Size: 450 MB
6 - [SYSTEM][MAN-MOUNT] Microsoft recovery partition | Offset (sectors): 233039872 | Size: 8314 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: TOSHIBA DT01ACA200 +++++
--- User ---
[MBR] 39e68f425841dc2464a3fec004ee98d5
[BSP] 45e6b52d9dc562e8c2278eddeaa9d81e : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2048 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 1907600 MB
User = LL1 ... OK
User = LL2 ... OK


EmilioFr (Newbie)
« Reply #220 on: February 21, 2017, 03:08:35 PM »
Hi Emilio,

I'm glad the issue is now solved.
Yes, these detections are PUMs, and in your case, they are perfectly legit.

Regards.

Hi & thanks Curson, and me too...
But for me, with the old version of RogueKiller (12.1.2.0), it was detected
not as a "PUM" in grey or other,
but as a "ZEUS" malware, in red...

OK, no problem, and the new version runs very well,
& nothing more with the "False Positive"...

Best regards... Maybe at a next time...
EmilioFr.

Curson (Global Moderator)
« Reply #221 on: February 22, 2017, 01:17:15 PM »
Hi tiberious35,

Welcome to Adlice.com forum.
Could you please attach the corresponding JSON log with your next reply?

Regards.

Curson (Global Moderator)
« Reply #222 on: February 22, 2017, 01:19:41 PM »
Hi EmilioFr,

That's normal, it was a false positive.
To be more precise, the [Tr.Zeus] detection was not a PUP but a conflict with the Malwarebytes signature database.

Regards.

tiberious35 (Newbie)
« Reply #223 on: February 23, 2017, 04:36:42 AM »
here ya go,

Curson (Global Moderator)
« Reply #224 on: February 23, 2017, 05:02:05 PM »
Hi tiberious35,

Thanks for your feedback. Your computer is not infected.
It seems to be a bug on our end.

Regards.