
HKLM\SOFTWARE\Microsoft\Security Center| false/positive?

Tags: false positives, PUM

5 replies to this topic

#1 Margaret222 (New Member, 2 posts)

Posted 12 February 2012 - 04:17 PM

My computer is Windows XP, and I use McAfee Internet Security. I downloaded the free version of Malwarebytes Anti-Malware to see if some kind of bug had slipped by. At that time I was having problems with third party ads from possibly malicious sites popping up on the PCH game site. One of the suggestions from Microsoft Answers forum was to download Malwarebytes and SUPERAntiSpyware since McAfee scan showed nothing.

I ran the SUPER... first, and I was a little confused about the findings and how to remove two quarantined items from the computer. It appears that one was left for Malwarebytes to remove. It did, because the only quarantined item on a second SUPER... scan was: Trojan.Agent/Gen-Fake Alert C:\TEMP\MALWAREBYTES' ANTI-MALWARE\CHAMELEON\WINLOGON.EXE

Because the PCH pop-ups still continued, I did a safe mode System Restore back to the end of December -- about three weeks before the PCH problem began. Step two was to bring McAfee and Microsoft updates up to date. Step three was to again download the free Malwarebytes. The scan log results indicated the same two problems mentioned above. Item one detected: Registry Data Item HKLM\SOFTWARE\Microsoft\Security Center|AntivirusDisableNotify (PUM.Disabled.Security) and an arrow pointing to Bad (1) Good (0) -- Quarantined and repaired successfully. Item two detected has the same description except for: FirewallDisableNotify.

Since McAfee is providing Firewall and Virus Protection, I feel the above items that were quarantined may be false positive detections. Is this correct? If correct, does their removal affect Microsoft Security Center's ability to advise when McAfee Internet Security is not providing Firewall and Virus Protection? If the answer to this is yes or you don't know, I can always run another System Restore to put the quarantined items back in the Registry Data. Please provide answers to the two questions.

Because I am not a person who needs to know how computers work, this whole discovery process has been frustrating. I did read the info on False Positives and PUMs and still am in a quandary. I also read the info on Malwarebytes Chameleon and wonder if this is why the SUPER... scan indicated the trojan in Malwarebytes. Maybe this was a false positive!

#2 shadowwar (Forum Deity, Moderator, 5,222 posts)

Posted 12 February 2012 - 07:10 PM

[Quoting Margaret222's post #1 above]

If McAfee was successfully registered in the Security Center then these would never have been detected as such by Malwarebytes. This detection means that either McAfee is damaged and not reporting to Windows properly, or some malware disabled the security monitoring of the Security Center, and what Malwarebytes is detecting is that it's disabled.

The SUPERAntiSpyware detection is a false positive on their part, detecting the out-of-place name of winlogon.exe in the Chameleon folder. If you notice, there are other files there of the same size and fingerprint that aren't detected.

Cheers.
Rich Matteo
Research Engineer


Follow us: Twitter, Become a fan: Facebook

#3 exile360 (Administrator, 16,011 posts)

Posted 13 February 2012 - 12:41 PM

McAfee disables Windows Security Center's monitoring/notifications since it includes its own self-monitoring software. Several AV's do this, including Norton and McAfee, so that users do not receive duplicate alerts from both their own monitoring tool as well as Windows Security Center.

That being the case, you may have Malwarebytes Anti-Malware ignore these particular detections.
Samuel E Lindsey
Product Manager

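The check behind shadowwar's and exile360's answers, written out as an added PowerShell example that is not from this thread, from Malwarebytes or from McAfee: it reads the *DisableNotify values that Malwarebytes flagged under HKLM\SOFTWARE\Microsoft\Security Center (1 = notifications suppressed, the "Bad" side of the log entry; 0 = "Good") and then asks Windows Security Center, through its WMI namespaces, which antivirus and firewall products are actually registered. A suppressed flag next to a registered suite is the deliberate behaviour exile360 describes; a suppressed flag with nothing registered is the damaged-or-tampered case shadowwar raises. The registry path, value names, WMI namespaces and class names are real; the triage wording and the decision rule are this example's own assumptions. Run it from an elevated PowerShell prompt (PowerShell 2.0 or later, so XP SP3 onwards).

```powershell
# Added example, not code from the thread or from Malwarebytes/McAfee.
# Reads the Security Center notification flags and checks whether any
# AV/firewall product is registered with Security Center.

$key   = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$flags = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

# 1 = notifications suppressed ("Bad" in the Malwarebytes log), 0 = normal ("Good").
$props      = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$suppressed = @()
foreach ($name in $flags) {
    $value = $props.$name
    if ($value -eq $null) { $value = 0 }        # absent value = default (0)
    "{0,-24} = {1}" -f $name, $value
    if ($value -ne 0) { $suppressed += $name }
}

# Products register themselves through WMI: root\SecurityCenter on XP,
# root\SecurityCenter2 on Vista and later. Query whichever namespaces exist;
# a missing namespace just yields no objects.
$registered = @()
foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
        foreach ($p in $items) {
            $registered += ("{0}: {1} [{2}]" -f $class, $p.displayName, $ns)
        }
    }
}

if ($registered.Count -eq 0) { 'No AV/firewall product is registered with Security Center.' }
else { $registered }

# Triage rule (this example's assumption): suppression is only plausible as
# deliberate if a third-party product is registered to take over monitoring.
if ($suppressed.Count -gt 0 -and $registered.Count -eq 0) {
    Write-Warning ("Notifications suppressed ({0}) but no product is registered: " +
                   "the suite is not reporting to Windows, or something else cleared monitoring." -f ($suppressed -join ', '))
} elseif ($suppressed.Count -gt 0) {
    "Notifications suppressed ({0}); a registered product may be doing this on purpose to avoid duplicate alerts." -f ($suppressed -join ', ')
} else {
    'Security Center notifications are enabled.'
}
```

The point of reading both sources is that the registry flags alone cannot tell the two cases apart; Malwarebytes reports the flag because it only sees the registry, and a registered product in the WMI namespace is what turns "Bad (1)" into an expected configuration rather than a tampering indicator.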

#4 Margaret222 (New Member, 2 posts)

Posted 13 February 2012 - 09:51 PM

The two responses to my main question are interesting. The first indicates that McAfee may be malfunctioning. The second indicates that McAfee may disable Security Center alerts, because they are not needed. The second response makes sense to me. I will pursue this issue further on a McAfee forum.

The Chameleon answer is beneficial in that I don't have to worry about an actual chameleon infection being downloaded within Malwarebytes. Considering what a chameleon can do to a computer, I question the wisdom of using the word "Chameleon" for a new technology, especially due to the fact that it triggered a false positive in another brand of anti-virus software. Perhaps the reason it was used was because it hunts for chameleons. My cats hunt for lizards; however, I wouldn't call this process cats or lizards. It is a hunt or detection. I'd name the technology Sherlock. This last part is sort of silliness. I've been searching too long for answers to the computer intrusion issue and need some kind of release for my frustration.

#5 shadowwar (Forum Deity, Moderator, 5,222 posts)

Posted 13 February 2012 - 10:17 PM

I was not aware of this and the answer from exile360 should be what is happening. Sorry if I led you down the wrong path. So much for McAfee following Microsoft best practices.

Cheers.
Rich Matteo
Research Engineer


#6 exile360 (Administrator, 16,011 posts)

Posted 13 February 2012 - 11:18 PM

[Quoting Margaret222's post #4 above]

I'm not aware of any infections/infection classifications called 'chameleons', and the most likely reason that file was detected by your antivirus was the name of the file itself, winlogon.exe. Winlogon.exe is also the name of a critical operating system file, and it is a name sometimes used by infections to make a malicious process look less suspicious. With Chameleon, a tool designed to get Malwarebytes Anti-Malware up and running when an infection is blocking it, we use such names deliberately: many infections block most processes by name but exclude certain required operating system files, so we chose that name, and others like svchost, so that Chameleon can bypass those infections and run without being terminated by them.
Samuel E Lindsey
Product Manager

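A triage for the other false positive in this thread, the Chameleon copy of winlogon.exe, as an added PowerShell example that is not part of the thread or of Malwarebytes: it lists running processes whose image name matches a core Windows binary but which are executing from somewhere other than that binary's expected directory, and reports each one's Authenticode signature status and signer. That is the same heuristic SUPERAntiSpyware tripped on (a system-file name in a non-system folder), with the path and signature added so a person can tell a vendor's helper from an impostor. The name list and the expected-directory table are this example's assumptions, not a complete inventory of Windows system processes. Run it elevated so the image path of every process can be read.

```powershell
# Added example, not code from the thread or from Malwarebytes.
# Flags processes named like core Windows binaries that run from an
# unexpected directory, and shows their Authenticode signature.

$systemNames = 'winlogon.exe', 'svchost.exe', 'csrss.exe', 'lsass.exe',
               'services.exe', 'smss.exe', 'explorer.exe'

# Assumed legitimate locations: System32 (and SysWOW64 on 64-bit Windows,
# where 32-bit svchost instances also live); explorer.exe sits in %SystemRoot%.
$okDirs = @((Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'SysWOW64'))
$expectedDirs = @{ 'explorer.exe' = @($env:SystemRoot) }

$findings = foreach ($proc in Get-Process) {
    $image = $proc.Name + '.exe'
    if ($systemNames -notcontains $image) { continue }

    # Protected processes refuse MainModule access without privileges; skip them.
    try { $path = $proc.MainModule.FileName } catch { continue }
    if (-not $path) { continue }

    $allowed = $expectedDirs[$image]
    if (-not $allowed) { $allowed = $okDirs }
    $dir = Split-Path $path -Parent
    if ($allowed -contains $dir) { continue }      # -contains is case-insensitive

    # Signature status alone separates "Valid"/"NotSigned"; the subject says who signed.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        Pid = $proc.Id; Image = $image; Path = $path
        Signature = $sig.Status; Signer = $signer
    }
}

if ($findings) { $findings | Format-Table Pid, Image, Signature, Signer, Path -AutoSize }
else { 'No system-named processes are running outside their expected directory.' }
```

A Chameleon launcher running as winlogon.exe out of %TEMP% would appear here with a valid Malwarebytes signature, which is the quick way to confirm exile360's explanation; the same name with NotSigned or an unknown signer is the case that actually warrants investigation.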