False Positive with beta only?


18 replies to this topic

#1 wijllie

wijllie

    Advanced Member

  • Honorary Members
  • 184 posts
  • Gender:Male
  • Location:Belgium

Posted 20 November 2010 - 03:05 AM

Before I upgraded to 1.50 beta this morning I ran a Full scan with the latest
database on my computer - no infections found.

After upgrading to 1.50 beta I ran a FLASH scan with the same database (5156)
and now it gives me 2 infections which IMO are something standard from
Microsoft, so I guess a false positive, or am I wrong?

The strange thing is that with the same database the "infections" are only visible with the 1.50 beta.

So my question is: is this a FP due to the beta or is it a real infection? :)


Malwarebytes' Anti-Malware 1.50 Public Beta
www.malwarebytes.org

Database version: 5156

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/11/2010 8:57:58
mbam-log-2010-11-20 (08-57-54).txt

Scan type: Flash scan
Objects scanned: 115075
Time elapsed: 1 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#2 wijllie

wijllie

    Advanced Member

  • Honorary Members
  • 184 posts
  • Gender:Male
  • Location:Belgium

Posted 20 November 2010 - 04:34 AM

Ok, after a search it is known as a False Positive, but I wonder
why it came up with the beta only and why Malwarebytes didn't do
anything to avoid this showing up. I can see that the same
False Positive is also already mentioned in your forums in 2008...

#3 exile360

exile360

    exile

  • Administrators
  • 16,016 posts
  • Gender:Male

Posted 20 November 2010 - 04:53 AM

Greetings :)

These aren't necessarily false positives, they're actually system settings that we check and if they aren't set to default, we detect them. If the settings are set to their defaults then these would be false positives. Please do the following so we can determine which is the case:

Create a Batch File:
  • Please copy and paste the following text exactly as written into notepad (not wordpad or any other text editor):

    @color 48
    @echo off
    reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "StartMenuLogoff">"%userprofile%\desktop\Info.txt"
    reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_ShowHelp">"%userprofile%\desktop\Info.txt"
    "%userprofile%\desktop\Info.txt"
    del /f /q "%userprofile%\desktop\Info.txt"
    del /f /q %0

  • Once you've done that click on File and select Save As...
  • In the Save dialogue box click on the drop down menu next to Save as type and select All Files
  • Name the file Check.bat (the .bat extension is very important)
  • Save the file to your desktop and double click it to run it.
  • Once it finishes it will open the file it created in notepad; please copy and paste the file's contents into your next reply.
Thanks :)
Samuel E Lindsey
Product Manager

Posted Image

Follow us: Twitter, Become a fan: Facebook

#4 wijllie

wijllie

    Advanced Member

  • Honorary Members
  • 184 posts
  • Gender:Male
  • Location:Belgium

Posted 20 November 2010 - 05:43 AM

Did that and notepad wasn't opened, so the batch file and info file were deleted as you put in
del /f /q "%userprofile%\desktop\Info.txt"

#5 wijllie

wijllie

    Advanced Member

  • Honorary Members
  • 184 posts
  • Gender:Male
  • Location:Belgium

Posted 20 November 2010 - 05:47 AM

I see a window opening very fast, and when I repeat the .bat I could see that some path was wrong

#6 wijllie

wijllie

    Advanced Member

  • Honorary Members
  • 184 posts
  • Gender:Male
  • Location:Belgium

Posted 20 November 2010 - 05:50 AM

Ok, since I'm an advanced user I opened the Registry and these are the settings:

Start_ShowHelp is set to 0
StartMenuLogoff is set to 1

#7 wijllie

wijllie

    Advanced Member

  • Honorary Members
  • 184 posts
  • Gender:Male
  • Location:Belgium

Posted 20 November 2010 - 06:04 AM

By the way, I can't imagine why this would ever be a malware issue. If I disable or enable the help or make any other
change to the start menu (icon), that should never be related to malware; it's just a setting for
showing content (shortcuts) to help/run etc... So anyone who changes their start menu's looks gets False Positives?

#8 exile360

exile360

    exile

  • Administrators
  • 16,016 posts
  • Gender:Male

Posted 20 November 2010 - 06:12 AM

Please try this one instead:
@color 48
@echo off
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "StartMenuLogoff">"%userprofile%\desktop\Info.txt"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_ShowHelp">>"%userprofile%\desktop\Info.txt"
"%userprofile%\desktop\Info.txt"

By the way, I can't imagine why this would ever be a malware issue. If I disable or enable the help or make any other
change to the start menu (icon), that should never be related to malware; it's just a setting for
showing content (shortcuts) to help/run etc... So anyone who changes their start menu's looks gets False Positives?

They aren't false positives. If the settings are set in a way other than default, that's what we're detecting. We make these detections because infections will often alter these settings as well and we have found that most users that know how to alter these settings recognize what MBAM is detecting when it shows them and will simply have MBAM ignore them since they know that they themselves made the changes, not an infection.
Samuel E Lindsey
Product Manager


#9 wijllie

wijllie

    Advanced Member

  • Honorary Members
  • 184 posts
  • Gender:Male
  • Location:Belgium

Posted 20 November 2010 - 06:24 AM

That code didn't work either, I guess a path error or something.
However I made a printscreen of the registry settings, hope this helps?

And yes, Malwarebytes can detect the change if "Help" is enabled or disabled
in the StartMenu's view, but what's the point? Altering that view isn't doing anything else;
you could detect hundreds of changed settings of that kind. It's imo useless because I have
changed several user-interface settings, and if I would get a warning every time I change
how the StartMenu or f.i. the Desktop's layout appears, that would drive me nuts...

Posted Image

#10 wijllie

wijllie

    Advanced Member

  • Honorary Members
  • 184 posts
  • Gender:Male
  • Location:Belgium

Posted 20 November 2010 - 07:01 AM

I changed the code to get a result

@color 48
@echo off
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "StartMenuLogoff"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_ShowHelp"

This is the result:


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
StartMenuLogoff REG_DWORD 0x1


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
Start_ShowHelp REG_DWORD 0x0

#11 exile360

exile360

    exile

  • Administrators
  • 16,016 posts
  • Gender:Male

Posted 20 November 2010 - 09:39 AM

So that confirms that the settings are as MBAM detected them, meaning it is not a false positive. You've simply chosen to remove the Help link from the Start Menu and disable the Log Off button on the Start Menu. This would only be a case of FPs if they were set to their defaults.

Now, since you've chosen to have the settings this way I would recommend that you click once on one of the items when it is detected and then click the Ignore button and then do the same for the other and then click on Remove Selected (there should be no items left in the list when you do this) and MBAM won't detect them any more.
Samuel E Lindsey
Product Manager


#12 wijllie

wijllie

    Advanced Member

  • Honorary Members
  • 184 posts
  • Gender:Male
  • Location:Belgium

Posted 20 November 2010 - 10:24 AM

Ok thanks for the info and I did move them to the ignore list.

However, now they are ignored, so if a Malware would alter them afterwards I don't get a message...
So you see there is not much point in detecting or ignoring these kinds of settings;
it only confuses people imo. I don't want a "possible" threat found because I changed the
look of my system. The detection should be smart enough to find out if a suspicious program does it,
not because it's changed by the user himself.

Ok ok, I rest my case :)
Thanks again.

#13 exile360

exile360

    exile

  • Administrators
  • 16,016 posts
  • Gender:Male

Posted 20 November 2010 - 07:25 PM

Ok thanks for the info and I did move them to the ignore list.

However, now they are ignored, so if a Malware would alter them afterwards I don't get a message...
So you see there is not much point in detecting or ignoring these kinds of settings;
it only confuses people imo.

No, that's not true. Malware would not enable the Help menu item or the Logoff button, it would only disable them, but since you choose to keep it that way, there would be no change to alert you to or fix with regards to these settings. The issue is when the user has not chosen to alter the settings themselves, but instead, an infection has done so, which is something we've seen occur frequently enough that detection was added for the setting to reset it back to the default.
Samuel E Lindsey
Product Manager


#14 wijllie

wijllie

    Advanced Member

  • Honorary Members
  • 184 posts
  • Gender:Male
  • Location:Belgium

Posted 21 November 2010 - 03:47 AM

No, that's not true. Malware would not enable the Help menu item or the Logoff button, it would only disable them, but since you choose to keep it that way, there would be no change to alert you to or fix with regards to these settings. The issue is when the user has not chosen to alter the settings themselves, but instead, an infection has done so, which is something we've seen occur frequently enough that detection was added for the setting to reset it back to the default.


Ok, last response, I promise :)

Why only those settings? You could check the whole system and set all settings to default...!
Where do you draw that line... If you can set your "Help" shortcut back in the StartMenu with a click there is no
real harm done. And a lot of people change the looks of menus, desktops etc. So after a scan, giving a "Hijack"
notice for something you changed yourself is imo useless.

Malwarebytes would be superb if it could detect that such a change was made by a program.
So if Malwarebytes, when it installs for the first time, checked those settings to compare afterwards,
that would be better. Giving a possible threat because you set the system the way you like it to be
is not the best choice. I hope you see my point :)

Regards, Wijllie

#15 exile360

exile360

    exile

  • Administrators
  • 16,016 posts
  • Gender:Male

Posted 21 November 2010 - 04:34 AM

Yes, unfortunately we have no way of detecting if the setting was altered by an infection or simply by the user. The detections of this type that we do detect are all settings we've seen modified by malware and it's simply an additional step in trying to undo the damage and alterations made by infections. It is inconvenient for a user such as yourself (and even myself, as I often alter such settings to my liking as well), but the real issue is that many users simply don't know how to reset these settings after an infection has made the change.

If there were a way for us to detect whether an alteration were made by an infection or the user themselves, believe me, that's what we'd do. Unfortunately that is not the case :).
Samuel E Lindsey
Product Manager

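As an added illustration (not code from this thread, and not Malwarebytes' own code), the Python script below reproduces both kinds of check the thread argues about: the "differs from the known default" logic exile360 describes in posts #3 and #11, run over the reg query output wijllie pasted in post #10, and the "compare against a baseline recorded at install time" approach wijllie proposes in post #14. The defaults are taken from the log in post #1 (Good: (0) for StartMenuLogoff, Good: (1) for Start_ShowHelp); the sample reg.exe text is a constructed copy of post #10, and the function names and the baseline dictionary are my own assumptions.

```python
import re
from typing import Dict, Tuple

# Known-good defaults, as the MBAM log in post #1 reports them:
# "StartMenuLogoff ... Bad: (1) Good: (0)" and "Start_ShowHelp ... Bad: (0) Good: (1)".
START_MENU_DEFAULTS: Dict[str, int] = {
    "StartMenuLogoff": 0,  # 0 = Log Off button shown on the Start Menu
    "Start_ShowHelp": 1,   # 1 = Help link shown on the Start Menu
}

# Constructed sample input: the two `reg query` outputs pasted in post #10, concatenated.
# reg.exe 3.0 prints the key path and then "<name>  <type>  <data>" lines.
SAMPLE_REG_OUTPUT = """
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows
    StartMenuLogoff    REG_DWORD    0x1


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows
    Start_ShowHelp    REG_DWORD    0x0
"""

# A value line looks like "<name>  <REG_TYPE>  <data>"; the banner and key-path lines do not match.
VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(\S+)\s*$")


def parse_reg_query(text: str) -> Dict[str, int]:
    """Return {value_name: int} for every REG_DWORD line in reg.exe output."""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group(2) == "REG_DWORD":
            values[m.group(1)] = int(m.group(3), 16)  # reg.exe prints DWORDs as 0x...
    return values


def check_against_defaults(values: Dict[str, int],
                           defaults: Dict[str, int] = START_MENU_DEFAULTS) -> Dict[str, Tuple[int, int]]:
    """The check exile360 describes: flag every value that is not at its default.
    Result is {name: (bad, good)}, mirroring the log's "Bad: (x) Good: (y)" wording."""
    return {name: (values[name], good)
            for name, good in defaults.items()
            if name in values and values[name] != good}


def diff_against_baseline(values: Dict[str, int],
                          baseline: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """The approach wijllie proposes: compare against values recorded earlier (e.g. at install).
    Result is {name: (then, now)} for values that changed since the baseline was taken.
    This only shows *that* a value changed after the snapshot, not *which program* changed it,
    which is the limitation exile360 points out in posts #15 and #17."""
    return {name: (then, values[name])
            for name, then in baseline.items()
            if name in values and values[name] != then}


if __name__ == "__main__":
    current = parse_reg_query(SAMPLE_REG_OUTPUT)

    # 1) Default-based check: both values are non-default, exactly as MBAM reported them.
    for name, (bad, good) in check_against_defaults(current).items():
        print(f"...\\Explorer\\Advanced\\{name} (Hijack.StartMenu) -> Bad: ({bad}) Good: ({good})")

    # 2) Baseline recorded after the user had already customised the menu (assumed values):
    #    nothing changed since, so nothing is reported.
    user_baseline = {"StartMenuLogoff": 1, "Start_ShowHelp": 0}
    changed = diff_against_baseline(current, user_baseline)
    print("Changed since baseline:", changed if changed else "(none)")
```

Run as-is, the first loop prints the same two Hijack.StartMenu lines the 1.50 beta log shows, while the baseline comparison stays empty because the snapshot already contains the user's own values; a baseline taken on a clean default system would flag both values instead, and in neither case does the script know who wrote the 0 or the 1.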

#16 wijllie

wijllie

    Advanced Member

  • Honorary Members
  • 184 posts
  • Gender:Male
  • Location:Belgium

Posted 23 November 2010 - 05:52 AM

Yes, unfortunately we have no way of detecting if the setting was altered by an infection or simply by the user. The detections of this type that we do detect are all settings we've seen modified by malware and it's simply an additional step in trying to undo the damage and alterations made by infections. It is inconvenient for a user such as yourself (and even myself, as I often alter such settings to my liking as well), but the real issue is that many users simply don't know how to reset these settings after an infection has made the change.

If there were a way for us to detect whether an alteration were made by an infection or the user themselves, believe me, that's what we'd do. Unfortunately that is not the case :).


Hmmm, I'm sure you guys will find a way to detect whether changes of such things were made by the user or by malware,
and if you can, use it to check A LOT more...
Success :D

#17 exile360

exile360

    exile

  • Administrators
  • 16,016 posts
  • Gender:Male

Posted 23 November 2010 - 09:41 AM

Hmmm, I'm sure you guys will find a way to detect whether changes of such things were made by the user or by malware,
and if you can, use it to check A LOT more...
Success :D

Nope, there is absolutely no way to tell because it's simply changing a 0 to a 1 or a 1 to a 0. The infections that make these changes do so in precisely the same way that you did so yourself by modifying those registry values. After the change has been made there is absolutely no way to track down what program made the change.
Samuel E Lindsey
Product Manager


#18 drdancm

drdancm

    New Member

  • Members
  • 6 posts

Posted 23 November 2010 - 12:21 PM

Nope, there is absolutely no way to tell because it's simply changing a 0 to a 1 or a 1 to a 0. The infections that make these changes do so in precisely the same way that you did so yourself by modifying those registry values. After the change has been made there is absolutely no way to track down what program made the change.


I think it would be extremely useful if you included a help message with the detection of these changes, which are often made by users or by other legitimate utilities. For example, if you have an antivirus program which monitors how up to date it is, so that Windows monitoring is turned off.

I find it doubtful that most users will recognize from the terse/unhelpful Malwarebytes description that this particular change from default is in fact the change they (the users) made, maybe 2 months or 1 year ago. For example, when Spybot detects such a change, they explain that this may in fact be a user-made change.

Thanks,

Dan

#19 exile360

exile360

    exile

  • Administrators
  • 16,016 posts
  • Gender:Male

Posted 23 November 2010 - 01:29 PM

Agreed, and I believe that now that we have the detection settings for PUM (Potentially Unwanted Modifications) that many, if not all of these detections will get reclassified into that category at some point once the final version of 1.50 is released :D.
Samuel E Lindsey
Product Manager

