farbar

Malwarebytes is going after legit tools

18 posts in this topic

Malwarebytes has been a highly recommended and frequently used program on our forum. Lately we see Malwarebytes removing legit services when an MS file is patched by ZeroAccess, forcing a lengthy restore operation.

Worse is when we see it going after legit tools for no reason, flagging them as a trojan and removing them, as in the following topic:

Files Detected: 1

C:\Documents and Settings\Celia\Desktop\MiniToolBox.exe (Trojan.Agent) -> Quarantined and deleted successfully.

http://www.bleepingc...23#entry2583223

I would like to know what that kind of detection is based on.


You mean this tool ?

http://download.bleepingcomputer.com/farbar/MiniToolBox.exe

I didn't get a MBAM detection on it when it was on a "Y:" drive or when it was on my Desktop.

EDIT:

BTW: You expressed this as "going after legit tools" when your post indicates a singular utility. That's not a fair post to Malwarebytes.


Yes, I mean MiniToolBox and I'm the author of the tool. I have no clue why Malwarebytes detected and removed the tool.


I just downloaded it to my desktop and scanned it with MBAM.

Protection: Enabled

2/3/2012 4:57:50 PM

mbam-log-2012-02-03 (16-57-50).txt

Scan type: Custom scan

Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM

Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P

Objects scanned: 1

Time elapsed: 9 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)


Farbar, if you are the author, why didn't YOU post the URL and a sample? Why did I have to seek it?

Additionally, do we know for a 100% fact that your EXE file was on the desktop?

Remember, any file can be named anything, and it is often the case that malware is named using a legitimate file name to mask its malicious nature. I am not saying that's the case here, but I had no detection by MBAM on the utility I downloaded, and you didn't upload a sample of your utility that is being falsely detected as Trojan.Agent.


> Files Detected: 0
>
> (No malicious items detected)

Same as my findings.

> Farbar, if you are the author, why didn't YOU post the URL and a sample? Why did I have to seek it?

In case "YOU" need a sample, you can download it from your own forum, as the tool is used by the helpers of the forum here:

http://www.google.nl/search?hl=&q=%22minitoolbox%22+malwarebytes&sourceid=navclient-ff&rlz=1B3GGGL_enNL300NL300&ie=UTF-8#q=site:forums.malwarebytes.org+%22minitoolbox%22+malwarebytes&hl=nl&rlz=1B3GGGL_enNL300NL300&prmd=imvns&ei=h2csT7-fMOiZ0QWHjNmuCA&start=0&sa=N&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=de221d1662c7103a&biw=1241&bih=822


And this is another thread reporting it:

http://forums.malwar...howtopic=105515

And that's detected as Trojan.AutoIT, which is not Trojan.Agent.

At this time there is nothing Malwarebytes can do, as you haven't provided the utility that is being detected as Trojan.AutoIT or Trojan.Agent, and the file Larry and I downloaded is NOT being detected at all.

Please read the notes I wrote in thread post #5.


If you can't do anything about the detection, I suggest none of my tools be used on the Malwarebytes forum (that includes Farbar Service Scanner and Farbar Recovery Scan Tool or any other tool). I will make an announcement on BleepingComputer about this and add a message to the tools in order not to run on any system if Malwarebytes is detected on the system.


> If you can't do anything about the detection, I suggest none of my tools be used on the Malwarebytes forum (that includes Farbar Service Scanner and Farbar Recovery Scan Tool or any other tool). I will make an announcement on BleepingComputer about this and add a message to the tools in order not to run on any system if Malwarebytes is detected on the system.

Malwarebytes can't reverse a detection for something that is not presently being detected. It is that simple.

Many legitimate tools get falsely identified.

sUBs is a Malwarebytes employee, and HIS ComboFix is falsely detected.

https://www.virustot...85e1e/analysis/

OldTimer's OTL has False Detections.

Anti-malware software can't whitelist a file just by name. As I wrote earlier, any file can be named anything, and it is often the case that a file with malicious intent will be named using a legitimate file name to mask its malicious intent.

If an AM/AV/AT utility falsely identifies a utility, the objective is to submit the file that is falsely identified to the AM/AV/AT vendor so that the signature can be negated. However, a new version could subsequently be re-detected.

I also want to reiterate: you posted "Malwarebytes is going after legit tools" when in reality it was perhaps the case of one tool, not plural as in "tools" as the post suggests.
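The point made in the post above, that a scanner cannot trust a file by its name because any file can be renamed, is easy to show in code. The following is an added example and is not code from the thread, from Malwarebytes, or from the Farbar tools: it compares a naive name-based allowlist with a content-hash allowlist over three files it constructs itself in a temporary directory (the file names and byte contents are made up for the demonstration and are not the real MiniToolBox binary).

```python
"""Hash-based versus name-based file identity (added example, not from the thread).

A file's identity has to come from its contents, here a SHA-256 digest,
not from its name. All files below are constructed in a temporary
directory; the names and contents are made up and stand in for a real
tool and an unrelated file that borrows the tool's name.
"""
import hashlib
import os
import tempfile

# Constructed stand-ins for file contents. A real allowlist would hold the
# digests of the vendor's actual release binaries, not these placeholders.
GENUINE_BYTES = b"MZ" + b"constructed-genuine-tool-payload"
IMPOSTOR_BYTES = b"MZ" + b"constructed-unrelated-payload"


def sha256_of(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def allowed_by_name(path, allowed_names):
    """The naive check the post warns against: trust the filename alone."""
    return os.path.basename(path).lower() in allowed_names


def allowed_by_hash(path, allowed_digests):
    """Trust only the content digest; the filename plays no part."""
    return sha256_of(path) in allowed_digests


def demo():
    """Build three files and run both checks on them. Returns a dict of verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "MiniToolBox.exe")                 # the known-good build
        impostor = os.path.join(tmp, "impostor", "MiniToolBox.exe")    # same name, other contents
        renamed = os.path.join(tmp, "renamed_copy.bin")                # same contents, other name
        os.makedirs(os.path.dirname(impostor))
        for path, data in ((genuine, GENUINE_BYTES),
                           (impostor, IMPOSTOR_BYTES),
                           (renamed, GENUINE_BYTES)):
            with open(path, "wb") as fh:
                fh.write(data)

        allowed_names = {"minitoolbox.exe"}
        allowed_digests = {sha256_of(genuine)}  # pinned from the known-good build

        return {
            # name-based trust lets the impostor through and rejects the renamed genuine copy
            "impostor_trusted_by_name": allowed_by_name(impostor, allowed_names),
            "renamed_trusted_by_name": allowed_by_name(renamed, allowed_names),
            # hash-based trust gets both right
            "impostor_trusted_by_hash": allowed_by_hash(impostor, allowed_digests),
            "renamed_trusted_by_hash": allowed_by_hash(renamed, allowed_digests),
        }


if __name__ == "__main__":
    for verdict, value in demo().items():
        print(f"{verdict}: {value}")
```

The same reasoning applies to the false-positive report itself: the vendor needs the actual bytes that were detected (or at least their digest), since a file found on the developer's site today may not be the build that triggered the signature.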

> If you can't do anything about the detection, I suggest none of my tools be used on the Malwarebytes forum (that includes Farbar Service Scanner and Farbar Recovery Scan Tool or any other tool).

He can't do anything because he isn't a Malwarebytes employee.

Can you please upload the file that is being detected so our research team can see why it is being detected, please?

Edit: We have specific guidelines for reporting false positives, which are stickied to the top of this forum:

http://forums.malwar...?showtopic=3228

Edit:

> I will make an announcement on BleepingComputer about this and add a message to the tools in order not to run on any system if Malwarebytes is detected on the system.

Please don't do that. I and others here use your tools often. We can fix this; we just need your help...


I'm glad to see the intention to do something about this.

This is another topic, this time about Farbar Service Scanner, which has not been replied to:

http://forums.malwarebytes.org/index.php?showtopic=105520

I may update the tools many times in a short period depending on the necessity of it. None of the tools download anything or make any changes to the system unless the user actively implements the instructions of the helper. In the case of MiniToolBox it might set the start type of the eventlog service to auto (which is the MS default start type) if it is disabled, and start it in order to be able to read the Event Viewer errors.

The tools are compiled by the AutoIt compiler and none of the antivirus vendors detect the tools as a trojan. Up to now it has been limited to Malwarebytes and I have considered it a temporary FP that can be expected.

I don't have a sample of the version that is detected, as it was brought to my attention when the above user posted a topic and I found previous reports on the Malwarebytes forum about it and FSS.

I will be glad to help in any way to resolve this in case there is a chance that Malwarebytes detects the tools again.


I am (personally) not getting any detections on the latest versions of either FSS or the Toolbox. It's likely that the false positives have already been fixed in the database, but if a detection recurs, please do not hesitate to let us know. With a copy of the file(s) in question, our research team can take appropriate action.

Thank you for your cooperation.

Edit: I have pointed my manager to this topic, so he may post if he has anything to add.


Hello Farbar,

I have also scanned it with our Corporate version, and neither the Protection Module nor the On Demand scanner is detecting it.

If you have a detection we need to have you do the following so that we can check on it and remove the detection if it is a False Positive.

The one that turtledove reported was fixed by Rich Matteo on 01/31/2012

Are you saying that there is another one that is still being detected?

I've downloaded both tools and neither one is being detected by 3 different products.

Before reporting a false positive, you need to save a log in developer mode. This will allow us to figure out how the false positive came to be. Simply follow these directions.

1. Click the Start Menu.

2. Click Run.

3. Type in "mbam.exe /developer", without the quotes.

4. Run the same type of scan you did before and save the logfile and post it.

Additionally, please attach the file with your post. Make sure it is in ZIP or RAR format.

Note: The above need not be done for IP false positives.

Thanks

Ron


Hello Ron,

I have not personally tested any of the versions of any of the tools before to see if Malwarebytes detects them. I just saw those topics and the reports of FP. One hour ago I ran Malwarebytes on the directory containing all the tools and Malwarebytes flagged none of them.

I think there is no problem at the moment. If the detection happens again I'll add your post to the discussion thread of the tools to let the helpers know what to do if they come across a log detecting it.

Thank you.


Apparently the one reported by turtledove was being detected and Rich fixed it. In most cases though, if possible, it's best to make sure the user has updated Malwarebytes first so that we know the database is not old.

Okay then, we're all here trying to help people and thank you for your part and your tools too. Feel free to send me a PM if needed any time and we'll look into any issues for you.

Cheers

Ron


Indeed we are all on the same side and trying to help people. I will send you a PM in case it is needed.

Thank you Ron.

Regards,

Farbar
