knwillis

dozens of files equal false positives

I've been finding the same group of files all over my company. We have clients all over the state and nearly every machine we scan with MBAM comes up with these results. The files are non-existent on the computers.

I've attached the initial quick scan logs for two computers along with the /developer quick scan logs for the same machines.

mbam logs.zip

Greetings and welcome to our support forums :)

What antivirus and/or endpoint security solution are you using?

I suspect it is Kaseya, and if so, then please either be sure to whitelist Malwarebytes Anti-Malware's 3 main executables from it, all located by default in C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware for x64 systems:

  • mbam.exe
  • mbamgui.exe
  • mbamservice.exe

Also note that if you are running Kaseya's endpoint solution, the latest released version does not cause this issue, as we reported it to them and they corrected it.

Please let me know if this has resolved the problem for you or not.

Thanks :)

You are correct on Kaseya! I'll give this a shot and see if it helps us. Thanks for the quick reply!

You're welcome :)

Either of the above options I provided should resolve it, but if not, then please do contact your system administrator so that they can get the latest Kaseya endpoint solution installed (which is the recommended option).

Hi Sam, some of the systems I'm running MBAM on do not have Kaseya's endpoint solution. I have some with MSE and some home users with Norton/Symantec. Still getting the same results. Any other ideas?

For the systems not running Kaseya agent at all, I'd recommend posting a developer's log of one of the scans as you did in the first post.

I'll have to get one of our Research team members to take a look for you.

Thanks Sam. The files I posted in the first post actually have two different machines. One computer is running the Kaseya agent with the Kaseya anti-virus (re-branded AVG) and one machine runs the Kaseya agent but not their anti-virus (using MSE instead). The Kaseya agent does not manage any virus scans without that re-branded AVG installed.

Ah, OK, so they do all have Kaseya agent installed and running?

If so, then it is the same issue I was referring to, and you'll likely need to upgrade your Kaseya software to the latest version. I don't believe it's related to AVG when used in Kaseya for AV; it's actually older versions of the Kaseya agent itself that cause this.

I just updated the Kaseya agent on my computer to the newest version and ran a quick scan but got the same results from MBAM.

Thanks for letting me know. I got a bit more detailed info on the issue for you.

Please have your Kaseya admin whitelist mbam.exe in the App Blocker on the server side and that should eliminate it, though you may still want to have your Kaseya admin contact Kaseya Support as this was supposed to be fixed in one of their recent releases.

Also make certain that your Kaseya App Blocker on the server is the latest, as that's the root cause of the detections.

I've opened a support request with Kaseya directing them to this forum thread. I'll let you know what I find out. Thanks

Excellent, thanks for the follow up.

I look forward to hearing back from you, hopefully with good news.

Thanks for keeping me posted. I'm sorry that they haven't been able to correct the problem yet. I hope that they will soon so that you won't have to deal with the issue any longer.
