Author Topic: MBAM False Positive!  (Read 3368 times)

0 Members and 1 Guest are viewing this topic.

BobbyZee67

  • Guest
MBAM False Positive!
« on: May 18, 2010, 01:18:09 AM »
Hi, I would be grateful for any answer to this problem.

    I have been running free vers.5.0.545 for approximately three weeks with no problems but I got a warning of
    infection, namely C:\WINDOWS\system32\drivers\mbamswissarmy.sys!

    This rather perplexes me because I have set all MBAM files to be excluded from scans, so like I say, I would be
    grateful for any answers. Though MBAM is paid version, realtime protection is disabled.

    Prior to installing 5.0.545, I was running MSE which I uninstalled with Revo Uninstaller. I update Windows as
    they become available and MBAM updates and scans on a daily basis, no problems.

    OS: Vista SP2 Home Premium, Avast5 free, MBAM paid version and Windows Firewall.

    Many thanks,

    BobbyZee67/b]

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37608
  • Not a avast user
Re: MBAM False Positive!
« Reply #1 on: May 18, 2010, 01:22:50 AM »
http://forums.malwarebytes.org/index.php?showtopic=6931
http://www.bleepingcomputer.com/forums/topic173703.html

And since it is avast doing the detection, the headline of this topic should be " avast false positive "
« Last Edit: May 18, 2010, 01:26:59 AM by Pondus »

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 89325
  • No support PMs thanks
Re: MBAM False Positive!
« Reply #2 on: May 18, 2010, 02:32:17 AM »
I have just scanned that file in my system and no alert, see image.

Hash info on the mbamswissarmy.sys on my system:
MD5: 7364D8A830F91C487F430A57FDBD2BBB
SHA1: 3A693F4E63E130B9CDD284FA7036D04DD457DDC8

What version and build of MBAM are you using ?

What avast virus definition version are you using ?
My scan was with 100517-1, the latest at the time of the scan.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

BobbyZee67

  • Guest
Re: MBAM False Positive!
« Reply #3 on: May 18, 2010, 10:35:04 AM »
  Hi DavidR, Many thanks for your reply.

  I'm afraid that in my first post I did not furnish you with all the facts!

  I'm quite "computer illiterate" and when I received the MBAM file warning, I suppose I was both surprised, shocked
  and not knowing quite what to do, uninstalled Avast5, reinstalling MSE on a temporary basis until I heard from the
  forum and hopefully reinstall Avast. I'm sorry but I do not remember the virus definition version obviously, however,
  MBAM build version is 1.46.

  As I say, both MBAM and MSE scans are clean, so I suppose my question now is, can I reinstall Avast?

  Once again, sorry for my naivety and yes "Pondus" I do now realise heading should have read Avast detects
  MBAM false positive!

  BobbyZee67

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 89325
  • No support PMs thanks
Re: MBAM False Positive!
« Reply #4 on: May 18, 2010, 03:07:23 PM »
Yes, you can reinstall avast5, but when you do so MSE should have its Resident scanner function disabled as they could conflict.

There was more information missing in the first post, but since you uninstalled avast5 you don't have a record only memory, e.g. what type of scan was it that detected this and what the malware name was ?

The reason I gave the MD5: and SHA1: (Hash) numbers as that would allow you to check your mbamswissarmy.sys file against mine, these numbers are unique to a file version and if they match they are identical so the two are the same and not infected (as mine isn't).

In any case a detection isn't the end of the world, the automated action in avast5 would send it to the chest (a protected area) unless you have changed the automated actions. This gives you time to investigate the detection, like you have here.

The last thing I would do however is uninstall the program making the detection but send the file to the chest and investigate.

You say you excluded all the mbam files, first there is no need to do this (I haven't) and secondly it depends on what scanner made the detection (why I asked) as there is a difference the avast Settings, Exclusions deals with 'all' on-demand scans, those initiated by you. If this detection was by one of the resident (on-access) scanners then the on-demand exclusions wouldn't work, so the most likely scanner to make the detection would be the File System Shield.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security