
KIS + MBAM Pro = False Positive??


6 replies to this topic

#1 okap1

okap1

  • Members
  • 25 posts

Posted 04 July 2015 - 11:17 PM

Received this warning from KIS:  False Positive? Running KIS + MBAM Pro (permissions for each)  Win 8.1

Capture_07042015_221837_zps69jxauvi.jpg


Edited by okap1, 04 July 2015 - 11:28 PM.




#2 1PW

1PW

  • Members
  • 316 posts
  • Gender:Male
  • Location:North of the 38th parallel.

Posted 05 July 2015 - 09:23 AM

Hello okap1 / DInosanto:
 
My opinion here would also hold true for the similar topic in DSLReports.com forum. https://www.dslreports.com/forum/r30152499-KIS-MBAM-Pro-False-Positive
 
IMO the findings of KIS are likely accurate where the C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware directory became the unwitting receptacle through denied use of the integral Malwarebytes Anti-Malware (MBAM) self-protection module.
 
Reference: https://www.malwarebytes.org/support/guides/mbam/AdvancedSettings.html

If asked, I would recommend allowing KIS to process the above discovery as a positive find. Furthermore, I would re-evaluate enabling MBAM's self-protection module.
 
A more detailed investigation would be necessary to confirm the above. The system in question may very well benefit from a thorough examination by a genuinely qualified malware removal expert followed by a re-assessment of the user's computer security processes.
 
Cheers


Edited by 1PW, 05 July 2015 - 09:46 AM.

All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus.


#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • Gender:Male

Posted 05 July 2015 - 09:31 AM

I'm using Kaspersky Internet Security with Malwarebytes Premium. I could enable both options of the "Self protection module" and see if I can reproduce the detections. But in the years I've been using both programs together, this kind of detection never occurred.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 MoxieMomma

MoxieMomma

  • Members
  • 471 posts

Posted 05 July 2015 - 11:39 AM

Hi:

Here is the explanation for these KIS detections:
 
https://forums.malwarebytes.org/index.php?/topic/170153-kis-warning-mbam-files/#entry974308
 

These are not mbam files directly but created by our rootkit portion to do a file compare to see if the file is forged.

It should be a compare of this file: C:\windows\system32\drivers\ttnfd.sys

Would be a good idea to add this folder to exclusions in Kaspersky to prevent this from happening.


Cheers,
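
Added example, not part of any post in this thread and not Malwarebytes' or Kaspersky's code: a PowerShell check to run before adding an exclusion, which tests whether the files in the flagged folder are byte-identical to the driver named above. The folder path is taken from post #2 and is an assumption; the function name `Compare-FlaggedCopies` is hypothetical.

```powershell
# Added example. Compares every file in the flagged MBAM data folder with the
# driver named in the thread, by SHA-256, so an exclusion is only added for
# files that really are copies of that driver.
function Compare-FlaggedCopies {
    param(
        # Driver path as quoted in the thread.
        [string]$DriverPath = 'C:\Windows\System32\drivers\ttnfd.sys',
        # Assumption: folder named in post #2; use the path from your KIS report.
        [string]$FlaggedDir = 'C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware'
    )

    if (-not (Test-Path -LiteralPath $DriverPath -PathType Leaf)) {
        throw "Driver not found: $DriverPath"
    }
    $driverHash = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash

    # Signature status of the driver itself. A driver signed only through a
    # catalog can show as NotSigned on older PowerShell versions.
    $sig = Get-AuthenticodeSignature -LiteralPath $DriverPath
    Write-Host "Driver SHA256 : $driverHash"
    Write-Host "Driver signer : $($sig.Status)"

    Get-ChildItem -LiteralPath $FlaggedDir -File -Force -ErrorAction Stop |
        ForEach-Object {
            $hash = $null
            try {
                # Files can be locked by MBAM or already quarantined by KIS.
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch {
                Write-Warning "Could not read $($_.FullName): $($_.Exception.Message)"
            }
            [pscustomobject]@{
                File          = $_.Name
                Size          = $_.Length
                SHA256        = $hash
                MatchesDriver = ($null -ne $hash -and $hash -eq $driverHash)
            }
        }
}

# Run from an elevated prompt; list mismatches first.
Compare-FlaggedCopies | Sort-Object MatchesDriver | Format-Table -AutoSize
```

Rows with `MatchesDriver` set to `False` are not copies of the driver as Windows currently presents it and are worth examining before the folder is excluded.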

#5 okap1

okap1
  • Topic Starter

  • Members
  • 25 posts

Posted 05 July 2015 - 03:11 PM

Somewhat of a novice here...so..

So they are MBAM created files and are safe? Let them remain and instruct KIS to ignore them?

As a novice, not sure I understand the second line - is shadowwar suggesting putting the ttnfd.sys file located in system32\drivers into the KIS exclusion file?

 

Thanks

 

okap1/DInosanto


Edited by okap1, 05 July 2015 - 03:17 PM.


#6 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 05 July 2015 - 03:29 PM

Hi there,

I believe what shadowwar meant to say is to add the path of the folder mentioned in the Kaspersky report (looks like C:\ProgramData\Malwarebytes Anti-Malware - I uninstalled MBAM so cannot confirm it) to KIS' exclusion list.

#7 okap1

okap1
  • Topic Starter

  • Members
  • 25 posts

Posted 05 July 2015 - 03:39 PM

Thanks, Alexstrasza..





