
False Positives for Mal/FakeMS-D?

Morning, folks. We're having multiple machines report in the following messages this morning:

Virus/spyware 'Mal/FakeMS-D' has been detected in "C:\Program Files\MSDN\2003FEB\1033\dnduwam.hxs\/$Samples/5301/5301.exe\d4tests.cab\sgp.exe". Cleanup unavailable.

Virus/spyware 'Mal/FakeMS-D' has been detected in "C:\Program Files\MSDN\2003FEB\1033\dnduwam.hxs\/$Samples/5302/5302.exe\d4tests.cab\sgp.exe". Cleanup unavailable.

Virus/spyware 'Mal/FakeMS-D' has been detected in "C:\Program Files\MSDN\2003FEB\1033\dnduwam.hxs\/$Samples/5315/5315.exe\d4tests.cab\sgp.exe". Cleanup unavailable.

Infected file "C:\Program Files\MSDN\2003FEB\1033\dnduwam.hxs" has been deleted.

Anyone else seeing this? All these files have been resident on the machines for years, if the time is to be believed. 

Cheers, 

B



  • Hello Bungle_Bear,

    (ok, so Sandy beat me - but some words from the "other side" do no harm; might as well add some additional remarks)

    please submit a sample to the labs (here's the Submitting samples of suspicious files to Sophos article). Looks like it was digging in an archive - are these results from a scheduled scan? If so, it might be simple to grab the file and submit it (but zip it up with a password). Otherwise please see Collecting samples blocked by on-access scanning (although, as it is likely not harmful, you could simply turn off on-access scanning for the few seconds needed to zip it).

    Note that the articles mention zipping only when you send the samples by mail, BUT - depending on your settings even the moved files might be intercepted. Once it is archived with a password it will neither be blocked nor can it do harm (unless of course you unpack it) so you can safely keep it (something I always do, whether for false positives or suspicious/malicious files, to verify that the updated detections work as expected).

    False positives are encountered from time to time, usually with generic detection (and the analysis - if available - will ask you to submit a sample) but I also had a few "non-generic" cases and all indicated pretty old files. You should be careful with judging from the timestamps though - while malware most of the time doesn't care about them you can't rule it out that it does. If you have a backup for comparison it's always a good idea to check it. Anyway - in all but one rather complex case updated detections were issued literally within hours and the problem was resolved.

    Christian

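An added example, not code from the original post, from Christian, or from the Sophos articles he links, that follows the two practical points raised in this thread. First, the alert lines quoted in the question name a long chain of archive members (`.hxs` → `$Samples/.../*.exe` → `.cab` → `sgp.exe`), while only the outermost file actually exists on disk and is what gets deleted or should be submitted; the script parses the alerts and groups the detections by that on-disk container. Second, since timestamps can be set to anything, it compares a flagged file with its backup copy by content hash rather than by modification time. The sample alert text is constructed from the post, and the rule "the first path component with a file extension is the on-disk file" is an assumption about how the scanner formats nested paths, not Sophos' documented behaviour.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample input: the four alert lines quoted in the original post,
# as they would appear in an exported event log.
SAMPLE_ALERTS = r"""
Virus/spyware 'Mal/FakeMS-D' has been detected in "C:\Program Files\MSDN\2003FEB\1033\dnduwam.hxs\/$Samples/5301/5301.exe\d4tests.cab\sgp.exe". Cleanup unavailable.
Virus/spyware 'Mal/FakeMS-D' has been detected in "C:\Program Files\MSDN\2003FEB\1033\dnduwam.hxs\/$Samples/5302/5302.exe\d4tests.cab\sgp.exe". Cleanup unavailable.
Virus/spyware 'Mal/FakeMS-D' has been detected in "C:\Program Files\MSDN\2003FEB\1033\dnduwam.hxs\/$Samples/5315/5315.exe\d4tests.cab\sgp.exe". Cleanup unavailable.
Infected file "C:\Program Files\MSDN\2003FEB\1033\dnduwam.hxs" has been deleted.
"""

DETECT_RE = re.compile(
    r"Virus/spyware '(?P<name>[^']+)' has been detected in \"(?P<path>[^\"]+)\"\. (?P<outcome>.+?)\.$"
)
ACTION_RE = re.compile(r'Infected file "(?P<path>[^"]+)" has been (?P<outcome>[a-z]+)\.$')


def split_container(path: str):
    """Split a scanner path into (on-disk file, [members inside it]).

    Assumption (not Sophos' documented format): the scanner appends archive
    members to the on-disk path using further separators, so the first
    component carrying a file extension is taken as the file that exists on
    disk; everything after it is a member somewhere inside that archive chain.
    """
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    for i, part in enumerate(parts):
        if "." in part:
            return "\\".join(parts[: i + 1]), parts[i + 1:]
    return "\\".join(parts), []


def parse_alerts(text: str):
    """Group alerts by on-disk file: detections found inside it and the action taken."""
    report = defaultdict(lambda: {"detections": [], "action": None})
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DETECT_RE.match(line)
        if m:
            container, members = split_container(m["path"])
            report[container]["detections"].append((m["name"], "/".join(members)))
            continue
        m = ACTION_RE.match(line)
        if m:
            container, _ = split_container(m["path"])
            report[container]["action"] = m["outcome"]
    return dict(report)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_backup(flagged: Path, backup: Path) -> dict:
    """Content-level comparison of a flagged file with its backup copy.

    Modification times are reported for context only; the verdict rests on the
    hashes, because a timestamp can be set to any value while the hash cannot
    be made to match a known-good copy without the content being identical.
    """
    flagged_hash, backup_hash = sha256_of(flagged), sha256_of(backup)
    return {
        "flagged_sha256": flagged_hash,
        "backup_sha256": backup_hash,
        "identical": flagged_hash == backup_hash,
        "flagged_mtime": flagged.stat().st_mtime,
        "backup_mtime": backup.stat().st_mtime,
    }


if __name__ == "__main__":
    for container, info in parse_alerts(SAMPLE_ALERTS).items():
        print(f"{container}: action={info['action']}")
        for name, member in info["detections"]:
            print(f"  {name} in member {member}")
```

Run on the quoted alerts, the report collapses the three hits to a single on-disk file, `dnduwam.hxs`, with the action `deleted`; that is the one file to restore from backup, zip with a password and submit, and hash-compare against the backup copy. An identical hash supports a false-positive reading but does not prove it, since the backup may have been taken after the file was already in its current state.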