• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

Kudos0

Malwarebytes False Positive for Win 7 Monthly Security Rollup KB3197868

Woody Leonhard just posted an article on AskWoody.com titled Malwarebytes stumbles with false positive on KB 3197868, the Win7 November Monthly Rollup warning that some Win 7 SP1 users could have corrupted their system files with a recent MBAM scan after some of the 500+ files in the KB3197876 Monthly Rollup that were not digitally signed by Microsoft were detected as false positives.  Symptoms can include "locked up systems, and machines that take five minutes or more to shut down."

From what I understand, Win 7 SP1 users could potentially be affected if they ran a MBAM scan in the 4-day period between 08-Nov-2016 (the release date for the November 2016 Patch Tuesday updates) and 11-Nov-2016 when MBAM released database version v2016.11.16.11 to fix the problem.  I don't see a large number of recent reports in their False Positive board at https://forums.malwarebytes.org/forum/42-file-detections/ so it doesn't appear to be a widespread problem.

Malwarebytes posted a support article What can I do if I have been affected by the Kernel32.dll false positive? in their Anti-Malware for Business FAQ on 17-Nov-2016, but I assume users of both their Home and Business products could be affected by these false positive detections.
------------
32-bit Vista Home Premium SP2 * Firefox v50.0 * NIS v22.8.1.14 * MBAM Premium v2.2.1

Replies

Kudos0

Re: Malwarebytes False Positive for Win 7 Monthly Security Rollup KB3197868

Norton is also reporting that some apps (Mail & Calendar) have unsigned files and asks if they should be allowed to run. On checking it seems that some are signed, some are unsigned and some are signed with a "Not trusted" response.

So how can we get this resolved and be sure that MS's files are from MS?

This is on Windows 10 Pro Version 1607 Build 14393.447

C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41227.0_x64__8wekyb3d8bbwe>S:\pny-processed\SysInternals\sigcheck.exe *.exe

Sigcheck v2.54 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41227.0_x64__8wekyb3d8bbwe\HxAccounts.exe:
        Verified:       A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
        Link date:      11:46 16/11/2016
        Publisher:      n/a
        Company:        Microsoft Corporation
        Description:    Microsoft Outlook Accounts
        Product:        Microsoft Office 2016
        Prod version:   16.0.7466.4122
        File version:   16.0.7466.4122
        MachineType:    64-bit
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41227.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe:
        Verified:       Unsigned
        Link date:      11:47 16/11/2016
        Publisher:      n/a
        Company:        Microsoft Corporation
        Description:    Microsoft Outlook Calendar
        Product:        Microsoft Office 2016
        Prod version:   16.0.7466.4122
        File version:   16.0.7466.4122
        MachineType:    64-bit
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41227.0_x64__8wekyb3d8bbwe\HxMail.exe:
        Verified:       Unsigned
        Link date:      11:46 16/11/2016
        Publisher:      n/a
        Company:        Microsoft Corporation
        Description:    Microsoft Outlook Mail
        Product:        Microsoft Office 2016
        Prod version:   16.0.7466.4122
        File version:   16.0.7466.4122
        MachineType:    64-bit
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41227.0_x64__8wekyb3d8bbwe\HxTsr.exe:
        Verified:       Unsigned
        Link date:      11:46 16/11/2016
        Publisher:      n/a
        Company:        Microsoft Corporation
        Description:    Microsoft Outlook Communications
        Product:        Microsoft Office 2016
        Prod version:   16.0.7466.4122
        File version:   16.0.7466.4122
        MachineType:    64-bit

The same is true for DLL's (I have only listed two here but its the same for the rest some are and some are not signed):

C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41227.0_x64__8wekyb3d8bbwe>S:\pny-processed\SysInternals\sigcheck.exe *.dll

Sigcheck v2.54 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41227.0_x64__8wekyb3d8bbwe\chartim.dll:
        Verified:       Signed
        Signing date:   16:12 30/10/2016
        Publisher:      Microsoft Corporation
        Company:        Microsoft Corporation
        Description:    Microsoft Office Charting
        Product:        Microsoft Office 2016
        Prod version:   16.0.7426.1015
        File version:   16.0.7426.1015
        MachineType:    64-bit
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41227.0_x64__8wekyb3d8bbwe\CsiImm.dll:
        Verified:       Unsigned
        Link date:      11:46 16/11/2016
        Publisher:      n/a
        Company:        Microsoft Corporation
        Description:    Microsoft Outlook Mail
        Product:        Microsoft Office 2016
        Prod version:   16.0.7466.4122
        File version:   16.0.7466.4122
        MachineType:    64-bit

Kudos0

Re: Malwarebytes False Positive for Win 7 Monthly Security Rollup KB3197868

RayG:

Norton is also reporting that some apps (Mail & Calendar) have unsigned files and asks if they should be allowed to run. On checking it seems that some are signed, some are unsigned and some are signed with a "Not trusted" response.

So how can we get this resolved and be sure that MS's files are from MS?...

Hi RayG:

I'm aware of at least two recent threads where this problem is being discussed - ssprinz's thread What is hxtsr.exe and why does Norton keep nagging me about it? in the Norton forum and John555's thread microsoft outlook mail does not have a valid digital signature in the Microsoft Answers forum.

If it's a small number of files, you can upload each file at VirusTotal for a simultaneous scan by multiple antivirus engines.  A low detection rate (e.g., 2/56) would indicate that most common antivirus engines do not detect the file as suspicious.  If you are confident the files are safe you can follow the directions in the support article Check the trust level of a file and manually trust the file (Trust Now) to stop the alerts.

Suspected false positives should also be submitted to Symantec as instructed at https://community.norton.com/en/forums/how-report-false-positives.  If Symantec concurs the files are safe they will whitelist the SHA-256 hashes (digital signatures) of those files to ensure the files aren't flagged as suspicious.
------------
32-bit Vista Home Premium SP2 * Firefox v50.0 * NIS v22.8.1.14 * MBAM Premium v2.2.1

Kudos0

Re: Malwarebytes False Positive for Win 7 Monthly Security Rollup KB3197868

lmacri:

From what I understand, Win 7 SP1 users could potentially be affected if they ran a MBAM scan in the 4-day period between 08-Nov-2016 (the release date for the November 2016 Patch Tuesday updates) and 11-Nov-2016 when MBAM released database version v2016.11.16.11 to fix the problem.  I don't see a large number of recent reports in their False Positive board at https://forums.malwarebytes.org/forum/42-file-detections/ so it doesn't appear to be a widespread problem.

A correction to my original post.  The MBAM database version v2016.11.16.11 was released 16-Nov-2016.  That means that Win 7 SP1 users could potentially be affected if they ran a MBAM scan in the 9-day period between 08-Nov-2016 (the release date for the November 2016 Patch Tuesday updates) and 16-Nov-2016 when MBAM released database version v2016.11.16.11 to fix the problem.
------------
32-bit Vista Home Premium SP2 * Firefox v50.0 * NIS v22.8.1.14 * MBAM Premium v2.2.1

This thread is closed from further comment. Please visit the forum to start a new thread.