Woody Leonhard just posted an article on AskWoody.com titled Malwarebytes stumbles with false positive on KB 3197868, the Win7 November Monthly Rollup, warning that some Win 7 SP1 users could have corrupted their system files with a recent MBAM scan after some of the 500+ files in the KB3197876 Monthly Rollup that were not digitally signed by Microsoft were detected as false positives. Symptoms can include "locked up systems, and machines that take five minutes or more to shut down."
From what I understand, Win 7 SP1 users could potentially be affected if they ran a MBAM scan in the 4-day period between 08-Nov-2016 (the release date for the November 2016 Patch Tuesday updates) and 11-Nov-2016 when MBAM released database version v2016.11.16.11 to fix the problem. I don't see a large number of recent reports in their False Positive board at https://forums.malwarebytes.org/forum/42-file-detections/ so it doesn't appear to be a widespread problem.
Malwarebytes posted a support article What can I do if I have been affected by the Kernel32.dll false positive? in their Anti-Malware for Business FAQ on 17-Nov-2016, but I assume users of both their Home and Business products could be affected by these false positive detections.
------------
32-bit Vista Home Premium SP2 * Firefox v50.0 * NIS v22.8.1.14 * MBAM Premium v2.2.1
A correction to my original post. The MBAM database version v2016.11.16.11 was released 16-Nov-2016. That means that Win 7 SP1 users could potentially be affected if they ran a MBAM scan in the 9-day period between 08-Nov-2016 (the release date for the November 2016 Patch Tuesday updates) and 16-Nov-2016 when MBAM released database version v2016.11.16.11 to fix the problem.
------------
Norton is also reporting that some apps (Mail & Calendar) have unsigned files and asks if they should be allowed to run. On checking it seems that some are signed, some are unsigned and some are signed with a "Not trusted" response.
So how can we get this resolved and be sure that MS's files are from MS?...
If it's a small number of files, you can upload each file at VirusTotal for a simultaneous scan by multiple antivirus engines. A low detection rate (e.g., 2/56) would indicate that most common antivirus engines do not detect the file as suspicious. If you are confident the files are safe you can follow the directions in the support article Check the trust level of a file and manually trust the file (Trust Now) to stop the alerts.
Suspected false positives should also be submitted to Symantec as instructed at https://community.norton.com/en/forums/how-report-false-positives. If Symantec concurs the files are safe they will whitelist the SHA-256 hashes (digital signatures) of those files to ensure the files aren't flagged as suspicious.
------------
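The question above (are these files really Microsoft's?) and the advice to check hashes and signatures can be scripted rather than done one file at a time in sigcheck. The following is an added example written for this thread; it is not code from the original posts, from Microsoft, Symantec or Malwarebytes. It assumes Windows 10 with PowerShell 5.1 (where Get-AuthenticodeSignature also reports catalog signatures), an elevated prompt, and that the Appx module's Get-AppxPackage is available; the package folder is the one from the sigcheck output, and the function names and the CSV path are mine.

```powershell
# Added example, not code from the thread or from Microsoft/Symantec/Malwarebytes.
# Assumptions: Windows 10, PowerShell 5.1, elevated prompt. The WindowsApps
# folder is ACL-restricted, so some entries may be skipped without elevation.

function Get-SignatureReport {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string[]]$Extensions = @('.exe', '.dll')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                # Valid | NotSigned | UnknownError (chain ends in an untrusted root,
                # the HxAccounts.exe case in the sigcheck output) | HashMismatch
                # (file changed after it was signed: the one that warrants alarm)
                Status  = $sig.Status
                Message = $sig.StatusMessage
                # Authenticode = embedded signature; Catalog = signed through a .cat
                # file, which is how most Windows OS binaries are signed
                SigType = $sig.SignatureType
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
                Thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
                # SHA-256 lets you look a file up at VirusTotal without uploading it
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                File    = $_.FullName
            }
        }
}

function Get-StorePackageSignature {
    # Store (Appx) packages are signed as a whole: AppxSignature.p7x covers the
    # block map, which hashes every file in the package. A lone EXE or DLL inside
    # WindowsApps reporting NotSigned is therefore not by itself evidence of
    # tampering; the package-level signature is the thing to check.
    param([Parameter(Mandatory)] [string]$Name)
    Get-AppxPackage -Name $Name | ForEach-Object {
        [pscustomobject]@{
            Package       = $_.PackageFullName
            Publisher     = $_.Publisher
            SignatureKind = $_.SignatureKind      # Store | Developer | Enterprise | None
            HasP7x        = Test-Path -LiteralPath (Join-Path $_.InstallLocation 'AppxSignature.p7x')
        }
    }
}

$pkg = 'microsoft.windowscommunicationsapps'
Get-StorePackageSignature -Name $pkg | Format-List

$report = Get-SignatureReport -Path "$env:ProgramFiles\WindowsApps\${pkg}_17.7466.41227.0_x64__8wekyb3d8bbwe"

# Summarise by status so one untrusted root or one HashMismatch stands out
# from the bulk of plain NotSigned files.
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object Status -ne 'Valid' |
    Sort-Object Status, File |
    Format-Table Status, SigType, Signer, File -AutoSize

# Hash list for VirusTotal lookups or a Symantec false-positive submission
$report | Where-Object Status -ne 'Valid' |
    Select-Object SHA256, Status, File |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\unverified-files.csv"
```

Two things worth keeping in mind when reading the output: a HashMismatch is the only status that says a signed file has been altered, whereas NotSigned inside a Store package and UnknownError (untrusted root) are conditions to explain, not proof of compromise; and looking hashes up at VirusTotal is preferable to uploading, since an uploaded file is shared with many vendors and may contain data you did not intend to disclose.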
This is on Windows 10 Pro Version 1607 Build 14393.447
Sigcheck v2.54 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41227.0_x64__8wekyb3d8bbwe\HxAccounts.exe:
Verified: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Link date: 11:46 16/11/2016
Publisher: n/a
Company: Microsoft Corporation
Description: Microsoft Outlook Accounts
Product: Microsoft Office 2016
Prod version: 16.0.7466.4122
File version: 16.0.7466.4122
MachineType: 64-bit
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41227.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe:
Verified: Unsigned
Link date: 11:47 16/11/2016
Publisher: n/a
Company: Microsoft Corporation
Description: Microsoft Outlook Calendar
Product: Microsoft Office 2016
Prod version: 16.0.7466.4122
File version: 16.0.7466.4122
MachineType: 64-bit
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41227.0_x64__8wekyb3d8bbwe\HxMail.exe:
Verified: Unsigned
Link date: 11:46 16/11/2016
Publisher: n/a
Company: Microsoft Corporation
Description: Microsoft Outlook Mail
Product: Microsoft Office 2016
Prod version: 16.0.7466.4122
File version: 16.0.7466.4122
MachineType: 64-bit
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41227.0_x64__8wekyb3d8bbwe\HxTsr.exe:
Verified: Unsigned
Link date: 11:46 16/11/2016
Publisher: n/a
Company: Microsoft Corporation
Description: Microsoft Outlook Communications
Product: Microsoft Office 2016
Prod version: 16.0.7466.4122
File version: 16.0.7466.4122
MachineType: 64-bit
The same is true for DLLs (I have only listed two here, but it's the same for the rest: some are signed and some are not):