There were several threads on the MBAM forums.
RB
Submit one of the suspect files to Virustotal or Jotti to help ascertain
if it is a false positive.
FredW wrote:
>
> Looks like the same kind of problem Avast had today.
Huh? Why did MBAM and Avast have problems around the same time?
What is the connection??
Do they share or steal each others definitions?
Buffalo
| FredW wrote:
Pure coincidence of a rash of False Positives!
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
David H. Lipman wrote:
> From: "Buffalo" <Er...@nada.com.invalid>
>
>
>
>> FredW wrote:
>
>>> Looks like the same kind of problem Avast had today.
>
>> Huh? Why did MBAM and Avast have problems around the same time?
>> What is the connection??
>> Do they share or steal each others definitions?
>> Buffalo
>
>
>
> Pure coincidence of a rash of False Positives!
I really don't believe that explaination!
Buffalo
I did that. When it came back 'negative', I checked the MBAM forums.
RB
>> Pure coincidence of a rash of False Positives!
| I really don't believe that explaination!
| Buffalo
Sorry, that's the way it is.
If it were more than a coincidence, it would be the *same* malware being
purportedly found by each program, since you are talking about the def
files being possibly shared or stolen. For example if both entities
stole their defs from PCButts - all three would FP on the same files for
the same malware (possibly giving different malware names as a result).
Even the best programs can and will FP - it is nice to have a
programmatical consensus available online. When online is not possible,
it is nice to have an alternative program available locally for a second
opinion.
All is well. My 12/3 update installed 3287 and the scan indicated
problems I stated.
Today (12/4) I updated and installed 3289, full scan showed zero problems.
One curious note: I don't recall having to re-start the computer after
yesterday's update. Today I received and responded to that message.
Thanks for all your replies.
David H. Lipman wrote:
> From: "Buffalo" <Er...@nada.com.invalid>
>
>
>>> Pure coincidence of a rash of False Positives!
>
>> I really don't believe that explanation!
>> Buffalo
>
>
> Sorry, that's the way it is.
I guess so. That kind of coincidence just throws up a red flag to me.
Thanks for the response.
Buffalo
> For example if both entities stole their defs from
> PCButts - all three would FP on the same files for the same malware...
FTR,
Do you imagine, in the scenario described above, either entity
functioning well enough to make it to that point?
Regards,
Len Agoado
ago...@msn.com
I understand.
Of course, virus (or malware) description language is not a programming
language.
:oD
Butt's programs work reasonably well even though the data files
describing the malware are stolen from the actual people doing the
research to create them (the "engines" consuming that data are probably
stolen as well, by this has not been demonstrated as well as the other
aspect has).
If you recall the "other" thieves (from China?) - they actually gave the
same malware name (marker) in the alert, probably because the engine
(maybe even the GUI) is stolen as well.
Often, that is indicative of a program update as opposed to just a
definitions update. I'm not sure if Malwarebyte's Anti-Malware shares
this nature so familiar with the AV programs.
>> "FromTheRafters" <err...@nomail.afraid.org> wrote
>> FTR,
::oD
Yes, IObit's theft of the Malwarebytes database is an excellent example.
Those who decrypted the IObit database and the Malwarebytes database have *NO DOUBT* of
this theft.
Oh, yeah, I also did that. I ran SAS, Spybot S&D, Ad-Aware, and Norton
AV (the corporate version), before I sent a file to VT, and checked the
forums.
RB
It sounds like you have things pretty well covered with respect to
sorting out FP's. :o)
A lot depends (for me) on where a file is found as well. For instance
some months ago a had detection of malware in my IBM utilities folder -
I suspected FP's and did nothing - subsequent scans did not repeat the
issue. Some months later I got a detection in my Java jar's zip files -
I quarantined (or deleted) them, because I didn't care about saving
FPed malware in Java jars.
> FredW wrote:
>>
>> Looks like the same kind of problem Avast had today.
>
> Huh? Why did MBAM and Avast have problems around the same time?
We had temporary problems with our database... Shrug. Sorry. We fixed it
quick, but evidently not quick enough; some systems did get the bad
definitions.
> What is the connection??
None.
> Do they share or steal each others definitions?
We don't share definitions with anyone. It wouldn't do much good;
Definitions are typically custom and very specific to the antimalware
engine. For example, the definitions system in use by BugHunter (my app) is
entirely 100% incompatable with the definitions system used by malwarebytes
antimalware. While some definitions can and do consist of hashes or
checksums of some sort, others do not.
--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk
> On Thu, 3 Dec 2009 20:08:48 -0700, "Buffalo" <Er...@nada.com.invalid>
> wrote:
>>David H. Lipman wrote:
>>> From: "Buffalo" <Er...@nada.com.invalid>
>>>> FredW wrote:
>>>
>>>>> Looks like the same kind of problem Avast had today.
>>>
>>>> Huh? Why did MBAM and Avast have problems around the same time?
>>>> What is the connection??
>>>> Do they share or steal each others definitions?
>
>>>
>>> Pure coincidence of a rash of False Positives!
>>
>>I really don't believe that explaination!
>
> Sometimes the reality is amazing.
> :-))
>
Even better than science fiction.
> "FromTheRafters" <err...@nomail.afraid.org> wrote
>
>
>> For example if both entities stole their defs from
>> PCButts - all three would FP on the same files for the same malware...
>
>
> FTR,
>
> Do you imagine, in the scenario described above, either entity
> functioning well enough to make it to that point?
You would have to have the entire staff from both companies really,
insanely out of their heads for this to happen; and actually go live. :)
Hard to have doubt when it's line for line, character for character.
Hell, iobit modified their software to support our definitions! <G>
No. Our engine update consists of a new version installation. We do not
presently do things the way some, but not all antivirus companies do.
Thanks for the info Dustin.