Author Topic: MBAM PRO - MAJOR F/P - Trojan.Downloader.ED  (Read 4418 times)


Offline ky331

MBAM PRO - MAJOR F/P - Trojan.Downloader.ED
« on: April 15, 2013, 10:44:09 PM »
MBAM Pro has just "gone crazy", labeling just about everything (including system files) as Trojan.Downloader.ED

Several people are now reporting this at the MBAM forum.  http://forums.malwarebytes.org/index.php?showforum=42

BE CAREFUL.

Sorry, I don't have a database version, as I had to "kill" MBAM on my system in order to access anything else.

Offline Corrine

Re: MBAM PRO - MAJOR F/P - Trojan.Downloader.ED
« Reply #1 on: April 15, 2013, 10:52:47 PM »
Thank you, ky331.

From what I can ascertain from the MBAM Forum, the version information is as follows:

Running version 1.75.0.1300
Build date: 4/4/2013 2:50:30 PM

Database Information:

Date: 4/15/2013 6:33:21 PM
Database Version: v2013.04.15.12
Fingerprints loaded: 260233

A report has been received that update v2013.04.15.30 is Ok.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline ky331

Re: MBAM PRO - MAJOR F/P - Trojan.Downloader.ED
« Reply #2 on: April 15, 2013, 11:21:54 PM »
Now that all is back to normal, I can assert/confirm:

The disastrous database was v2013.04.15.12.
The F/P has been fixed with v2013.04.15.13.

Offline Corrine

Re: MBAM PRO - MAJOR F/P - Trojan.Downloader.ED
« Reply #3 on: April 15, 2013, 11:22:16 PM »
From Malwarebytes:

Quote
Malwarebytes had a bad update that was up briefly for ten minutes today and has impacted some of our customers. Those who were impacted we will post shortly with instructions. For now we encourage you to contact Support if you are experiencing issues.

Database version v2013.04.15.12 (bad)
Database version v2013.04.15.13 (good)

http://www.malwarebytes.org/contact_consumer/



Offline Corrine

Re: MBAM PRO - MAJOR F/P - Trojan.Downloader.ED
« Reply #4 on: April 15, 2013, 11:30:33 PM »
Additional information:

Quote
We sincerely apologize for this false positive.  An update has already been pushed out to remove the offending definition that caused this.

For those of you still having problems, please contact support via the following links and they will assist you directly in getting your systems functioning properly again:

Home User Support
Business Support

Please be sure to include the following information to expedite the repair process:
  • OS installed (i.e. XP, Vista, 7, 8 etc.)
  • Whether you have restarted your computer yet or not
  • Whether or not the system is bootable if you have attempted a restart of your system yet
  • Whether or not you have your Windows installation media (CD, DVD, recovery discs etc.)
We have also taken extensive measures to ensure that a false positive like this never happens again.  Once more, I apologize that this occurred and hopefully we will be able to get everyone's systems in proper working order once more without too much trouble.

and

Quote
One additional thing to add.  For anyone running Windows 7, please try System Restore first as that may fix the problems since System Restore on Windows 7 also recovers deleted files.

You may find this information to be helpful as well.



Offline ky331

Re: MBAM PRO - MAJOR F/P - Trojan.Downloader.ED
« Reply #5 on: April 16, 2013, 11:33:25 AM »
Now that things have calmed down, I'd like to take some time to discuss the MBAM False-Positive (F/P) experience:

As a preface, let's note that, effective with version 1.70 (released on or about 27 December 2012), MBAM introduced a new feature in the PRO (paid) version, that "Threats detected by the protection module are now quarantined automatically by default".  This was documented and discussed here:   http://en.community.dell.com/support-forums/virus-spyware/f/3522/p/19483097/20261376.aspx#20261376


In that thread, I noted my concern about this option, and wanting to be in total control of the decision-making process, I UNchecked it.


I did so, out of fear of potential F/P's... but knowing that the burden of decisions would then fall entirely upon me [a task which I was willing to accept].

The MBAM F/P yesterday was major: it was objecting to hundreds --- more likely thousands --- of critical Windows system files... as well as to several of MBAM's own modules! Presumably, PRO users who had left the above option checked would have had all such files automatically quarantined. Worst case scenario: upon attempting to reboot, with critical system files missing, Windows would no longer load.


What happened in my case, with the option UNchecked, was somewhat different:


Let me re-emphasize that I have the PRO (paid) version, with its REAL-TIME protection activated. So I'm NOT simply talking about an on-demand scan that generated a whopping list of F/Ps. Rather, shortly after MBAM automatically updated itself to database v2013.04.15.12, its real-time protection module popped up to warn me it detected a Trojan.Downloader.ED infection in one of my [Windows system] files.


As I have multiple layers of protection on my computers, and strive to keep them "squeaky clean", my first reaction was to suspect it was likely a F/P.   The choices it gave me were to ALLOW that file (either temporarily [i.e., just this once], or "permanently"), or to quarantine it.   I intended to allow it (once), so as to be able to investigate the matter further.   Unfortunately, as soon as I did so, MBAM immediately popped up with a 2nd file warning... then a 3rd... and so on.   [During all these detections, my anti-virus, Avast, was sitting by silently, not finding any problems.]


I wanted to temporarily turn off MBAM, but was unable to simply do so: perhaps by virtue of strong self-protection, I was unable to do anything other than reply to the allow/quarantine prompts. Specifically, I could not interrupt the bombardment to open WinPatrol, nor the Task Manager, to "kill" MBAM. Absolutely nothing was working... meaning I had no choice but to hold down the power button, forcing a "hard" shut down.


I was able to boot-up the system... but since MBAM was set to automatically start with Windows, the same problem was happening all over again.   So I was forced into another "hard" shut down.


This time, I started Windows in Safe Mode, and opened the Services monitor (services.msc) to DISABLE the MBAM service.   Upon doing so, I rebooted (normally this time), and Windows restarted, but without MBAM automatically running.   I now was able to use my computer, and confirmed that other people were reporting the same issue at the MBAM forum.   I posted here as quickly as possible, to alert people about what was happening.


MBAM says the faulty update was only online for about 10 minutes. 


I think there's a saying:   "Humans can make mistakes, but it takes a computer to really screw-things-up royally". 


F/P's can happen to ANY security program... none can claim immunity.    Indeed, I commend Marcin (the creator/owner of MBAM) for being forthcoming on Facebook, where he wrote:  "Hey guys, this is Marcin. Sorry for the inconvenience everyone, we really are. We're going to be working night and day to improve our false positive prevention. It's embarrassing to me and our company to ever have to address an issue like this".


The bottom line:  I will continue to use MBAM --- including its real-time protection --- just as I continue to use Avast [despite it having had such a major F/P a few years ago].   I'm just happy I was able to maintain my composure throughout this ordeal.
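The auto-quarantine concern raised in this post suggests a defensive design question: how a real-time engine could recognise a burst like the one described (one signature name hitting file after file under the Windows system directories and the scanner's own modules, within minutes of a database update) and fall back to alert-only instead of quarantining. The following is an added example, not code from this thread or from Malwarebytes; the event format, directory names and thresholds are constructed for illustration.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed/placeholder roots: OS system directories plus the scanner's own
# install directory (a generic name; the real product path is not from the thread).
PROTECTED_ROOTS = [PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Program Files\Scanner")]

def under_protected_root(path: str) -> bool:
    """True when `path` lies below one of PROTECTED_ROOTS (case-insensitive)."""
    parents = PureWindowsPath(path).parents
    return any(root in parents for root in PROTECTED_ROOTS)

def is_fp_storm(events, window=timedelta(minutes=5), threshold=20, share=0.5):
    """Return (storm, signature, hits) for events = [(timestamp, signature, path)].
    A storm is one signature with >= threshold hits inside `window`, at least
    `share` of them under PROTECTED_ROOTS; the share test keeps a genuine mass
    infection of user-profile files on the normal quarantine path.
    """
    by_sig = {}
    for ts, sig, path in sorted(events):
        by_sig.setdefault(sig, []).append((ts, under_protected_root(path)))
    for sig, hits in by_sig.items():
        start = 0
        for end in range(len(hits)):  # sliding time window per signature
            while hits[end][0] - hits[start][0] > window:
                start += 1
            n = end - start + 1
            protected = sum(flag for _, flag in hits[start:end + 1])
            if n >= threshold and protected / n >= share:
                return True, sig, n
    return False, None, 0

def choose_action(events) -> str:
    """Downgrade to 'alert_only' during a suspected storm, else 'quarantine'."""
    return "alert_only" if is_fp_storm(events)[0] else "quarantine"

def _t(sec):  # constructed timestamps around the evening of the bad update
    return datetime(2013, 4, 15, 18, 35, 0) + timedelta(seconds=sec)

# Constructed sample stream: a burst of one signature on system files plus the
# scanner's own module (as in the thread), and one unrelated earlier detection.
SAMPLE_EVENTS = [(_t(6 * i), "Trojan.Downloader.ED",
                  rf"C:\Windows\System32\sysfile{i:03d}.dll") for i in range(25)]
SAMPLE_EVENTS.append((_t(200), "Trojan.Downloader.ED",
                      r"C:\Program Files\Scanner\scanner_service.exe"))
SAMPLE_EVENTS.append((_t(-3600), "Trojan.Agent.Generic",
                      r"C:\Users\alice\AppData\Local\Temp\setup.exe"))
```

With the sample stream, `choose_action(SAMPLE_EVENTS)` returns `"alert_only"`; a burst of the same size under a user profile directory still returns `"quarantine"` because the protected-share test is not met.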

Offline Corrine

Re: MBAM PRO - MAJOR F/P - Trojan.Downloader.ED
« Reply #6 on: April 16, 2013, 03:49:04 PM »
Excellent report, ky331. Thank you!

I agree with you completely on all points --
  • I want to be in total control of the decision-making process;
  • At one point or another, all security programs face dealing with f/p's;
  • I also commend and respect Marcin, and
  • I, too, will continue using MBAM Pro.

