false positive with the latest definitions (1.71.26.0) for Windows Defender?

system · November 19, 2009, 4:35pm

Received this from avast this morning:
Sign of “Win32:Delf-MBA [Trj]” has been found in “C:\025fb05bc11ec8618394a3\source.temp” file.

Poking around the event viewer, I saw that a windows update for the latest windows defender started to fail at about the same time. I found this log in c:\windows\temp\MpSigStub.log mentioning the same file. The relative portion of the contents of the log file are below. 99.99% certain this is a false positive, but would like confirmation and figured Avast would like to know about it. I tried to upload the source.temp file to virustotal.com, but it’s over 20 meg.

–

–
Command: c:\025fb05bc11ec8618394a3\MPSigStub.exe WD /q
Start time: 11/19/2009 9:20 AM

================================= CacheMpSigStub ===============================

Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe

================================ PackageDiscovery ==============================

Directory: c:\025fb05bc11ec8618394a3

    SigStub:    Engine:  Signatures:

AS BDE: 2.0.1011.0 ?.?.?.? 1.71.26.0

=================================== ProductSearch ==============================

ERROR 0x80070002 : CreateAntimalwareProduct(WD)
ERROR 0x8007051a : CreateAntimalwareProduct(WD (Vista))
Version: Engine: Signature
s:
Microsoft Windows Defender (Windows 7): 6.1.7600.16385 1.1.5202.0 1.69.995.
0

================================ PatchApplication ==============================

ERROR 0x80070002 : ApplyPatchToFileExW(source = c:\025fb05bc11ec8618394a3\source
.temp, target = c:\025fb05bc11ec8618394a3\dest.temp, patch = c:\025fb05bc11ec861
8394a3\mpasbase.vdm._p)
ERROR 0x80070002 : ApplyPatch(c:\025fb05bc11ec8618394a3\source.temp, c:\025fb05b
c11ec8618394a3\mpasbase.vdm._p, c:\025fb05bc11ec8618394a3\dest.temp)
Using directory c:\025fb05bc11ec8618394a3 for temporary storage,
ERROR 0x80070002 : ApplyVdmPatch(C:\ProgramData\Microsoft\Windows Defender\Defin
ition Updates{09AABB3F-B0D5-4C96-BAB9-DF555DDC9149}\mpasbase.vdm, c:\025fb05bc1
1ec8618394a3\mpasbase.vdm._p, c:\025fb05bc11ec8618394a3\DD009637-BDBD-4946-988F-
E38A80A71B7Cmpasbase.vdm)
Set DeltaUpdateFailure to 1
ERROR 0x80070002 : One or more of the products found failed to update; returning
this error

----------Watson Report Buckets-------------------
P1 - Failure hr: 0x80070002
P2 - FailedFunction: PatchApplication
P3 - FailedOperation: (null)
P4 - SourceComponentVersion: 2.0.1011.0
P5 - SourceComponentName: mpsigstub.exe
P6 - ProductVersion: 6.1.7600.16385
P7 - ProductName: WD (Win7)

ERROR 0x80070002 : MpSigStubMain
End time: 11/19/2009 9:24 AM

Milos · November 19, 2009, 4:51pm

Hello,
send us (virus@avast.com) this file to analyze as password protected attachement, use password “infected” without quotes. Use “False positive” as subject.

Thank you,
Milos

misak · November 20, 2009, 3:41pm

Hello,

thank you for sending the file. Yes this is part of Windows defender databese with plain text signatures witch are detected by Avast. There are reported many detections (Win32:Delf-MBA, Win32:Adloader-AC, Win32:Renos-AM [Adw], Win32:FraudLoad-P [Trj], Win32:Cinmus-J [Rtk], …). We can’t fix this problem on our side. Please pause On access shield while installing this update, or add this location to exceptions.

system · November 20, 2009, 3:55pm

Yes, I had a similar detection some time ago, in ‘ProgramData/Microsoft/Windows Defender…’(Win32:Delf-MBA) Just chested it…oddly though, it hasn’t happened again…

Is this a kinda random thing?

system · November 20, 2009, 9:13pm

I use Windows Defender, am updated and I never had any problem of detection of malicious programs in my computer.