MBAM False Positive!

Hi, I would be grateful for any answer to this problem.

I have been running free vers. 5.0.545 for approximately three weeks with no problems, but I got a warning of
infection, namely C:\WINDOWS\system32\drivers\mbamswissarmy.sys!

This rather perplexes me because I have set all MBAM files to be excluded from scans, so like I say, I would be
grateful for any answers. Though MBAM is the paid version, realtime protection is disabled.

Prior to installing 5.0.545, I was running MSE, which I uninstalled with Revo Uninstaller. I install Windows updates as
they become available, and MBAM updates and scans on a daily basis, no problems.

OS: Vista SP2 Home Premium, Avast5 free, MBAM paid version and Windows Firewall.

Many thanks,

BobbyZee67

http://forums.malwarebytes.org/index.php?showtopic=6931
http://www.bleepingcomputer.com/forums/topic173703.html

And since it is avast doing the detection, the headline of this topic should be "avast false positive".

I have just scanned that file in my system and no alert, see image.

Hash info on the mbamswissarmy.sys on my system:
MD5: 7364D8A830F91C487F430A57FDBD2BBB
SHA1: 3A693F4E63E130B9CDD284FA7036D04DD457DDC8

What version and build of MBAM are you using ?

What avast virus definition version are you using ?
My scan was with 100517-1, the latest at the time of the scan.

Hi DavidR, Many thanks for your reply.

I’m afraid that in my first post I did not furnish you with all the facts!

I’m quite “computer illiterate” and when I received the MBAM file warning, I suppose I was both surprised and shocked
and, not knowing quite what to do, uninstalled Avast5, reinstalling MSE on a temporary basis until I heard from the
forum and could hopefully reinstall Avast. I’m sorry, but I obviously do not remember the virus definition version; however,
the MBAM build version is 1.46.

As I say, both MBAM and MSE scans are clean, so I suppose my question now is, can I reinstall Avast?

Once again, sorry for my naivety and yes “Pondus” I do now realise heading should have read Avast detects
MBAM false positive!

BobbyZee67

Yes, you can reinstall avast5, but when you do so MSE should have its Resident scanner function disabled as they could conflict.

There was more information missing in the first post, but since you uninstalled avast5 you don’t have a record, only memory, e.g. what type of scan was it that detected this, and what was the malware name?

The reason I gave the MD5 and SHA1 (hash) values is that they allow you to check your mbamswissarmy.sys file against mine: these numbers are unique to a file version, and if they match the files are identical, so the two are the same and not infected (as mine isn’t).

In any case a detection isn’t the end of the world, the automated action in avast5 would send it to the chest (a protected area) unless you have changed the automated actions. This gives you time to investigate the detection, like you have here.

The last thing I would do however is uninstall the program making the detection but send the file to the chest and investigate.

You say you excluded all the mbam files. First, there is no need to do this (I haven’t), and secondly it depends on what scanner made the detection (which is why I asked), as there is a difference: the avast Settings, Exclusions list deals with ‘all’ on-demand scans, those initiated by you. If this detection was by one of the resident (on-access) scanners then the on-demand exclusions wouldn’t apply, so the most likely scanner to have made the detection would be the File System Shield.
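To make the hash comparison DavidR describes concrete, here is an added example (not code from the thread, avast or Malwarebytes). It assumes Python 3, copies the MD5 and SHA1 values DavidR posted as the reference, and hashes a constructed stand-in file because the real driver is not available here; to check your own copy, call hashes_of_file on C:\WINDOWS\system32\drivers\mbamswissarmy.sys instead.

```python
import hashlib
import os
import tempfile

# Reference hashes posted by DavidR for his copy of mbamswissarmy.sys
# (copied from the thread above; the driver itself is not included here).
REFERENCE = {
    "md5": "7364D8A830F91C487F430A57FDBD2BBB",
    "sha1": "3A693F4E63E130B9CDD284FA7036D04DD457DDC8",
}

# SHA-256 is computed as well so the output is useful beyond MD5/SHA1.
ALGORITHMS = ("md5", "sha1", "sha256")


def hashes_of_bytes(data: bytes) -> dict:
    """Uppercase hex digests of an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in ALGORITHMS}


def hashes_of_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Uppercase hex digests of a file, read in chunks so a large file
    never has to fit in memory at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def compare_hashes(actual: dict, reference: dict) -> dict:
    """Per-algorithm match result for every algorithm present in both dicts.
    Case and surrounding whitespace are ignored, since reference values are
    usually pasted from a forum post or a vendor page."""
    return {
        name: actual[name] == ref.strip().upper()
        for name, ref in reference.items()
        if name in actual
    }


def is_identical(actual: dict, reference: dict) -> bool:
    """True only if at least one algorithm was compared and every one matched."""
    results = compare_hashes(actual, reference)
    return bool(results) and all(results.values())


def check_sample_file() -> tuple:
    """Write a constructed stand-in for the driver to a temp file, hash it on
    disk, and compare it both against DavidR's reference values and against
    its own in-memory hashes. Returns (matches_reference, matches_self)."""
    # Constructed sample data: NOT the real mbamswissarmy.sys.
    sample = b"MZ" + b"constructed stand-in for mbamswissarmy.sys, not the real driver\n" * 64
    fd, path = tempfile.mkstemp(suffix=".sys")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(sample)
        on_disk = hashes_of_file(path)
    finally:
        os.unlink(path)
    return is_identical(on_disk, REFERENCE), is_identical(on_disk, hashes_of_bytes(sample))


if __name__ == "__main__":
    vs_reference, vs_self = check_sample_file()
    print("matches DavidR's hashes:", vs_reference)  # False: different bytes
    print("matches its own hashes: ", vs_self)       # True: identical bytes
```

A match tells you only that the two files are byte-for-byte identical; it says nothing about whether that version is clean beyond the fact that the other copy was not flagged. MD5 and SHA-1 are no longer collision resistant, which is why the block also reports SHA-256; for checking that your copy is the same as someone else's, comparing all three is the safer habit.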