I wouldn’t say FP at MBAM is rare, infrequent yes, rare no.
All of the detections I have had on MBAM have been FPs, not that I expect to get any detections in the first place. I switched off the malicious IP feature very shortly after getting the MBAM Pro version, for me more pain than gain ;D
Incoming…Sophos is quick as usual, only 40 min ;D
The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.
user_69.exe – identity created/updated ( New detection Troj/Agent-UAZ )
and from the ThreatExpert report it seems Sophos was already sniffing on this, as one of the .dlls created ( %System%\vfpdxnd.dll ) was already detected as Troj/Virtum-Gen
The IP block is particularly bad as it is essentially touted as malicious website blocking and it is nothing of the sort. It is blocking many more categories than malicious sites, so for me those other sites are essentially FPs.
Not to mention we have the network shield attending to true malicious sites (and of course the web shield), I honestly believe I’m better off without it.
Remember my reply was based on your comment that FPs are ‘rare’ in MBAM and I believe that to be incorrect.
Well thanks for the reactions in this thread, Pondus, Dim@rik, DavidR. As the IP mentioned is known to infect with VUNDO, Virus.Win32.Vundo, TR/Vundo.odalz, Backdoor/Win32.Agent and Dropper/Win32.Cidox etc *, I thought to run the malware URL through Anubis to get the binaries analyzed there, as Anubis has become available again after a short “overhaul”.
Just walking the analysis, I found:
Unexpected exceptions in the native code. Heap corruption here: VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
Malicious spam spoofing code found at this attack code: S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\C
Pop-Dealio trojan like code detected through {1E66F26B-79EE-11D2-8710-00C04F79ED0D}\INPROCSERVER32
Falsepos case on file user_69.exe (d8acd0f20eeeb5af0d7460860c8bc5d4) has been processed. No FP found!
Avira lab
The file 'user_69.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Offend.KD.409679. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.11.17.177.