2 false neg's caught by MBAM, nasty VT reports...

I ran an MBAM scan last night - it turned up several items, but two of them look pretty bad, and CIS doesn’t flag them. Plus the name MBAM gives them (spyware.passwords.XGen) is a bit horrifying, although none of the other VT detections give a name that sounds so specifically bad.

I’ve submitted both to Comodo (did it through the software instead of the web interface - is it preferable to use the web?).

They are “test.exe” inside an online poker application folder (which I, strangely enough, think of as being reasonably trustworthy), and 1818543287[1].exe inside the directory:

…\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GHNNA8G

Neither exact file had been seen by VT before, but it analyzed them and gave back a lot of badness:



Hello huge1,

Thank you for your submission. We’ll check this and get back to you soon.

Kind Regards,
Erik M.

This is to inform you that the submitted file is not a false positive. The file is detected because it’s a malware application.

Kind Regards,
Erik M.
Comodo AntiVirus Lab

Erik - Thanks for the reply, but I submitted these because I think they’re false NEGatives (abbreviated in the post title). MBAM and VT are clearly flagging them, but CIS is not giving me a warning on scanning them. Are you saying that on your system CIS is flagging them as malware?

Hi huge1,

Please post both of these files here, archived and passworded, or via the WebInterface.

Kindest Regards,
Erik M.

I submitted both of them already, through the CIS software. And then I nuked them both, since they seemed pretty clearly to be bad news, and I figured you guys had them already. I also previously submitted them both to VT.

So I’m afraid I don’t have copies anymore. Do you have access to the files I submitted through the software? Is it better somehow for us to submit files through the web interface?

Ahh, but wait … they’re still in MBAM quarantine … I’ll submit them via web and then re-quarantine them.