Windows Defender Definitions FP - realtime only & odd

Comodo Internet Security - CIS AV False Positive/Negative Detection Reporting
#1

Hi guys, got an odd false-positive from CAV.

It’s in two directories (one’s a big string of hex digits, the other is called “backups”) inside this directory:

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\

The file is named “mpasdlta.vdm”, the file modification date is January 11 (yesterday, and I believe my Windows Defender did update its definitions yesterday), and the file is digitally signed by Microsoft.

It appears ONLY the on-access part of CAV detects it as FP. It was detected when I happened to access the file as part of something that touches all files on the entire drive (turning off windows’ indexing for the C: drive).

When I right-click the file and select “Comodo Antivirus” for an on-demand scan, it finds nothing wrong with the file. Scheduled and manual whole-computer scans find nothing wrong, either. Curiously, though, realtime CAV doesn’t complain when I right-click and do “properties” on the file… but it did when I turned off indexing and Windows tried to clear the file’s indexing bit.

Also odd is how the detection looked. I didn’t get the usual CAV alert (bottom-right of screen, the usual look). Instead it was on the lower-left corner of the screen, and resembled one of CIS’s “balloon messages”. It stayed up for a few seconds, then disappeared. These weird-looking alerts WERE logged in “Antivirus Events”, but were NOT quarantined even though I have “automatically quarantine” set ON (the files were left in-place, and my quarantine is empty).

According to CAV Events log, “Malware Name” is: “UnclassifiedMalware[at]91598295”

File size: 1.51 MB (1,585,552 bytes)
Created: Monday, January 11, 2010, 12:00:36 PM
Modified: Monday, January 11, 2010, 12:00:31 PM

This almost certainly MUST be a false positive. Can you fix it, guys? Thanks.

#2

Hi puddingpants,

Thanks for reporting.We are going to check that and get back to you.

Regards,
Haja

#3

Wow, you guys are FAST! Thanks! I’ll check this thread for updates.

More info:

CIS 3.13.126709.581
Virus DB: 3567

Windows XP Media Center Edition SP3
The FP occurred while using an administrator account

#4

I got the same alert on two PC’s running Windows 7 x64.
Comodo IS v3.13.126709.581
Database v3567

I’ve submitted it by using comodo’s “Submit Suspicious Files”, I don’t know if thats the right way to do it but I hope it was.

#5

Same here, see att.

[attachment deleted by admin]

#6

Hello, I wanted to add to the first post of this topic. The first occurrence of a warning was today at 7:30am EST, where I too received a message upon bootup (Win XP s/p 2), with a CAV message which unusually was in the center of the screen stating the mpasdlta.vdm was found. The choices: Remove, Quarantine or Ignore. While I studied the screen too long the dialog closed.

The entry shows in the CAV log a location C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates{long string of alpha numerics}\mpasdlta.vdm
Malware Name: UnclassifiedMalware@91598295
Action:Detect, Status:Success
but no action was taken so it is present still.

It is located beneath also in the backup subdir, as stated at first post, too.

I ran a Full scan of the harddrive (twice) and this file goes undetected? With that said I am not sure if this is the FP as mentioned?, and if not how will I properly rid the PC of this if it is not recognized? Thank you for your help.

#7

Hi puddingpants,

This false-positive was fixed with DB 3570. You can update CIS and rescan to confirm.

Thanks and regards,
Ionel

#8
This false-positive was fixed with DB 3570. You can update CIS and rescan to confirm.

Thanks and regards,
Ionel


Well, I can’t rescan to confirm, since scanning manually (or scheduled scans) never caused a detection. It was only the realtime scanner that found it. And why couldn’t I cause the realtime alert to happen again by, say, pulling up the properties on the file? It only happened once (while turning off indexing on the hard drive), and I couldn’t recreate it (even before you guys fixed the definitions!)

Also, why the weird appearance (minimalistic, like a “balloon message”) and location of the alert, and why does it disappear quickly (a matter of seconds), and why did I get no buttons, but another user (see above) got buttons for different actions to take? Why didn’t the file get auto-quarantined when I have CIS set to do that? Are there different kinds of AV alerts in Comodo?

Also, I came across another FP like this… same thing (realtime only, cannot recreate, weird minimalistic-looking window, no choices given, no auto-quarantine performed, file left in-place, etc.). See my new thread, coming soon, for that one.

Thanks!