Windows Defender Definitions FP - realtime only & odd

Hi guys, got an odd false-positive from CAV.

It’s in two directories (one’s a big string of hex digits, the other is called “backups”) inside this directory:

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\

The file is named “mpasdlta.vdm”, the file modification date is January 11 (yesterday, and I believe my Windows Defender did update its definitions yesterday), and the file is digitally signed by Microsoft.

It appears ONLY the on-access part of CAV detects it as FP. It was detected when I happened to access the file as part of something that touches all files on the entire drive (turning off Windows’ indexing for the C: drive).

When I right-click the file and select “Comodo Antivirus” for an on-demand scan, it finds nothing wrong with the file. Scheduled and manual whole-computer scans find nothing wrong, either. Curiously, though, realtime CAV doesn’t complain when I right-click and do “properties” on the file… but it did when I turned off indexing and Windows tried to clear the file’s indexing bit.

Also odd is how the detection looked. I didn’t get the usual CAV alert (bottom-right of screen, the usual look). Instead it was on the lower-left corner of the screen, and resembled one of CIS’s “balloon messages”. It stayed up for a few seconds, then disappeared. These weird-looking alerts WERE logged in “Antivirus Events”, but were NOT quarantined even though I have “automatically quarantine” set ON (the files were left in-place, and my quarantine is empty).

According to CAV Events log, “Malware Name” is: “UnclassifiedMalware[at]91598295”

File size: 1.51 MB (1,585,552 bytes)
Created: Monday, January 11, 2010, 12:00:36 PM
Modified: Monday, January 11, 2010, 12:00:31 PM

This almost certainly MUST be a false positive. Can you fix it, guys? Thanks.
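When an on-access alert names a file that is supposed to be a vendor-signed component (here, a Windows Defender definition file), the useful triage step before deleting or restoring anything is to confirm what the file actually is: does its Authenticode signature validate, who is the signer, and what is its hash so the exact bytes can be reported for false-positive analysis. The script below is an added example and is not code from the thread, from Comodo, or from Microsoft. It assumes the XP-era definition path quoted above (on Vista/7 the same folder lives under `$env:ProgramData`), the file name `mpasdlta.vdm`, and only cmdlets available in PowerShell 2.0, so it runs on the XP and Windows 7 systems mentioned in the thread. A valid Microsoft signature establishes provenance of the bytes; it does not by itself prove the AV verdict wrong, which is why the hash and signer are collected for the vendor report.

```powershell
# Added example (not from the forum thread): triage every copy of a file that an
# AV alert flagged, by checking its Authenticode signature and recording its
# SHA-256, so the result can go into a false-positive report.
param(
    # Assumption: the Windows XP definition path quoted in the thread.
    # On Vista/7 use: Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'
    [string]$Root = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates',
    [string]$Name = 'mpasdlta.vdm'
)

# SHA-256 via .NET so this also works on PowerShell 2.0 (Get-FileHash needs 4.0+).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Both the hex-named update folder and the "Backup" folder hold a copy, so recurse.
$files = Get-ChildItem -Path $Root -Filter $Name -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

if (-not $files) {
    Write-Warning "No file named $Name found under $Root"
    return
}

foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # A genuine definition file should have a Valid signature that chains to a
    # Microsoft subject. Any other status (NotSigned, HashMismatch, UnknownError)
    # means the bytes are not what the publisher shipped and deserve a closer look.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

    New-Object PSObject -Property @{
        Path     = $f.FullName
        Size     = $f.Length
        Modified = $f.LastWriteTime
        Status   = $sig.Status
        Signer   = $signer
        SHA256   = Get-Sha256Hex $f.FullName
        Trusted  = $trusted
    } | Select-Object Path, Size, Modified, Status, Signer, SHA256, Trusted
}
```

Run it from an elevated prompt as `.\Check-FlaggedFile.ps1` (or pass `-Root` for the Vista/7 path) and paste the output table into the vendor's false-positive submission. The `Trusted` column being `True` for every copy, with a size matching the one in the alert, is the evidence that the flagged file is the untouched Microsoft definition file; a `HashMismatch` on any copy would instead mean the file was altered after signing and should be treated as suspect regardless of the AV verdict.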

Hi puddingpants,

Thanks for reporting. We are going to check that and get back to you.

Regards,
Haja

Wow, you guys are FAST! Thanks! I’ll check this thread for updates.

More info:

CIS 3.13.126709.581
Virus DB: 3567

Windows XP Media Center Edition SP3
The FP occurred while using an administrator account

I got the same alert on two PCs running Windows 7 x64.
Comodo IS v3.13.126709.581
Database v3567

I’ve submitted it by using Comodo’s “Submit Suspicious Files”; I don’t know if that’s the right way to do it, but I hope it was.

Same here, see att.

[attachment deleted by admin]

Hello, I wanted to add to the first post of this topic. The first occurrence of a warning was today at 7:30am EST, where I too received a message upon bootup (Win XP s/p 2), with a CAV message which unusually was in the center of the screen stating the mpasdlta.vdm was found. The choices: Remove, Quarantine or Ignore. While I studied the screen too long the dialog closed.

The entry shows in the CAV log a location C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{long string of alphanumerics}\mpasdlta.vdm
Malware Name: UnclassifiedMalware@91598295
Action: Detect, Status: Success
but no action was taken, so it is present still.

It is located beneath also in the backup subdir, as stated at first post, too.

I ran a full scan of the hard drive (twice) and this file goes undetected. With that said, I am not sure if this is the FP as mentioned, and if not, how will I properly rid the PC of this if it is not recognized? Thank you for your help.

Hi puddingpants,

This false-positive was fixed with DB 3570. You can update CIS and rescan to confirm.

Thanks and regards,
Ionel
Well, I can’t rescan to confirm, since scanning manually (or scheduled scans) never caused a detection. It was only the realtime scanner that found it. And why couldn’t I cause the realtime alert to happen again by, say, pulling up the properties on the file? It only happened once (while turning off indexing on the hard drive), and I couldn’t recreate it (even before you guys fixed the definitions!)

Also, why the weird appearance (minimalistic, like a “balloon message”) and location of the alert, and why does it disappear quickly (a matter of seconds), and why did I get no buttons, but another user (see above) got buttons for different actions to take? Why didn’t the file get auto-quarantined when I have CIS set to do that? Are there different kinds of AV alerts in Comodo?

Also, I came across another FP like this… same thing (realtime only, cannot recreate, weird minimalistic-looking window, no choices given, no auto-quarantine performed, file left in-place, etc.). See my new thread, coming soon, for that one.

Thanks!