Windows Mpasdlta.vdm False Positive

[kappclark]

The past 2 weeks, we have been receiving quarrantine notices for mpasdlta.vdm.new.temp and it is being flagged as Clam.Win.Trojan.Scarh .. it only happens with Windows 7 Pro machines

 

I understand that this is a microsoft file for Windows Defender ...

 

Has anyone else had this issue ??

 

Thank You

 

Bill Clark

VT Center for the Deaf

Brattleboro, VT

[ritchie58]

I checked Virustotal just to make sure the file wasn't malicious. There's no info regarding this file at Virustotal so that's a very good sign that it is a legit Microsoft file. Just wanted to make sure. What you can do is restore the file from Quarantine. This will automatically add the file to Immunet's Exclusion list and it will no longer be scanned. Open the GUI and click on Quarantine just below the History tab. Find the file in question and click on it. Then click Restore. Since it is a temp file you may not be able to restore it as it may have been already deleted by the program, however, it actually wouldn't be a bad idea if you added an exclusion with Immunet for the whole Program Files folder for Defender. That should help eliminate any future conflicts with Defender.

 

Cheers, Ritchie...

[Jose]

Hey kappclark,

 

Looking into this, setting up MSE on my end and checking for any false positives.

 

Assuming I can find them, I'll get them set to clean ASAP.

 

Thanks,

 

-Jose

[Chadvvick]

I've been getting the same thing. I'm guessing I should wait before restoring the file, in the off chance that it is something that could be causing problems

[ritchie58]

Hi Jose, kappclark, Chadvvick, the file in question is indeed a legitimate antispyware defination update file used for both Defender and Security Essentials. The Microsoft Community blog had this to say: mpasdlta.vdm = most recent delta signature set of AntiSpyware definitions

This is a file containing updates of the spyware definitions. It is used during the automatic updates.

 

mpasbase.vdm is the last base signature set and should be there also, having the same modified date.

This is normal behavior and is to be expected.

[spackleheart]

I am seeing the same false positives, just got another one today.

The problem is, the file and folder names change, and the extension is too generic to exclude.

I have created a threat exclusion for Clam.Win.Trojan.Scarh as a workaround.

[kappclark]

I am seeing the same false positives, just got another one today.

The problem is, the file and folder names change, and the extension is too generic to exclude.

I have created a threat exclusion for Clam.Win.Trojan.Scarh as a workaround.

Thank you so much for your attention in this matter ... I am very relieved to get confirmation ... (one of our users got the dreaded Cryptolocker a few weeks ago) .... Bill Clark , VT Center for the Deaf and hard of Hearing , Brattleboro, VT

[Jose]

Hey all,

 

Been working on this for quite a while. I was never able to reproduce it, but it should be fixed soon.

 

Long Story:

The issue was that the Clam engine was detecting some malware signatures (that MSE or equivalents would use) as malware. So users without Clam enabled, or without MSE would not see the issue. Also, there seems to be a specific update of some sort that is also required to trigger this (hence why I was unable to reproduce it).

 

However, we have gotten some people to work on the Clam side to fix this false positive, and should be ok soon.

--Story End

 

For now, you can try stopping Immunet when updating Microsoft Security Essentials.

 

Sorry for all the trouble.

 

-Jose

 

Edit: I would highly advise against excluding the Threat name, as it could potentially exclude malicious files elsewhere in your Computer.

 

How to stop Immunet:

-Open the Command line (go to Start -> Run -> type 'cmd' when in an admin account (XP), or right click and run as administrator (Windows 7))

-Type in the Command line window 'net stop immunetprotect'

-Update MSE.

-Type in the Command line window 'net start immunetprotect'