
Windows Mpasdlta.vdm False Positive


kappclark


The past 2 weeks, we have been receiving quarantine notices for mpasdlta.vdm.new.temp and it is being flagged as Clam.Win.Trojan.Scarh. It only happens with Windows 7 Pro machines.

I understand that this is a Microsoft file for Windows Defender ...

Has anyone else had this issue?

 

Thank You

 

Bill Clark

VT Center for the Deaf

Brattleboro, VT


I checked VirusTotal just to make sure the file wasn't malicious. There's no info regarding this file at VirusTotal, so that's a very good sign that it is a legit Microsoft file. Just wanted to make sure. What you can do is restore the file from Quarantine. This will automatically add the file to Immunet's Exclusion list and it will no longer be scanned. Open the GUI and click on Quarantine just below the History tab. Find the file in question and click on it. Then click Restore. Since it is a temp file, you may not be able to restore it as it may have already been deleted by the program. However, it actually wouldn't be a bad idea if you added an exclusion with Immunet for the whole Program Files folder for Defender. That should help eliminate any future conflicts with Defender.

 

Cheers, Ritchie...


Hi Jose, kappclark, Chadvvick, the file in question is indeed a legitimate antispyware definition update file used for both Defender and Security Essentials. The Microsoft Community blog had this to say:

mpasdlta.vdm = most recent delta signature set of AntiSpyware definitions

This is a file containing updates of the spyware definitions. It is used during the automatic updates.

 

mpasbase.vdm is the last base signature set and should be there also, having the same modified date.

This is normal behavior and is to be expected.


I am seeing the same false positives, just got another one today.

The problem is, the file and folder names change, and the extension is too generic to exclude.

I have created a threat exclusion for Clam.Win.Trojan.Scarh as a workaround.

Thank you so much for your attention in this matter ... I am very relieved to get confirmation ... (one of our users got the dreaded Cryptolocker a few weeks ago) ....

Bill Clark

VT Center for the Deaf and Hard of Hearing

Brattleboro, VT


Hey all,

 

Been working on this for quite a while. I was never able to reproduce it, but it should be fixed soon.

 

Long Story:

The issue was that the Clam engine was detecting some malware signatures (that MSE or equivalents would use) as malware. So users without Clam enabled, or without MSE would not see the issue. Also, there seems to be a specific update of some sort that is also required to trigger this (hence why I was unable to reproduce it).

 

However, we have gotten some people to work on the Clam side to fix this false positive, and should be ok soon.

--Story End

 

For now, you can try stopping Immunet when updating Microsoft Security Essentials.

 

Sorry for all the trouble.

 

-Jose

 

Edit: I would highly advise against excluding the Threat name, as it could potentially exclude malicious files elsewhere on your computer.

 

How to stop Immunet:

-Open the Command line (go to Start -> Run -> type 'cmd' when in an admin account (XP), or right click and run as administrator (Windows 7))

-Type in the Command line window 'net stop immunetprotect'

-Update MSE.

-Type in the Command line window 'net start immunetprotect'
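
The stop/update/start steps above as one script, added here as an example and not Immunet's own tooling: the service is restarted in a `finally` block, so protection comes back even if the update fails. The service name is taken from the post; the `MpCmdRun.exe` install paths and its `-SignatureUpdate` switch are assumptions about a default MSE or Windows Defender install.

```powershell
# Added example, not part of the original thread. Run from an elevated PowerShell prompt.
$ServiceName = 'immunetprotect'   # service name as given in the post above

# Assumption: default install locations of MpCmdRun.exe (MSE first, then Windows Defender).
$candidates = @(
    (Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'),
    (Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe')
)
$updater = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $updater) {
    throw 'MpCmdRun.exe not found; leave Immunet running and update manually.'
}

# Remember the starting state so a service that was already stopped is not started by accident.
$wasRunning = (Get-Service -Name $ServiceName -ErrorAction Stop).Status -eq 'Running'

try {
    if ($wasRunning) {
        Stop-Service -Name $ServiceName -ErrorAction Stop
    }

    # Fetch definitions while Immunet is not scanning the mpasdlta.vdm temp files.
    & $updater -SignatureUpdate
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Signature update exited with code $LASTEXITCODE"
    }
}
finally {
    # Always restore protection, whether or not the update succeeded.
    if ($wasRunning) {
        Start-Service -Name $ServiceName
        $status = (Get-Service -Name $ServiceName).Status
        if ($status -ne 'Running') {
            Write-Error "$ServiceName is $status; start it manually before continuing."
        } else {
            Write-Host "$ServiceName is running again."
        }
    }
}
```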


Archived

This topic is now archived and is closed to further replies.
