A bad definition file affected Malwarebytes Anti-Malware yesterday. It detected scores of files as false positives and labeled them as Trojan.Downloader.ED. Processes, memory modules, files, and registry entries were all affected. If an unsuspecting user of the program chose to ‘clean’ the files, it would render the computer unbootable as key Windows system files were missing after being quarantined and moved from their normal location. Windows XP, Vista, 7, and 8 PCs were affected if manual action was taken at the end of a scan.
There was only a small window of time where people could update their system to the bad definitions, v2013.04.15.12, before they were replaced by a fixed definition database, v2013.04.15.13.
Some of those affected by the false positive reported their plight and the files detected in this thread on the Malwarebytes forums. Malwarebytes staff have another thread providing steps to fix the problem.
- Boot into Safe Mode with Networking
- Install Malwarebytes Anti-Malware (because Malwarebytes itself was detected as a false positive)
- Go into the quarantine and restore all of the items quarantined incorrectly.
- Reboot into normal Windows.
You may also need to download and install VB 6.0 Run-Time service pack 6, as those files were quarantined and are a prerequisite to running Malwarebytes.
From the Malwarebytes staff:
We have also taken extensive measures to ensure that a false positive like this never happens again. Once more, I apologize that this occurred and hopefully we will be able to get everyone’s systems in proper working order once more without too much trouble.
I know the war between malware and security software definitions is an ongoing battle and it’s hard to criticize, but I think this event shows that Malwarebytes at the time had little to no quality assurance in place. How did a definition get out that detected so many files incorrectly across the system? I could understand if some random third-party software gets detected as a false positive, but when you are detecting and quarantining key Windows files across all versions, something got missed. Not to mention that mbam.exe itself was detected and quarantined. Running a simple flash scan with the definitions in-house would have caught this problem before it was distributed to the masses.
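The in-house check argued for above, as an added example that is not Malwarebytes code or their actual release process: a clean-corpus regression gate that scans known-good files (constructed stand-ins here, with simple byte-pattern signatures standing in for real definitions) and refuses to ship a definition set that hits any of them, flagging hits on Windows system files or the scanner's own binary as blocking.

```python
"""Hypothetical clean-corpus regression gate for a definition release."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str        # detection name, e.g. Trojan.Downloader.ED
    pattern: bytes   # byte sequence the definition matches on (stand-in for a real rule)


# Constructed stand-in for a known-clean corpus: OS files, the scanner's own
# binary, the VB6 runtime it depends on, and one unrelated third-party program.
CLEAN_CORPUS = {
    "C:\\Windows\\System32\\kernel32.dll": b"MZ\x90\x00...KERNEL32 exports...",
    "C:\\Windows\\explorer.exe": b"MZ\x90\x00...shell...",
    "C:\\Windows\\System32\\msvbvm60.dll": b"MZ\x90\x00...VB6 runtime...",
    "C:\\Program Files\\Malwarebytes\\mbam.exe": b"MZ\x90\x00...mbam scanner...",
    "C:\\Program Files\\SomeVendor\\app.exe": b"MZ\x90\x00...third-party app...",
}

# Paths where a false positive would break the OS or the scanner itself.
CRITICAL_PREFIXES = ("C:\\Windows\\", "C:\\Program Files\\Malwarebytes\\")


def scan(signatures, corpus):
    """Return {path: [signature names]} for every clean file a definition matches."""
    hits = {}
    for path, content in corpus.items():
        matched = [s.name for s in signatures if s.pattern in content]
        if matched:
            hits[path] = matched
    return hits


def release_gate(signatures, corpus=CLEAN_CORPUS):
    """Decide whether a definition set may ship.

    Any hit on the clean corpus is a false positive and blocks the release;
    hits under CRITICAL_PREFIXES are reported separately as blocking.
    """
    hits = scan(signatures, corpus)
    blocking = [p for p in hits if p.startswith(CRITICAL_PREFIXES)]
    return {"ship": not hits, "false_positives": hits, "blocking": blocking}


if __name__ == "__main__":
    good = [Signature("Trojan.Downloader.ED", b"evil-downloader-stub")]
    # Over-broad rule: matches the MZ header every Windows executable starts with.
    bad = [Signature("Trojan.Downloader.ED", b"MZ\x90\x00")]
    print(release_gate(good))  # ship: True, no false positives
    print(release_gate(bad))   # ship: False, five hits, four of them blocking
```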