Windows Defender detection within WinSxS yesterday - false positive?


  1. Posts : 800
    Windows 10 Home x64
       #1

    Windows Defender detection within WinSxS yesterday - false positive?


    As per the subject line: Defender just casually told me yesterday evening that WindowsExplorer.adml within C:\Windows\WinSxS\amd64_microsoft-windows-w..lorer-adm.resources_31bf3856ad364e35_10.0.18362.1_pl-pl_954343e68e282099 has been removed as it allegedly contains HackTool:JS/Revobfoos.A

    [screenshot of the Defender notification]


    This is obviously nonsense - this file was put there by the OS at the end of July (according to its date/time stamp) and I dutifully just restored it.

    I did this file check today again and Defender is okay with it. I also checked with other scanners (as I do weekly) and all is well.

    There is a similar file under C:\Windows\WinSxS\amd64_microsoft-windows-w..lorer-adm.resources_31bf3856ad364e35_10.0.18362.1_en-us_95faf8061ffdb6de with the same date/time stamp.

    So, any ideas? Or - as I suspect - a false positive? But the scary thing is that the removal was so casual, and it was only because I habitually check the contents of notifications that I spotted it.

    I can share this file should somebody want to take a look?

    What is this file by the way?

    --

    ARGH! Can you please move to AntiVirus, Firewalls and System Security section where it should belong?
    Last edited by krzemien; 21 Dec 2019 at 15:16. Reason: Additional Information Added


  2. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #2

    Hi.

    I think it's a Group Policy Template.

    Temporarily restore and exclude the file. Then scan it with Malwarebytes or VirusTotal -

    VirusTotal

    If clean, it's probably an FP.

    Cheers!

    P.S. Run a complete Virus/Malware scan on your entire system anyway.
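The advice above (restore, exclude narrowly, get a second opinion, then full scan) can be carried out and verified from an elevated PowerShell session. The script below is an added example, not something posted in this thread; it assumes the file path quoted in post #1 and the Defender, DISM and Get-FileHash cmdlets that ship with Windows 10. An .adml file is the language-specific resource half of an ADMX Group Policy template, so a pl-PL and an en-US copy with identical timestamps is exactly what the component store is expected to contain. Looking VirusTotal up by hash rather than uploading the file is deliberate: it returns the existing report without shipping a system-volume file to a third party.

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell on the
# affected machine. The path is the one quoted in post #1.
$Path = 'C:\Windows\WinSxS\amd64_microsoft-windows-w..lorer-adm.resources_31bf3856ad364e35_10.0.18362.1_pl-pl_954343e68e282099\WindowsExplorer.adml'

# 1. Pull Defender's own record of the event: when it fired, which threat ID,
#    and whether the action (quarantine) succeeded. Resources holds the file path(s).
$detections = Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ';') -like '*WindowsExplorer.adml*' }
$detections |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

# Map the numeric ThreatID(s) back to the signature name shown in the notification.
$ids = $detections.ThreatID | Sort-Object -Unique
Get-MpThreat |
    Where-Object { $ids -contains $_.ThreatID } |
    Select-Object ThreatID, ThreatName, SeverityID

# 2. Hash the restored file. A hash lookup on VirusTotal returns the existing
#    report without uploading anything from the system volume.
if (Test-Path -LiteralPath $Path) {
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    "SHA256 : $sha256"
    "Lookup : https://www.virustotal.com/gui/file/$sha256"
}

# 3. Re-check with current signatures before trusting either verdict; a bad
#    detection is usually retired by a definition update within a day.
Update-MpSignature
Start-MpScan -ScanType CustomScan -ScanPath (Split-Path -LiteralPath $Path -Parent)
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddMinutes(-10) }

# 4. Only if the file must stay in place while a second-opinion scanner runs:
#    add a file-level exclusion (never the whole WinSxS tree) and remove it again.
Add-MpPreference -ExclusionPath $Path
try {
    Write-Host 'Run the second-opinion scanner now, then press Enter to remove the exclusion.'
    Read-Host | Out-Null
} finally {
    Remove-MpPreference -ExclusionPath $Path
}
(Get-MpPreference).ExclusionPath   # should no longer list $Path

# 5. A component-store file was removed and put back, so confirm the store is
#    consistent. This is the PowerShell form of DISM /Online /Cleanup-Image /ScanHealth.
Repair-WindowsImage -Online -ScanHealth | Select-Object ImageHealthState
```

If step 5 reports anything other than a healthy image, `Repair-WindowsImage -Online -RestoreHealth` followed by `sfc /scannow` is the supported repair path; that is the check the thread starter worries about in post #8 when saying the last thing they want is a corrupted Windows.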


  3. Posts : 800
    Windows 10 Home x64
    Thread Starter
       #3

    Yeah, have used MalwareBytes as I use it regularly... Clean as a whistle.

    VirusTotal reports this, however:

    [screenshot of the VirusTotal report]


    Link: VirusTotal

    Oh dear oh dear...


  4. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #4

    I see.

    HackTool variant, maybe.

    Does Defender offer you the choice to clean the file?

    If not, download and install SuperAntiSpyware (free) and scan the restored and excluded file -

    Remove Malware & Spyware with Anti-Malware Software | Superantispyware

    Please post back.

    No worries!


  5. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #5

    @krzemien -

    Status, please?



  6. Posts : 800
    Windows 10 Home x64
    Thread Starter
       #6

    Dinner time, sorry!

    My stance on this? Meh! It's Defender's wet dreams - what are the odds that Defender is right?

    No option to clear anything up was there, I think? Just 'quarantined' ipso facto and the option to undo. Which I chose, obviously.

    In either case I have downloaded the suggested program and will update this thread once it finishes scanning (including ..\WinSxS\).

    EDITED TO ADD: Yeah, nothing found. QED.
    Last edited by krzemien; 21 Dec 2019 at 16:01. Reason: Additional Information Added


  7. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #7

    Thanks for your reply.

    After reading the log from VT, I would just leave it in its restored and excluded state.

    However, if you wish additional scanning, this might be of use to you:

    https://docs.microsoft.com/en-us/win...anner-download

    Choose the appropriate distribution for your system, i.e. x64.

    Happy holidays!



  8. Posts : 800
    Windows 10 Home x64
    Thread Starter
       #8

    Yeah, I'm definitely leaving it where it is and as it is.

    The last thing I want is to get Windows corrupted (in view of my joy with the attempted cloning exercise, as described elsewhere here).

    Just curious if anybody else saw it as well?


  9. Posts : 1
    Windows 10
       #9

    krzemien said:
    Just curious if anybody else saw it as well?
    Same here but I deleted it right away. :)
    I did not expect that Windows Defender would be wrong on this.


  10. Posts : 800
    Windows 10 Home x64
    Thread Starter
       #10

    Do you have the details? Can you share?

    And yes, I very much expect that Defender (or Microsoft) can be wrong on this - its earlier apparition did corrupt some software on my VAIO a couple of years back, thinking it was malware:

    Topic: Windows Defender will start blocking and removing malware @ AskWoody
    Last edited by krzemien; 22 Dec 2019 at 04:48. Reason: SPELLING


 
