Microsoft Error Reporting: Mallware Signeture--Is this legitimate?

tivo1

Tried to update Defender earlier today...it failed and I tried a few more
times until it told me there were no new updates. I shut my computer down
for a few hours and when I reconnected to the net, I got a Microsoft Error
Reporting box that wanted to know if I wanted to report an error for this:

Mallware Signeture Download

With this misspelling, I got nervous and just closed the box. I tried
searching Microsoft and got one result that has been deleted so that was no
help at all...Can someone tell me if this is legitimate? I didn't find
anything on the net that told me one way or another. Kaspersky Online
Scanner is running and has not detected any problems yet. Thanks.
 
Bill Sanderson

There have been a few reports of spelling errors within legitimate dialogs
presented by Windows Defender.

You might try a Google search on that phrase.

My guess is that this was legitimate (I'm somewhat sorry to report!)
 
tivo1

Bill, Thanks for your response...I searched the phrase on Yahoo and Google
and really didn't find anything at all. Only about 2 pages were returned. A
few people received the Error Reporting box and posted questions and nothing
seemed to come of it...there were no conclusive answers. The time on the
error report was right in line with the time I first tried to update
Defender. It showed up after I connected back to the net...it said that for
whatever reason the error wasn't reported at that time (I disconnected right
after I tried to update Defender) and would I like to send it now. I haven't
seen the message again after I closed it.

Two spelling mistakes are alarming...so, do you really think it was just bad
spelling and not a threat?
 
tivo1

Thanks, the thread doesn't really provide a conclusive answer. I found so
little on the net that my concern has lessened a little bit...usually, there
are tons of pages if a suspicious dialog box led to a virus...It does bug me
that the thread you mentioned is 2 years old and this is still an
issue...maybe this sort of thing is common and I haven't been paying
attention to the spelling errors for other programs...
 
Bill Sanderson

I can't provide a conclusive answer, but I believe that I've seen this one
myself on a machine I know to be clean. I was able to find a number of hits
in Google, I think I quoted the two-word phrase--and each of them seemed to
me to relate the same experience--an otherwise legitimate error-reporting
dialog box, but with these mis-spellings.

My thoughts, fwiw: 1) it's too bad that nobody caught this, and that it has
remained uncorrected in the shipping product, and 2) I'm glad that Microsoft
is employing the best programmers they can find, even if their English
spelling and/or grammar aren't top notch!

My feeling is based on having seen a dribble of this same report over
substantial time. I haven't verified that these strings occur in the
code--that might be worth looking for, but perhaps not easy with double-byte
unicode--but I really don't think this is evidence of malware.
 
Dude

OMG... I can't believe this still hasn't been addressed by MS, let alone not
completely described anywhere on the web nor in this discussion group.

In any case, using the command line tool, strings, included with GNU cygwin,
I was able to determine where the message was coming from:

$ cd "$PROGRAMFILES/Windows Defender"
$ for file in *; do strings -t x -e l "$file" | grep Mallware | grep Signeture && echo "$file"; done
10cdc Mallware Signeture Download
MSASCui.exe
26fc Mallware Signeture Download
MpSigDwn.dll

This pretty much hits the nail on the head in showing the message comes from
Windows Defender.

Case closed... Well, until MS fixes the bug. Yes, a misspelling is
definitely a bug, especially in security software.

Hope this saves someone else the waste of time tracking down this non-issue.
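
The search described in the post above, as an added example that is not part of the original post: a Python equivalent of the `strings -e l` pipeline that looks for the dialog text as both ASCII and UTF-16LE (the "double-byte unicode" case raised earlier in the thread) and reports hex offsets. The function names and the sample files are constructed for illustration; pass the Windows Defender folder to `scan_directory` to repeat the check on a real install.

```python
import os
import tempfile

def find_string(data: bytes, needle: str):
    """Return [(encoding, offset)] for every occurrence of needle as ASCII or UTF-16LE."""
    hits = []
    for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
        pattern = needle.encode(codec)
        pos = data.find(pattern)
        while pos != -1:
            hits.append((label, pos))
            pos = data.find(pattern, pos + 1)
    return hits

def scan_directory(directory: str, needle: str):
    """Map file name -> hits for each regular file in directory that contains needle."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            continue  # locked or unreadable file: skip it rather than abort the scan
        hits = find_string(data, needle)
        if hits:
            results[name] = hits
    return results

def demo():
    """Run the scan over three constructed sample files (not real Defender binaries)."""
    needle = "Mallware Signeture Download"
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "wide.bin": b"MZ" + b"\x00" * 14 + needle.encode("utf-16-le") + b"\x00\x00",
            "narrow.bin": b"\x7fELF" + needle.encode("ascii") + b"\x00",
            "clean.bin": b"nothing of interest here",
        }
        for name, content in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
        return scan_directory(d, needle)

if __name__ == "__main__":
    for name, hits in demo().items():
        for encoding, offset in hits:
            print(f"{name}: {offset:x} ({encoding})")
```

A hit only shows which file on disk carries the string; it says nothing about whether that file is the genuine vendor binary.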
 
Bill Sanderson

You've called it a non-issue yourself.

I agree that it is a bug, and that such an issue in security-related
software is not insignificant.

How much money is worth spending to fix it?

I've no idea how such things are accounted for, but I'm reasonably sure this
is on a list, and that the next time the piece of code that contains this
string is changed, this fix will be among the changes. Whether that will be
before the next version of Windows, I've no idea.
 
Joined
Jan 30, 2010
Messages
3
Reaction score
0
Thanks, but I think there may be some mistakes here. I think all of us were previously (or may still be) infected with malware.

I believe this because in addition to several “Mallware Signeture Download” lines I also had "Microsoft Office Word".

The difference between my error reporting dialog and the one you show is that I have a link under more information (maybe that goes away after you send the information). Anyway, when I click that for one of the “Mallware Signeture Download” links I am taken to a dialog that shows the error signature which lists the EventType as mptelemetry.

Searching the web for that eventtype led me to http://www.microsoft.com/communitie...67-817e-3cf9071e41ec&cat=&lang=&cr=&sloc=&p=1 where I see that the error is an inability to connect to a website usually for an update.

I think what we have here is that a malware (which I had on my machine and cleaned up) was trying to report and failed. That malware, I'll bet, was entitled “Mallware Signeture Download”.

Also, when I look through the attached CAB file about the report (and look at the one for Word) it even more points to “Mallware Signeture Download” being the name of an application as opposed to the action being performed here.
 
Joined
Jan 30, 2010
Messages
3
Reaction score
0
Mallware Signeture

So, I did more investigation.

The tool that brought up the dialog is the Microsoft Error Reporting Tool, this tool gets invoked whenever any application crashes (although it might be behind the scenes sometimes). When the application crashes, data is collected about the state the application was in when it crashed. That data is then sent back to Microsoft servers, and from there companies (third parties as well as Microsoft for their own applications) can access the crash logs and hopefully glean enough information to fix their product.

What the dialog is showing is that the program "Mallware Signeture" crashed at some point, and then when the Error Reporting Tool tried to upload the data to the Microsoft Servers it was not able to reach the internet. Why it could not reach the internet at this time I could only speculate - perhaps the Mallware had crashed for the same reason, perhaps a hiccup in the internet connection - who knows. What we do know is that the data was not transmitted up.

For the user, this is a lucky thing, because now we are notified through indirect means that there is Malware on our machines. I for one, know I had this on my machine in September and October and spent a long time trying to clean it off. For the rest of you, I would recommend looking to see if you have it on your machine. I used spybot and a variety of other tools to eventually eradicate it from my machine.
 