Windows Defender FALSE POSITIVE

Panda_man

Hey!

I've been trying to report a false positive to Microsoft re. Windows
Defender detection of my hosts file on Windows Vista but Microsoft are
doing nothing. This is happening for the first time.

Last week after an update... I don't remember the day exactly but I update
daily and manually from MMPC, it started detecting the "127.0.0.1 localhost"
line of my hosts as SettingsModifier:W32/PossibleHostsFileHijack

The hosts file is clean. I often submit samples and as always I used the
"Submit a sample" button from MMPC portal, filled in the data, attached the
file, explained everything, got a number, replied to (e-mail address removed),
stated that this is Incorrect detection and they are doing nothing but
reply to me that the file is clean. I know it is clean, why don't they fix it?!

How do I report it again, give me an email or something else so that I can
re-re-re-re-send the hosts file and they fix it...

Thanks!
 
voodoo

I too experience this exact situation. I tested this on another machine
before accepting the 03/09/09 definition updates. The old definition, which
was current as of yesterday, did not throw this false positive. The
1.53.256.0 version does. 3 different machines. This is clearly a false
positive. Hopefully Microsoft will sort it out by the end of the day or push
an update with patch Tuesday tomorrow.

The hosts file contains only:

127.0.0.1 localhost
::1 localhost

Funny, the hosts file is the original shipping version, dated 9/18/06. It's
Microsoft's own untouched file. Now I understand the difficulty in dealing
with false positives, but come on people. It's the same file that shipped
with your OS. At least try running a scan before you push out a definition
update.
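
A triage sketch for the hosts-file alert discussed above, added here as an example and not part of any poster's message or of Windows Defender: it parses hosts-file text and reports every entry that is not a plain localhost mapping. The sample file contents, the example.test names and the verdict labels are constructed for illustration.

```python
import ipaddress

# Constructed sample inputs (not taken from any real machine).
SHIPPED_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"
MODIFIED_HOSTS = """\
# constructed example
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example.test      # blocklist-style sink entry
203.0.113.7 update.example.test   # name pointed at a routable address
not-an-ip   broken.example.test
"""

def parse_hosts(text):
    """Yield (line_no, address, [names]) for each non-comment entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield line_no, fields[0], fields[1:]

def classify(address, names):
    """Return 'default', 'sink', 'redirect' or 'malformed' for one entry."""
    try:
        ip = ipaddress.ip_address(address.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return "malformed"
    if not names:
        return "malformed"
    local = ip.is_loopback or ip.is_unspecified
    if local and all(n.lower() == "localhost" for n in names):
        return "default"          # what the shipped file contains
    return "sink" if local else "redirect"

def triage(text):
    """Return the entries that are not plain localhost mappings."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        verdict = classify(address, names)
        if verdict != "default":
            findings.append((line_no, verdict, address, names))
    return findings

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED_HOSTS), ("modified", MODIFIED_HOSTS)):
        print(name, triage(text) or "only default localhost entries")
```

An empty result for the two-line file quoted in the post is the evidence worth attaching to a false-positive report; "redirect" entries are the ones to review by hand.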
 
Bill Sanderson

voodoo said:
I too experience this exact situation. I tested this on another machine
before accepting the 03/09/09 definition updates. The old definition, which
was current as of yesterday, did not throw this false positive. The
1.53.256.0 version does. 3 different machines. This is clearly a false
positive. Hopefully Microsoft will sort it out by the end of the day or push
an update with patch Tuesday tomorrow.

The hosts file contains only:

127.0.0.1 localhost
::1 localhost

Funny, the hosts file is the original shipping version, dated 9/18/06. It's
Microsoft's own untouched file. Now I understand the difficulty in dealing
with false positives, but come on people. It's the same file that shipped
with your OS. At least try running a scan before you push out a definition
update.


--
 
WTC

Hi Panda_man,
Panda_man said:
I know it is clean, why don't they fix it?!

IMHO, the HOSTS file was never designed to be used this way
(security-wise). Internet Explorer's Restrictive Sites or a Firewall appliance
should be used for these types of sites.
 
Engel

Vendor Dispute Report form
If you are the vendor of a product which you believe has been incorrectly
classified, contact our research team for a re-evaluation of the software.
Please submit your request in English if possible, as submissions in other
languages may cause a longer response time or impair our ability to respond
completely and correctly.
<http://www.microsoft.com/windows/products/winfamily/defender/cdform.mspx>

False Positive Report form
If you believe that Windows Defender has mistaken your program for another
program, fill out and submit this False Positive Report form. For the fastest
response, please submit your request in English.
<http://www.microsoft.com/windows/products/winfamily/defender/resources.mspx>

How Windows Defender identifies spyware
Before you submit a report learn more about the strategy Microsoft uses to
identify spyware and other unwanted software.
<http://www.microsoft.com/windows/products/winfamily/defender/analysis.mspx>

Microsoft Anti Malware Portal
Find the latest Defender updates and documentation on the top online
threats, as well as additional resources for combating malware.
<http://www.microsoft.com/security/portal/default.aspx>


Have fun

Engel
 
Tim Clark

Thank you Panda_man for being among the first to report this:
I believe this INEXCUSABLE FALSE POSITIVE to MS Windows' own Hosts file has
been corrected in the Windows Defender Delta update: 1.53.288.0
I WILL NOT POST THE LINK until I can confirm this.

:/
Tim
 
