Windows Defender FALSE POSITIVE


P

Panda_man

Hey!

I've been trying to report a false positive to Microsoft re. Windows
Defender detection of my hosts file on Windows Vista but I Microsoft are
doing nothing . This is happening for the first time.

Last week after an update ... I don't remember the day exactly but I update
daily and manually from MMPC , it started detecting the "127.0.0.1 localhost"
line of my hosts as SettingsModifier:W32/PossibleHostsFileHijack

The hosts file is clean . I often submit samples and as always I used the
"Submit a sample" button from MMPC portal , filled in the data , attached the
file , explained everything , got a number , replied to (e-mail address removed)
, stated that this is Incorrect detection and they are doing nothing but
reply me that the file is clean . I know it is clean , why don't they fix it
?!

How do I report it again , give me an email or something else so that I can
re-re-re-re-send the hosts file and they fix it ...

Thanks!
 
Ad

Advertisements

V

voodoo

I too experience this exact situation. I tested this on another machine
before accepting the 03/09/09 definition updates. The old definition, which
was current as of yesterday, did not throw this false positive. The
1.53.256.0 version does. 3 different machines. This is clearly a false
positive. Hopefully Microsoft will sort it out by the end of the day or push
an update with patch Tuesday tomorrow.

The hosts file contains only:

127.0.0.1 localhost
::1 localhost

Funny, the hosts file is the original shipping version, dated 9/18/06. It's
Microsofts own untouched file. Now I understand the difficulty in dealing
with false positives, but come on people. It's the same file that shipped
with your OS. At least try running a scan before you push out a definition
update.
 
B

Bill Sanderson

voodoo said:
I too experience this exact situation. I tested this on another machine
before accepting the 03/09/09 definition updates. The old definition,
which
was current as of yesterday, did not throw this false positive. The
1.53.256.0 version does. 3 different machines. This is clearly a false
positive. Hopefully Microsoft will sort it out by the end of the day or
push
an update with patch Tuesday tomorrow.

The hosts file contains only:

127.0.0.1 localhost
::1 localhost

Funny, the hosts file is the original shipping version, dated 9/18/06.
It's
Microsofts own untouched file. Now I understand the difficulty in dealing
with false positives, but come on people. It's the same file that shipped
with your OS. At least try running a scan before you push out a definition
update.

--
 
W

WTC

Hi Panda_man,
Panda_man said:
I know it is clean , why don't they fix it
?!
IMHO, the HOSTS file was never designed to be used this way (security
wise). Internet Explorer's Restrictive Sites or a Firewall appliance
should be used for these type of sites.
 
E

Engel

Vendor Dispute Report form
If you are the vendor of a product which you believe has been incorrectly
classified, contact our research team for a re-evaluation of the software.
Please submit your request in English if possible, as submissions in other
languages may cause a longer response time or impair our ability to respond
completely and correctly.
<http://www.microsoft.com/windows/products/winfamily/defender/cdform.mspx>

False Positive Report form
If you believe that Windows Defender has mistaken your program for another
program, fill out and submit this False Positive Report form. For the fastest
response, please submit your request in English.
<http://www.microsoft.com/windows/products/winfamily/defender/resources.mspx>

How Windows Defender identifies spyware
Before you submit a report learn more about the strategy Microsoft uses to
identify spyware and other unwanted software.
<http://www.microsoft.com/windows/products/winfamily/defender/analysis.mspx>

Microsoft Anti Malware Portal
Find the latest Defender updates and documentation on the top online
threats, as well as additional resources for combating malware.
<http://www.microsoft.com/security/portal/default.aspx>


Have fun

Engel
 
Ad

Advertisements

T

Tim Clark

Thank you Panda_man for being among the first to report this:
I believe this INEXCUSABLE FALSE POSITIVE to MS Windows own Hosts file has
been corrected in the Windows Defender Delta update: 1.53.288.0
I WILL NOT POST THE LINK until I can confirm this.

:/
Tim
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Windows Defender false positive on RegRun Security Suite 3
False positive 0
False Positives 14
False Positive 1
False positive 0
False Positive 1
false positive 1
False Positives 1

Top