• Malwarebytes stumbles with false positive on KB 3197868, the Win7 November Monthly Rollup

    Posted on November 20, 2016 at 06:51 CST by Comment in the Forums

    Thanks to SC for the heads up.

    Looks like those of you running Malwarebytes on a Win7 system using Group A updating are in for a rocky ride. Symptoms of the kernel32.dll false positive include locked up systems, and machines that take five minutes or more to shut down.

    On Thursday, Malwarebytes narrowed down the problem and posted this solution:

    What can I do if I have been affected by the Kernel32.dll false positive?

    This detection has been fixed as of database version v2016.11.16.11.

    This false positive was caused by Microsoft not digitally signing over 500 files included in “November, 2016 Security Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB3197868)”. Malwarebytes triggered on these unsigned files despite efforts in the 1.80 and 2.x releases to enhance safeguards and prevent false positives on legitimate files. We are working on correcting what actions took place to better protect from this in the future.

    Malwarebytes’ solutions are to uninstall KB 3197868 if you haven’t rebooted after installing it, use System Restore, or manually replace some system files (which is a bear!).

    UPDATE: I see some debate online about who’s at fault for the false positive – some blame Malwarebytes, others blame Microsoft. Given the details posted in the comments by abbodi, I think it’s fair to say that neither side committed any grave error. I’m surprised at the way Malwarebytes Anti-Malware reacted to a false positive, but as for the detection there’s plenty of reason to blame (or exonerate!) either side.

    There’s a good note on the situation from Imacri on the Norton Community forum:

    Win 7 SP1 users could potentially be affected if they ran a MBAM scan in the 4-day period between 08-Nov-2016 (the release date for the November 2016 Patch Tuesday updates) and 11-Nov-2016 when MBAM released database version v2016.11.16.11 to fix the problem.  I don’t see a large number of recent reports in their False Positive board at https://forums.malwarebytes.org/forum/42-file-detections/ (link is external) so it doesn’t appear to be a widespread problem.

    Also, as abbodi notes in the comments, it’s likely that this problem also occurs with the Nov Win7 Security-only patch, KB 3197867 – that’s the “Group B” downloaded patch. I have no idea if it happens with the analogous patches for Win 8.1 – KB 3197874 (Nov Win 8.1 “Group A” Monthly Rollup) and KB 3917873 (Nov Win 8.1 “Group B” Security-only update) but wouldn’t be too surprised.

    Windows Patches/Security ,
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    April 2025
    S M T W T F S
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  

    Remembering Woody

     

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.