Weird Detections by Malwarebytes Premium


    #2692716

    Hey Y’all,

    Today I got the following from MB Premium:
    [Screenshot: MB-Detections]

    As you can see I quarantined all 4 of them. However, I don’t really understand what they are trying to tell me even after reading the explanation on the MB website.

    Below is the output of the export function with fuller details. I don’t use Edge so it doesn’t bother me much that I quarantined them but I’d sure like to know what it’s all about…a bit above my pay grade!

    Malwarebytes
    www.malwarebytes.com
    
    -Log Details-
    Scan Date: 8/2/2024
    Scan Time: 1:36 PM
    Log File: af7963e7-50f5-11ef-b7da-5847ca748b60.json
    
    -Software Information-
    Version: 5.1.6.117
    Components Version: 1.0.1280
    Update Package Version: 1.0.87406
    License: Premium
    
    -System Information-
    OS: Windows 11 (Build 22631.3880)
    CPU: x64
    File System: NTFS
    User: System
    
    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Scheduler
    Result: Completed
    Objects Scanned: 245638
    Threats Detected: 4
    Threats Quarantined: 4
    Time Elapsed: 1 min, 4 sec
    
    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    File system: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect
    
    -Scan Details-
    Process: 0
    (No malicious items detected)
    
    Module: 0
    (No malicious items detected)
    
    Registry Key: 2
    RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSEDGE.EXE, Quarantined, 3640, 1263920, 1.0.87406, , ame, , , 
    RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSEDGE.EXE, Quarantined, 3640, 1263920, 1.0.87406, , ame, , , 
    
    Registry Value: 2
    RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSEDGE.EXE|DEBUGGER, Quarantined, 3640, 1263920, 1.0.87406, , ame, , , 
    RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSEDGE.EXE|DEBUGGER, Quarantined, 3640, 1263920, 1.0.87406, , ame, , , 
    
    Registry Data: 0
    (No malicious items detected)
    
    Data Stream: 0
    (No malicious items detected)
    
    Folder: 0
    (No malicious items detected)
    
    File: 0
    (No malicious items detected)
    
    Physical Sector: 0
    (No malicious items detected)
    
    WMI: 0
    (No malicious items detected)
    
    
    (end)
    

    May the Forces of good computing be with you!

    RG

    PowerShell & VBA Rule!
    Computer Specs

    • #2692758

      It’s quarantined, so you shouldn’t have to do anything. If you want to know what it’s about, just type RiskWare.IFEOhijack into your search engine.

    • #2692792

      https://www.malwarebytes.com/blog/detections/riskware-ifeohijack

      …The presence of RiskWare.IFEOHijack should be grounds for an investigation. Users should look at the intercepted executable and the executable set as a debugger to see whether there’s reason to take further action. The Malwarebytes log will tell you which executable was intercepted, and by looking in the registry, you can see the executable set as a debugger…

      * It could be false positive.

    • #2692859

      Just a thought: In MBAM v5, on the “Settings > Scan and Detections” page have you got the “Use artificial intelligence to detect threat” tick box ticked?

      As “AI” sometimes “hallucinates” (in the AI jargon or “makes mistakes” in everyday language), this could lead to a false positive.

      I only changed to MBAM V5 from V4 a couple of weeks ago (when I finally realised that I needed to have entered my lifetime ID + Key combination into my “account” and then to have associated my “account” with each PC separately beforehand – what a palaver, V4 and earlier were simpler). Going through the “Settings” in case something had changed, I noticed this “Use artificial intelligence …” thing was already set. I don’t remember it from V4, but I had not tweaked V4 for a long time so maybe it or something like it was already there. As I run MBAM as a 2nd check (not tied into Windows Security) alongside the Panda AV as my main AV (less resource intensive than Defender on my old PC), I unticked the “Use AI …” setting. I did a V5 full scan and nothing new came up compared to V4.

      If you have this “Use AI” thing set, as an experiment you could try unticking it (possibly restarting your PC?), restoring those things and scanning again to see if the “non-AI” i.e. “non-educated guesswork” functionality in MBAM detects the same issue.

      HTH. Garbo.

      PS: After posting the stuff above, I temporarily ticked the “Use AI …” thing, restarted my PC and did a full “threat scan” again, but it did not detect anything extra on my PC. Also Edge (which I rarely use) opened a few webpages without problem. Of course my PC is not the same as your PC.

    • #2692862

      @RetiredGeek,
      For what it’s worth, there are no IFEO entries for MsEdge.exe on my Win10 22H2 system.

    • #2692954

      I don’t pay. I use the ADWcleaner for free.   It’s sufficient.  Defender for my antivirus.

    • #2693052

      Hey Y’all,

      Resolution, well maybe?

      I had a thought that using EdgeBlocker may have caused the problem so I did some testing.

      Test 1:

      • Use EdgeBlocker to un-block Edge.
      • Remove the blocked items from MB quarantine.
      • Re-boot.
      • Run MB Scan.

      Results: No detections.

      Test 2:

      • Use EdgeBlocker to Block Edge.
      • Run MB Scan.

      Results: No detections? Beats me…

      It will be interesting to see if the detections show up in the future.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      • #2693103

        Did you investigate the executable that MB identified as the application (debugger) to be launched instead of and possibly prior to “msedge.exe”?
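The Malwarebytes write-up quoted earlier in the thread says to look in the registry for the executable set as a debugger, and the reply above asks whether that executable was ever inspected. The PowerShell below is an added example (not code from the thread, from Malwarebytes, or from EdgeBlocker) that does exactly that inspection: it walks both IFEO hives that appeared in the log, pulls every `Debugger` value, resolves the program it names and reports its Authenticode status. The function name `Get-IfeoDebugger` is my own; the registry paths are the standard IFEO locations. When Windows finds a `Debugger` value under an image name, it launches that program instead of the image and hands it the original command line, which is why a stray entry is worth a look.

```powershell
# Added example: enumerate IFEO "Debugger" entries and resolve what they point at.
# Both the native and WOW6432Node hives are checked because the Malwarebytes
# log flagged MSEDGE.EXE under each of them.
function Get-IfeoDebugger {
    $ifeoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )

    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $props    = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            $debugger = $props.Debugger
            if (-not $debugger) { continue }   # key exists but sets no Debugger

            # The value may be a quoted path followed by arguments, or a bare path.
            if ($debugger -match '^"([^"]+)"') { $exe = $Matches[1] }
            else                               { $exe = ($debugger -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            # A bare name such as "cmd.exe" is searched on PATH, a full path is used as-is.
            $resolved = Get-Command -Name $exe -ErrorAction SilentlyContinue |
                        Select-Object -First 1 -ExpandProperty Source
            if ($resolved) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $resolved
                $status = $sig.Status
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            } else {
                $status = 'FileNotFound'
                $signer = $null
            }

            [pscustomobject]@{
                Hive      = if ($root -like '*WOW6432Node*') { 'WOW6432Node' } else { 'Native' }
                Image     = $key.PSChildName     # the intercepted program, e.g. msedge.exe
                Debugger  = $debugger            # raw registry string
                Resolved  = $resolved            # file the Debugger string actually points at
                SigStatus = $status              # Valid, NotSigned, HashMismatch, FileNotFound ...
                Signer    = $signer              # certificate subject when signed
            }
        }
    }
}

# Every IFEO debugger on this machine; no output means none is set.
Get-IfeoDebugger | Format-Table -AutoSize

# Only the image Malwarebytes flagged in this thread.
Get-IfeoDebugger | Where-Object Image -eq 'msedge.exe' | Format-List
```

Run it from an elevated prompt before quarantining, or after restoring the items from quarantine as was done in Test 1 above; once Malwarebytes has quarantined the keys there is nothing left to read. An entry whose `Resolved` file is unsigned, missing, or sitting somewhere other than a vendor install directory is the case the Malwarebytes article says to investigate; a signed binary from a tool you installed deliberately (a debugger, or a utility that blocks a browser by redirecting its launch) is the false-positive case the thread discusses.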
