
Malwarebytes Stumbles With False Positive On KB 3197868, The Win7 November Monthly Rollup


vissha


Thanks to SC for the heads up.


Looks like those of you running Malwarebytes on a Win7 system using Group A updating are in for a rocky ride. Symptoms of the kernel32.dll false positive include locked-up systems, and machines that take five minutes or more to shut down.


On Thursday, Malwarebytes narrowed down the problem and posted this solution:

Quote


What can I do if I have been affected by the Kernel32.dll false positive?


This detection has been fixed as of database version v2016.11.16.11.


This false positive was caused by Microsoft not digitally signing over 500 files included in “November, 2016 Security Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB3197868)”. Malwarebytes triggered on these unsigned files despite efforts in the 1.80 and 2.x releases to enhance safeguards and prevent false positives on legitimate files. We are working on correcting what actions took place to better protect from this in the future.


Malwarebytes’ solutions are to uninstall KB 3197868 if you haven’t rebooted after installing it, use System Restore, or manually replace some system files (which is a bear!).


Source


UPDATE:





Problems like this can easily be avoided by just holding off on installing Windows updates; I always postpone updates until there's more information about new updates.



Ballistic Gelatin

I installed KB 3197868 on Nov. 8 and never experienced any conflicts with MBAM. Luck of the draw, I guess.



1 hour ago, namek said:

I don't think it's a false positive :)


In recent months, Windows Updates = PUPs!!! So, it's not a false positive for sure!!!



2 hours ago, Skunk1966 said:

Problems like this can easily be avoided by just holding off on installing Windows updates; I always postpone updates until there's more information about new updates.

Yes, but installing Security Only Quality Updates can prevent this in a better way, and you'll get the systems patched too. Why do we need troubled Monthly updates packed with $h*t non-security updates? Also, if you install a monthly update and have to uninstall it, you cause trouble for all previous monthly updates, since it is cumulative.



4 hours ago, Skunk1966 said:

Problems like this can easily be avoided by just holding off on installing Windows updates; I always postpone updates until there's more information about new updates.

What happened was Microsoft forgot to digitally sign their own file, and this caused the problem.

Quote

We're doing everything we can right now. Ultimately this is on Microsoft for not digitally signing their own file (you can confirm by checking the certificate properties of a file still on the system), which activated Malwarebytes' protections; it was meant to protect you from files like this.

We're trying to figure out to which pending update KB this kernel.dll file is related, it may be possible to save the system by killing that update so that the system will not need to switch over to the Windows side by side holding version of kernel.dll as it restarts.

https://forums.malwarebytes.org/topic/190637-possible-false-positive-trojan-fake-ms/?do=findComment&comment=1072859


It's a bad update, MS16-139: Security update for Windows kernel:

Quote

For all supported 32-bit editions of Windows 7:
  • Windows6.1-KB3197867-x86.msu - Security Only
  • Windows6.1-KB3197868-x86.msu - Monthly Rollup

For all supported x64-based editions of Windows 7:
  • Windows6.1-KB3197867-x64.msu - Security Only
  • Windows6.1-KB3197868-x64.msu - Monthly Rollup

https://support.microsoft.com/en-us/kb/3199720

kernel32.dll is botched in the Monthly Rollup because it's not signed; not sure about the standalone update, whether they signed it in that one?

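The Malwarebytes reply quoted above suggests confirming the signature state of the file yourself. The PowerShell below is an added example, not code from this thread or from Malwarebytes: it finds every copy of kernel32.dll on the system, including the WinSxS side-by-side store the update stages into, and reports how each copy is signed. It assumes PowerShell 4.0 or later (WMF 5.1 installs on Windows 7 SP1) and the standard Windows directory layout; nothing else is assumed.

```powershell
# Added example (not from the thread or from Malwarebytes): list every copy of
# kernel32.dll on the box, including the WinSxS side-by-side store where an update
# stages its new version, and report how each copy is signed.
# Assumes PowerShell 4.0 or later; the SignatureType and IsOSBinary properties do
# not exist on older versions, so they are reported as 'n/a' there rather than failing.

$roots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\winsxs"      # side-by-side store: staged and superseded versions
)

$files = foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Filter 'kernel32.dll' -Recurse -File -ErrorAction SilentlyContinue
    }
}

$report = foreach ($f in $files) {
    # Get-AuthenticodeSignature validates an embedded signature and, on versions that
    # support it, a catalog signature (the way most Windows system binaries are signed).
    $sig   = Get-AuthenticodeSignature -FilePath $f.FullName
    $props = $sig.PSObject.Properties.Name
    [pscustomobject]@{
        Path          = $f.FullName
        FileVersion   = $f.VersionInfo.FileVersion
        Status        = $sig.Status           # Valid, NotSigned, HashMismatch, UnknownError, ...
        SignatureType = if ($props -contains 'SignatureType') { $sig.SignatureType } else { 'n/a' }
        IsOSBinary    = if ($props -contains 'IsOSBinary')    { $sig.IsOSBinary }    else { 'n/a' }
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$report | Sort-Object Status, Path | Format-Table -AutoSize

# Anything other than Valid deserves a look before blaming the scanner or the file:
# a copy still pending in WinSxS can legitimately show NotSigned until its catalog
# lands in System32\CatRoot, whereas a live System32 copy with no valid signature
# is the condition this thread describes.
$suspect = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} kernel32.dll copies are not validly signed:" -f $suspect.Count)
    $suspect | ForEach-Object { Write-Warning ("  {0} [{1}]" -f $_.Path, $_.Status) }
}
```

Run it from an elevated prompt so the WinSxS and System32 trees are readable; the Status column distinguishes an unsigned file from one whose signature no longer matches its content.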

