False positive? Microsoft Security Essentials detects Nemucod in tmp.edb
In response to having this question marked as a duplicate, I added at the end a section explaining why this is not a generic malware removal question.
Today, I got a popup saying that I would be logged off in 1 minute. Sure enough, it happened.
I updated the malware definitions of MSE, Malwarebytes Free, and Spybot S&D free, then ran full scans in sequence. The latter two came up with nothing concerning, but MSE reported Nemucod, and cited c:ProgramDataMicrosoftSearchDataApplicationsWindowstmp.edb. I made the GUI selections to remove that, and was prompted to reboot. Upon logging in again, MSE displays a message saying that it was cleaning the malware, and that nothing need be done. Minutes later, MSE displays a warning again, and the details refer to Nemucod again. So I go through the removal routine again, but this seems to go in and "endless" loop (by which I mean iterations so far). The time stamp of tmp.edb always seems about as recent as the most recent reboot.
I used an admin account and tried manually deleting tmp.edb, but am told that the resource is busy. I booted in safe mode, but tmp.edb was nowhere to be found. Only when I booted in normal mode again did tmp.edb gets recreated.
Web browsing indicates that tmp.edb is a database file used by Windows, though I'm not sure if it is exactly the same path as above.
I am afraid that the malware isn't truly gone, and that MSE will pop up the warning again.
What should I do? I am using Windows 7 Professional 64-bit.
Why this is not a generic malware removal question
One reader marked this question as a duplicating a generic best practice and recovery thread, but if it is accepted as a duplicate, then it means that the generic original precludes any further question on malware. The specificness of this question includes the fact that it isn't necessarily asking how to remove a virus. It doesn't even presume that there is an infection. I describe how two other AVs do not flag the problem that MSE does, and the fact that the cited file is a Windows file. One that goes away when I boot in safe mode. Some new details that make this even harder to assess is the fact that the indicators of Nemucod's presence is highly varied (e.g. here and here), which makes it hard to check whether this is a false positive.
UPDATE
To see if new MSE definitions might now exclude this trigger, I updated definitions at 2am 2018-12-16 EST and ran a full scan. The trigger recurs. Since the definitions were still those created on 2018-12-15, however, this should not be a suprise. As the tmp.edb is a Windows Search file, I disabled Windows Search as suggested by Jatmin and confirmed the absence of tmp.edb after rebooting. As a further measure, I downloaded new MSE definitions created 2018-12-16 07:44 EST and did a full scan, which came up clean. I find Windows Search useful, however, so I re-enabled it, which caused the MSE alarms after reboot (and tmp.edb was present again). I was hopeful that new definitions created 12:47 EST would not generate the alarm, but they still did. On a positive front, I updated MalwareBytes Free definitions, and enabled rootkit detection -- the scan came up clean.
UPDATE
I can't believe that this problem persists with virus definitions dated 2018-12-25. Why does no one else encounter this?
I have posted this to the Microsoft forum and reported this to Microsoft.
windows-7 security malware
|
show 1 more comment
In response to having this question marked as a duplicate, I added at the end a section explaining why this is not a generic malware removal question.
Today, I got a popup saying that I would be logged off in 1 minute. Sure enough, it happened.
I updated the malware definitions of MSE, Malwarebytes Free, and Spybot S&D free, then ran full scans in sequence. The latter two came up with nothing concerning, but MSE reported Nemucod, and cited c:ProgramDataMicrosoftSearchDataApplicationsWindowstmp.edb. I made the GUI selections to remove that, and was prompted to reboot. Upon logging in again, MSE displays a message saying that it was cleaning the malware, and that nothing need be done. Minutes later, MSE displays a warning again, and the details refer to Nemucod again. So I go through the removal routine again, but this seems to go in and "endless" loop (by which I mean iterations so far). The time stamp of tmp.edb always seems about as recent as the most recent reboot.
I used an admin account and tried manually deleting tmp.edb, but am told that the resource is busy. I booted in safe mode, but tmp.edb was nowhere to be found. Only when I booted in normal mode again did tmp.edb gets recreated.
Web browsing indicates that tmp.edb is a database file used by Windows, though I'm not sure if it is exactly the same path as above.
I am afraid that the malware isn't truly gone, and that MSE will pop up the warning again.
What should I do? I am using Windows 7 Professional 64-bit.
Why this is not a generic malware removal question
One reader marked this question as a duplicating a generic best practice and recovery thread, but if it is accepted as a duplicate, then it means that the generic original precludes any further question on malware. The specificness of this question includes the fact that it isn't necessarily asking how to remove a virus. It doesn't even presume that there is an infection. I describe how two other AVs do not flag the problem that MSE does, and the fact that the cited file is a Windows file. One that goes away when I boot in safe mode. Some new details that make this even harder to assess is the fact that the indicators of Nemucod's presence is highly varied (e.g. here and here), which makes it hard to check whether this is a false positive.
UPDATE
To see if new MSE definitions might now exclude this trigger, I updated definitions at 2am 2018-12-16 EST and ran a full scan. The trigger recurs. Since the definitions were still those created on 2018-12-15, however, this should not be a suprise. As the tmp.edb is a Windows Search file, I disabled Windows Search as suggested by Jatmin and confirmed the absence of tmp.edb after rebooting. As a further measure, I downloaded new MSE definitions created 2018-12-16 07:44 EST and did a full scan, which came up clean. I find Windows Search useful, however, so I re-enabled it, which caused the MSE alarms after reboot (and tmp.edb was present again). I was hopeful that new definitions created 12:47 EST would not generate the alarm, but they still did. On a positive front, I updated MalwareBytes Free definitions, and enabled rootkit detection -- the scan came up clean.
UPDATE
I can't believe that this problem persists with virus definitions dated 2018-12-25. Why does no one else encounter this?
I have posted this to the Microsoft forum and reported this to Microsoft.
windows-7 security malware
Moab marked this a a duplicate. But the cited original is just a generic best practices and recovery thread. This is a very specific situation, and the answer could very well be a false positive. If this thread is accepted as a duplicate, then it means that the generic original precludes any other thread as valid. I will revise the text of the question to highlight specificness of this question.
– user2153235
Dec 16 at 14:04
Microsoft docs say this file is supposed to be excluded from virus scanning by default. Did you change any settings? Like modifying the list of scanned file extensions or anything.
– Daniel B
Dec 16 at 15:27
Never. AVs are a black art/box to me. But the article refers to Defender and Windows Server. I use MSE and Windows 7 Professional at home. Would that explain why I am missing a default exclusion? Wouldn't that affect other home users?
– user2153235
Dec 16 at 15:48
The explanation in the paragraph entitled "Why this is not a generic malware removal question". The cited generic original question deals with removal, yet the problem here seems to be about determining whether it is a false positive. About virustotal, I am hesitant to submit files offsite for scanning.
– user2153235
Dec 16 at 18:00
May I suggest you edit your question to be much more explicit about the fact you want to know how to determine if the file is infected, not how to remove the infection? That's not at all what I understand your question to be.
– Twisty Impersonator
Dec 16 at 18:25
|
show 1 more comment
In response to having this question marked as a duplicate, I added at the end a section explaining why this is not a generic malware removal question.
Today, I got a popup saying that I would be logged off in 1 minute. Sure enough, it happened.
I updated the malware definitions of MSE, Malwarebytes Free, and Spybot S&D free, then ran full scans in sequence. The latter two came up with nothing concerning, but MSE reported Nemucod, and cited c:ProgramDataMicrosoftSearchDataApplicationsWindowstmp.edb. I made the GUI selections to remove that, and was prompted to reboot. Upon logging in again, MSE displays a message saying that it was cleaning the malware, and that nothing need be done. Minutes later, MSE displays a warning again, and the details refer to Nemucod again. So I go through the removal routine again, but this seems to go in and "endless" loop (by which I mean iterations so far). The time stamp of tmp.edb always seems about as recent as the most recent reboot.
I used an admin account and tried manually deleting tmp.edb, but am told that the resource is busy. I booted in safe mode, but tmp.edb was nowhere to be found. Only when I booted in normal mode again did tmp.edb gets recreated.
Web browsing indicates that tmp.edb is a database file used by Windows, though I'm not sure if it is exactly the same path as above.
I am afraid that the malware isn't truly gone, and that MSE will pop up the warning again.
What should I do? I am using Windows 7 Professional 64-bit.
Why this is not a generic malware removal question
One reader marked this question as a duplicating a generic best practice and recovery thread, but if it is accepted as a duplicate, then it means that the generic original precludes any further question on malware. The specificness of this question includes the fact that it isn't necessarily asking how to remove a virus. It doesn't even presume that there is an infection. I describe how two other AVs do not flag the problem that MSE does, and the fact that the cited file is a Windows file. One that goes away when I boot in safe mode. Some new details that make this even harder to assess is the fact that the indicators of Nemucod's presence is highly varied (e.g. here and here), which makes it hard to check whether this is a false positive.
UPDATE
To see if new MSE definitions might now exclude this trigger, I updated definitions at 2am 2018-12-16 EST and ran a full scan. The trigger recurs. Since the definitions were still those created on 2018-12-15, however, this should not be a suprise. As the tmp.edb is a Windows Search file, I disabled Windows Search as suggested by Jatmin and confirmed the absence of tmp.edb after rebooting. As a further measure, I downloaded new MSE definitions created 2018-12-16 07:44 EST and did a full scan, which came up clean. I find Windows Search useful, however, so I re-enabled it, which caused the MSE alarms after reboot (and tmp.edb was present again). I was hopeful that new definitions created 12:47 EST would not generate the alarm, but they still did. On a positive front, I updated MalwareBytes Free definitions, and enabled rootkit detection -- the scan came up clean.
UPDATE
I can't believe that this problem persists with virus definitions dated 2018-12-25. Why does no one else encounter this?
I have posted this to the Microsoft forum and reported this to Microsoft.
windows-7 security malware
In response to having this question marked as a duplicate, I added at the end a section explaining why this is not a generic malware removal question.
Today, I got a popup saying that I would be logged off in 1 minute. Sure enough, it happened.
I updated the malware definitions of MSE, Malwarebytes Free, and Spybot S&D free, then ran full scans in sequence. The latter two came up with nothing concerning, but MSE reported Nemucod, and cited c:ProgramDataMicrosoftSearchDataApplicationsWindowstmp.edb. I made the GUI selections to remove that, and was prompted to reboot. Upon logging in again, MSE displays a message saying that it was cleaning the malware, and that nothing need be done. Minutes later, MSE displays a warning again, and the details refer to Nemucod again. So I go through the removal routine again, but this seems to go in and "endless" loop (by which I mean iterations so far). The time stamp of tmp.edb always seems about as recent as the most recent reboot.
I used an admin account and tried manually deleting tmp.edb, but am told that the resource is busy. I booted in safe mode, but tmp.edb was nowhere to be found. Only when I booted in normal mode again did tmp.edb gets recreated.
Web browsing indicates that tmp.edb is a database file used by Windows, though I'm not sure if it is exactly the same path as above.
I am afraid that the malware isn't truly gone, and that MSE will pop up the warning again.
What should I do? I am using Windows 7 Professional 64-bit.
Why this is not a generic malware removal question
One reader marked this question as a duplicating a generic best practice and recovery thread, but if it is accepted as a duplicate, then it means that the generic original precludes any further question on malware. The specificness of this question includes the fact that it isn't necessarily asking how to remove a virus. It doesn't even presume that there is an infection. I describe how two other AVs do not flag the problem that MSE does, and the fact that the cited file is a Windows file. One that goes away when I boot in safe mode. Some new details that make this even harder to assess is the fact that the indicators of Nemucod's presence is highly varied (e.g. here and here), which makes it hard to check whether this is a false positive.
UPDATE
To see if new MSE definitions might now exclude this trigger, I updated definitions at 2am 2018-12-16 EST and ran a full scan. The trigger recurs. Since the definitions were still those created on 2018-12-15, however, this should not be a suprise. As the tmp.edb is a Windows Search file, I disabled Windows Search as suggested by Jatmin and confirmed the absence of tmp.edb after rebooting. As a further measure, I downloaded new MSE definitions created 2018-12-16 07:44 EST and did a full scan, which came up clean. I find Windows Search useful, however, so I re-enabled it, which caused the MSE alarms after reboot (and tmp.edb was present again). I was hopeful that new definitions created 12:47 EST would not generate the alarm, but they still did. On a positive front, I updated MalwareBytes Free definitions, and enabled rootkit detection -- the scan came up clean.
UPDATE
I can't believe that this problem persists with virus definitions dated 2018-12-25. Why does no one else encounter this?
I have posted this to the Microsoft forum and reported this to Microsoft.
windows-7 security malware
windows-7 security malware
edited 2 days ago
asked Dec 16 at 8:00
user2153235
255
255
Moab marked this a a duplicate. But the cited original is just a generic best practices and recovery thread. This is a very specific situation, and the answer could very well be a false positive. If this thread is accepted as a duplicate, then it means that the generic original precludes any other thread as valid. I will revise the text of the question to highlight specificness of this question.
– user2153235
Dec 16 at 14:04
Microsoft docs say this file is supposed to be excluded from virus scanning by default. Did you change any settings? Like modifying the list of scanned file extensions or anything.
– Daniel B
Dec 16 at 15:27
Never. AVs are a black art/box to me. But the article refers to Defender and Windows Server. I use MSE and Windows 7 Professional at home. Would that explain why I am missing a default exclusion? Wouldn't that affect other home users?
– user2153235
Dec 16 at 15:48
The explanation in the paragraph entitled "Why this is not a generic malware removal question". The cited generic original question deals with removal, yet the problem here seems to be about determining whether it is a false positive. About virustotal, I am hesitant to submit files offsite for scanning.
– user2153235
Dec 16 at 18:00
May I suggest you edit your question to be much more explicit about the fact you want to know how to determine if the file is infected, not how to remove the infection? That's not at all what I understand your question to be.
– Twisty Impersonator
Dec 16 at 18:25
|
show 1 more comment
Moab marked this a a duplicate. But the cited original is just a generic best practices and recovery thread. This is a very specific situation, and the answer could very well be a false positive. If this thread is accepted as a duplicate, then it means that the generic original precludes any other thread as valid. I will revise the text of the question to highlight specificness of this question.
– user2153235
Dec 16 at 14:04
Microsoft docs say this file is supposed to be excluded from virus scanning by default. Did you change any settings? Like modifying the list of scanned file extensions or anything.
– Daniel B
Dec 16 at 15:27
Never. AVs are a black art/box to me. But the article refers to Defender and Windows Server. I use MSE and Windows 7 Professional at home. Would that explain why I am missing a default exclusion? Wouldn't that affect other home users?
– user2153235
Dec 16 at 15:48
The explanation in the paragraph entitled "Why this is not a generic malware removal question". The cited generic original question deals with removal, yet the problem here seems to be about determining whether it is a false positive. About virustotal, I am hesitant to submit files offsite for scanning.
– user2153235
Dec 16 at 18:00
May I suggest you edit your question to be much more explicit about the fact you want to know how to determine if the file is infected, not how to remove the infection? That's not at all what I understand your question to be.
– Twisty Impersonator
Dec 16 at 18:25
Moab marked this a a duplicate. But the cited original is just a generic best practices and recovery thread. This is a very specific situation, and the answer could very well be a false positive. If this thread is accepted as a duplicate, then it means that the generic original precludes any other thread as valid. I will revise the text of the question to highlight specificness of this question.
– user2153235
Dec 16 at 14:04
Moab marked this a a duplicate. But the cited original is just a generic best practices and recovery thread. This is a very specific situation, and the answer could very well be a false positive. If this thread is accepted as a duplicate, then it means that the generic original precludes any other thread as valid. I will revise the text of the question to highlight specificness of this question.
– user2153235
Dec 16 at 14:04
Microsoft docs say this file is supposed to be excluded from virus scanning by default. Did you change any settings? Like modifying the list of scanned file extensions or anything.
– Daniel B
Dec 16 at 15:27
Microsoft docs say this file is supposed to be excluded from virus scanning by default. Did you change any settings? Like modifying the list of scanned file extensions or anything.
– Daniel B
Dec 16 at 15:27
Never. AVs are a black art/box to me. But the article refers to Defender and Windows Server. I use MSE and Windows 7 Professional at home. Would that explain why I am missing a default exclusion? Wouldn't that affect other home users?
– user2153235
Dec 16 at 15:48
Never. AVs are a black art/box to me. But the article refers to Defender and Windows Server. I use MSE and Windows 7 Professional at home. Would that explain why I am missing a default exclusion? Wouldn't that affect other home users?
– user2153235
Dec 16 at 15:48
The explanation in the paragraph entitled "Why this is not a generic malware removal question". The cited generic original question deals with removal, yet the problem here seems to be about determining whether it is a false positive. About virustotal, I am hesitant to submit files offsite for scanning.
– user2153235
Dec 16 at 18:00
The explanation in the paragraph entitled "Why this is not a generic malware removal question". The cited generic original question deals with removal, yet the problem here seems to be about determining whether it is a false positive. About virustotal, I am hesitant to submit files offsite for scanning.
– user2153235
Dec 16 at 18:00
May I suggest you edit your question to be much more explicit about the fact you want to know how to determine if the file is infected, not how to remove the infection? That's not at all what I understand your question to be.
– Twisty Impersonator
Dec 16 at 18:25
May I suggest you edit your question to be much more explicit about the fact you want to know how to determine if the file is infected, not how to remove the infection? That's not at all what I understand your question to be.
– Twisty Impersonator
Dec 16 at 18:25
|
show 1 more comment
2 Answers
2
active
oldest
votes
You have a couple of options to confirm or refute the claim by a particular security product that a file is infected. Note that both of these methods require you to share the file with a third party*:
Scan the suspect file with security products from several other vendors. Because most security products should not be installed side-by-side on the same machine, the simplest way I know to do this is by using the site VirusTotal.com. According to their How it works page:
VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content....Malware signatures are updated frequently by VirusTotal as they are distributed by antivirus companies, this ensures that our service uses the latest signature sets.
However, if you don't want to use this (or a similar) site, you could uninstall your existing antivirus software and install another one, though that seems painful to do. Another option would be to take the file to another computer, but that risks spreading the threat if it's legitimate.
Submit a false-positive report to the antivirus vendor. Each vendor's process for this is different and if you actually need to hear back from them as to whether the threat is real or not, it may be necessary to open a technical support request rather than simply use their false-positive reporting process. You will be asked to send them a copy of the file as part of this.
*In the comments you've shared your concern about sharing the potentially infected file with a third party. While this is understandable, you must realize that unless you are able to analyze the file yourself, you will have no choice but to involve a third party. And since no one can tell you whether the file is infected without inspecting it, the obvious conclusion is that you will necessarily have to share the file with whomever you ask to determine if it's infected or not.
Thanks, Twisty Impersonator. If I can get a confident enough assessment without sharing the file, I'll do that. MSE warnings aren't triggered if I disable Windows Search (which removes tmp.edb), so it seems to be a false positive. The lack of alarms from MalwareBytes and SpyBot S&D corroborate this. It's just odd that there aren't more complaints about this. I am rescanning with new MSE definitions created 12:47pm, but regardless of the outcome, I will also take the final measure of rescanning with Malwarbytes, with rootkit detection enabled.
– user2153235
Dec 16 at 20:50
I respect your reservations about sharing the file. Unfortunately, there's no way around doing so unless you can confirm the file is clean on your own.
– Twisty Impersonator
Dec 16 at 21:08
For me, it will boil down to a judgement of risk. I don't know what goes in to a tmp.edb created by the indexer. Probably just a bunch of filepaths and search phrases that match the file contents, but that's speculation. There's also the fact that this file doesn't even exist in the absence of enabled Windows Search. Again, I can only speculate, but how bad can malware be if the existence of suspect file depends on the enablement of indexing? Er..unless tmp.edb serves as an enabler, e.g., to let other malware find points of vulnerability. (I am not an IT security person!)
– user2153235
Dec 16 at 22:15
add a comment |
Just a stupid thing to suggest here. Temporarily disable windows search and see if tmp.edb goes away after reboot. If it does (it should) just add the .edb extension to MSE exclusions, or at least THAT tmp.edb file to exclusions. It seems winblows is detecting itself as a virus....which means it is FINALLY doing something right!! (giggle, I like winblows in actuality-it runs games far better than my linux boxes:-).
https://community.sophos.com/kb/en-us/118310
https://answers.microsoft.com/en-us/protect/forum/all/is-tmpedb-a-threat/f219d7aa-3368-4d51-b4df-53400e3cbb96
Thanks, Jatmin. The file is gone. I am full-scanning with new MSE definitions as of this morning, and it should come up clean since the file is gone. However, I like Windows Search, so I will re-enable it afterward and check whether it triggers on the new MSE definitions. I prefer not excluding files from scanning if it can be avoided.
– user2153235
Dec 16 at 15:34
Jatmin, your answer adds a lot of value, and may actually zero right into the underlying problem. I believe that it may be getting downvotes (not from me!) because of the disparaging reference to Windows. If you could revise it, it may get the positive recognition that it deserves. Thanks for considering this.
– user2153235
Dec 16 at 20:43
Naw-I won't edit my humor for the haters. Down vote or not. I am correct, Windows and Linux both suck in their own ways. Strengths/weaknesses you know? All the down-votes will do is prevent me from helping someone else. I couldn't care a less about rep on a user forum. I'm not here for my status on this forum like some; I simply want to give back what I have taken over the years. This site has helped me out on many occasion and I thought I could give some back in my spare moments. Is what it is. Thanks again for the advice. Good luck with you problems, I truly hope all is well in the future.
– Jatmin
Dec 17 at 19:19
I'm sorry to hear that this might dissuade you as a source of knowledge that can help others. But I get where you're coming from about humour.
– user2153235
Dec 18 at 0:17
Naw - the Haters won't dissuade me either. I'll keep going until their hate prevents me from helping is all. It's on them. Cheers.
– Jatmin
Dec 19 at 16:41
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1384963%2ffalse-positive-microsoft-security-essentials-detects-nemucod-in-tmp-edb%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
You have a couple of options to confirm or refute the claim by a particular security product that a file is infected. Note that both of these methods require you to share the file with a third party*:
Scan the suspect file with security products from several other vendors. Because most security products should not be installed side-by-side on the same machine, the simplest way I know to do this is by using the site VirusTotal.com. According to their How it works page:
VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content....Malware signatures are updated frequently by VirusTotal as they are distributed by antivirus companies, this ensures that our service uses the latest signature sets.
However, if you don't want to use this (or a similar) site, you could uninstall your existing antivirus software and install another one, though that seems painful to do. Another option would be to take the file to another computer, but that risks spreading the threat if it's legitimate.
Submit a false-positive report to the antivirus vendor. Each vendor's process for this is different and if you actually need to hear back from them as to whether the threat is real or not, it may be necessary to open a technical support request rather than simply use their false-positive reporting process. You will be asked to send them a copy of the file as part of this.
*In the comments you've shared your concern about sharing the potentially infected file with a third party. While this is understandable, you must realize that unless you are able to analyze the file yourself, you will have no choice but to involve a third party. And since no one can tell you whether the file is infected without inspecting it, the obvious conclusion is that you will necessarily have to share the file with whomever you ask to determine if it's infected or not.
Thanks, Twisty Impersonator. If I can get a confident enough assessment without sharing the file, I'll do that. MSE warnings aren't triggered if I disable Windows Search (which removes tmp.edb), so it seems to be a false positive. The lack of alarms from MalwareBytes and SpyBot S&D corroborate this. It's just odd that there aren't more complaints about this. I am rescanning with new MSE definitions created 12:47pm, but regardless of the outcome, I will also take the final measure of rescanning with Malwarbytes, with rootkit detection enabled.
– user2153235
Dec 16 at 20:50
I respect your reservations about sharing the file. Unfortunately, there's no way around doing so unless you can confirm the file is clean on your own.
– Twisty Impersonator
Dec 16 at 21:08
For me, it will boil down to a judgement of risk. I don't know what goes in to a tmp.edb created by the indexer. Probably just a bunch of filepaths and search phrases that match the file contents, but that's speculation. There's also the fact that this file doesn't even exist in the absence of enabled Windows Search. Again, I can only speculate, but how bad can malware be if the existence of suspect file depends on the enablement of indexing? Er..unless tmp.edb serves as an enabler, e.g., to let other malware find points of vulnerability. (I am not an IT security person!)
– user2153235
Dec 16 at 22:15
add a comment |
You have a couple of options to confirm or refute the claim by a particular security product that a file is infected. Note that both of these methods require you to share the file with a third party*:
Scan the suspect file with security products from several other vendors. Because most security products should not be installed side-by-side on the same machine, the simplest way I know to do this is by using the site VirusTotal.com. According to their How it works page:
VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content....Malware signatures are updated frequently by VirusTotal as they are distributed by antivirus companies, this ensures that our service uses the latest signature sets.
However, if you don't want to use this (or a similar) site, you could uninstall your existing antivirus software and install another one, though that seems painful to do. Another option would be to take the file to another computer, but that risks spreading the threat if it's legitimate.
Submit a false-positive report to the antivirus vendor. Each vendor's process for this is different and if you actually need to hear back from them as to whether the threat is real or not, it may be necessary to open a technical support request rather than simply use their false-positive reporting process. You will be asked to send them a copy of the file as part of this.
*In the comments you've shared your concern about sharing the potentially infected file with a third party. While this is understandable, you must realize that unless you are able to analyze the file yourself, you will have no choice but to involve a third party. And since no one can tell you whether the file is infected without inspecting it, the obvious conclusion is that you will necessarily have to share the file with whomever you ask to determine if it's infected or not.
Thanks, Twisty Impersonator. If I can get a confident enough assessment without sharing the file, I'll do that. MSE warnings aren't triggered if I disable Windows Search (which removes tmp.edb), so it seems to be a false positive. The lack of alarms from MalwareBytes and SpyBot S&D corroborate this. It's just odd that there aren't more complaints about this. I am rescanning with new MSE definitions created 12:47pm, but regardless of the outcome, I will also take the final measure of rescanning with Malwarbytes, with rootkit detection enabled.
– user2153235
Dec 16 at 20:50
I respect your reservations about sharing the file. Unfortunately, there's no way around doing so unless you can confirm the file is clean on your own.
– Twisty Impersonator
Dec 16 at 21:08
For me, it will boil down to a judgement of risk. I don't know what goes in to a tmp.edb created by the indexer. Probably just a bunch of filepaths and search phrases that match the file contents, but that's speculation. There's also the fact that this file doesn't even exist in the absence of enabled Windows Search. Again, I can only speculate, but how bad can malware be if the existence of suspect file depends on the enablement of indexing? Er..unless tmp.edb serves as an enabler, e.g., to let other malware find points of vulnerability. (I am not an IT security person!)
– user2153235
Dec 16 at 22:15
add a comment |
You have a couple of options to confirm or refute the claim by a particular security product that a file is infected. Note that both of these methods require you to share the file with a third party*:
Scan the suspect file with security products from several other vendors. Because most security products should not be installed side-by-side on the same machine, the simplest way I know to do this is by using the site VirusTotal.com. According to their How it works page:
VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content....Malware signatures are updated frequently by VirusTotal as they are distributed by antivirus companies, this ensures that our service uses the latest signature sets.
However, if you don't want to use this (or a similar) site, you could uninstall your existing antivirus software and install another one, though that seems painful to do. Another option would be to take the file to another computer, but that risks spreading the threat if it's legitimate.
Submit a false-positive report to the antivirus vendor. Each vendor's process for this is different and if you actually need to hear back from them as to whether the threat is real or not, it may be necessary to open a technical support request rather than simply use their false-positive reporting process. You will be asked to send them a copy of the file as part of this.
*In the comments you've shared your concern about sharing the potentially infected file with a third party. While this is understandable, you must realize that unless you are able to analyze the file yourself, you will have no choice but to involve a third party. And since no one can tell you whether the file is infected without inspecting it, the obvious conclusion is that you will necessarily have to share the file with whomever you ask to determine if it's infected or not.
You have a couple of options to confirm or refute the claim by a particular security product that a file is infected. Note that both of these methods require you to share the file with a third party*:
Scan the suspect file with security products from several other vendors. Because most security products should not be installed side-by-side on the same machine, the simplest way I know to do this is by using the site VirusTotal.com. According to their How it works page:
VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content....Malware signatures are updated frequently by VirusTotal as they are distributed by antivirus companies, this ensures that our service uses the latest signature sets.
However, if you don't want to use this (or a similar) site, you could uninstall your existing antivirus software and install another one, though that seems painful to do. Another option would be to take the file to another computer, but that risks spreading the threat if it's legitimate.
Submit a false-positive report to the antivirus vendor. Each vendor's process for this is different and if you actually need to hear back from them as to whether the threat is real or not, it may be necessary to open a technical support request rather than simply use their false-positive reporting process. You will be asked to send them a copy of the file as part of this.
*In the comments you've shared your concern about sharing the potentially infected file with a third party. While this is understandable, you must realize that unless you are able to analyze the file yourself, you will have no choice but to involve a third party. And since no one can tell you whether the file is infected without inspecting it, the obvious conclusion is that you will necessarily have to share the file with whomever you ask to determine if it's infected or not.
edited Dec 16 at 20:38
answered Dec 16 at 20:32
Twisty Impersonator
17.7k136395
17.7k136395
Thanks, Twisty Impersonator. If I can get a confident enough assessment without sharing the file, I'll do that. MSE warnings aren't triggered if I disable Windows Search (which removes tmp.edb), so it seems to be a false positive. The lack of alarms from MalwareBytes and SpyBot S&D corroborate this. It's just odd that there aren't more complaints about this. I am rescanning with new MSE definitions created 12:47pm, but regardless of the outcome, I will also take the final measure of rescanning with Malwarbytes, with rootkit detection enabled.
– user2153235
Dec 16 at 20:50
I respect your reservations about sharing the file. Unfortunately, there's no way around doing so unless you can confirm the file is clean on your own.
– Twisty Impersonator
Dec 16 at 21:08
For me, it will boil down to a judgement of risk. I don't know what goes in to a tmp.edb created by the indexer. Probably just a bunch of filepaths and search phrases that match the file contents, but that's speculation. There's also the fact that this file doesn't even exist in the absence of enabled Windows Search. Again, I can only speculate, but how bad can malware be if the existence of suspect file depends on the enablement of indexing? Er..unless tmp.edb serves as an enabler, e.g., to let other malware find points of vulnerability. (I am not an IT security person!)
– user2153235
Dec 16 at 22:15
add a comment |
Thanks, Twisty Impersonator. If I can get a confident enough assessment without sharing the file, I'll do that. MSE warnings aren't triggered if I disable Windows Search (which removes tmp.edb), so it seems to be a false positive. The lack of alarms from MalwareBytes and SpyBot S&D corroborate this. It's just odd that there aren't more complaints about this. I am rescanning with new MSE definitions created 12:47pm, but regardless of the outcome, I will also take the final measure of rescanning with Malwarbytes, with rootkit detection enabled.
– user2153235
Dec 16 at 20:50
I respect your reservations about sharing the file. Unfortunately, there's no way around doing so unless you can confirm the file is clean on your own.
– Twisty Impersonator
Dec 16 at 21:08
For me, it will boil down to a judgement of risk. I don't know what goes in to a tmp.edb created by the indexer. Probably just a bunch of filepaths and search phrases that match the file contents, but that's speculation. There's also the fact that this file doesn't even exist in the absence of enabled Windows Search. Again, I can only speculate, but how bad can malware be if the existence of suspect file depends on the enablement of indexing? Er..unless tmp.edb serves as an enabler, e.g., to let other malware find points of vulnerability. (I am not an IT security person!)
– user2153235
Dec 16 at 22:15
Thanks, Twisty Impersonator. If I can get a confident enough assessment without sharing the file, I'll do that. MSE warnings aren't triggered if I disable Windows Search (which removes tmp.edb), so it seems to be a false positive. The lack of alarms from MalwareBytes and SpyBot S&D corroborate this. It's just odd that there aren't more complaints about this. I am rescanning with new MSE definitions created 12:47pm, but regardless of the outcome, I will also take the final measure of rescanning with Malwarbytes, with rootkit detection enabled.
– user2153235
Dec 16 at 20:50
Thanks, Twisty Impersonator. If I can get a confident enough assessment without sharing the file, I'll do that. MSE warnings aren't triggered if I disable Windows Search (which removes tmp.edb), so it seems to be a false positive. The lack of alarms from MalwareBytes and SpyBot S&D corroborate this. It's just odd that there aren't more complaints about this. I am rescanning with new MSE definitions created 12:47pm, but regardless of the outcome, I will also take the final measure of rescanning with Malwarbytes, with rootkit detection enabled.
– user2153235
Dec 16 at 20:50
I respect your reservations about sharing the file. Unfortunately, there's no way around doing so unless you can confirm the file is clean on your own.
– Twisty Impersonator
Dec 16 at 21:08
I respect your reservations about sharing the file. Unfortunately, there's no way around doing so unless you can confirm the file is clean on your own.
– Twisty Impersonator
Dec 16 at 21:08
For me, it will boil down to a judgement of risk. I don't know what goes in to a tmp.edb created by the indexer. Probably just a bunch of filepaths and search phrases that match the file contents, but that's speculation. There's also the fact that this file doesn't even exist in the absence of enabled Windows Search. Again, I can only speculate, but how bad can malware be if the existence of suspect file depends on the enablement of indexing? Er..unless tmp.edb serves as an enabler, e.g., to let other malware find points of vulnerability. (I am not an IT security person!)
– user2153235
Dec 16 at 22:15
For me, it will boil down to a judgement of risk. I don't know what goes in to a tmp.edb created by the indexer. Probably just a bunch of filepaths and search phrases that match the file contents, but that's speculation. There's also the fact that this file doesn't even exist in the absence of enabled Windows Search. Again, I can only speculate, but how bad can malware be if the existence of suspect file depends on the enablement of indexing? Er..unless tmp.edb serves as an enabler, e.g., to let other malware find points of vulnerability. (I am not an IT security person!)
– user2153235
Dec 16 at 22:15
add a comment |
Just a stupid thing to suggest here. Temporarily disable windows search and see if tmp.edb goes away after reboot. If it does (it should) just add the .edb extension to MSE exclusions, or at least THAT tmp.edb file to exclusions. It seems winblows is detecting itself as a virus....which means it is FINALLY doing something right!! (giggle, I like winblows in actuality-it runs games far better than my linux boxes:-).
https://community.sophos.com/kb/en-us/118310
https://answers.microsoft.com/en-us/protect/forum/all/is-tmpedb-a-threat/f219d7aa-3368-4d51-b4df-53400e3cbb96
Thanks, Jatmin. The file is gone. I am full-scanning with new MSE definitions as of this morning, and it should come up clean since the file is gone. However, I like Windows Search, so I will re-enable it afterward and check whether it triggers on the new MSE definitions. I prefer not excluding files from scanning if it can be avoided.
– user2153235
Dec 16 at 15:34
Jatmin, your answer adds a lot of value, and may actually zero right into the underlying problem. I believe that it may be getting downvotes (not from me!) because of the disparaging reference to Windows. If you could revise it, it may get the positive recognition that it deserves. Thanks for considering this.
– user2153235
Dec 16 at 20:43
Naw-I won't edit my humor for the haters. Down vote or not. I am correct, Windows and Linux both suck in their own ways. Strengths/weaknesses you know? All the down-votes will do is prevent me from helping someone else. I couldn't care a less about rep on a user forum. I'm not here for my status on this forum like some; I simply want to give back what I have taken over the years. This site has helped me out on many occasion and I thought I could give some back in my spare moments. Is what it is. Thanks again for the advice. Good luck with you problems, I truly hope all is well in the future.
– Jatmin
Dec 17 at 19:19
I'm sorry to hear that this might dissuade you as a source of knowledge that can help others. But I get where you're coming from about humour.
– user2153235
Dec 18 at 0:17
Naw - the Haters won't dissuade me either. I'll keep going until their hate prevents me from helping is all. It's on them. Cheers.
– Jatmin
Dec 19 at 16:41
add a comment |
Just a stupid thing to suggest here. Temporarily disable windows search and see if tmp.edb goes away after reboot. If it does (it should) just add the .edb extension to MSE exclusions, or at least THAT tmp.edb file to exclusions. It seems winblows is detecting itself as a virus....which means it is FINALLY doing something right!! (giggle, I like winblows in actuality-it runs games far better than my linux boxes:-).
https://community.sophos.com/kb/en-us/118310
https://answers.microsoft.com/en-us/protect/forum/all/is-tmpedb-a-threat/f219d7aa-3368-4d51-b4df-53400e3cbb96
Thanks, Jatmin. The file is gone. I am full-scanning with new MSE definitions as of this morning, and it should come up clean since the file is gone. However, I like Windows Search, so I will re-enable it afterward and check whether it triggers on the new MSE definitions. I prefer not excluding files from scanning if it can be avoided.
– user2153235
Dec 16 at 15:34
Jatmin, your answer adds a lot of value, and may actually zero right into the underlying problem. I believe that it may be getting downvotes (not from me!) because of the disparaging reference to Windows. If you could revise it, it may get the positive recognition that it deserves. Thanks for considering this.
– user2153235
Dec 16 at 20:43
Naw-I won't edit my humor for the haters. Down vote or not. I am correct, Windows and Linux both suck in their own ways. Strengths/weaknesses you know? All the down-votes will do is prevent me from helping someone else. I couldn't care a less about rep on a user forum. I'm not here for my status on this forum like some; I simply want to give back what I have taken over the years. This site has helped me out on many occasion and I thought I could give some back in my spare moments. Is what it is. Thanks again for the advice. Good luck with you problems, I truly hope all is well in the future.
– Jatmin
Dec 17 at 19:19
I'm sorry to hear that this might dissuade you as a source of knowledge that can help others. But I get where you're coming from about humour.
– user2153235
Dec 18 at 0:17
Naw - the Haters won't dissuade me either. I'll keep going until their hate prevents me from helping is all. It's on them. Cheers.
– Jatmin
Dec 19 at 16:41
add a comment |
Just a stupid thing to suggest here. Temporarily disable windows search and see if tmp.edb goes away after reboot. If it does (it should) just add the .edb extension to MSE exclusions, or at least THAT tmp.edb file to exclusions. It seems winblows is detecting itself as a virus....which means it is FINALLY doing something right!! (giggle, I like winblows in actuality-it runs games far better than my linux boxes:-).
https://community.sophos.com/kb/en-us/118310
https://answers.microsoft.com/en-us/protect/forum/all/is-tmpedb-a-threat/f219d7aa-3368-4d51-b4df-53400e3cbb96
Just a stupid thing to suggest here. Temporarily disable windows search and see if tmp.edb goes away after reboot. If it does (it should) just add the .edb extension to MSE exclusions, or at least THAT tmp.edb file to exclusions. It seems winblows is detecting itself as a virus....which means it is FINALLY doing something right!! (giggle, I like winblows in actuality-it runs games far better than my linux boxes:-).
https://community.sophos.com/kb/en-us/118310
https://answers.microsoft.com/en-us/protect/forum/all/is-tmpedb-a-threat/f219d7aa-3368-4d51-b4df-53400e3cbb96
answered Dec 16 at 8:10
Jatmin
152
152
Thanks, Jatmin. The file is gone. I am full-scanning with new MSE definitions as of this morning, and it should come up clean since the file is gone. However, I like Windows Search, so I will re-enable it afterward and check whether it triggers on the new MSE definitions. I prefer not excluding files from scanning if it can be avoided.
– user2153235
Dec 16 at 15:34
Jatmin, your answer adds a lot of value, and may actually zero right into the underlying problem. I believe that it may be getting downvotes (not from me!) because of the disparaging reference to Windows. If you could revise it, it may get the positive recognition that it deserves. Thanks for considering this.
– user2153235
Dec 16 at 20:43
Naw-I won't edit my humor for the haters. Down vote or not. I am correct, Windows and Linux both suck in their own ways. Strengths/weaknesses you know? All the down-votes will do is prevent me from helping someone else. I couldn't care a less about rep on a user forum. I'm not here for my status on this forum like some; I simply want to give back what I have taken over the years. This site has helped me out on many occasion and I thought I could give some back in my spare moments. Is what it is. Thanks again for the advice. Good luck with you problems, I truly hope all is well in the future.
– Jatmin
Dec 17 at 19:19
I'm sorry to hear that this might dissuade you as a source of knowledge that can help others. But I get where you're coming from about humour.
– user2153235
Dec 18 at 0:17
Naw - the Haters won't dissuade me either. I'll keep going until their hate prevents me from helping is all. It's on them. Cheers.
– Jatmin
Dec 19 at 16:41
add a comment |
Thanks, Jatmin. The file is gone. I am full-scanning with new MSE definitions as of this morning, and it should come up clean since the file is gone. However, I like Windows Search, so I will re-enable it afterward and check whether it triggers on the new MSE definitions. I prefer not excluding files from scanning if it can be avoided.
– user2153235
Dec 16 at 15:34
Jatmin, your answer adds a lot of value, and may actually zero right into the underlying problem. I believe that it may be getting downvotes (not from me!) because of the disparaging reference to Windows. If you could revise it, it may get the positive recognition that it deserves. Thanks for considering this.
– user2153235
Dec 16 at 20:43
Naw-I won't edit my humor for the haters. Down vote or not. I am correct, Windows and Linux both suck in their own ways. Strengths/weaknesses you know? All the down-votes will do is prevent me from helping someone else. I couldn't care a less about rep on a user forum. I'm not here for my status on this forum like some; I simply want to give back what I have taken over the years. This site has helped me out on many occasion and I thought I could give some back in my spare moments. Is what it is. Thanks again for the advice. Good luck with you problems, I truly hope all is well in the future.
– Jatmin
Dec 17 at 19:19
I'm sorry to hear that this might dissuade you as a source of knowledge that can help others. But I get where you're coming from about humour.
– user2153235
Dec 18 at 0:17
Naw - the Haters won't dissuade me either. I'll keep going until their hate prevents me from helping is all. It's on them. Cheers.
– Jatmin
Dec 19 at 16:41
Thanks, Jatmin. The file is gone. I am full-scanning with new MSE definitions as of this morning, and it should come up clean since the file is gone. However, I like Windows Search, so I will re-enable it afterward and check whether it triggers on the new MSE definitions. I prefer not excluding files from scanning if it can be avoided.
– user2153235
Dec 16 at 15:34
Thanks, Jatmin. The file is gone. I am full-scanning with new MSE definitions as of this morning, and it should come up clean since the file is gone. However, I like Windows Search, so I will re-enable it afterward and check whether it triggers on the new MSE definitions. I prefer not excluding files from scanning if it can be avoided.
– user2153235
Dec 16 at 15:34
Jatmin, your answer adds a lot of value, and may actually zero right into the underlying problem. I believe that it may be getting downvotes (not from me!) because of the disparaging reference to Windows. If you could revise it, it may get the positive recognition that it deserves. Thanks for considering this.
– user2153235
Dec 16 at 20:43
Jatmin, your answer adds a lot of value, and may actually zero right into the underlying problem. I believe that it may be getting downvotes (not from me!) because of the disparaging reference to Windows. If you could revise it, it may get the positive recognition that it deserves. Thanks for considering this.
– user2153235
Dec 16 at 20:43
Naw-I won't edit my humor for the haters. Down vote or not. I am correct, Windows and Linux both suck in their own ways. Strengths/weaknesses you know? All the down-votes will do is prevent me from helping someone else. I couldn't care a less about rep on a user forum. I'm not here for my status on this forum like some; I simply want to give back what I have taken over the years. This site has helped me out on many occasion and I thought I could give some back in my spare moments. Is what it is. Thanks again for the advice. Good luck with you problems, I truly hope all is well in the future.
– Jatmin
Dec 17 at 19:19
Naw-I won't edit my humor for the haters. Down vote or not. I am correct, Windows and Linux both suck in their own ways. Strengths/weaknesses you know? All the down-votes will do is prevent me from helping someone else. I couldn't care a less about rep on a user forum. I'm not here for my status on this forum like some; I simply want to give back what I have taken over the years. This site has helped me out on many occasion and I thought I could give some back in my spare moments. Is what it is. Thanks again for the advice. Good luck with you problems, I truly hope all is well in the future.
– Jatmin
Dec 17 at 19:19
I'm sorry to hear that this might dissuade you as a source of knowledge that can help others. But I get where you're coming from about humour.
– user2153235
Dec 18 at 0:17
I'm sorry to hear that this might dissuade you as a source of knowledge that can help others. But I get where you're coming from about humour.
– user2153235
Dec 18 at 0:17
Naw - the Haters won't dissuade me either. I'll keep going until their hate prevents me from helping is all. It's on them. Cheers.
– Jatmin
Dec 19 at 16:41
Naw - the Haters won't dissuade me either. I'll keep going until their hate prevents me from helping is all. It's on them. Cheers.
– Jatmin
Dec 19 at 16:41
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1384963%2ffalse-positive-microsoft-security-essentials-detects-nemucod-in-tmp-edb%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Moab marked this a a duplicate. But the cited original is just a generic best practices and recovery thread. This is a very specific situation, and the answer could very well be a false positive. If this thread is accepted as a duplicate, then it means that the generic original precludes any other thread as valid. I will revise the text of the question to highlight specificness of this question.
– user2153235
Dec 16 at 14:04
Microsoft docs say this file is supposed to be excluded from virus scanning by default. Did you change any settings? Like modifying the list of scanned file extensions or anything.
– Daniel B
Dec 16 at 15:27
Never. AVs are a black art/box to me. But the article refers to Defender and Windows Server. I use MSE and Windows 7 Professional at home. Would that explain why I am missing a default exclusion? Wouldn't that affect other home users?
– user2153235
Dec 16 at 15:48
The explanation in the paragraph entitled "Why this is not a generic malware removal question". The cited generic original question deals with removal, yet the problem here seems to be about determining whether it is a false positive. About virustotal, I am hesitant to submit files offsite for scanning.
– user2153235
Dec 16 at 18:00
May I suggest you edit your question to be much more explicit about the fact you want to know how to determine if the file is infected, not how to remove the infection? That's not at all what I understand your question to be.
– Twisty Impersonator
Dec 16 at 18:25