Sunny

OA suddenly blocking Microsoft files daily


Using MS Security Essentials (trusted) for some time now (months) with OA recognizing & allowing it. No issues.

Friday got an alert on startup about 2 new files located in C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\ which I trusted. Today got alerts about these 2.

What goes on?

updates no longer recognized? NOT signed by MS & not what I think it is MSE updating, but some other malware?

KSLDriver, 1.1.1010.0, (1.1.1010.0)

C:\WINDOWS\system32\MpEngineStore\MpKsl97cd27c1.sys

Hash(MD5): 5F53EDFEAD46FA7ADB78EEE9ECCE8FDF

Results for "5F53EDFEAD46FA7ADB78EEE9ECCE8FDF"

1 record(s) found.

File Name: MpKsl2ea706cb.sys
Vendor: Microsoft Corporation
Product: Microsoft Malware Protection
Status: Unknown

and

KSLDriver, 1.1.1010.0, (1.1.1010.0)

C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE523401-4E78-452E-AE18-48B0106C9A81}\MpKsl7d3a383d.sys

Hash(MD5): 5F53EDFEAD46FA7ADB78EEE9ECCE8FDF


Perhaps OA's database just hasn't processed these files yet, so the signatures weren't able to be trusted automatically. Adding MSE to OA's exclusions list would be a good idea. It's best to exclude security programs from each other to avoid conflicts as well as unnecessary alerts. If you trust your security software, you don't need OA telling you about their updates :) It can take care of them itself and then you can focus on more important alerts.


Hello, catprincess. Thank you for your response.

All my security sw is excluded already (I used "trusted" incorrectly here, should have said excluded) -- which is why I am concerned. In this case, c:\program files\microsoft security essentials is excluded. All the stuff generating alerts seems to be stored in another location

C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\

but presumably update data always has been, & till last week, I never got any alerts about MSE. Is there any reason to suspect this folder is new or contains malware, since this just suddenly started causing alerts? Or should I just also exclude the MS application data folder?


As far as I know, that seems to be a standard location for MSE's definition updates to be downloaded to so you could exclude that from OA also to avoid these alerts. If MSE has the ability to perform a manual update check, you could do that and see if you get these alerts, in which case you'd know the files had been downloaded by an MSE update check. That's almost certainly the case but I don't know why you didn't previously get alerts from OA about them.


I'm getting this problem as well. It may have something to do with a change in the way MSE now works.

http://social.answers.microsoft.com/Forums/en-US/msescan/thread/05886700-30ac-4512-a943-7221bf0f1a90

No worries, the duplicate is removed now :)

Thanks for the link and information :) I had seen one such link earlier but not all of the recent replies which explain the service. In addition to excluding the main MSE program folder, could you try excluding the folder C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\ (that's for XP) or C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\Definition Updates (I believe this is the correct location in Vista and 7) and see if that helps for a start?


Thank you all for the link! I'm adding the folder to my exclusions list.

but

boy-oh-boy-oh-boy!!! Just gotta laugh reading the advice on that MS link. Windows fw doesn't offer the advanced control (or HIPS) that OA does, certainly MSE on its own is anti-malware, not HIPS or a fw, so therefore ... drumroll... an MVP on-site suggests removing OA to remove the alerts. (Why don't they digitally sign their drivers as they should so it is recognizable by all the legitimate anti-malware sw out there?!) Gotta love the reply of the person who told that smart-alec MVP that his advice is similar to the manufacturer of a badly built furnace which doesn't detect when it emits carbon monoxide, who is informed by customers that since installing the new furnace, their carbon monoxide detector keeps going off, and instead of recognizing the furnace he is selling is faulty, he tells them the problem will be resolved if they remove the CO detector!
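Rather than trusting or excluding the files blindly, a defender can check what the thread keeps asking about: whether the MpKsl*.sys drivers OA flags actually carry a Microsoft Authenticode signature, and whether their MD5 matches the hash in the OA popup. The script below is an added example, not from this thread or from Online Armor or MSE; it assumes only the three folder locations named in the posts (the GUID subfolder under Definition Updates changes with every update, so it is found by recursion).

```powershell
# Added example: list every MpKsl*.sys in the locations named in the thread,
# with its MD5 (to compare against the OA alert) and its Authenticode status.
# Locations are the XP path, the Vista/7 ProgramData path and the engine store.
$locations = @(
    'C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates',
    'C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates',
    'C:\WINDOWS\system32\MpEngineStore'
)

# MD5 via .NET so this also works on PowerShell 2 (Get-FileHash needs v4+).
function Get-Md5Hex([string]$Path) {
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

$results = foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }   # skip paths that do not exist on this OS
    Get-ChildItem -LiteralPath $dir -Filter 'MpKsl*.sys' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-AuthenticodeSignature checks the embedded signature only; a file that is
            # signed purely through a security catalog (.cat) is reported here as NotSigned.
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            New-Object PSObject -Property @{
                File   = $_.FullName
                MD5    = Get-Md5Hex $_.FullName
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = $signer
            }
        }
}

$results | Format-List File, MD5, Status, Signer
```

A Status of Valid with a Microsoft Corporation signer and an MD5 equal to the one in the alert supports the "this is the MSE update" explanation; HashMismatch or an unexpected signer is what would justify investigating further before excluding the folder.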


Thanks for the hints.

One thing though, each time MSE updates OA picks up two of these .sys files. One locates to c:\Program Data\Microsoft\Microsoft Antimalware\Definition updates the other locates to c:\Windows\System32\MpEngineStore. I've added the first one to my exception list, but will leave the other.

Thanks again


Do you also have the main MSE folder in Program Files excluded in OA? If you could post a screenshot of any popups you still get even with the Program Files folder and Program Data folder excluded, it might help to determine if there's anything else that can be done to prevent them :)
