News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • Malwarebytes stumbles with false positive on KB 3197868, the Win7 November Monthly Rollup

    Posted on November 20th, 2016 at 06:51 Comment on the AskWoody Lounge

    Thanks to SC for the heads up.

    Looks like those of you running Malwarebytes on a Win7 system using Group A updating are in for a rocky ride. Symptoms of the kernel32.dll false positive include locked up systems, and machines that take five minutes or more to shut down.

    On Thursday, Malwarebytes narrowed down the problem and posted this solution:

    What can I do if I have been affected by the Kernel32.dll false positive?

    This detection has been fixed as of database version v2016.11.16.11.

    This false positive was caused by Microsoft not digitally signing over 500 files included in “November, 2016 Security Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB3197868)”. Malwarebytes triggered on these unsigned files despite efforts in the 1.80 and 2.x releases to enhance safeguards and prevent false positives on legitimate files. We are working on correcting what actions took place to better protect from this in the future.

    Malwarebytes’ solutions are to uninstall KB 3197868 if you haven’t rebooted after installing it, use System Restore, or manually replace some system files (which is a bear!).

    UPDATE: I see some debate online about who’s at fault for the false positive – some blame Malwarebytes, others blame Microsoft. Given the details posted in the comments by abbodi, I think it’s fair to say that neither side committed any grave error. I’m surprised at the way Malwarebytes Anti-Malware reacted to a false positive, but as for the detection there’s plenty of reason to blame (or exonerate!) either side.

    There’s a good note on the situation from Imacri on the Norton Community forum:

    Win 7 SP1 users could potentially be affected if they ran a MBAM scan in the 4-day period between 08-Nov-2016 (the release date for the November 2016 Patch Tuesday updates) and 11-Nov-2016 when MBAM released database version v2016.11.16.11 to fix the problem.  I don’t see a large number of recent reports in their False Positive board at (link is external) so it doesn’t appear to be a widespread problem.

    Also, as abbodi notes in the comments, it’s likely that this problem also occurs with the Nov Win7 Security-only patch, KB 3197867 – that’s the “Group B” downloaded patch. I have no idea if it happens with the analogous patches for Win 8.1 – KB 3197874 (Nov Win 8.1 “Group A” Monthly Rollup) and KB 3917873 (Nov Win 8.1 “Group B” Security-only update) but wouldn’t be too surprised.