  • Microsoft Essentials False Positive Scan?

      • #106379 Reply
        KarenS
        AskWoody Lounger

        I tried searching the forum for an answer to this question but I can’t seem to find anything no matter what I put in the search box. Normally I don’t pay too much attention to the Microsoft Essentials program, I just let it do its thing. It does the automatic updates every day, and it is set to do a scheduled scan every Saturday night around midnight. When bringing my laptop out of sleep mode this past Saturday night I noticed the scan had not been done because it was asleep so I ran it manually. During the scan a message popped up at the bottom saying “preliminary scan results show that malicious or potentially unwanted software might exist on your computer. You can review the detected items when the scan is completed”. When the scan was completed no results showed in the history. The little monitor showed green with a check mark as usual but didn't say that “no threats were detected during this scan” at the top as it usually does. I ran the scan several times with the same results so I then did another scan using Malwarebytes and no threats were detected there. Is ME giving me false positive scan results? If so what do I do about it? I have NOT installed any of the March Patch Tuesday updates yet. My husband's laptop has ME and the same exact updates and I don’t get that message when I run a scan on his. We have Windows 7 Home Premium on both.

        UPDATE: Tried it again yesterday morning and today the message is still popping up at the bottom. It seems to pop up when it is scanning a file called schost (see attached screenshot). Is anyone else having this issue?
      • #106388 Reply
        PKCano
        Da Boss

        I searched for MSE. There was a mention of false positives Here and apparently the main topic of this reply.

        2 users thanked author for this post.
        • #106398 Reply
          woody
          Da Boss

          Yes! That’s the discussion I was looking for…

      • #106441 Reply
        anonymous
        Guest

        ? says:

        Maybe look at the MSE version? A couple of days ago v4.3.215 pre release on XP would not update definitions on the GUI from Microsoft Update or manually downloaded. When I ran several scans there was a yellow triangle near the bottom of the scan page saying that there was a preliminary indication of an infection when it crossed the (a) svchost.exe file. The scans finished with no infection(s) found. Yesterday, Microsoft Update sent v4.5.212.0 which was the red house kiss o death. My guess is that MSE on Vista is going to share the same fate. So, check the version and update if necessary.

      • #106635 Reply
        anonymous
        Guest

        MSE (7) and Windows Defender (10) have not been updating successfully, according to Windows Update, over the past couple of days (4-5 days). It has been reported on both tenforums and sevenforums. This link just came in yesterday …

        https://www.sevenforums.com/windows-updates-activation/406568-mse-not-updating.html

        Me also on W7. As one poster said it started after the malware popup during the scan a few days back (I got this too). After running several other product scans my system has no malware. I think MSE did update successfully and it is Windows Update that has gone strange. According to tenforums, MS is aware of the problem (but no indication as to what).

      • #106639 Reply
        anonymous
        Guest

        Microsoft just released a fix.

        https://www.microsoft.com/security/portal/definitions/whatsnew.aspx

        Virus: 1.239.837.0
        Spyware: 1.239.837.0
        Definition available date:
        Apr 05,2017 09:27 AM UTC

        Mine just updated (def file 841) and MSE is currently running a scan as I type this. Wilderssecurity posters are reporting that Windows Defender on 10 is updating successfully also. I just checked Windows Update history and it shows as successful.

        1 user thanked author for this post.
      • #106827 Reply
        anonymous
        Guest

        Thank you PKCano for that link to the post, I knew that I had read something about it here but just couldn’t find it. I wasn’t putting the S in MSE. It has been 5 days since I last discovered the False Positive reading and I am still getting the same message. My MSE is up to date with updates and according to my Windows Updates I have not had a failed update since Jan. 27th so I don’t know why the problem has not been fixed. I run a Malwarebytes scan every day and the results are negative for any threats. Also the other day after I installed the March Patch Tuesday updates I ran a quick MSE scan to see if that fixed the situation (it didn’t) and when I did it scanned over 85000 items but now it is only scanning just over 23000 items, is it not doing a whole scan?

        • #106828 Reply
          KarenS
          AskWoody Lounger

          Sorry I forgot to log into my account before making the above post, so that is why it is under Anonymous!

      • #106969 Reply
        anonymous
        Guest

        What about the definition files that did not install successfully over the past few days. I thought they could not be installed out of sequence. They are not cumulative are they?

      • #106982 Reply
        anonymous
        Guest

        The problem appeared to be with Windows Update reporting incorrectly, not MSE itself. MSE was updating the definitions file successfully. Windows Update was able to initiate the update.

        MSE has a log file that you can check to see if the definition files are installed on your system.

        > C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MPLog-xxxxx (text file)

        I checked the log on W7 and according to WU, I had 3 days of ‘failed’ MSE updates, but all the definition files that WU said failed, were shown as being downloaded and installed successfully on the dates they were sent.
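
The check described in the post above (Windows Update listing definition updates as failed while MSE had in fact installed them) can be scripted. This PowerShell is an added example, not part of the original thread; the registry key and value name and the "(Definition x.x.x.x)" title pattern are assumptions about a default MSE install on Windows 7, while the log folder is the one given in the post.

```powershell
# Added example. Run from an elevated Windows PowerShell prompt (works on PowerShell 2.0).

# Assumption: default location where MSE records its loaded signature versions.
$sigKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
# Log folder named in the thread.
$logDir = 'C:\ProgramData\Microsoft\Microsoft Antimalware\Support'

function Get-InstalledDefinition {
    # Version MSE itself reports as loaded, independent of Windows Update's records.
    $p = Get-ItemProperty -Path $sigKey -ErrorAction Stop
    [version]$p.AVSignatureVersion
}

function Get-WUDefinitionHistory {
    # Windows Update's own history, read through the Windows Update Agent COM API.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }

    # OperationResultCode values used by the Windows Update Agent.
    $names = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

    foreach ($e in $searcher.QueryHistory(0, $total)) {
        # Assumption: MSE definition entries carry "(Definition x.x.x.x)" in the title.
        if ($e.Title -match 'Security Essentials.*\(Definition\s+([\d.]+)\)') {
            New-Object PSObject -Property @{
                Date       = $e.Date
                Definition = [version]$Matches[1]
                Result     = $names[[int]$e.ResultCode]
            }
        }
    }
}

$installed = Get-InstalledDefinition
"MSE reports definition $installed as installed"

# A 'Failed' row whose version is not newer than the installed one means the
# definitions arrived anyway and only the Windows Update record is wrong.
Get-WUDefinitionHistory | Sort-Object Date |
    Select-Object Date, Definition, Result,
        @{ n = 'CoveredByInstalled'; e = { $_.Definition -le $installed } } |
    Format-Table -AutoSize

# Cross-check in MSE's own log files: show lines that mention the installed version.
Get-ChildItem -Path $logDir -Filter 'MPLog-*' |
    Select-String -SimpleMatch $installed.ToString() |
    Select-Object -First 10 -Property Filename, LineNumber, Line
```

Rows marked Failed with CoveredByInstalled set to True match the situation the poster describes; a Failed row that is newer than the installed version means the definitions really are behind.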

      • #107028 Reply
        KarenS
        AskWoody Lounger

        Anonymous, when it comes to computers I am not very knowledgeable and you might as well be speaking another language. I had no idea how/where to find the MSE log file that you speak of. Is this it? (see screenshot).  If it is I have no idea what/how to read that text that is in the box that pops up! I was so excited when I saw Woody’s post on the Home Page titled “Microsoft Security Essentials Finally Fixed” until I followed the link he posted, installed the latest MSE version (1.239.956.0), ran a scan and still got the same Malware message at the bottom of the scan box as soon as it hit the svchost item. All I know is that the WU is showing that all the definition updates are successfully installed. Attached is a screenshot of all the updates that have been installed since April 1st, according to my WU log. My husband and I have the same exact updates installed on our computers and he is not getting the malware message. This is soooo confusing and I am getting really frustrated at this point.
      • #109064 Reply
        BrianL
        AskWoody Lounger

        Have you tried reinstalling the newest version of MSE? When it reinstalls it is installed completely up to date. Follow the directions on reinstalling. I think that will solve the problem.

      • #109065 Reply
        BrianL
        AskWoody Lounger

        Add-on comment: be sure the new install is for your specific Windows version, if you are asked.

      • #109161 Reply
        KarenS
        AskWoody Lounger

        I have uninstalled, rebooted, reinstalled, ran a scan, rebooted again and ran two more scans and I am still experiencing the same exact issues I was before I uninstalled, Nothing changed!

        1 user thanked author for this post.
      • #109164 Reply
        anonymous
        Guest

        @karen

        Do you by any chance have “System Restore” On?

        System Protection = System Restore

        My wild idea is that it is ON and somehow flagging that svchost PID, because a restore point was made with some malware way back in the past.

        If you feel brave:
        Make a restore point now.
        Delete all but the last one shown by today's date.
        Reboot
        Run Scan
        Report back.

        PS. I had given up on System Restore way back in 2012. I do weekly full sysimages.

        Sorry for cross posting my friendly MOD.. it was getting tight on the column in other thread. Delete one or the other. But let's see if we can help Karen.

        • #109168 Reply
          PKCano
          Da Boss

          Screenshot can be added to a reply two ways.
          You can attach it to the reply, then insert it.
          Or you can put it on a shared folder on the Internet and point at it.
          But I don’t think you can do either unless you are registered/logged in.

        • #109176 Reply
          KarenS
          AskWoody Lounger

          I am not brave at all when it comes to doing things on my laptop. This is the first one I have ever owned and I am pretty uneducated when it comes to them. I have no idea what you are telling me to do. This problem is just a recent situation (just over 2 weeks).

          • #109186 Reply
            anonymous
            Guest

            No worries Karen. It is a mystery yet Malwarebytes tells you “OK” and Microsoft Security Ess. has a hiccup but comes out clean and the log files on both display no errant thread. So is it a worry or is it just a frustration that you see a prompt with a probable false warning?

            I don’t know, but I would trust to run the scan again after deleting all but the most recent “Restore Points” from my system.

            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

            The process that runs on most consumer PCs/laptops called System Restore is a service ~ a behind-the-scenes task that runs. It is one of many svchost items found in the task manager.

            It is responsible for capturing registry settings that are the backbone of all Windows systems since Windows 95.

            The application's use or configuration is managed via the windows seen below: If the image does not post here it is the same image hyper-linked as “System Restore” above.

            The visual above is showing two windows overlaid. The one on top shows that the user’s mouse is choosing to do a restore (Only restore previous version of files). This is not what you need to do.

            The visual with the window upper left showing a button “Create” is what you would want to do. And after making/creating a restore point, you could then “Configure” the restore points that exist on your laptop.

            My suggestion is to first “Create” a restore point, then “Configure” the existing lot down to the most recent restore point you had just made.

            With that accomplished, I would reboot my system to ensure a proper restart and then run the scan knowing that the scan by MSE will not be scanning garbage.

            That brings me to an analogy. If a waste basket in your kitchen stinks and is full of trash (like mine is now) it would not make sense to spray the house with air freshener, until after I emptied the garbage and cleaned the waste from the kitchen. Now I'm ready to spray!

            Garbage can collect in the “System Restore” within the points that are made without your knowledge. And it will contain as many points as allowed by the size of the wastebasket (hard drive space) allocated on the picture above depicted by the slider. So get rid of the bulk waste and be tidy as opposed to BRAVE!

            Empty the recycle bin too for good measure. Or just don’t sweat it and smile more at your husband to make him feel loved.

            • #109350 Reply
              KarenS
              AskWoody Lounger

              Anonymous, while I appreciate your trying to help, as I said I have absolutely no experience with computers so your post about creating a restore point and configuring is all Greek to me. I can’t see your image about system protection in the above post either. When doing anything on a computer step by step instructions are the only way that I can do anything and screenshots are always helpful as well.

              Steps that I have taken so far to fix the issue are:

              1. Uninstalled and reinstalled MSE

              2. Uninstalling KB4012215 (which I read could be causing the issue). That resulted in having my laptop stalling in “configuring windows don’t shut off your computer” for an hour.

              Neither of those have worked to solve the situation! You asked “So is it a worry or is it just a frustration that you see a prompt with a probable false warning?”, my answer is it is both frustrating that nothing seems to fix the issue and a worry not knowing if my laptop is properly protected from viruses or not.

              1 user thanked author for this post.
              • #109373 Reply
                anonymous
                Guest

                SevenForums will guide you with screenshots.
                https://www.sevenforums.com/tutorials/336-system-protection-restore-points-delete.html

                Please go to OPTION 2
                Use Disk Cleanup to Delete Restore Points

                Let me know where / if you get stuck with those instructions. We are now on the same sheet of music.
                Thanks for previous responses and followup.

                I can assure you I take no offense that you may become disinterested in pursuit of this path.

              • #109383 Reply
                Kirsty
                Da Boss

                Let me know

                @anonymous #109373

                As you choose to keep your posts anonymous, no-one knows which posts are yours, and taking advice from anonymous posters is a risk without knowing their credibility, which we cannot tell without either linking your other posts or perhaps, by way of a brief profile bio.

                If you feel registering is a risk, perhaps you could adopt a personalised sign-off for all your anonymous posts. The question of hesitation about registering was discussed
                and @Elly‘s post is very informative – please read them 🙂

                5 users thanked author for this post.
              • #109385 Reply
                KarenS
                AskWoody Lounger

                Kirsty, thanks for your post as that is what I am uncomfortable about. I don’t know if all the anonymous posts are from one person(s) or a possible scammer where I could in fact get into a worse situation if I follow their advice. I have been caught by scammers in the past so I am very uncomfortable taking advice from people I don’t know… I totally trust Woody and a handful of others on this forum because they have given me some amazing advice and saved both my laptop and my husband’s from Windows 10.

                1 user thanked author for this post.
              • #109388 Reply
                woody
                Da Boss

                Scammers wouldn’t survive around these parts very long, with the MVPs on the lookout. Kirsty or PKCano or satrow would knock ’em out.

                More problematic, though, are posters who have good intentions but don’t realize the consequences of what they recommend. I’m not immune to that problem, either!

                3 users thanked author for this post.
              • #109389 Reply
                anonymous
                Guest

                I can respect that with earnest appreciation. Good fortune to you.

              • #109392 Reply
                anonymous
                Guest

                Kirsty, Woody.
                Freely advise Karen, the matter seemed stalled and I offered. Albeit the forum has perks for members, yet it is by virtue of this “unique respite” that I choose to post.  Either of the two anon methods you suggest still pose intercept and abuse.  Moniker or not.  Any anon could include a post hash, or sign off.   Defeated that idea even before your suggestions were made.  I choose to be polite and most importantly be me.  Some anon post have not made a thread or two. but it’s the MOD’s I respect for their ability to sterilize this place some call home.

                Like a voice on the phone Woody can spot a mrbrian Post without hesitation.

                I purposefully remain anon, and will cease this line of troubleshooting for the members to affront.

                Respectfully

                This Anon posters.

              • #109407 Reply
                woody
                Da Boss

                Don’t go away!

                You were making great strides.

                Just realize that responding to anonymous can be confusing.

                There’s a reason why I’ve maintained anonymous posting, even if it’s inconvenient. If you want to maintain anonymity, it’s your call. No problem.

              • #109429 Reply
                KarenS
                AskWoody Lounger

                Anonymous, I in no way meant to offend you, nor was I implying that you were in fact a scammer, and I am sorry if it came across that way. I am just a little uneasy with doing things on my laptop because of past history of following advice from people who said they were experts. I certainly appreciate all the help you were giving me trying to get me over this frustrating hurdle.

              • #109433 Reply
                anonymous
                Guest

                Karen you did not offend. Post #109389 My Post < > that you addressed Kirsty < was directed to you.
                Continue the “Frustrating Hurdle” further down in open range.

      • #109170 Reply
        anonymous
        Guest

        ? says:

        Maybe try the Windows Defender Offline Scanner and\or the Safety Scanner?

        from the Microsoft Malware Protection Center page:

        https://www.microsoft.com/en-us/security/portal/mmpc/products/default.aspx

         

         

      • #109416 Reply
        BrianL
        AskWoody Lounger

        I, too, am running Windows 7 SP1 x64 and I first open MSE and go to update tab then click on the update rectangle and let it update. I record the update number, then I close MSE. I, then, open windows update window and click on check for updates. After it finishes checking I compare the resulting optional definition number: if they are the same, I hide the update. I always run MSE first. My MSE has been updating daily.

      • #109420 Reply
        BrianL
        AskWoody Lounger

        I always disable diagnostics and Windows update from the Services window. Then No updates can sneak in overnight.

      • #109440 Reply
        anonymous
        Guest

        …Continued in open range… “Frustrating Hurdle”

        My line of thought in regards to “System Protection – System Restore” is based on the ability for these restore points to hold previous settings and possible infection vectors that have already been mitigated by an update or fruitful scan quarantining the nasty, yet are stumping MSE into a Yellow warning snagging on svchost.

        Yawn!

        I see your eyes rolling in your head.. no problem.. hang in there...

        Since you posted that a full run of Malwarebytes came up GREEN, it is my supposition that a restore point holds the mystery. I do not know and have not bothered to investigate the “White Paper” on MSE. So I’m going with a gut feeling that purging old restore points will trim out and clean your system so that MSE can run its scan over known good system files.

        Another hint is that restore points are made at intervals and will consume whatever allocation is given them (Hard drive space) to make more restore points. Kinda like a puppy on a leash.. it will run till it's yanked back because the allocation of the leash allowed. Over time your restore points will purge themselves as in a First in First out (FiFo) type dealio; thus what was once a new restore point ages and becomes the eldest restore point, tagged to purge. Thus the problem would seemingly resolve itself.. Ahhhhhhh.. magic!!

        So you could trust Malwarebytes scans that come in flawless while keeping an eye out for MSE to see if it ever catches up:

        Or you could visit Seven Forums and hasten the troubleshooting by learning how to delete all but the most recent restore point.  Then run MSE to eliminate this line of thought (cause it fails to resolve) or hopefully solve the issue at hand.  Simple!

        • #109472 Reply
          Kirsty
          Da Boss

          On reading something about McAfee Stinger, it refers to disabling System Restore prior to scanning for viruses; disabling System Restore removes all prior restore points!

          Windows utilizes a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder…
          Note: Disabling System Protection will delete all existing restore points.

          If you are not familiar with McAfee’s Stinger, it is a free virus-removal tool, which has been made available for many years. It removes certain viruses and ransomware, such as CryptoLocker. Always download a fresh copy though, to ensure the latest threats version.

          2 users thanked author for this post.
          • #109562 Reply
            anonymous
            Guest

            @Kirsty and satrow, the anon here.
            I’m sure your trust and credentials are well vetted. Yet you’ve just posted (and liked) a procedure to delete all points of return. That’s step 6ish..
            You're aiming for the jugular when it has been posted by the user that Malwarebytes scans GREEN.

            Karen, I would advise against deleting all restore points until you’ve exhausted other possibilities.

            On the onset I mentioned that I gave up on “System Restore” but that is because I have a safety net in a backup. I haven't used McAfee Stinger or [who] knows “TDSSKiller” from “Kaspersky” in years!!!

            Respect

            • #109593 Reply
              satrow
              AskWoody MVP

              Kirsty’s post had a warning about deletion of SR points up front, which is why I thanked the post, rather than creating a more thorough reply, as I was about to logoff to rebuild my PC (PSU/GPU switch for greater efficiency) before I ran out of natural light.

              TDSSKiller was a much more useful tool than Stinger has been for over a decade.

              My preference would be to point the OP to a forum that specialises in malware removal under supervision, where SR removal would be the final step, alongside removal of the tools used for detection/cleaning.

            • #109622 Reply
              Kirsty
              Da Boss

              @anonymous #109562
              In no way was I recommending deleting all restore points. I was pointing out that the mention of deleting them in previous posts may have merit, but that if all were not deleted, it may not be sufficient, based on the information I referenced.
              I apologise if this was unclear.
              Until I read up about it, I had not heard of that theory in this thread, and was giving additional reading for those who may also be interested.

              1 user thanked author for this post.