Windows Defender reports Trojans as false positives

Windows users appear to have been startled over the last few weeks by false alarms from Windows Defender. Defender suddenly claimed to have detected the Trojan Win32/Bluteal.B!rfn in legitimate files.



First reports at the end of May 2018

In recent days, several users have reported false alarms on the forums of Bleeping Computer and on other websites such as Tom's Hardware. On Tom's Hardware, a user wrote on June 1, 2018:

So yesterday Windows Defender notified me saying it found Bluteal.B!rfn trojan which I got it to quarantine and then remove. I couldn't find a lot of info after googling the trojan so decided to hopefully get some advice here.
I received the notification about the trojan when I was loading up Unity and Visual Studio, it said that the affected file was:

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vde5ed89a#\457b4a4c20bed2246e03f1f9e5eaa1a5\Microsoft.VisualStudio.Utilities.Internal.ni.dll

Could Windows Defender be getting confused and it's just a false positive? I thought I had read somewhere that Windows Defender is okay for protection these days but maybe I should go back to Avast or Avira?
I've run a scan with Malware Bytes and a standard scan with Windows Defender but should I use something else to do a deeper scan if this was in fact a legit trojan? I've since made sure to update Windows 10 in case that has any part of this.

In the TechNet forum there is this thread, which was started on June 1, 2018. A Trojan was also reported there in a Visual Studio component. Several users confirm the case in this forum thread. The Developer Community has had this thread since May 31, 2018, which describes the same case.

Report at Bleeping Computer

At Bleeping Computer there is a forum post from a user reporting possible false alerts for Trojan:Win32/Bluteal.B!rfn in Windows Defender. Lawrence Abrams addressed this in this article. Windows Defender flags the following file, which is a legitimate Windows file.

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\daf01e12fa59ed340363c44b7deff15e\Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dll

Trojan alert
(Source: Bleeping Computer)



There is also this thread at Microsoft Answers, where a user reported sporadic false alerts from Windows Defender.

Been getting this trojan message through Windows 10 Defender periodically today, which gets quarantined by Defender. Malwarebytes, Microsoft Safety Scanner and AdwCleaner do not find anything. Is Trojan:Win32/Bluteal.B!rfn a false positive by Windows 10 Defender?

At reddit.com there is this thread, started just a few days ago, which also deals with the false alarm that the file Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dll is a trojan. Microsoft created a page about Trojan:Win32/Bluteal.B!rfn on May 18, 2018 (this seems to be the date on which the definition was added to Defender).

I'm assuming it's a false alarm. There is no official statement from Microsoft. However, Microsoft has confirmed a false alarm to Bleeping Computer. It is recommended to check for new Defender updates, which should solve the problem. Were any of you affected?
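
The update check recommended above can be combined with a look at what Defender actually flagged. The following PowerShell sketch is an added example, not part of the original post or of any Microsoft guidance: it uses the built-in Defender cmdlets, the threat name comes from this article, and the `file:_` prefix on resource strings is an assumption about how Defender records paths. Run it in an elevated PowerShell session.

```powershell
# Added example: triage a suspected Defender false positive.
# Threat name as reported in this article.
$threatName = 'Trojan:Win32/Bluteal.B!rfn'

# 1. Note the definition version, pull new definitions, and compare.
$before = (Get-MpComputerStatus).AntivirusSignatureVersion
Update-MpSignature
$status = Get-MpComputerStatus
"Definitions: $before -> $($status.AntivirusSignatureVersion) " +
    "(last updated $($status.AntivirusSignatureLastUpdated))"

# 2. Look up the threat in Defender's history and collect its detections.
$threat = Get-MpThreat | Where-Object ThreatName -eq $threatName
if (-not $threat) {
    "No detection of $threatName is recorded on this machine."
} else {
    $detections = Get-MpThreatDetection |
        Where-Object ThreatID -in $threat.ThreatID

    # 3. For every flagged resource, report whether it sits in the .NET
    #    native image cache (the location of both files named above) and,
    #    if the file is still on disk, its SHA-256 for a file submission.
    foreach ($d in $detections) {
        foreach ($r in $d.Resources) {
            # Assumption: resources look like 'file:_C:\path\to\file.dll'
            $path    = $r -replace '^file:_', ''
            $present = Test-Path -LiteralPath $path
            [pscustomobject]@{
                Detected      = $d.InitialDetectionTime
                Process       = $d.ProcessName
                Path          = $path
                InNativeCache = $path -like "$env:windir\assembly\NativeImages_*"
                StillOnDisk   = $present
                SHA256        = if ($present) {
                    (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                } else { $null }
            }
        }
    }
}
```

Files under `NativeImages_*` are locally generated NGen images, so once a false positive is confirmed and the definitions are current, a quarantined image can be regenerated with `ngen.exe update` instead of being restored from quarantine.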




One Response to Windows Defender reports Trojans as false positives

  1. Andrew Flagg says:

    They removed and corrected the false detection when I submitted through their file submission website.

    https://www.mountaincomputers.org/myBlog/myBlog.asp?mode=view&id=992

    This blog entry has my details and suggestions for developers… especially if your code is fine until you renew your code signing certificate.
