Re: Windows Security question

<smjjri$go8$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=55573&group=alt.comp.os.windows-10#55573

From: winston...@gmail.com (...w¡ñ§±¤ñ)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Windows Security question
Date: Thu, 11 Nov 2021 10:28:16 -0700
Organization: Windows Unplugged
Lines: 30
Message-ID: <smjjri$go8$1@dont-email.me>
References: <n9fiogptl9s6lq880tjc3oatl0jd6g0e77@4ax.com>
<5pknogtsjj6htam8ca2677uu5dnfb4n4r1@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 11 Nov 2021 17:28:18 -0000 (UTC)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101
Firefox/60.0 SeaMonkey/2.53.9.1
In-Reply-To: <5pknogtsjj6htam8ca2677uu5dnfb4n4r1@4ax.com>
 by: ...w¡ñ§±¤ñ - Thu, 11 Nov 2021 17:28 UTC

scbs29 wrote:
> Thank you for all of the replies.
> Unfortunately, though, I do not think they address my question.
> Why does Windows Security report malware in files that do not exist ?
>
> On Mon, 08 Nov 2021 15:08:09 +0000, scbs29 <scbs29@fred.talktalk.net> wrote:
>
>> At present I am using Windows Security and seem to have a problem.
>> After a virus scan I am informed that I have viruses in 4 files.
>> Two of these files do not exist on my pc. The other two I delete
>> and empty the recycle bin. I then do another scan and the same
>> four files are reported. This has occurred for weeks now, every scan
>> reporting on these non-existent files.
>> Can anyone advise ?
>> TIA
>
In most cases, Windows Security also provides the location of the file.
- certain the files are not hidden?

Have you considered clearing the WS Protection History cache, restarting
Windows and rerunning WS?
C:\ProgramData\Microsoft\Windows Defender\Scans\History
- navigate to above and delete the Service folder
- once done, before restarting Windows open WS/Virus and Threat
Protection/Manage Settings then toggle off then back on Real Time and
Cloud protection.

--
....w¡ñ§±¤ñ

Re: Windows Security question

<iv52euFjoboU1@mid.individual.net>

https://www.novabbs.com/computers/article-flat.php?id=55574&group=alt.comp.os.windows-10#55574

From: use...@andyburns.uk (Andy Burns)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Windows Security question
Date: Thu, 11 Nov 2021 17:33:16 +0000
Lines: 9
Message-ID: <iv52euFjoboU1@mid.individual.net>
References: <n9fiogptl9s6lq880tjc3oatl0jd6g0e77@4ax.com>
<5pknogtsjj6htam8ca2677uu5dnfb4n4r1@4ax.com> <smjjri$go8$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.3.0
Content-Language: en-GB
In-Reply-To: <smjjri$go8$1@dont-email.me>
 by: Andy Burns - Thu, 11 Nov 2021 17:33 UTC

....w¡ñ§±¤ñ wrote:

> In most cases, Windows Security also provides the location of the file.
>  - certain the files are not hidden?

I've noticed that if it detects a single threat twice before you've dealt with
it (remove or quarantine) then you can deal with one of the instances, but the
second instance even if you click to remove it, it remains as a threat, and you
can't get rid of it (I haven't tried super hard).

Re: Windows Security question

<056rog5f5vpi5f4lih6caavf9qlqlk0a5b@4ax.com>

https://www.novabbs.com/computers/article-flat.php?id=55580&group=alt.comp.os.windows-10#55580

From: ken1...@invalid.net (KenW)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Windows Security question
Organization: Home
Message-ID: <056rog5f5vpi5f4lih6caavf9qlqlk0a5b@4ax.com>
References: <n9fiogptl9s6lq880tjc3oatl0jd6g0e77@4ax.com> <5pknogtsjj6htam8ca2677uu5dnfb4n4r1@4ax.com> <smjjri$go8$1@dont-email.me> <iv52euFjoboU1@mid.individual.net>
User-Agent: ForteAgent/8.00.32.1272
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Lines: 17
X-Complaints-To: abuse(at)newshosting.com
NNTP-Posting-Date: Thu, 11 Nov 2021 22:27:21 UTC
Date: Thu, 11 Nov 2021 15:27:21 -0700
X-Received-Bytes: 1392
 by: KenW - Thu, 11 Nov 2021 22:27 UTC

On Thu, 11 Nov 2021 17:33:16 +0000, Andy Burns <usenet@andyburns.uk>
wrote:

>...w¡ñ§±¤ñ wrote:
>
>> In most cases, Windows Security also provides the location of the file.
>>  - certain the files are not hidden?
>
>I've noticed that if it detects a single threat twice before you've dealt with
>it (remove or quarantine) then you can deal with one of the instances, but the
>second instance even if you click to remove it, it remains as a threat, and you
>can't get rid of it (I haven't tried super hard).

How about a leftover Registry setting ???

KenW

Re: Windows Security question

<smk920$bob$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=55583&group=alt.comp.os.windows-10#55583

From: nos...@needed.invalid (Paul)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Windows Security question
Date: Thu, 11 Nov 2021 18:29:47 -0500
Organization: A noiseless patient Spider
Lines: 43
Message-ID: <smk920$bob$1@dont-email.me>
References: <n9fiogptl9s6lq880tjc3oatl0jd6g0e77@4ax.com>
<5pknogtsjj6htam8ca2677uu5dnfb4n4r1@4ax.com> <smjjri$go8$1@dont-email.me>
<iv52euFjoboU1@mid.individual.net>
<056rog5f5vpi5f4lih6caavf9qlqlk0a5b@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 11 Nov 2021 23:30:08 -0000 (UTC)
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
In-Reply-To: <056rog5f5vpi5f4lih6caavf9qlqlk0a5b@4ax.com>
Content-Language: en-US
 by: Paul - Thu, 11 Nov 2021 23:29 UTC

On 11/11/2021 5:27 PM, KenW wrote:
> On Thu, 11 Nov 2021 17:33:16 +0000, Andy Burns <usenet@andyburns.uk>
> wrote:
>
>> ...w¡ñ§±¤ñ wrote:
>>
>>> In most cases, Windows Security also provides the location of the file.
>>>  - certain the files are not hidden?
>>
>> I've noticed that if it detects a single threat twice before you've dealt with
>> it (remove or quarantine) then you can deal with one of the instances, but the
>> second instance even if you click to remove it, it remains as a threat, and you
>> can't get rid of it (I haven't tried super hard).
>
> How about a leftover Registry setting ???
>
>
> KenW
>

That is standard practice for AV programs.

They may quarantine a file, but the registry entry pointing
at the (now missing) file, is left sitting there.

Future AV scans, by other products, may trip over the
registry entry, scaring the individual sitting in front
of the computer. Usually an account like TrustedInstaller
owns the Registry setting, making removal... interesting.
I've removed one, but it's not a 30 second job. It
takes a few minutes. I have to dig into my supply of
impersonation EXEs.

Summary: If you see a registry entry like that, don't panic.
Only dangerous if the file it is using, is still there.
Sometimes, the OS pops up a toast notice, when an
attempt is made to honor the registry setting.

It would be nice to remove the entry, but it isn't
always that easy. The malware, and Microsoft, easily
edit the registry. The user ? Not so much.

Paul

Re: Windows Security question

<smlddk$39g$2@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=55593&group=alt.comp.os.windows-10#55593

From: winston...@gmail.com (...w¡ñ§±¤ñ)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Windows Security question
Date: Fri, 12 Nov 2021 02:50:43 -0700
Organization: Windows Unplugged
Lines: 17
Message-ID: <smlddk$39g$2@dont-email.me>
References: <n9fiogptl9s6lq880tjc3oatl0jd6g0e77@4ax.com>
<5pknogtsjj6htam8ca2677uu5dnfb4n4r1@4ax.com> <smjjri$go8$1@dont-email.me>
<iv52euFjoboU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 12 Nov 2021 09:50:44 -0000 (UTC)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101
Firefox/60.0 SeaMonkey/2.53.9.1
In-Reply-To: <iv52euFjoboU1@mid.individual.net>
 by: ...w¡ñ§±¤ñ - Fri, 12 Nov 2021 09:50 UTC

Andy Burns wrote:
> ...w¡ñ§±¤ñ wrote:
>
>> In most cases, Windows Security also provides the location of the file.
>>   - certain the files are not hidden?
>
> I've noticed that if it detects a single threat twice before you've
> dealt with it (remove or quarantine) then you can deal with one of the
> instances, but the second instance even if you click to remove it, it
> remains as a threat, and you can't get rid of it (I haven't tried super
> hard).
Clearing the cache folder as noted earlier removes the history for
detected items.

--
....w¡ñ§±¤ñ
msft mvp 2007-2020

Re: Windows Security question

<gkn2uglqcj78mahp46kfvb0sqv1q060s2n@4ax.com>

https://www.novabbs.com/computers/article-flat.php?id=57751&group=alt.comp.os.windows-10#57751

From: scb...@fred.talktalk.net (scbs29)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Windows Security question
Message-ID: <gkn2uglqcj78mahp46kfvb0sqv1q060s2n@4ax.com>
References: <n9fiogptl9s6lq880tjc3oatl0jd6g0e77@4ax.com>
X-Newsreader: Forte Agent 2.0/32.652
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 52
X-Complaints-To: abuse@easynews.com
Organization: Forte - www.forteinc.com
X-Complaints-Info: Please be sure to forward a copy of ALL headers otherwise we will be unable to process your complaint properly.
Date: Fri, 14 Jan 2022 11:32:33 +0000
X-Received-Bytes: 2749
 by: scbs29 - Fri, 14 Jan 2022 11:32 UTC

Hello again
Last November I posted the following :
On Mon, 08 Nov 2021 15:08:09 +0000, scbs29 <scbs29@fred.talktalk.net> wrote:

>At present I am using Windows Security and seem to have a problem.
>After a virus scan I am informed that I have viruses in 4 files.
>Two of these files do not exist on my pc. The other two I delete
>and empty the recycle bin. I then do another scan and the same
>four files are reported. This has occurred for weeks now, every scan
>reporting on these non-existent files.
>Can anyone advise ?
>TIA

I received many and varied answers eg
Did you enable seeing hidden and system files in File Explorer? Do you
have permissions to read in whatever folders are the files?
Files reappearing means a process is running that creates them. The
folder or file names might indicate which process is creating them.
Yes I enable seeing hidden and system files and I have full access to the folders.
The files that are reported are temp files and program installation files on another drive for installation of eg
auslogics defragger. Some of the files date back to last August and were deleted months ago.
I have tried telling Windows Defender to quarantine or delete these files but they keep reappearing. I am now up to
about 40 files reported.

Details of 2 of these are:
This app has been blocked
15/07/2021 09:29
Detected: PUA:WIn32/LoadMoney
Status: Failed
This threat or app might not be completely remediated;
Date:30/07/2021 16:48
Affected Items:
file E:\$RECYCLEBIN\5-1-5-21-2993998609-23606054021-2666910699-1001\$RY4HZ46.exe
file:E:\used stuff\DesignPrintUK-3.0-.0.exe

Potentially unwanted app found
28/11/2021 11:13
Detected:PUA:Win32/Presnoker
Status: Active
Active threats that have not been remediated and are
running on your device.
Date: 29/11/2021 11:13
Details: This program has potentially unwanted behaviour.
Affected items
file: D:\tempz6fzFq2r.exe.part

Again, none of the reported files exist.
Can anyone tell me what is going on ?

--
remove fred before emailing

Re: Windows Security question

<wGMM2hd8ZW4hFw4+@255soft.uk>

https://www.novabbs.com/computers/article-flat.php?id=57752&group=alt.comp.os.windows-10#57752

From: G6J...@255soft.uk (J. P. Gilliver (John))
Newsgroups: alt.comp.os.windows-10
Subject: Re: Windows Security question
Date: Fri, 14 Jan 2022 12:03:08 +0000
Organization: 255 software
Lines: 28
Message-ID: <wGMM2hd8ZW4hFw4+@255soft.uk>
References: <n9fiogptl9s6lq880tjc3oatl0jd6g0e77@4ax.com>
<gkn2uglqcj78mahp46kfvb0sqv1q060s2n@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain;charset=us-ascii;format=flowed
User-Agent: Turnpike/6.07-M (<rZmDLUWn8kSlXAEgGVVACAQ3DP>)
 by: J. P. Gilliver (John) - Fri, 14 Jan 2022 12:03 UTC

On Fri, 14 Jan 2022 at 11:32:33, scbs29 <scbs29@fred.talktalk.net> wrote
(my responses usually follow points raised):
[]
>Detected: PUA:WIn32/LoadMoney

That doesn't sound like a nice detection. And:
[]
>file: D:\tempz6fzFq2r.exe.part
>
>Again, none of the reported files exist.

They presumably did exist at the moment the scanner found them. The
suffix ".part" suggests it might have been part way through a download -
at a guess, of something that is downloaded, then when completely
downloaded, run and then deleted. Before you got round to looking at
what the scan found.

>Can anyone tell me what is going on ?
>
Just guessing for the latter one. I've no idea about the first one, but
anything with money in the name sounds like something I wouldn't want;
you can probably google it to find what it is. PUA suggests it might not
be something that runs automatically, but still I'd look into it.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

I intend to live forever. So far, my plan seems to be working.
- Steve Hague in UMRA, 2020-11-3

Re: Windows Security question

<k685ug14s64r8di4qm5svu04dra1496dpl@4ax.com>

https://www.novabbs.com/computers/article-flat.php?id=57794&group=alt.comp.os.windows-10#57794

From: scb...@fred.talktalk.net (scbs29)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Windows Security question
Message-ID: <k685ug14s64r8di4qm5svu04dra1496dpl@4ax.com>
References: <n9fiogptl9s6lq880tjc3oatl0jd6g0e77@4ax.com> <gkn2uglqcj78mahp46kfvb0sqv1q060s2n@4ax.com> <wGMM2hd8ZW4hFw4+@255soft.uk>
X-Newsreader: Forte Agent 2.0/32.652
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 25
X-Complaints-To: abuse@easynews.com
Organization: Forte - www.forteinc.com
X-Complaints-Info: Please be sure to forward a copy of ALL headers otherwise we will be unable to process your complaint properly.
Date: Sat, 15 Jan 2022 10:27:03 +0000
X-Received-Bytes: 1807
 by: scbs29 - Sat, 15 Jan 2022 10:27 UTC

On Fri, 14 Jan 2022 12:03:08 +0000, "J. P. Gilliver (John)" <G6JPG@255soft.uk> wrote:

>On Fri, 14 Jan 2022 at 11:32:33, scbs29 <scbs29@fred.talktalk.net> wrote
>(my responses usually follow points raised):
>[]
snip
>suffix ".part" suggests it might have been part way through a download -
>at a guess, of something that is downloaded, then when completely
>downloaded, run and then deleted. Before you got round to looking at
>what the scan found.
>
>>Can anyone tell me what is going on ?
>>
>Just guessing for the latter one. I've no idea about the first one, but
>anything with money in the name sounds like something I wouldn't want;
>you can probably google it to find what it is. PUA suggests it might not
>be something that runs automatically, but still I'd look into it.

Thanks for the reply.
The reported files may have been detected when I scanned last August,
but why are they still being reported in a new scan 8 months after all of
the suspect files have been deleted ?

--
remove fred before emailing

Re: Windows Security question

<sru9q4$ap6$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=57795&group=alt.comp.os.windows-10#57795

From: nos...@needed.invalid (Paul)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Windows Security question
Date: Sat, 15 Jan 2022 06:05:35 -0500
Organization: A noiseless patient Spider
Lines: 63
Message-ID: <sru9q4$ap6$1@dont-email.me>
References: <n9fiogptl9s6lq880tjc3oatl0jd6g0e77@4ax.com>
<gkn2uglqcj78mahp46kfvb0sqv1q060s2n@4ax.com> <wGMM2hd8ZW4hFw4+@255soft.uk>
<k685ug14s64r8di4qm5svu04dra1496dpl@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 15 Jan 2022 11:05:40 -0000 (UTC)
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
In-Reply-To: <k685ug14s64r8di4qm5svu04dra1496dpl@4ax.com>
Content-Language: en-US
 by: Paul - Sat, 15 Jan 2022 11:05 UTC

On 1/15/2022 5:27 AM, scbs29 wrote:
> On Fri, 14 Jan 2022 12:03:08 +0000, "J. P. Gilliver (John)" <G6JPG@255soft.uk> wrote:
>
>> On Fri, 14 Jan 2022 at 11:32:33, scbs29 <scbs29@fred.talktalk.net> wrote
>> (my responses usually follow points raised):
>> []
> snip
>> suffix ".part" suggests it might have been part way through a download -
>> at a guess, of something that is downloaded, then when completely
>> downloaded, run and then deleted. Before you got round to looking at
>> what the scan found.
>>
>>> Can anyone tell me what is going on ?
>>>
>> Just guessing for the latter one. I've no idea about the first one, but
>> anything with money in the name sounds like something I wouldn't want;
>> you can probably google it to find what it is. PUA suggests it might not
>> be something that runs automatically, but still I'd look into it.
>
> Thanks for the reply.
> The reported files may have been detected when I scanned last August,
> but why are they still being reported in a new scan 8 months after all of
> the suspect files have been deleted ?
>

The NFI.exe utility, may be able to give you a better idea
what is on the disk drive. It still has some restrictions on
what it will print out, but it does a reasonably good job.

One of the reasons NFI can do that, is it reads the $MFT (master file table)
directly, and it is mostly careful not to stat() any files. The $MFT tells
you where the file clusters are stored, which gives you an approximate
idea of file size (the last cluster could be only partially full).

Whereas VoidTools "everything.exe" reads the $MFT, and because
the developer thought it would be nice to list file sizes, you
can't list file sizes unless you have permission. And it's quite
easy for the permissions to be set in a way that prevents stat() access.

Whereas an AV "has to be able to go everywhere", in its search for scum.
An AV program, should at least be able to do as well as NFI.exe
does. With the AV program also having 30+ unpackers, to burrow
into stuff protected with UPX or other packers.

Some AV scanners, will actually produce a file list, with a status
per file as to what they found. But not all tools are customer-centric
like that. There are lots of others that don't care whether you
know what is going on or not. You've probably seen the kind of
program that puts up a big red dialog and tells you "we found
8116 problems". Well, I love programs like that. Who does not ?

Using NFI.exe, I can see stuff right now that should not be in
my Recycle Bin. Apparently, if you "recover" a file from Recycle Bin,
it leaves at least one file of "residue" behind. Not a big deal, as
the file is 544 bytes and is metadata, not data clusters or anything.

I'm not aware of any free utility, that will display the four
unlabeled items in the NTFS file system. And when I compare utilities
that should be listing everything, there can be huge disparities
in the number of files in the list. You could have 100,000 files
difference between the best and worst programs.

Paul

Re: Windows Security question

<ss0bbe$46o$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=57828&group=alt.comp.os.windows-10#57828

From: winston...@gmail.com (...w¡ñ§±¤n)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Windows Security question
Date: Sun, 16 Jan 2022 00:44:13 -0500
Organization: A noiseless patient Spider
Lines: 35
Message-ID: <ss0bbe$46o$1@dont-email.me>
References: <n9fiogptl9s6lq880tjc3oatl0jd6g0e77@4ax.com>
<gkn2uglqcj78mahp46kfvb0sqv1q060s2n@4ax.com> <wGMM2hd8ZW4hFw4+@255soft.uk>
<k685ug14s64r8di4qm5svu04dra1496dpl@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 16 Jan 2022 05:44:14 -0000 (UTC)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101
Firefox/68.0 SeaMonkey/2.53.10.2
In-Reply-To: <k685ug14s64r8di4qm5svu04dra1496dpl@4ax.com>
 by: ...w¡ñ§±¤n - Sun, 16 Jan 2022 05:44 UTC

scbs29 wrote:
> On Fri, 14 Jan 2022 12:03:08 +0000, "J. P. Gilliver (John)" <G6JPG@255soft.uk> wrote:
>
>> On Fri, 14 Jan 2022 at 11:32:33, scbs29 <scbs29@fred.talktalk.net> wrote
>> (my responses usually follow points raised):
>> []
> snip
>> suffix ".part" suggests it might have been part way through a download -
>> at a guess, of something that is downloaded, then when completely
>> downloaded, run and then deleted. Before you got round to looking at
>> what the scan found.
>>
>>> Can anyone tell me what is going on ?
>>>
>> Just guessing for the latter one. I've no idea about the first one, but
>> anything with money in the name sounds like something I wouldn't want;
>> you can probably google it to find what it is. PUA suggests it might not
>> be something that runs automatically, but still I'd look into it.
>
> Thanks for the reply.
> The reported files may have been detected when I scanned last August,
> but why are they still being reported in a new scan 8 months after all of
> the suspect files have been deleted ?
>
Have you tried resetting the Windows Security cache(nulling all
current/past results of Protection History) then rescanning ?

Event Viewer/Application and Security Logs/Microsoft/Windows/Windows Defender
=> Click on Operational, upper right 'Clear Log'
or
=> Right click Operational, 'Clear Log'

--
....w¡ñ§±¤n
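An added example, not code posted by anyone in this thread: before clearing Protection History as the first and last replies above suggest, this script lists the detections Windows Defender has recorded and flags the ones whose file path no longer exists on disk, which is what the original poster keeps seeing. It assumes the built-in Defender PowerShell module (Get-MpThreat, Get-MpThreatDetection), an elevated prompt, and that each entry of the Resources property has the form "file:_<path>" (an assumption; other prefixes are reported as non-file resources).

```powershell
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

function Get-DefenderDetectionAudit {
    [CmdletBinding()]
    param()

    # Map ThreatID -> human-readable name (e.g. PUA:Win32/LoadMoney).
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

    foreach ($d in Get-MpThreatDetection) {
        foreach ($res in $d.Resources) {
            # Assumed resource format: "<type>:_<value>", e.g. "file:_E:\x.exe".
            $type, $value = $res -split ':_', 2
            $exists = $null                      # $null = not a file resource
            if ($type -eq 'file' -and $value) {
                # Test-Path sees hidden/system files too, so a "hidden" file
                # (the first reply's question) still counts as present.
                $exists = Test-Path -LiteralPath $value -PathType Leaf
            }
            [pscustomobject]@{
                Detected    = $d.InitialDetectionTime
                Threat      = $names[$d.ThreatID]
                StatusID    = $d.ThreatStatusID
                Type        = $type
                Path        = $value
                StillExists = $exists
            }
        }
    }
}

# Stale entries: file-type resources whose path is gone. These are the
# history records that keep showing up in the Protection History UI even
# though there is nothing left on disk to remediate.
Get-DefenderDetectionAudit |
    Where-Object { $_.Type -eq 'file' -and -not $_.StillExists } |
    Sort-Object Detected |
    Format-Table Detected, Threat, Path -AutoSize

# The on-disk history store the first reply proposes deleting. Only
# measured here (not removed) so you can see what clearing it would drop.
$historyDir = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service'
if (Test-Path -LiteralPath $historyDir) {
    Get-ChildItem -LiteralPath $historyDir -Recurse -File -Force |
        Measure-Object -Property Length -Sum |
        Select-Object Count, Sum
}
```

Run the audit first and keep its output; once the stale entries are confirmed to reference files that are gone, clearing the history as the replies describe removes only records, not live threats.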