Windows 10: Defender Found Trojan in USMT.ppkg - real or false positive?

Discussion in 'AntiVirus, Firewalls and System Security' started by Fleapower, Apr 6, 2020.

  1. Fleapower Win User

    Defender Found Trojan in USMT.ppkg - real or false positive?


    I recently bought an MSI Raider GE431. I ran a full anti-virus scan using Windows Defender. It found the following:



    Trojan:Win32/Generic!rfn

    Affected items:

    containerfile: C:\Recovery\Customizations\USMT.ppkg

    file: C:\Recovery\Customizations\USMT.ppkg->\ICB\0\MachineSpecific\File\C$\Program Files x86\InstallShield Installation Information\{C65B26BC-5A6F-4135-9678-55A877655471}\setup.exe00



    More info is found on Microsoft's site. I've tried to quarantine the file, but Windows Defender is unable to do so. This is a brand new laptop so I tend to think it's a false positive.



    I've done a search and found a handful of related articles, but nothing definitive. Does anyone have any additional information or suggestions about how to proceed?



    Thanks!

    :)
     
    Fleapower, Apr 6, 2020
    #1

  2. database of malware producing false positives or false negatives

    Many months ago I communicated with Malwarebytes about a trojan that was detected by Defender that was not detected by Malwarebytes. They indicated that Microsoft Defender is likely a false positive and to wait weeks or months for Microsoft to update their database. To date, Defender continues to detect a trojan that is not detected by Malwarebytes.

    Defender does not detect any malware on quick scans. However, on full scans it detects this trojan that is not detected by Malwarebytes.

    How does an end user determine whether one antivirus program is producing false positives or false negatives?
     
    questions_, Apr 6, 2020
    #2
  3. JDLinn Win User
    False Positive - Rundas!plick Trojan

    We have a small "exe" that we use extensively at "Return to Misty Moorings". This is for our "Season Switcher". When the program is run, the software is quarantined as a Rundas!plick Trojan. There is no Trojan or any other problem with this software; Malwarebytes and Spybot both show it does not have a problem. But every time our users try it with Defender, it is "quarantined". This is giving our site and our efforts for our fans a bad name from Microsoft's false positive. The program can be found at:

    Return to Misty Moorings - NOTAMS

    The "solution" from the Microsoft "help" chat was to "Turn off Windows Defender". That we can do and I can tell my thousands of followers on the site that this is Microsoft's suggestion (not a very good marketing idea). We need someone on the Defender team to get our software "CLEARED" so this does not keep showing up as a Rundas!plick Trojan.

    Please tell us who to contact or what needs to be done next.

    Doug Linn/RTMM
     
    JDLinn, Apr 6, 2020
    #3
  4. Try3 Win User

    Windows Defender false positive - forced to allow threat

    Windows Defender has started to identify C:\Windows\System32\mshta.exe as a threat [normally reported as a Trojan Powessere.G]. I use mshta.exe to run an hta custom MsgBox - I have been hoping to keep using my current CustomMsgBox tool [batch file calling a vbs-hta file] until later this year when I hope to have had enough time to replace it with a PowerShell alternative.

    Windows Defender's notification lets me "allow the threat" but that seems to me to be a bigger security hole than is necessary - it will now ignore a potentially real intrusion when all I want to run is a genuine Windows component. My immediate problem is fixed but I would prefer to fix the false positive using the exclusions list.

    I cleared the 'Allowed threats history' so I could use the exclusions list instead. I added C:\Windows\System32\mshta.exe to the file exclusions list and I checked that it had taken properly by checking the exclusions list both in the UI & in the Registry. But the exclusion made no difference, it continued to detect and block the exe.

    I have repeated the attempt several times [by clearing the allowed threats list & exclusions list beforehand] and the results are the same every time:
    - allowing the threat works,
    - using the exclusions list has no effect.

    I studied the relevant tutorial but have not spotted an error in what I have been doing - Add or Remove Windows Defender Exclusions

    Does anybody with experience of using the exclusions list to counter false positives have any suggestions for me?

    Denis
     
    Try3, Apr 6, 2020
    #4
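
Added example, not written by any poster in this thread: a read-only PowerShell triage that lists Defender's recorded detections, splits each resource string into the on-disk container and the member inside it (the `container->member` form shown in post #1), hashes the on-disk file so the same sample can be checked with another scanner, and prints the exclusions Defender has loaded (what post #4 checked by hand). `Split-DefenderResource` is a hypothetical helper name, and the `file:_` prefix variant is an assumption about how the cmdlet prints resources.

```powershell
# Added example (read-only). Uses the built-in Defender cmdlets Get-MpThreat,
# Get-MpThreatDetection and Get-MpPreference; run from an elevated prompt.

# Hypothetical helper: split a resource string into kind, on-disk path and
# container member. Accepts "file: C:\a.ppkg->\x" (UI form, as in post #1)
# and "file:_C:\a.ppkg->\x" (assumed cmdlet form).
function Split-DefenderResource {
    param([Parameter(Mandatory)][string]$Resource)
    if ($Resource -notmatch '^(?<kind>[A-Za-z]{2,}):[_ ]?(?<rest>.+)$') { return $null }
    $kind  = $Matches['kind']
    $parts = $Matches['rest'] -split '->', 2
    [pscustomobject]@{
        Kind   = $kind
        Path   = $parts[0]
        Member = if ($parts.Count -gt 1) { $parts[1] } else { $null }
    }
}

# Map ThreatID -> threat name so every detection row carries its label.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

$report = foreach ($d in Get-MpThreatDetection) {
    foreach ($r in $d.Resources) {
        $res = Split-DefenderResource $r
        if (-not $res) { continue }
        # Only the outer file exists on disk; the member path after "->" does not,
        # so the SHA256 below is that of the container, not of the flagged member.
        $hash = $null
        if ($res.Kind -like '*file' -and (Test-Path -LiteralPath $res.Path -PathType Leaf)) {
            $hash = (Get-FileHash -LiteralPath $res.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
        [pscustomobject]@{
            Threat   = $names[$d.ThreatID]
            Detected = $d.InitialDetectionTime
            Kind     = $res.Kind
            Path     = $res.Path
            Member   = $res.Member
            SHA256   = $hash
        }
    }
}
$report | Format-List

# Exclusions Defender actually has loaded, to compare with what the UI shows.
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension | Format-List
```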