mpsigstub.exe

  • Post
    schrig67
    Participant
    none
    Keep getting this alert that VS blocked mpsigstub.exe… for the last 4 days I’ve been allowing… how to tell VS the file is ok?
Viewing 13 replies - 1 through 13 (of 13 total)
  • Replies
    gorblimey
    Participant
    none
    If this file is located in the C:\Windows\System32 folder, it should be harmless.

    BUT…

    Every time VS pings it, take a good look at details, see especially if this is a Command Line, or a “funny” folder with random characters in the path — this is malware behaviour.  Also, let VS push the file or a hash up to the Cloud for detailed analysis.

    Remember that VS is “path-aware”: it expects the good files to remain in their places of residence, regardless of how it is invoked.  Anything with “no fixed address” is likely to be malware 🙂

    _________________________________

    Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall"]
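gorblimey's checklist above (expected folder, "funny" random-character paths, a hash to submit for analysis) can be run by hand against the full path shown in an alert. This is an added example, not part of the original thread and not VoodooShield's own logic; the function name `Test-AlertedBinary`, the regex patterns and the temp-folder rule are illustrative assumptions.

```powershell
# Added example: triage the full path shown in a block alert.
# $ExpectedDir follows the thread's statement about System32; change it for other files.
function Test-AlertedBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedDir = (Join-Path $env:SystemRoot 'System32')
    )
    $findings = @()
    $full     = [System.IO.Path]::GetFullPath($Path)
    $parent   = Split-Path -Path $full -Parent

    # 1. "Path-aware" check: is the file in its normal place of residence?
    if ($parent -ne $ExpectedDir) {          # string -ne is case-insensitive
        $findings += "Unexpected location: $parent"
    }

    # 2. "Funny" folders: GUID-like or long hex names, or a temp directory.
    foreach ($segment in ($parent -split '\\')) {
        if ($segment -match '^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$' -or
            $segment -match '^[0-9a-f]{12,}$') {
            $findings += "Random-looking folder name: $segment"
        }
        if ($segment -match '^te?mp$') {
            $findings += "Runs from a temp folder: $segment"
        }
    }

    # 3. Signature and hash, only if the file still exists at that path.
    $sigStatus = 'FileNotFound'; $signer = $null; $sha256 = $null
    if (Test-Path -LiteralPath $full -PathType Leaf) {
        $sig       = Get-AuthenticodeSignature -LiteralPath $full
        $sigStatus = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $sha256    = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($sigStatus -ne 'Valid') { $findings += "Signature status: $sigStatus" }
    }

    [pscustomobject]@{
        Path = $full; Signature = $sigStatus; Signer = $signer
        SHA256 = $sha256; Findings = $findings
    }
}

# Replace the argument with the exact path copied from the alert details.
Test-AlertedBinary -Path "$env:SystemRoot\System32\mpsigstub.exe" | Format-List
```

An empty `Findings` list with a `Valid` signature matches the "harmless" case described in the post; anything else is a reason to read the alert details before allowing the file.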
    Dan
    Keymaster
    US
    Hmmm, I’m not sure what is going on with mpsigstub.exe, can you please send me your DeveloperLog.log and DeveloperServiceLog.log (support at voodooshield.com) from the C:\ProgramData\VoodooShield directory?  Thank you guys!
    • This reply was modified 3 months, 1 week ago by Dan.
    schrig67
    Participant
    none
    Fixed… thanks Dan
    oldschool
    Participant
    none
    @Dan I had a silent block of WD signature updates and it blocked the internet connection for Brave Nightly v. 1.12.45 update to v. 1.12.48. I had to uninstall VS and both updated. It seems VS doesn’t like M$ changing things in WD or Brave Nightly re: prevalence, age, etc.
    Stay safe, not paranoid!
    gorblimey
    Participant
    none
    Hi oldschool –

    How are WD and Brave doing their updates?  If they are creating a new path for the update to execute from, then VS will ping them, it’s just how it works.

    Zemana used to create a randomly numbered folder to drop the update into, and VS always picked it up, quite correctly.  I had to write to Zemana and point out how their behavior looked like malware…  That was their v2.x, but in the v3.x apparently they took notice of my comment.

    Also, I have VS lock down the Users\…\local\temp folder with a silent block.  There’s too much malware that likes to install from there.

    Oddly enough, Flash has never given any issues with updating — very well behaved it is!

    _________________________________

    Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall"]
    oldschool
    Participant
    none
    @Dan @gorblimey I forgot to add that my blocks were silent. No alert, nothing in whitelist, nothing in command-line. Nada. Not a good look for VS.
    Stay safe, not paranoid!
    Dan
    Keymaster
    US
    This is very odd OS… what VS settings do you change that are not default?  The reason I ask is because I have 2 desktops and 1 laptop, all with different versions of Windows 10, all running default settings, and none of them have this issue.  Also, out of all of our users, this is the first and only report of this issue.  So I am guessing that it is a VS setting that was changed that caused this issue, and if so, please let me know what settings you changed so I can troubleshoot the issue.  Or, it could be another software conflicting with VS.  Thank you!
    oldschool
    Participant
    none
    Only setting change is:

    Deny by Default = unchecked

    I usually have WLC disabled since it flags setup.exe files for Brave Nightly. When I have it enabled I have only “Create firewall rules for unsafe item” = unchecked.

    I reset the whitelist and that seemed to fix the WD update issue. I’m waiting on the next Brave Nightly update to check that. I miss the advanced snapshot feature.

     

    Stay safe, not paranoid!
    Dan
    Keymaster
    US

    oldschool: Only setting change is:

     

    Deny by Default = unchecked

    I usually have WLC disabled since it flags setup.exe files for Brave Nightly. When I have it enabled I have only “Create firewall rules for unsafe item” = unchecked.

    I reset the whitelist and that seemed to fix the WD update issue. I’m waiting on the next Brave Nightly update to check that. I miss the advanced snapshot feature.

     

    Thank you for letting me know, I will keep an eye on it.  I am certain if other users are experiencing this block, we will hear about it ;).

    oldschool
    Participant
    none
    @Dan I forgot to add – no other 3rd party apps installed.
    Stay safe, not paranoid!
    Dan
    Keymaster
    US
    Cool, thank you for letting me know!  There must be a reason, we will have to figure it out.  When you say “silent block”, do you mean it was not even in the DeveloperLog.log?  If an item is not in the DeveloperLog.log, then VS did not see or block it.  Time will tell… we will know if we start getting reports from other users.
    oldschool
    Participant
    none

    Dan: When you say “silent block”, do you mean it was not even in the DeveloperLog.log?  If an item is not in the DeveloperLog.log, then VS did not see or block it.

    Nothing in logs, no desktop alert, no command line. Brave Nightly alerted unable to reach web for update (I have no added firewall rules or FW app). BN & WD updated only after uninstalling VS.  Reinstalled, re-set whitelist and all OK now.

    Stay safe, not paranoid!
    gorblimey
    Participant
    none
    Hey oldschool – Is there anything in Windows Event Logs?  And yes, I know these are the devil’s own playground 🙁

    _________________________________

    Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall"]