Microsoft Windows 10 (64-bit)

Hello HP Pals,

Only for the last two weeks or so, HP Wolf Security has been flagging what appear to be incoming email messages via Thunderbird and Quarantining them.

The files are in this path:

C:\Users\Mark\AppData\Local\Temp

and they are designated like this in HP Wolf Security: C:\Users\Mark\AppData\Local\Temp\newmsg

I've located the 4 Quarantined files in this path:

C:\ProgramData\Bromium\BEM\Quarantine

And uploaded each of the 4 under 15k files to VirusTotal.com -- All came back clean.

Not sure why this started doing this. Been using both Thunderbird and Wolf Security for at least a couple of years.

Anyone seeing this? Not sure how to stop it if they are false positives and not sure if they even ARE false positives.

Thanks so much!

- IntoTheLight

Some Related Wolf Security Log Info with the term "newmsg" is here:

data_collector.cpp<2092>:UpdateCloudResult(): Failed to add to database: C:\Users\Mark\AppData\Local\Temp\newmsg
2022-11-05 08:49:28.089-04:00[01:12.802] P06936T08304 BemSvc:monevents flt.cpp<868>:get_scan_result(): Cloud check result for scan id = 411, file C:\Users\Mark\AppData\Local\Temp\newmsg, cloud result = 0
2022-11-05 08:49:28.089-04:00[01:12.805] P06936T01712 BemSvc:monanalysis event_store_db.cpp<985>:StoreCloudResult(): StoreCloudResult: md5 hash: sha1 hash: sha256 hash: E5043B3F2C241B2D18A5174194F561006DFFA0FE68869F87B83CD454B6363E97 Cloud result: 0 Cloud name: Process Path ID: 3 Process ID 13884 Process name C:\Users\Mark\AppData\Local\Temp\newmsg
2022-11-05 08:49:28.089-04:00[01:12.806] P06936T01712 BemSvc:monanalysis event_monitor.cpp<354>:StoreEvent(): Alert required for circle: 207. Trigger Event ID: 3
2022-11-05 08:49:28.089-04:00[01:12.806] P06936T08304 BemSvc RemediationManager.cpp<788>:QuarantineFileHandle(): Quarantining 'C:\Users\Mark\AppData\Local\Temp\newmsg' to 'C:\ProgramData\Bromium\BEM\Quarantine\E5043B3F2C241B2D18A5174194F561006DFFA0FE68869F87B83CD454B6363E97_72cec20e'; scan_id = 411
2022-11-05 08:49:28.089-04:00[01:12.807] P06936T01712 BemSvc:monanalysis XevtsGraph.cpp<703>:FillFileProperties(): Query for Hash Data for PathID: 2 EndTime: 133121261622675423
2022-11-05 08:49:28.089-04:00[01:12.807] P06936T01712 BemSvc:monanalysis

1 REPLY

Hello Again HP Pals!

I am now getting the Quarantined message warning at least once a day for files called:

C:\Users\Mark\AppData\Local\Temp\newmsg

The files are very small files that appear to be email messages.

They've been uploaded to VirusTotal.com and are "clean", but HP Wolf Security doesn't seem to agree. I don't recall any other instance of false positives, so I'm reluctant to ignore HP Wolf Security.

Problem is, HP Wolf Security doesn't give enough information to really know what is going on with the files!

Just tells you "Malware", the "Path" and a "Hash" of the file.

What concerns me is not knowing if I'm actually missing important emails.

There are now six of them in quarantine, but never any before.

Anyone have any sense of how to view these files safely?

Thanks so much!!

IntoTheLight
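
One way to triage these quarantine entries without opening the messages in a mail client, as an added example that is not part of the original posts or of HP's tooling: it parses the `QuarantineFileHandle` log line shown in the first post and lists a quarantined file's headers and attachment names without decoding any part. It assumes the quarantined copy is stored unmodified under a `<SHA-256>_<suffix>` name, as that log line suggests; the function names and the sample log line are constructed for illustration.

```python
import hashlib
import re
import sys
from email import policy
from email.parser import BytesParser
from pathlib import Path, PureWindowsPath

# Line format taken from the RemediationManager entry in the log excerpt above.
QUARANTINE_RE = re.compile(
    r"^(?P<ts>[^\[]+)\[.*QuarantineFileHandle\(\): Quarantining "
    r"'(?P<src>[^']+)' to '(?P<dst>[^']+)'; scan_id = (?P<scan_id>\d+)"
)
# Constructed sample line (placeholder hash and paths, not a real indicator).
SAMPLE_LOG = (
    "2022-11-05 08:49:28.089-04:00[01:12.806] P06936T08304 BemSvc "
    "RemediationManager.cpp<788>:QuarantineFileHandle(): Quarantining "
    "'C:\\Users\\user\\AppData\\Local\\Temp\\newmsg' to "
    "'C:\\ProgramData\\Bromium\\BEM\\Quarantine\\" + "AB" * 32
    + "_0000beef'; scan_id = 7"
)

def parse_quarantine_events(log_text):
    """Return timestamp, paths, scan id and hash for each quarantine action."""
    events = []
    for line in log_text.splitlines():
        m = QUARANTINE_RE.search(line)
        if m:
            ev = m.groupdict()
            # Assumption from the excerpt: stored name is '<SHA-256>_<suffix>'.
            ev["sha256"] = PureWindowsPath(ev["dst"]).name.split("_")[0]
            events.append(ev)
    return events

def inspect_quarantined(path):
    """Parse a quarantined file as an email; nothing is decoded or saved."""
    raw = Path(path).read_bytes()
    digest = hashlib.sha256(raw).hexdigest().upper()
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    headers = {h: (str(msg[h]) if msg[h] is not None else None)
               for h in ("From", "Subject", "Date")}
    parts = [(p.get_content_type(), p.get_filename())
             for p in msg.walk() if not p.is_multipart()]
    # A match means the quarantine copy is byte-identical to the flagged file.
    stored_ok = digest == Path(path).name.split("_")[0].upper()
    return {"sha256": digest, "hash_matches_name": stored_ok,
            "headers": headers, "parts": parts}

if __name__ == "__main__":
    for ev in parse_quarantine_events(SAMPLE_LOG):
        print(ev["ts"], ev["scan_id"], ev["sha256"])
    for arg in sys.argv[1:]:
        print(inspect_quarantined(arg))
```

If `hash_matches_name` is false, the stored copy has been transformed in some way and the parsed headers should not be trusted as the original message.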

 

 
