shadowwar

This should no longer be detected. This was a behavioural detection so a normal scan will not pick it up. It has to run and perform behaviours similiar to ransomware to be detected. This shouldnt of been detected though anyways so we are a little puzzled. Would you mind zipping and attaching the mbamservice.log that is located here: C:\ProgramData\Malwarebytes\MBAMService\LOGS so we can see what may have happened?

Can you zip and attach the steam.exe here please.

I believe it was related to this ip block which has been fixed.

Thanks for reporting. This should no longer be detected.

This has been fixed earlier today. IT should no longer be detected.

can you please zip and attach the file here please? Also the scan log showing the detection. Thanks. See here if need more information.

Thanks i am discussing this with development. We can edit files actually and remove single lines. This def is that type and should only remove that single line. Let me know if you want to further test and verify. However i believe the entire file is supposed to be copied to quarantine to restore the single line in future if need be. Removing a line is simple. Trying to restore a single line in the correct place with correct formatting is another story. That said i am following up with dev why we cant exclude a single line. I wasn't aware of this and trying to see what is going on. Thanks for your very thorough report!

This is a per line detection. However ganging up urls on the same line will cause the whole line to be deleted. This is a non standard format to have multiple urls per line.

This is where exclusions come in. If you feel it should be blocked in your host then you are welcome to add it to the exclusions. We see too many malware blocking the avast update with blocking the avast domain in the hosts file. For that reason we have to leave it in.

There is a little more to the def but thats the main part. We also look for certain number ranges as a prefix.

We are not looking for avast. We are looking for this .avast.com If you remove the last one it should scan clean. Which should not normally be in a host file.

As avast shouldn't normally be blocked in the hosts file, you are running a non standard hosts file you so you will have to add this to the ignore list. Thanks.

What you don't see is our stats which i cant share unfortunately. The very high amount of malware this detects to the very low amount of False positives is overwhelming. And it detects them zero day without having to have a definition. We are keeping a close eye on this and the protection it offers far outweighs the amount of false positives we see. The false positives get less and less as the algorithm learns. You are only basing what you see in the forums. We have hard stats that tells us what is going on and if it was out of control we would do what we need to.

This is a fp and has been fixed already.

renamed. TY