I am the author of SSE Setup (www.ssesetup.com), a program installer/uninstaller. Your software is flagging all created Setup files that aren't signed as "MachineLearning/Anomalous.100%"
I have attached a ZIP with 4 different samples (2 full self-extracting installs, and 2 of just the Setup.exe that's detected) that are falsely detected but you cannot just whitelist the individual files as created Setup's could have different file properties (name, version info, etc.).
I have read your sticky forum post on Anomaly detections and as someone that's been dealing with Antivirus vendors since 2005 and has been a software developer much longer, I would take issue with several of your statements in that post. First, it is NOT true that signing has been standard for "decades". The practice of digitally signing didn't even begin to pick up any serious steam until 2006. Until Vista came on the scene with UAC very very few software developers even thought of bothering with signing, and it didn't become true common practice until around 2009-2010 (I know, I didn't even begin signing my own software until 2011), and there are still PLENTY of legitimate software packages out there that are not signed. You might not think that's wise or that you wouldn't want to install such software yourself, but there's plenty of other people that don't have as strongly of those concerns when downloading from reputable sites etc. No AV software should automatically assume that a file without digital signature is malware. In addition to that, you imply that your anomaly engine also sees both old versions of VB as well as executable packers as a sign of malware. While it IS true that some malware uses old versions of VB (which we both know you mean VB6), it's also true that malware uses LOTS of other development tools too, and it's also true that there is a huge amount of legitimate software out there in the wild that uses VB6. It's not just malware that uses it, but literally thousands and thousands of programs. It may be old, but it's still a popular and versatile environment and despite what you might think, there's still legit software being developed in it. As for executable packers, again, that is something that MANY legitimate software packages use. SSE Setup installers use the common UPX packer which has been used for 20+ years by all sorts of legitimate software (and which SSE Setup has used since 2005) and which most all AV products know is legit and not a reason to count negatively when figuring out potential malware. Malware authors don't usually bother with legit packers that are easily unpacked by most all AV products - they rely on custom-tweaked packers or obfuscators. In short, just because a program has or uses VB6, UPX, and isn't signed, does not mean it is malware or even most likely malware, and for the record I don't know of any other AV products' AI scanning engines that currently apply the weight to those things that your AI engine is seemingly applying (I know of several that USED to improperly weight those items but they fixed that years ago). Just because some malware authors use a tool that legit software also uses doesn't mean you penalize the legit software to try and catch the malware...
In any event, those are my general thoughts, but back to the immediate issue at hand - detection of SSE Setup installers. I can provide further info on how your software can specifically identify SSE Setup created installers if that will be of use, but would rather not post that info publicly - you can email me for that if that would help. I don't really care what your scanner does or doesn't do with its AI "try to guess malware" scanner as long as it leaves SSE Setup installers alone. Happy to help however I can. Thank you, Chris Long, developer of SSE Setup, www.ssesetup.com