Posts posted by chrislong2

  1. The whitelisting of the digital signature should help me personally, and I thank you; however, it still means that your heuristic is going to flag all other SSE Setup-created installers (SSE Setup is a program installer other developers use too). I understand Porthos' point that this detection does not occur in the default configuration, however it can be made to use this heuristic and thus produce this false detection. I suspect either this heuristic is incorrectly weighting VB6 executables or the 7-zip self-extractor that SSE Setup-created installs use. In either case, neither of those should be causing an assumption of "guilt" for an executable, no matter how aggressive the heuristic is. I would humbly ask that this be looked into by your development team. Thank you. Chris Long, SSE Setup, www.ssesetup.com

  2. Whatever this "Malware.Heuristic.1003" advanced heuristic is looking for, it has a major flaw because it is flagging pretty much all of my programs:

    https://www.simpledatabackup.net/downloads/SimpleDataBackup10.exe

    https://www.simpledatabackup.net/downloads/SimpleDataBackup10-3GA.exe

    http://ssesetup.com/downloads/SSESetup10-4.exe

    http://ssesetup.com/downloads/TextMorph34.exe

    http://ssesetup.com/downloads/EZSignIt41.exe

    While a whitelist is appreciated, you need to fix the incorrect detection criteria that are causing this, so it doesn't reappear when I next release new versions, etc.

    I suspect that since it is flagging these, it is also flagging all other SSE Setup-created installers as well.

    Chris Long, SSE Setup, www.ssesetup.com

  3. The site is www.ssesetup.com.  I am the owner of this site and of the SSE Setup software product, a known installer product, both of which have been around with good reputation for over 15 years. This site does NOT have any malware on it and never has.  You previously blocked my site last year and I had to contact you and you have also incorrectly flagged my software in the past.  I don't know what it is with your detection mechanisms, but you need to overhaul them...   Thank you.  -Chris Long, SSE Setup, www.ssesetup.com

  4. I am the author of SSE Setup (www.ssesetup.com), a program installer/uninstaller.  Your software is flagging all created Setup files that aren't signed as "MachineLearning/Anomalous.100%"

    I have attached a ZIP with 4 different samples (2 full self-extracting installs, and 2 of just the Setup.exe that's detected) that are falsely detected, but you cannot just whitelist the individual files, as created Setups could have different file properties (name, version info, etc.).

    I have read your sticky forum post on Anomaly detections, and as someone who has been dealing with antivirus vendors since 2005 and has been a software developer much longer, I would take issue with several of your statements in that post. First, it is NOT true that signing has been standard for "decades". The practice of digitally signing didn't even begin to pick up any serious steam until 2006. Until Vista came on the scene with UAC, very, very few software developers even thought of bothering with signing, and it didn't become true common practice until around 2009-2010 (I know, I didn't even begin signing my own software until 2011), and there are still PLENTY of legitimate software packages out there that are not signed. You might not think that's wise, or that you wouldn't want to install such software yourself, but there are plenty of other people who don't have such strong concerns when downloading from reputable sites, etc. No AV software should automatically assume that a file without a digital signature is malware. In addition to that, you imply that your anomaly engine also sees both old versions of VB as well as executable packers as a sign of malware. While it IS true that some malware uses old versions of VB (by which we both know you mean VB6), it's also true that malware uses LOTS of other development tools too, and it's also true that there is a huge amount of legitimate software out there in the wild that uses VB6. It's not just malware that uses it, but literally thousands and thousands of programs. It may be old, but it's still a popular and versatile environment, and despite what you might think, there's still legit software being developed in it. As for executable packers, again, that is something that MANY legitimate software packages use. SSE Setup installers use the common UPX packer, which has been used for 20+ years by all sorts of legitimate software (and which SSE Setup has used since 2005) and which almost all AV products know is legit and not a reason to count negatively when figuring out potential malware. Malware authors don't usually bother with legit packers that are easily unpacked by almost all AV products - they rely on custom-tweaked packers or obfuscators. In short, just because a program uses VB6 or UPX and isn't signed does not mean it is malware, or even most likely malware, and for the record I don't know of any other AV products' AI scanning engines that currently apply the weight to those things that your AI engine is seemingly applying (I know of several that USED to improperly weight those items, but they fixed that years ago). Just because some malware authors use a tool that legit software also uses doesn't mean you penalize the legit software to try and catch the malware...

    In any event, those are my general thoughts, but back to the immediate issue at hand - detection of SSE Setup installers.  I can provide further info on how your software can specifically identify SSE Setup created installers if that will be of use, but would rather not post that info publicly - you can email me for that if that would help.  I don't really care what your scanner does or doesn't do with its AI "try to guess malware" scanner as long as it leaves SSE Setup installers alone. :)  Happy to help however I can.  Thank you, Chris Long, developer of SSE Setup, www.ssesetup.com

    mb-fp.zip
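The three traits the post above says the anomaly engine weighs (no Authenticode signature, UPX packing, a VB6 build) can each be read straight out of a PE file's headers, which is the check a practitioner would run on a flagged installer before arguing about it. The Python below is an added example, not SSE Setup's or Malwarebytes' code: it parses the data directories, section table and import descriptors of a PE image and reports those three traits. Because nothing here should depend on a real installer, it also builds its own constructed PE32 fixture (`build_sample_pe`, a parseable but not loadable file) with chosen section names, import DLL names and an optional placeholder WIN_CERTIFICATE; the section names `UPX0`/`UPX1` and the import `MSVBVM60.DLL` are the conventional UPX and VB6 markers, the fixture's other values are assumptions.

```python
"""Added example (not SSE Setup or Malwarebytes code): read the three PE traits
the post discusses from a file's headers. build_sample_pe() makes a constructed fixture."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # holds a file offset, not an RVA
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def _parse_headers(data):
    """Return (16 data directories, [(name, va, size, raw_offset)]) from the PE headers."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    # PE32 keeps NumberOfRvaAndSizes at +92 and the table at +96; PE32+ at +108/+112
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    count_off, dir_off = (opt + 92, opt + 96) if pe32 else (opt + 108, opt + 112)
    ndirs = min(struct.unpack_from("<I", data, count_off)[0], 16)
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(ndirs)]
    dirs += [(0, 0)] * (16 - ndirs)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, max(vsize, rawsize), rawptr))
    return dirs, sections

def _rva_to_offset(rva, sections):
    for _name, va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def import_dll_names(data):
    """Uppercased DLL names from the import directory (empty if there is none)."""
    dirs, sections = _parse_headers(data)
    rva = dirs[IMAGE_DIRECTORY_ENTRY_IMPORT][0]
    names, off = [], (_rva_to_offset(rva, sections) if rva else None)
    while off is not None:
        desc = data[off:off + 20]            # one IMAGE_IMPORT_DESCRIPTOR
        if len(desc) < 20 or not any(desc):  # an all-zero descriptor ends the table
            break
        start = _rva_to_offset(struct.unpack_from("<I", desc, 12)[0], sections)
        names.append(data[start:data.index(b"\0", start)].decode("latin-1").upper())
        off += 20
    return names

def has_authenticode_blob(data):
    """True if the security directory points at a PKCS#7-type WIN_CERTIFICATE.
    Presence only: validity and trust need WinVerifyTrust / signtool verify."""
    dirs, _ = _parse_headers(data)
    off, size = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY]
    if off == 0 or size < 8 or off + size > len(data):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < length <= size

def pe_features(data):
    """The three traits the post says the anomaly engine weighs."""
    _, sections = _parse_headers(data)
    return {
        "authenticode_present": has_authenticode_blob(data),
        "upx_sections": any(name.startswith("UPX") for name, *_ in sections),
        "vb6_runtime": "MSVBVM60.DLL" in import_dll_names(data),
    }

def build_sample_pe(section_names, dlls, signed):
    """Constructed PE32 fixture (parseable, not loadable): import descriptors for
    `dlls` in the first section and, if `signed`, a placeholder WIN_CERTIFICATE."""
    FILE_ALIGN, SECT_ALIGN, nsec = 0x200, 0x1000, len(section_names)  # up to 3 sections fit
    descs, strings = b"", b""
    for dll in dlls:
        name_rva = SECT_ALIGN + 20 * (len(dlls) + 1) + len(strings)
        descs += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)   # thunk tables omitted
        strings += dll.encode() + b"\0"
    imports = descs + b"\0" * 20 + strings
    # placeholder DER bytes stand in for the PKCS#7 SignedData of a real signature
    cert = struct.pack("<IHH", 10, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\x30\x00" if signed else b""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, SECT_ALIGN, FILE_ALIGN)    # ImageBase, alignments
    struct.pack_into("<II", opt, 56, SECT_ALIGN * (nsec + 1), FILE_ALIGN)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                                     # Windows GUI subsystem
    struct.pack_into("<I", opt, 92, 16)                                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, SECT_ALIGN, len(imports))
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, FILE_ALIGN * (nsec + 1), len(cert))
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 224, 0x0102) + opt
    for i, name in enumerate(section_names):
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), FILE_ALIGN, SECT_ALIGN * (i + 1),
                           FILE_ALIGN, FILE_ALIGN * (i + 1), 0, 0, 0, 0, 0x60000020)
    body = bytes(hdr).ljust(FILE_ALIGN, b"\0") + imports.ljust(FILE_ALIGN, b"\0")
    return body + b"\0" * (FILE_ALIGN * (nsec - 1)) + cert

if __name__ == "__main__":
    fixture = build_sample_pe(["UPX0", "UPX1", ".rsrc"], ["MSVBVM60.DLL", "KERNEL32.DLL"], signed=False)
    print(pe_features(fixture))
```

Two caveats when pointing this at a real file instead of the fixture: on a UPX-packed binary the import table you see may be the decompression stub's rather than the original program's, so run `upx -d` on a copy before trusting the VB6 result; and `has_authenticode_blob` only says a signature blob is attached, which is a different question from whether it verifies and chains to a trusted publisher.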

  5. Hi,

    I'm the developer of SSE Setup (www.ssesetup.com), a free and low-cost program installer. It has been reported to me that Malwarebytes is incorrectly detecting one component - a Setup install stub that is used in certain cases - as "Trojan.Shylock.XGen". I have attached the exact file to this issue inside the .ZIP file (the password to open the ZIP is "fp", minus quotes). In addition, you can download SSE Setup 7.4 from my site and install it. The file in question (Setup.exe) will be located in the Program Files\SSE Setup 7.4\Internal\RuntimeInstallStub folder.

    Thank you.

    Chris Long

    SSE Setup developer

    Setup.zip
