False Positive


    We are Banyan Tree Technology Limited, the file submitted is a product we produce and publish.

    We bundle the homepage with end users' explicit agreement (normally with checkboxes opt-in), it's completely legal and compliant with according laws and policies.

    However, they have encountered a false positive problem with Malwarebytes recently. 

    The reported threat name is "PUP.Optional.Elex"

    We guarantee that all behaviors we do on the pc through the downloader are under the permission of end users.

    Please do have a check immediately, and clear the false alarm. 

    Thank you in advance.



    The zip file's password is "infected".




  • Staff



This is no false positive. Also see here: http://forums.malwarebytes.org/index.php?showtopic=130207


"How often do users intentionally install your software? <- This does not include default check marks in bundleware that we all know people don't read and usually assume are part of the intended application.

This installer doesn't present any eula or option to opt-out at all.

So what you claim here:

"We bundle the homepage with end users' explicit agreement (normally with checkboxes opt-in), it's completely legal"

doesn't match here.

Also, checkboxes opt-in are deceptive, because I know from previous Elex installers that you use the wording "recommended" (other example here: http://forums.malwarebytes.org/index.php?showtopic=131441&hl=) - this fools the user into believing that they need to have this installed, while this isn't the case.


We do not force users to remove your software, just like you claim you do not force them to install it - this is also completely legal.


Do users typically refer to your software as malware/virus/other non-benign label?"


When installed, my search and startpage have been changed to dosearches and users don't seem to like this at all: https://www.google.com/search?name=f&hl=en&q=dosearches


On top, this one (dprotect) even installs itself as an appinit_dlls. These entries are loaded when the file user32.dll is loaded. Most Windows executables use user32.dll which means any entry in the AppInit_DLL value will be loaded as well. This certainly causes additional issues and this is also a lot harder to remove. Microsoft even recommends not to use this feature: http://support.microsoft.com/kb/197571 and http://blogs.msdn.com/b/oldnewthing/archive/2007/12/13/6648400.aspx


This topic is now closed to further replies.
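
A read-only way to check a machine for the AppInit_DLLs loading described in the staff reply above, as an added example that is not part of the original thread or any vendor's tooling. The function name `Get-AppInitDllReport` is hypothetical, and resolving bare DLL names against the system directory is an assumption.

```powershell
# Added example (read-only): list AppInit_DLLs entries in both registry views.
# Assumption: run from 64-bit PowerShell on 64-bit Windows, so that
# HKLM:\SOFTWARE is the native view and Wow6432Node is the 32-bit view.
function Get-AppInitDllReport {
    $views = [ordered]@{
        # registry key = directory used to resolve bare DLL names (assumption)
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' = "$env:SystemRoot\System32"
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows' = "$env:SystemRoot\SysWOW64"
    }
    foreach ($key in $views.Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }  # no Wow6432Node on 32-bit Windows
        $p = Get-ItemProperty -LiteralPath $key
        # The value is a list of DLL names separated by spaces or commas.
        $names = @(([string]$p.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ })
        foreach ($name in $names) {
            $path = if ([IO.Path]::IsPathRooted($name)) { $name } else { Join-Path $views[$key] $name }
            $exists = Test-Path -LiteralPath $path -PathType Leaf
            # Only query the signature when the file is actually present.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileNotFound' }
            [pscustomobject]@{
                RegistryKey               = $key
                Entry                     = $name
                ResolvedPath              = $path
                Exists                    = $exists
                Signature                 = $sig
                # Missing DWORD values are reported as False here.
                LoadAppInit_DLLs          = [bool]$p.LoadAppInit_DLLs
                RequireSignedAppInit_DLLs = [bool]$p.RequireSignedAppInit_DLLs
            }
        }
    }
}

# No output means neither view has any AppInit_DLLs entry.
Get-AppInitDllReport | Format-List
```

Any entry that is unsigned, or whose file is missing, is worth reviewing before it is cleared from the value.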
