Jump to content

False Positive on Custom In-House Program

Recommended Posts



The program in the attachment which is something that we use got flagged as ransomware. This is a program we use frequently. I have restored and created an exception for the file. However, I'm just hoping that it's not somehow infected. Ransomware can't infect legitimate programs and then conduct their encryption can they? Just want to make sure just in case.

False Positive.zip

Link to post
Share on other sites

Hello suspicious_bucket and :welcome:


At the date/time of the following analysis, the file in question appears to be harmless per https://www.virustotal.com/en/file/c9f00f7fd0cd2823b5a9393fe314d38f010d98be2394c77da093de07ff96bbe3/analysis/1457671934/.

However, it appears as if Malwarebytes Anti-Ransomware (MBARW) appears to be installed on a Microsoft Windows Server. The MBARW developers have not approved the use of MBARW on any Microsoft Windows Server. Additionally the use of MBARW in any commercial/enterprise/production environment is strongly discouraged at this time.


Ransomware can't infect legitimate programs and then conduct their encryption can they?


Although the expertise of an anti-malware professional is called for, in my non-authoritative opinion, malware can be injected into otherwise legitimate executables leading to any manner of infection.


I will request for you a professional opinion from an authoritative source regarding the above question.


Thank you.

Link to post
Share on other sites

The important thing here is that this is a Beta and a Beta should not be used on production computers as its use can lead to unexpected detriment.


As for MBARW it is falsely flagging an encyclopedic size list of executeables which is not good.


As for the file in question, a legitimate file can have malicious code prepended, appended or cavity injected.  This can be by a file infecting virus or by a trojan that patches or "trojanizes" a legitimate file.  In the case of a file infecting virus, it is indiscriminate in what legitimate files it wants to infect.  In the case of a trojan that patches or "trojanizes" a legitimate file, it targets specific files whose preponderance are those that are specifically a part of the Windows Operating System.


As for cryptographic malware ( Cryptovirology ), the vast majority are trojans and not viruses and to my knowledge none "trojanizes" legitimate files.  Therefore while it is possible for Ransomware to infect legitimate programs it is highly unlikely.

Link to post
Share on other sites

Thank you very much for your responses.


1. It makes a lot of sense that for "trojanizing" or appending malicious code to legitimate files would largely target common operating system files as these would be the most common files across a larger number of environments. Thank you for clearing that up for me.


2. I understand the risks of this software being used in a production environment, but the use of this software has saved my tail more than once in a production environment. The reason it's used in this type of environment is due to the fact that it is being used in a terminal server environment where the terminal server has office and people may download/run attachments with malicious files.


This has already happened once and has ended up corrupting a number of our files. Luckily we had a recent backup of our files that was unaffected.


Can you let me know what major risks I am running with running this software in a production environment?

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.