Malwarebyte false detected my software as MachineLearning/Anomalous.100%

[annewilson]

Hi

I'm a software developer who writes software using a mixture of  ASM and PowerBasic to build software in native codes.

The last few days, I noticed that many of my exe and dll files are being detected and quarantined as being MachineLearning/Anomalous.100% malware.

These are decidedly NOT malware. Why is Malwarebyte doing these actions which is totally uncalled for.

I'm using a premium version of Malwarebytes and I will uninstall malwarebytes and purchase a better  antivirus software if malwarebytes keep on detecting my

software as malware.   See my attach file display of false positive.

Please response on how to overcome these False detection problems

 

False positive.docx

[annewilson]

I'm a software developer who develop my own software in ASM and Powerbasic.

Recently, Malwarebytes is detecting my software as MachineLearning/Anomalous.100% malware.

These are decidedly NOT malware. These are my own software products. 

Why is Malwarebytes doing this unnecessary so called Heuristic signatureless checking  which wrongfully detected my

software as Malware.  I'm using a premium version of Malwarebytes.  Time to do more research before you lose more customers.

Please respond otherwise I will write to every blog in the Internet on your erroneous Heuristic signatureless checking engine.

[blender]

Hello,

Sorry to hear you are having false detections with MBAM.

Can you provide some samples of these files? They will need to be zipped to attach. Also can you zip & attach the detection log as well please?
Open MBAM >> reports>> view the report that had the above detections>> export it as .txt

Please attach that in your next reply.

 

Thanks!

 

[annewilson]

Hi Blender

What would be your email address to send these files?   Or do I send them as an attachment to this forum here?

please advise

[blender]

You can zip them & attach here please.

Thank you,

[annewilson]

Here are the files

Please check and respond and I will turn off Signatureless detection on Malwarebytes

Thanks

Malware Rep.txt

Submit to MB.zip

[shadowwar]

Part of the reason you are having issues with the signatureless detection is because of the enigma packing and other tools you are running on your files to protect them from cracking. This is exactly what malware does to try to protect their files from being reversed. Just for example.

vmtest.exe

https://www.virustotal.com/en/file/4592f0a0590d3c9d79159e787bfdadc76b1ee9bf62cdecf617bf827268375003/analysis/1511892003/

vmtest_protected.exe

https://www.virustotal.com/en/file/76c0c5a903c48f72d68b01104e691cee34598d0bbc17d85f53b80baa265d3e3b/analysis/1511839347/

See the difference in the amount of detections?

Enigma isnt such a great packer to use on a legit piece of software because mostly malware uses it. It also adds a lot of anomalies to a file.

That being said any of the files you submitted above have been added to whitelist.

We also adjusted our model a bit for these type of files.

 

 

 

 

 

Edited November 28, 2017 by shadowwar

[annewilson]

Thanks Rich

However, the VMTest.exe is only one of the files which is protected by Enigma.

The rest are ordinary compile exe files which are NOT protected at all,  what about them ? 

Look here, there was NO such detection until 2 days ago after Nov 26 2017, when I ran the Malwarebyte

From Nov 27 2017 onwards these detections started to appear. These are all previous backup files dated from Feb 2017.

There must something to do with your Heuristic detection Engine, it had became overzealous in its detection??

Alternately, do I need to sign my files using Code signing certificates, so that Malwarebyte will start recognizing that these are legitimate files?

[shadowwar]

Not sure we are on the same page here. Pe_Compact is also mostly used by malware.

mangle.exe is not normal as its packed by pe compact.

https://www.virustotal.com/en/file/2827e821353ff1b20c33bfd9e5fee88cab3aa1b92ce4da59dfae821bc2528873/analysis/1511839651/

 Packers identified

F-PROT PECompact, PecBundle

PEiD PECompact 2.xx --> BitSum Technologies

 

test wipe__protected.exe is enigma packed

kp.exe is pe compact.

DDT nice.EXE is pe compact.

 

Your log though has more files though then what was submitted inside the zip.

PB SKYFRAME\GEN APPS\CREP FNV HASH CONVERTER\BMT.EXE
NOT SO GOOD PROGS\TRASH PE\TRASH PE.EXE

If you want to pm me the zip i can work on filtering these out also.

 

We have been adjusting our models over the past couple of weeks. We have made adjustments to detect more but with that of course requires some adjustments to filter out fps on rare occuring files.

Just to note we dont necessarily detect these as malware just more as its a anomalous file cause of its construction. This is what this detection name is:

MachineLearning/Anomalous.100%

 

Edited November 28, 2017 by shadowwar

[annewilson]

Okay Thanks Rich

mangle.exe  was supplied by another party.

Yeah, the Kp.exe was also pecompact by us.

So it looks like the pecompact is being targeted, we only have a few files being packed by PeCompact.

 

Well, let me repeat this question

Do I need to sign my files using Code signing certificates, so that Malwarebyte will start recognizing that these are legitimate files?

We are still doing some work on the files and executables in our system before being deployed.

We would think that whitelisting may not help as we are adding more and more files to our system it is currently very dynamic ?

as file sizes changes and filenames changes too -- WhiteListing them would be a difficult task

.What we want is that Malwarebyte to stop treating our files as malware (which we are truly NOT )

 

 

[shadowwar]

If you could pm me some of the files you are creating so i can see what is happening against our system it would be appreciated. We did over the past weekend adjust the model for what you were writing in.

A valid signature does help a decent amount but we do no blanket whitelist based on signature.

If you can get me a set of samples you are currently developing and they are still detected currently i can get this to the shuriken devs and see what needs to be done.

Thanks!

 

[alissa914]

I had this just happen too which is why it was odd.  It never threw up a detection before.  All I did after that was to switch to .NET 4.0 in Visual Studio, compile/run it to confirm there was no infection, and then switch back to .NET 3.5 like it was (some people there still use XP against my wishes).....

 

But it stopped prompting this as an error though.

[DrDESidran]

We are experiencing the exact same problem. One of our new programs is being flagged as a false positive, "MachineLearning/Anomalous.95%"

We've done some tests and discovered that even a short program using 7z will trip this false positive, too.

I have been a user of Malwarebytes for many years. But, as a computer scientist, I have to say that your heuristic is badly flawed. I urge you to remove this heuristic immediately until you are able to rewrite it and stop these false positives.

 

Edited April 20, 2018 by DrDESidran

[dcollins]

@DrDESidran can you please private message me a copy of your files that are triggering this issue? Thanks

[DrDESidran]

8 minutes ago, dcollins said:

@DrDESidran can you please private message me a copy of your files that are triggering this issue? Thanks

This is commercial software. We cannot and will not send source code.

[dcollins]

Not asking for source code, just the compiled executable that is being detected

[DrDESidran]

32 minutes ago, dcollins said:

Not asking for source code, just the compiled executable that is being detected

I would also have to include numerous dependent and proprietary files. I cannot do this.

[dcollins]

We don't need to run the files, just see the files that are getting flagged. We can try gathering just the reports, but I don't know if this will contain enough detail to help us identify why they're being flagged. Can you share the scan report of these files being detected? The easiest way to grab them is below:

1. Download and run the Malwarebytes Support Tool
2. Accept the EULA and click the Advanced Options link
3. Click Gather Logs, and once the process completes, attach mbst-grab-results.zip from your desktop to your reply (or you can private message me by clicking my name and choosing Message)

Edited April 20, 2018 by dcollins

[DavidBarber]

Add me to the list.

I scan weekly (Monday mornings) with MB Free, so this has come up in the last 7 days.

After over a year of zero detections I suddenly encountered these 2 issues this morning.

1: MB refused to run claiming that (as I recall) DNARootKit.dll refused to load and that I needed to reboot and try again, and that this might be indicative of a rootkit. Scary stuff. This happened immediately after my weekly reboot on Windows 7. Okay, rebooted again and this time MB ran but (continued to item #2).

2: After over a year of weekly clean scans, 41 items were flagged and quarantined. 30 registry entries that appear to be ...\TASKCACHE\... entries were quarantined. All of them flagged as MachineLearning/Anomalous.100%. Also 11 files, same reason. 10 of them \WINDOWS\SYSTEM32\TASKS\... with no indication why MB is suddenly unhappy with these. And the final file is an .EXE file used as a launcher for a VB6 program that DEFINITELY IS NOT a problem file. The problem here is that this file is used by a number of people in our company and MB quarantining it is a big problem. This file has been in use for years.

So I question if it has quarantined necessary and/or important task files and registry entries -- I don't know how to tell from the information presented.

I do know that it quarantined a necessary benign file.

Report attached.

.EXE file attached as a .ZIP file.

 

 

Malwarebytes Scan 01.txt

EXHIBITOR_REG.zip

[KarlKola]

I also suddenly got MachineLearning.Anomalous96% reported today (for the first time) when running an application we are building here at our company. It has never been a problem before but today it suddenly got quarantined when running it. The application has been developed for more than 10 years and is commercially available. I need to know why it is suddenly blocked by Malwarebyte.

Exe and report is attached.

MalwareBytesExploitBlocked.txt

PV.zip

[KenW]

I am getting an alert when installing an updated Windows Fire Control  version 5.3.1

detection.txt

[OldMainframeGuy]

Malwarebytes is flagging the latest version of Windows Firewall Control with MachineLearning.Anomalous100%.   

 

https://www.binisoft.org/wfc.php

 

Rob

[DrDESidran]

This is really a shame. For years I encouraged my students to use MalwareBytes. The heuristic you're using is badly flawed. This is an example of what my British friends call, "far too clever by half."

[KenW]

DrDESidran stop being so dramatic. The issues has been reported my me and others. Give them time to look at the problem.

[DrDESidran]

3 minutes ago, KenW said:

DrDESidran stop being so dramatic. The issues has been reported my me and others. Give them time to look at the problem.

Dramatic? Really? As a computer science professor I would not only give the author of this heuristic an 'F' I would seriously doubt their ability to be a commercial software developer. You simply cannot release a  commercial product that creates false positives like this. Think of the ramifications. Who is the user going to blame? Malwarebytes or my software? The economic consequences of a false positive could be disastrous. If Malwarebytes false positive is responsible for the loss of sales of commercial software are they legally responsible? What if Malwarebytes falsely flags mission critical or life saving software and the user then deleted the wrong program?

In grad school at a Research One university you are required to take computer ethics classes. This is a text book case of a company behaving irresponsibly. Malwarebytes should immediately discontinue incorporating this heuristic.