
validator.exe false positive


steve1717


A long-time trusted program, validator.exe, which has never had any problems with Malwarebytes over the past years, was suddenly flagged as MachineLearning/Anomalous.94% on March 22, 2018 by Malwarebytes Premium version 3.4.4. Please stop this false detection. The program is used by users of Paradox games like Europa Universalis 4 for modders to check the syntax of their game mods. The quarantine report was:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 3/22/18
Protection Event Time: 5:20 PM
Log File: 2ea79652-2e1f-11e8-928d-001fbc09701f.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4452
License: Premium

-System Information-
OS: Windows 10 (Build 16299.309)
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
MachineLearning/Anomalous.94%, I:\Paradox\Data\EU

 

Validator.rar

Link to post
Share on other sites

I just removed the exclusion and ran a custom scan. The current version of the program is now OK, but all the copies of the previous versions are still marked as having that same false positive error. And users may still be using these old versions. I will try to attach them. Can we get them all marked clean? There were never any problems with them and Malwarebytes in the past.

Audax.Validator v1.20.0.zip

Audax.Validator v1.21.0.zip

Audax.Validator v1.21.3.zip

Audax.Validator v1.21.5.zip

Audax.Validator v1.22.0.zip

Audax.Validator v1.22.9.zip

Audax.Validator v1.23.0.zip

Audax.Validator v1.23.1 preview.zip

Link to post
Share on other sites

Thanks for the response. Items are still showing up and I am concerned that even if we get them all on a case-by-case basis, the next version will just be flagged again. How can we get a generic fix? The author updates the program all the time.

Note I ran an update just before the custom scan.   

At this point I have tried to spread the word for people to make an exclusion in Malwarebytes, but this program is widely used by people modding multiple games on multiple forums and I am only telling people in my forum. It would be nice to get a generic fix.

 

Edit: Also, my last post seems to have disappeared where I uploaded the most recent versions released in the last couple days. Attached.

 

log attached

malwarelog.txt

Audax.Validator v1.25.1.zip

Audax.Validator v1.25.2.zip

Edited by steve1717
Link to post
Share on other sites

Hello. I've whitelisted these latest two in the meantime:

ed3511231089c327db4858504e75d261
ac50d662b8473ad4db91009642601fce

Sorry for the inconvenience.

@steve1717 Were you able to find the MBAMService.log file at C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMService.log? If so, can you please attach that one? I don't see it in your previous post.

Link to post
Share on other sites

I received an email telling me this has been solved.   It has not.  Please do not close this thread.   I just updated and ran a custom scan today and it is still detecting the false positives.  Was there something else that was supposed to be updated for the larger white list to work?  Or did the update not get pushed through?

Components Version: 1.0.322
Update Package Version: 1.0.4578
License: Premium

-System Information-
OS: Windows 10 (Build 16299.334)
CPU: x64
File System: NTFS
User: Steven-PC\Steven

-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 178562
Threats Detected: 4
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 0 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 4
MachineLearning/Anomalous.96%, I:\PARADOX\DATA\EU4\VALIDATOR\AUDAX.VALIDATOR\APP\AUDAX.VALIDATOR.EXE, No Action By User, [0], [392687],1.0.4578
MachineLearning/Anomalous.96%, I:\PARADOX\DATA\EU4\VALIDATOR\AUDAX.VALIDATOR V1.21.5.ZIP, No Action By User, [0], [392687],1.0.4578
MachineLearning/Anomalous.96%, C:\USERS\STEVEN\APPDATA\ROAMING\Microsoft\Windows\Recent\Audax.Validator v1.25.2.zip.lnk, No Action By User, [0], [392687],1.0.4578
MachineLearning/Anomalous.96%, I:\PARADOX\DATA\EU4\VALIDATOR\AUDAX.VALIDATOR V1.25.2.ZIP, No Action By User, [0], [392687],1.0.4578

Physical Sector: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

I just tested again after doing another database update.   We are making progress.   

The good news is:

1)  both the zipped and unzipped versions of the latest version of the validator.exe are not detected as malware.

2)  Almost all of the previous versions in their zipped state are not detected as malware.  I have not tested unzipped for the previous versions because I assume the detection would be the same?

The bad news is that one recent previous version in its downloaded zipped format is still detected. This version is attached. What I notice about this detection is that it is marked MachineLearning/Anomalous.96% (note the 96 rather than the normal 94). Is 96 somehow different than 94%?

-Log Details-
Scan Date: 4/2/18
Scan Time: 2:37 PM
Log File: 3d471b2e-36ad-11e8-9ab2-001fbc09701f.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4588
License: Premium

-System Information-
OS: Windows 10 (Build 16299.334)
CPU: x64
File System: NTFS
User: Steven-PC\Steven

-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 178253
Threats Detected: 1
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 0 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
MachineLearning/Anomalous.96%, I:\PARADOX\DATA\EU4\VALIDATOR\AUDAX.VALIDATOR V1.21.5.ZIP, No Action By User, [0], [392687],1.0.4588

Physical Sector: 0
(No malicious items detected)


(end)

Audax.Validator v1.25.1.zip

mbae-default.log

MBAMSERVICE.LOG

Link to post
Share on other sites
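Diffing the detection lines of two scan logs like the ones posted above shows which paths an update cleared and which are still flagged. This is an added example, not part of the original posts or of Malwarebytes' tooling; the field layout is an assumption inferred from the log lines in this thread, and the sample input is copied from those two scans.

```python
import re
from pathlib import PureWindowsPath

# Layout assumed from the detection lines posted in this thread (not vendor-documented):
#   name.score%, path, action, [n], [n], update package version
DETECTION = re.compile(
    r"^(?P<name>[^,]+?)\.(?P<score>\d+)%,\s*(?P<path>.+?),\s*"
    r"(?P<action>[^,\[]+),\s*\[\d+\],\s*\[\d+\],\s*(?P<update>[\d.]+)$"
)

# Sample input: the "File:" sections of the two custom scans quoted above.
BEFORE = r"""
File: 4
MachineLearning/Anomalous.96%, I:\PARADOX\DATA\EU4\VALIDATOR\AUDAX.VALIDATOR\APP\AUDAX.VALIDATOR.EXE, No Action By User, [0], [392687],1.0.4578
MachineLearning/Anomalous.96%, I:\PARADOX\DATA\EU4\VALIDATOR\AUDAX.VALIDATOR V1.21.5.ZIP, No Action By User, [0], [392687],1.0.4578
MachineLearning/Anomalous.96%, C:\USERS\STEVEN\APPDATA\ROAMING\Microsoft\Windows\Recent\Audax.Validator v1.25.2.zip.lnk, No Action By User, [0], [392687],1.0.4578
MachineLearning/Anomalous.96%, I:\PARADOX\DATA\EU4\VALIDATOR\AUDAX.VALIDATOR V1.25.2.ZIP, No Action By User, [0], [392687],1.0.4578
"""
AFTER = r"""
File: 1
MachineLearning/Anomalous.96%, I:\PARADOX\DATA\EU4\VALIDATOR\AUDAX.VALIDATOR V1.21.5.ZIP, No Action By User, [0], [392687],1.0.4588
"""

def parse_detections(log_text):
    """Return {lower-cased path: (detection name, score, update version)}."""
    found = {}
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if m:  # summary lines such as "File: 4" do not match and are skipped
            key = str(PureWindowsPath(m["path"])).lower()
            found[key] = (m["name"], int(m["score"]), m["update"])
    return found

def compare_scans(before, after):
    """Group paths by whether the later scan still reports them."""
    old, new = parse_detections(before), parse_detections(after)
    return {
        # "cleared" only means absent from the later log; the file may also
        # have been moved, deleted or excluded between the two scans.
        "cleared": sorted(set(old) - set(new)),
        "still_flagged": sorted(set(old) & set(new)),
        "new": sorted(set(new) - set(old)),
    }

if __name__ == "__main__":
    for status, paths in compare_scans(BEFORE, AFTER).items():
        print(status, paths)
```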

  • Staff

This is really weird. Can you try this and see if it still hits?

Totally exit/shutdown Malwarebytes.

 

Go here in Explorer:

C:\ProgramData\Malwarebytes\MBAMService

and delete the following file only.

hubblecache

 

It has no extension.

 

Then you can restart mbam and the cache file will rebuild on the next scan.

Link to post
Share on other sites

I just ran another test today with a custom scan and a full threat scan including a new 1.25.3 version of validator with no false positives.    Thank you very much for all your help.   :D

Note I did this before I saw your post above about deleting the cache.

 

Edited by steve1717
Link to post
Share on other sites
