Max_Pelletier

False Positive - Professional software Opto.Optosys.exe


Hi,

Since last week, our professional software is flagged as malware by Malwarebytes.

Our software is a management software for optometric clinics, developed since the '90s and constantly updated. It manages patient reservations, inventory, eye exams, patient recall, and billing.

We're starting to receive calls, and in some cases it is shutting down clinics as the executable is being quarantined, costing us remote support.

This is affecting our company's image, and could cause damages to our members, and clients.

It is installed on over three thousand computers in Canada, and is now flagged as malware by your anti-malware solution.

I checked our executable on virustotal.com, and it's not detected as malware in any way by anyone else.

With some research, I found that we are not the only ones affected by your new version, and that a new "machine learning" feature was released on your end. Can you teach this AI to whitelist our software please?

I have also attached relevant information.

I expect a prompt resolution of this issue.

 

Best regards,

Max Pelletier

System Administrator

Optometric Services Inc.

Falsepositivemalware.jpg

Hi,

This is detected by our Machine Learning/heuristic engine, which helps to protect even better against 0day threats. Unfortunately, as this is a heuristic engine, it's possible False Positives happen. Thanks for reporting these, as this helps to fine-tune the engine, so these won't be detected in the future anymore.

This should be fixed by now. Please give it some time (max 10 minutes) in order to have it populate, so detection won't happen anymore.


Things just got worse!

Two of our developers re-scanned their environment, and now it's even affecting previous versions.

Do you need anything to circumvent this? I can possibly send you the binaries of every program detected, but is it necessary?

Regards,

Max.

Capture.PNG

malwareBites.png

Hi,

Can you just send me the following files:

C:\DEV\CS\OPTOSYS2\CLIENT\DEVMANAGER\DIST\OPTO.OPTOSYS.DEVMANAGER.EXE

C:\DEV\CS\OPTOSYS2\CLIENT\OBJ\RELEASE\OPTO.OPTOSYS.CLIENTUPDATER.EXE

C:\DEV\CS\V2.0.35\TOOLS\SQL-DMO\DIST\SQL-DMO.EXE

C:\DEV\CS\V2.0.35\TOOLS\TSQL2CSHARP\BIN\TSQL2CSHARP.EXE

That way, I can compare them with each other to fine-tune the whitelisting better.

Thanks!

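The four files requested above are the evidence a vendor usually wants for a false-positive case. As an added example (not part of the thread, and not Malwarebytes' own tooling), the PowerShell below collects, for those four paths, the SHA-256, the Authenticode signature status and signer, and the version-resource fields, so the submitter can quote them instead of posting the binaries themselves. The paths are the ones listed in the post; the report location under $env:TEMP is an assumption.

```powershell
# Added example: gather false-positive evidence for a fixed list of executables.
# The four paths come from the thread; the CSV output path is an assumption.
$files = @(
    'C:\DEV\CS\OPTOSYS2\CLIENT\DEVMANAGER\DIST\OPTO.OPTOSYS.DEVMANAGER.EXE',
    'C:\DEV\CS\OPTOSYS2\CLIENT\OBJ\RELEASE\OPTO.OPTOSYS.CLIENTUPDATER.EXE',
    'C:\DEV\CS\V2.0.35\TOOLS\SQL-DMO\DIST\SQL-DMO.EXE',
    'C:\DEV\CS\V2.0.35\TOOLS\TSQL2CSHARP\BIN\TSQL2CSHARP.EXE'
)

$report = foreach ($path in $files) {
    # Skip missing files instead of failing halfway through the report.
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Missing: $path"
        continue
    }

    $item = Get-Item -LiteralPath $path
    $hash = Get-FileHash -LiteralPath $path -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $path

    [pscustomobject]@{
        File        = $item.Name
        SizeBytes   = $item.Length
        SHA256      = $hash.Hash
        # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Company     = $item.VersionInfo.CompanyName
        Product     = $item.VersionInfo.ProductName
        FileVersion = $item.VersionInfo.FileVersion
        LastWrite   = $item.LastWriteTimeUtc.ToString('u')
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -LiteralPath "$env:TEMP\fp-evidence.csv" -NoTypeInformation
```

The SHA-256 column can be searched on VirusTotal without uploading the file, which matters when the binaries are proprietary. The signature columns are worth checking before any submission: an unsigned, freshly built executable gives a heuristic engine one less reason to trust it, and a hash-only allowlist entry will stop matching as soon as the next build changes the file.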

Thanks.

This certainly helps. Please note that this requires a database update in order to whitelist this more broadly. I've added this to the pending updates already, so the next database update will help so this won't be detected anymore. Normally, the next database update will be pushed in 2-3 hours. In the interim, I already whitelisted the above 4 files as well (which doesn't require a database update).

Can you have your developers rescan tomorrow again and see what is still detected? This is especially to verify this for the files you didn't submit. But learning from the files you did submit, I think our broader whitelist rule would/should have these covered as well.

Thanks for your help on this!


Thanks.

I've fine-tuned this some more, so the above shouldn't be detected anymore. This will be via a database update as well.

The above 2 files are whitelisted already in the meantime (which doesn't require a database update).


Our next update will be in 2-3 hours as we just updated already.

But you can actually try a test scan now already to verify - where at least the 2 you've attached won't be detected anymore (I just verified here locally and no detection occurs), and because of the machine learning, there's a possibility the other ones aren't either anymore, even without the database update.


Thanks again for your time,

Our last scan shows no threat. This is very good.

What about future versions of our software? As mentioned previously, we release new versions quite often.

 

Max.


That's good to hear.

As for future versions of your software, that's exactly what I worked on yesterday and earlier today (after you sent me your last files), as this additional fine-tuning, where it requires a database update, will solve this as well, so these won't be detected anymore.


Thanks.

 

One last thing: can you please remove the attached files from this public thread, as they are proprietary files.

Best regards,

Max.


Done - removed the attachments.

Note, only moderators/administrators and Researchers can download files from this subforum though.
