
What is "MachineLearning/Anomalous"???


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link

  • Click the Gather Logs button

  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:


    Click "Reveal Hidden Contents" below for details on how to attach a file:
     

    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


In addition to what dcollins states and links to above, the Machine Learning detections come from the Use signature-less anomaly detection for increased protection setting located under Settings>Protection in the Scan Options section.  It's a new piece of smart detection technology that uses machine learning (obviously) along with cloud file analysis and data as well as tuned detection algorithms to identify potential threats based on whether or not an unknown object looks like malware.  It's basically what many other vendors refer to as "AI" or "Artificial Intelligence" (though in fact technically speaking, there is no such thing as true AI at this point in time; it's just complex mathematical pattern recognition and what is known as "fuzzy logic" more than anything, not true "thinking" which is probably why Malwarebytes refrains from calling it such because that wouldn't be an honest statement).

So basically, as the cloud component gathers more data it becomes smarter so they feed it information constantly about new files, both safe and malicious, so that over time it increases its effectiveness in identifying new threats without the need for threat signatures or definitions.  It's been on for a while now, but false positives do still occur from time to time, especially when those who create files fail to use good programming practices (things like including Microsoft version/file info when in fact they aren't Microsoft or using packers to compress and encrypt their files that are also known to commonly be used by real malware).  When an FP occurs, the Research team can whitelist the item so that it is no longer detected without reducing the effectiveness of the Machine Learning component.


One user reported a FP generated by Machine Learning / Anomalous 94%

I was surprised about 94%. If it would have been 50%, that may be a FP, but 94% means totally wrong. So how trustworthy is this system???

39 minutes ago, exile360 said:

it's just complex mathematical pattern recognition and what is known as "fuzzy logic"

Another surprise came from the developer who answered that this would be fixed in 10 minutes and a new update was released with the "fix"

Clearly the "fix" was not done in the "complex mathematical pattern recognition", impossible to do it in 10 min, but rather in a "white list" associated with this Machine Learning / Anomalous.

I do not see at this point any value being added by Machine Learning / Anomalous detection; maybe it is a premature mechanism at this point.


It depends on what triggered the FP.  If it was anything like the items I mentioned, then it only occurred because of poor practices on the part of whoever wrote the file that was detected.  I've seen many such FPs.  And if that was the case, then yes, the Dev would have simply whitelisted the file because the reason for the detection was legit.

If, on the other hand, the FP occurred because of an issue with the detection tech being too aggressive, then he could have easily tuned it down (and if it's the Developer who created this component, who I know personally, then I have no doubt he could have adjusted it in only 10 minutes because I worked with him on this project myself and conducted a lot of early testing with him and saw him frequently make such quick adjustments).

13 minutes ago, exile360 said:

poor practices on the part of whoever wrote the file that was detected.  I've seen many such FPs.  And if that was the case, then yes, the Dev would have simply whitelisted the file because the reason for the detection was legit.

Whitelisting it doesn't solve the problem in the long run; yes, that particular file will not be detected anymore, but any other similar one will be again detected with 94% which will decrease the user confidence in this Machine Learning technology.

 

16 minutes ago, exile360 said:

then he could have easily tuned it down

For a piece of software which may be downloaded on thousands of PCs, no developer will modify something in 10 min and release it in the wild without extensive in-house testing.

You do remember the incident from 2013: "It saddens me to report that at around 3 PM PST yesterday, Malwarebytes released a definitions update that disabled thousands of computers worldwide."

Just now, lock said:

Whitelisting it doesn't solve the problem in the long run; yes, that particular file will not be detected anymore, but any other similar one will be again detected with 94% which will decrease the user confidence in this Machine Learning technology.

For a piece of software which may be downloaded on thousands of PCs, no developer will modify something in 10 min and release it in the wild without extensive in-house testing.

You do remember the incident from 2013: "It saddens me to report that at around 3 PM PST yesterday, Malwarebytes released a definitions update that disabled thousands of computers worldwide."

Again, if the reason for the detection was legit, then my preference would be to whitelist it because other similar files are likely to be actual threats.

As for how long it takes to tweak, that's probably why it would take 10 minutes and not 2.  Every update that goes out must pass Malwarebytes' strict validation and testing process, which includes the measures that were taken following the incident you reference to ensure such issues do not occur again.


When we whitelist a file, it's not a traditional whitelist where an MD5 is added to a database and that file doesn't get flagged. If you look in the False Positive section, whenever someone reports a false positive for Machine Learning, the researchers ask for the actual file so that this file can be "fed" to the engine and told that it's a good file. This allows the engine to learn about this file, understand it's good, and adjust its behavior for files that may behave similarly to this one.

8 hours ago, dcollins said:

This allows the engine to learn about this file, understand it's good, and adjust its behavior for files that may behave similarly to this one.

Sounds a little bit SF....

...this file can be "fed" to the engine...the engine to learn about this file, understand it's good, and adjust its behavior ...

Are you serious????

 


The terminology makes it sound more like intelligence than it actually is.  In reality, when they add a new file to the set of data for the system and tell the system that the file is clean/safe (i.e. not malware, do not detect as a threat), the system analyzes the structure of the file and the various details about the file such as its version information, metadata and other aspects to determine what about the file makes it different from similar files that were positively identified as threats and then alters its detections based on that.  It basically comes down to sets of data, one for sets of files that are harmless, and one for sets of files that are malware and over time as it is trained, this system becomes more accurate at identifying each for new files it has never seen before.

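The difference discussed in the posts above, between allowlisting one file by hash and adding that file to the clean training set, shown as an added example that is not part of the thread and is not Malwarebytes' code. A small naive Bayes classifier stands in for the engine; the feature names, sample files, training data and the 0.8 cutoff are all constructed assumptions.

```python
import hashlib

# Constructed static features per file: (packed, spoofed_version_info, signed)
MALWARE = [(1, 1, 0), (1, 1, 0), (1, 0, 0), (1, 1, 1)]
BENIGN = [(0, 0, 1), (0, 0, 1), (0, 0, 0), (0, 0, 1)]
THRESHOLD = 0.8  # assumed cutoff above which a file is reported

def train(malware, benign):
    """Bernoulli naive Bayes with Laplace smoothing: class -> (prior, P(feature=1))."""
    total = len(malware) + len(benign)
    model = {}
    for label, rows in (("mal", malware), ("ben", benign)):
        probs = [(sum(col) + 1) / (len(rows) + 2) for col in zip(*rows)]
        model[label] = (len(rows) / total, probs)
    return model

def score(model, features):
    """Posterior probability that this feature vector belongs to the malware set."""
    joint = {}
    for label, (prior, probs) in model.items():
        p = prior
        for x, q in zip(features, probs):
            p *= q if x else 1 - q
        joint[label] = p
    return joint["mal"] / (joint["mal"] + joint["ben"])

def detected(model, data, features, allowlist=frozenset()):
    """Not flagged if the exact bytes are allowlisted by hash or the score is under the cutoff."""
    if hashlib.sha256(data).hexdigest() in allowlist:
        return False
    return score(model, features) >= THRESHOLD

# Constructed files: the reported false positive, a later build by the same
# author (same traits, different bytes), and a real threat.
REPORTED = (b"vendor-tool-v1", (1, 1, 1))
SIBLING = (b"vendor-tool-v2", (1, 1, 1))
THREAT = (b"dropper", (1, 1, 0))

base = train(MALWARE, BENIGN)
hash_allow = {hashlib.sha256(REPORTED[0]).hexdigest()}   # classic hash allowlist
retrained = train(MALWARE, BENIGN + [REPORTED[1]])        # file fed to the clean set

if __name__ == "__main__":
    for name, (data, feats) in (("reported", REPORTED), ("sibling", SIBLING), ("threat", THREAT)):
        print(name, round(score(base, feats), 3), detected(base, data, feats, hash_allow),
              round(score(retrained, feats), 3), detected(retrained, data, feats))
```

With the hash allowlist only the reported file stops being flagged and the sibling build is still detected; after retraining both drop below the cutoff while the constructed threat stays above it.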
