False Positive - My Own Code!

DrDESidran · August 13, 2018

I've been using MalwareBytes since the very beginning. But, recently, we're getting plagued by false positives for our own code!

I just did a build of our new game and MalwareBytes tagged it as Ransomeware probably because we use an online Wikia for documentation.

What gives? Is this the case? How can we stop this?

miekiemoes · August 13, 2018

Hi,

The antiransomware engine is behavior detection, so it was probably triggered by file-modification/injecting in different files etc etc.

Please zip and attach the actual file that is detected + the Mbamservice.log which is located in the following folder:

C:\ProgramData\Malwarebytes\MBAMService\LOGS

Thanks!

DrDESidran · August 13, 2018

Zip file of EXE and LOG attached. EXE won't run without lots of other supporting files.

FalsePositive.zip

miekiemoes · August 13, 2018

Thanks.

This helps to finetune the engine.

Let me know if this is still detected. If so, please make sure/verify it's the correct GSBPArmyEditor.exe you sent, this since the one you attached doesn't seem to have the same exact checksum as in the log you attached.

DrDESidran · August 13, 2018

I did a rebuild of the EXE because Malwarebytes locked the original. But the checksum should be the same.

Could the call process.start to open the Wikia web page https://general-staff-wargaming-system.wikia.com/wiki/General_Staff_Army_Editor cause the False Positive?

miekiemoes · August 13, 2018

Hi,

I can't tell for sure, but it's possible why this is triggered.

DrDESidran · August 13, 2018

1 minute ago, miekiemoes said:

Hi,

I can't tell for sure, but it's possible why this is triggered.

Well, try to confirm that process.start is the culprit and we'll use another call.

miekiemoes · August 13, 2018

Hi,

Yes, I asked someone from our Anti-ransomware team to give some more insight why the trigger happened.

DrDESidran · August 13, 2018

Just now, miekiemoes said:

Hi,

Yes, I asked someone from our Anti-ransomware team to give some more insight why the trigger happened.

Thanks.

miekiemoes · August 13, 2018

Hi,

We would love to get some additional files from you (the .arw captures)

Can you also zip the folder ARW present in the C:\ProgramData\Malwarebytes\MBAMService folder?

This file (zipped folder) might be too big to attach here, so can you upload it somewhere, so we can collect it easily?

Thanks!

DrDESidran · August 13, 2018

8 minutes ago, miekiemoes said:

Hi,

We would love to get some additional files from you (the .arw captures)

Can you also zip the folder ARW present in the C:\ProgramData\Malwarebytes\MBAMService folder?

This file (zipped folder) might be too big to attach here, so can you upload it somewhere, so we can collect it easily?

Thanks!

Attached.

MBARW.zip

miekiemoes · August 13, 2018

Thanks. Seems they compressed fine, so it was able to attach. Someone will look into this shortly

miekiemoes · August 14, 2018

Hi,

I've sent you a private message with the reasoning why this is triggered.

False Positive - My Own Code!

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Important Information