machinelearning/anomalous

[Thronic]

I wonder why these are triggered at 100 and 96%. I recently renamed the project, but I've changed GUID and all the references I can think of. Granted it's not signed, but neither is any of my other C# applications and they're all good, similar size and algorithms. Please provide hints and tips of how I can avoid this detection in the future. Virustotal gives me 0 hits. I'm not sure why yours gives me 96-100%.

Thanks.

mbamreport.txt

Klar.zip

[miekiemoes]

Hi,

Thanks for reporting this to us. To clarify this some more, our machinelearning engine detects as "Anomalous", not really malware. So that means, it triggers on some anomaly design, unfinished builds, sections where the entropy is quite high (in your case, the .text section has a high entropy in combination with the rest of the file - might be because of the Compiler/Packer), etc etc...  

Reporting this helps the machinelearning engine to train on your files faster, so it won't be detected anymore (including future updates).

Thanks!!!

[Thronic]

Thank you, that was quick.

[Thronic]

It's back again.

Trying to clean up source, resources, etc. to avoid this .text entropy issue. Extremely annoying by now.

[Thronic]

I had changed some version details, changed them back and seems good again. 

As a weird sidenote. I stripped a lot of autogenerated text from the project files to see if the % would go down, but it actually increased from 96% to 97%. 

[miekiemoes]

Hi,

I have sent you a private message via this forum to give you some more insight

 

[pctechnologiesmd]

I have the same issue with this installer:

 

https://sim.djicdn.com/Launcher/Launcher2_1_0_0__2018_10.exe

[miekiemoes]

Hi,

This is different from above, but I'll look into this if verified as legitimate and add it to our machinelearning engine to train on, so it won't get detected anymore.

Thanks for reporting!

[pctechnologiesmd]

Yes, it is different.  Please get back to me when you have an answer.  Thank you.  I uninstalled the program and will wait for your feedback.

[miekiemoes]

It looked quite suspicious, but after extra analysis, it was non malicious

 

[pctechnologiesmd]

Thank you!!

[pctechnologiesmd]

When will the database be updated so the program can be run without adding to the exclusions list?

[miekiemoes]

It's effective right now already - as, once we add it to our engine for learning, changes are applied immediately

 

[pctechnologiesmd]

Hmmm...i will try to update again and see what happens.  Still being blocked

[pctechnologiesmd]

[miekiemoes]

Hmm, do you still have this detection after a reboot? (or after quitting mbam and restarting it again?)

Because it could be because it was still in memory.

 

Edited to add, it's probably a caching issue. I had others verify on the same file and they didn't get a detection, so it should be OK again afterwards.

 

Edited October 31, 2018 by miekiemoes

[pctechnologiesmd]

Yes, rebooted and still shows

[miekiemoes]

Ok, give it some time, as it might be a caching issue on your end.

If it still shows the same tomorrow, please do the following: 

Quit malwarebytes from the systemtray.
Then navigate to the following folder:

C:\ProgramData\Malwarebytes\MBAMService

In there, locate the file HubbleCache and delete it.

Restart Malwarebytes again. A new Hubblecache will then be created again, so it will properly pick it up and remember to not detect this anymore.