MACHINELEARNING/ANOMALOUS.100%


notreally

Hello,

When somebody reports a FP "MachineLearning/Anomalous 100%", the typical answer is "This will be fixed in the next 10 minutes".

And it is fixed in the next 10 min.

My question is:

How is this fixed in "the next 10 min"? I hope it is not just added to a white list of signatures...

 


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following:

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab
  7. Click the Gather Logs button
  8. A progress bar will appear and the program will proceed with getting logs from your computer
  9. Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies".

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


  • Staff

The machine learning uses our cloud-based file information to determine detections. We fix it in the cloud instead of the database itself so the effect is quite under 10 mins. I can't get into specifics as there are a few proprietary systems involved.

Edited by AdvancedSetup
typo correction

4 hours ago, shadowwar said:

We fix it in the cloud instead of the database itself so the effect is quite under 10 mins. I can't get into specifics as there are a few proprietary systems involved. 

The question was: "we fix it in the cloud" by adding it to a white list, or "we fix it in the cloud" by fine-tuning our algorithm?

Based on time (less than 10 min) it is very unlikely the fixing is by tuning the detection algorithm but rather by simply adding the hash to a white list...

I was looking for a confirmation, one way or another.


Just to add to what shadowwar said above, this is one of the advantages of cloud protection for security products like Malwarebytes.  Because it is web based instead of dependent on locally stored databases/signatures, any changes (including detections for new threats, not just false positive corrections) can be rolled out much more quickly and just have to update on the Malwarebytes side/server side for the changes to take effect.

The only disadvantage is that if you are not connected to the web or if Malwarebytes is unable to reach its servers for some reason, it will be cut off from such updates (though this is not really any different from what would happen in the same situation with database updates since they too must be downloaded from the web).  With that said, Malwarebytes does store a sort of cache locally for the cloud components to help account for those types of scenarios as well as to help avoid the need for impacting your bandwidth too much by constantly checking in with the cloud (this is also a typical feature for cloud components in most products that use cloud functionality, so it's pretty standard stuff).

This cloud component was in the works for quite some time prior to going live and has continued to get better with time as it has been fed more data on good and bad files and behaviors to enhance its detection capabilities and reduce the number of FPs over time. However, they obviously do still happen, especially with new/never-before-seen files, particularly if they have any resemblance to known bad files, like using bad version info, lacking digital signatures, being packed with compression/packers known to be used by malware authors frequently, etc., so it also all depends on why the detection was triggered to begin with. If it happened because a developer followed poor practices and is putting out binaries that look like malware consistently, then future FPs are more likely; however, if it's just a matter of something different that the engine hasn't seen before and therefore looks anomalous, then it should only be a matter of time before the engine learns more about files of that type to classify them properly as safe/not malicious/not anomalous, etc.

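An added sketch, not part of the thread and not Malwarebytes' implementation, of the cloud lookup with a local cache described in the last post: it shows why a verdict changed on the server reaches an endpoint only once its cached answer expires, and what an offline endpoint falls back to. The class name, the 600-second cache lifetime and the verdict strings are assumptions made for the illustration.

```python
import hashlib
import time


class CloudVerdictClient:
    """Endpoint-side lookup: ask the cloud about a file hash, cache the answer."""

    def __init__(self, cloud_lookup, ttl_seconds=600, clock=time.monotonic):
        self._lookup = cloud_lookup  # callable(sha256_hex) -> verdict string
        self._ttl = ttl_seconds      # assumed cache lifetime, not a vendor value
        self._clock = clock
        self._cache = {}             # sha256_hex -> (verdict, fetched_at)

    def verdict(self, data):
        """Return (verdict, source); source shows where the answer came from."""
        digest = hashlib.sha256(data).hexdigest()
        now = self._clock()
        cached = self._cache.get(digest)
        if cached and now - cached[1] < self._ttl:
            return cached[0], "cache"            # fresh enough: no network call
        try:
            fresh = self._lookup(digest)
        except ConnectionError:                  # cloud unreachable: last known answer
            return (cached[0], "stale-cache") if cached else ("unknown", "offline")
        self._cache[digest] = (fresh, now)
        return fresh, "cloud"


def simulate():
    """Constructed timeline: the server-side verdict is corrected at t=60s."""
    sample = b"constructed sample bytes, not a real file"
    server = {hashlib.sha256(sample).hexdigest(): "anomalous"}
    state = {"now": 0.0, "online": True}

    def cloud_lookup(digest):
        if not state["online"]:
            raise ConnectionError("cloud unreachable")
        return server.get(digest, "clean")

    client = CloudVerdictClient(cloud_lookup, clock=lambda: state["now"])
    seen = [client.verdict(sample)]               # t=0: first lookup goes to the cloud
    state["now"] = 60.0
    server[next(iter(server))] = "clean"          # correction lands in the cloud
    seen.append(client.verdict(sample))           # t=60: cached answer still served
    state["now"] = 601.0
    seen.append(client.verdict(sample))           # cache expired: corrected verdict
    state.update(now=1300.0, online=False)
    seen.append(client.verdict(sample))           # offline: last known answer
    return seen
```

Calling `simulate()` returns the four (verdict, source) pairs in order; the sketch is neutral on how the server arrives at its corrected verdict.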
