Perspective tagged as (Malware.Ransom.Agent.Generic)


gdiObjects


Hello,

A software product I develop (Perspective for Windows) has suddenly been tagged as Malware.Ransom.Agent.Generic.

I'm attaching the digitally signed installer, the exported report and the log file (C:\ProgramData\Malwarebytes\MBAMService\logs).

Additionally, here's a link to the virustotal scan results page:

https://www.virustotal.com/#/file/c89d08c4848f0e0cba194ea6d4a95aa6d6825025a2807d0063f750587dc991c9/detection

Thank you for your help.

 

MBAMSERVICE.LOG PWCInstall.zip False Positive - Perspective.txt


What's interesting is that it never detected this until I created an updated build last night. I was editing the help file (while Perspective was running in the background) and all of a sudden I saw the red Malwarebytes box asking for a reboot.

I added it as an exclusion so I could keep developing.

What do you mean by "I remember we have fixed this earlier today already."  This is the first time I've posted here.

I also have another product, "fotoXplorer", not yet released, which also generates the same false positive because it uses available threads/cores to process (transform) images. Can I upload it even if it hasn't been officially released (the help file is incomplete)?


Do I need to do something to Malwarebytes, e.g. clear a cache, or simply remove the exclusions and all will be OK? Do you whitelist based on code-signing certificate or product release versions, and do I need to resubmit when there is a new build?

Also, with regards to fotoXplorer: can I submit an unreleased software product? Technically, I can't release it until the false positive is addressed.

Note: it's easier to recreate the problem with fotoXplorer because Malwarebytes' signatureless (behavioral) detection sees it as ransomware, since it can operate on multiple photos at the same time (multi-threaded processing).


  • Staff

As for FotoXplorer, before releasing it, yes please submit to us (you can post it in a private message to me if you don't want to post it public), so we can verify if detected and fix it.

And no, normally you don't need to clear a cache or anything, so you can remove your exclusions.

However, on the other hand, while you are developing, it's still a good idea to create an exclusion for the folder your files are in. Then when you're about to release, you can verify whether the new one is getting detected again and submit it to us as well.

Thanks!


  • 10 months later...

Hello,

I've updated my code signing certificate (2 year renewal) and hope you can check it and whitelist Perspective again.

Also, fotoXplorer is really almost done. Some minor fixes, and I need to complete (start) the help file. Should I post the installer for an unfinished product? It really triggers the generic.ransomware issue because it processes multiple images at the same time (multithreaded).

Thanks!

PWCInstall.zip


  • 2 months later...
On 5/5/2020 at 6:12 PM, Porthos said:

Off topic, you might want to update your Malwarebytes as well. Probably will not fix the detection though.

Under Settings > General, click Check for updates.

Hello,

Thanks for the tip... but my Malwarebytes is always up to date (I code daily). The problem is MB sees my app (Perspective) operating (rapidly) on wallpaper images (for desktop transitions) and tags it as ransomware... it's not!

-Steve


16 minutes ago, gdiObjects said:

Thanks for the tip... but my Malwarebytes is always up to date (I code daily)

The logs you posted showed it out of date (Components Version: 1.0.875), which is actually 2 releases behind. The component packages are metered out, so if you do not check for application updates manually each day you can be out of date, sometimes by weeks.

Below is the current release version.

[Screenshot: current release version]

The company has program updates pushed through the normal updater (the one that checks for database updates), metered in such a way that it is throttled, so not every user is offered the new build once it has been released; it becomes a matter of probability and is somewhat random. This means that you might be offered it early, or it might take a really long time before it is offered to you; it all depends. Basically a luck-of-the-draw kind of deal.

If you wish to avoid the wait, you may open Malwarebytes, navigate to Settings and click on the Install Application Updates button.

Edited by Porthos

Hello,

You need to have several thousand wallpaper photos queued (I test with over 30,000+ images) and set the Schedule to "Computer's Speed - No Delay" and let it run (possibly hours) to recreate the problem.  I let it run all day (and night) when testing.  If you watch the folder (D:\Documents\My Perspective\Temp) in real-time you will see how Perspective quickly preps the wallpaper images.  I don't think MB likes it.  Constant reading of source images and writing to a temp folder ...

I can't see how the log will help.  The ransomware tagging happened on Tuesday and I had to add the folder (C:\Program Files (x86)\Perspective) as an exclusion to test the release.

-Steve

MBAMSERVICE.LOG

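The activity Steve describes in the two posts above (bulk reads of source images and rapid writes of new files into a temp folder) is the kind of workload a rate-based ransomware heuristic can confuse with mass encryption. The following is an added example, not Malwarebytes' detection logic and not Perspective's code: it runs an assumed toy write-rate heuristic, and a refinement that counts only in-place modification of existing files, over constructed file-event traces to show why the benign workload trips the naive check but not the refined one.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    t: float    # seconds since the start of the trace
    op: str     # "read", "create", "modify" or "rename" (path = file being renamed)
    path: str

# Constructed trace: a wallpaper-prep run reads each original once and writes
# a new converted copy into a temp folder; the originals are never touched.
PERSPECTIVE_EVENTS = [
    ev for i in range(50) for ev in (
        FileEvent(i * 0.02, "read", rf"D:\Pictures\wall{i}.jpg"),
        FileEvent(i * 0.02 + 0.01, "create",
                  rf"D:\Documents\My Perspective\Temp\wall{i}.bmp"),
    )
]

# Constructed trace: a ransomware-like run rewrites each original in place and
# renames it, at the same rate as the benign workload above.
RANSOM_EVENTS = [
    ev for i in range(50) for ev in (
        FileEvent(i * 0.02, "read", rf"D:\Pictures\wall{i}.jpg"),
        FileEvent(i * 0.02 + 0.005, "modify", rf"D:\Pictures\wall{i}.jpg"),
        FileEvent(i * 0.02 + 0.01, "rename", rf"D:\Pictures\wall{i}.jpg"),
    )
]

def distinct_writes_per_window(events, ops, window=1.0):
    """Distinct files touched by the given write ops, bucketed per time window."""
    buckets = defaultdict(set)
    for e in events:
        if e.op in ops:
            buckets[int(e.t // window)].add(e.path)
    return {k: len(v) for k, v in buckets.items()}

def naive_flag(events, threshold=20):
    """Assumed toy heuristic: too many distinct files written per second, any op."""
    counts = distinct_writes_per_window(events, {"create", "modify", "rename"})
    return max(counts.values(), default=0) > threshold

def refined_flag(events, threshold=20):
    """Refinement: only in-place modify/rename of existing files counts as suspicious."""
    counts = distinct_writes_per_window(events, {"modify", "rename"})
    return max(counts.values(), default=0) > threshold

if __name__ == "__main__":
    for name, trace in (("Perspective", PERSPECTIVE_EVENTS), ("ransom-like", RANSOM_EVENTS)):
        print(f"{name}: naive={naive_flag(trace)} refined={refined_flag(trace)}")
```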

  • Staff

Thanks, Steve. Unfortunately, with debug logging enabled during a scan, the logging which could have shown this detection event is gone.

Let's try this another way. Can you send the entire C:\ProgramData\Malwarebytes\MBAMService\ArwDetections folder, please?

Thanks,
-Bob

