oroechimaru

community game project false positive


This is a custom client built in C# by our community and contains a false positive from the "machine learning" detection of the scan.

I attached the file in question, "razor-dev-preview (1).zip", which is the plugin tool that runs macros for the game client and handles other game client interactions. I also attached the main project itself (ClassicUO) for additional future consideration. Thanks a ton for helping our community (UOoutlands.com).


https://github.com/andreakarasho/ClassicUO

https://github.com/jaedan/razor

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/12/19
Scan Time: 2:17 AM
Log File: 2c971658-8ce2-11e9-902e-1c6f65901ad8.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.11008
License: Premium

-System Information-
OS: Windows 10 (Build 17763.475)
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 433014
Threats Detected: 2
Threats Quarantined: 0
Time Elapsed: 13 min, 17 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
MachineLearning/Anomalous.100%, C:\USERS\myusername\APPDATA\ROAMING\Microsoft\Windows\Recent\Razor-dev-preview (1).zip.lnk, No Action By User, [0], [392687],1.0.11008
MachineLearning/Anomalous.100%, C:\USERS\myusername\DOWNLOADS\RAZOR-DEV-PREVIEW (1).ZIP, No Action By User, [0], [392687],1.0.11008

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


Razor-dev-preview (1).zip ClassicUO-dev-preview-release (5).zip


The method of download I usually use is directly from GitHub. However, in this case I utilized a new PowerShell feature the devs assist players with, to get the latest alpha builds of the client (both ClassicUO and Razor) via a PowerShell script.


a. shift right click your folder > launch powershell in this folder.

b. run the command below to obtain the latest files:


Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/markdwags/Razor/master/InstallClassicUOAndRazor-NoDefaults.ps1'))


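The one-liner above downloads the installer script and passes it straight to Invoke-Expression, so nothing is written to disk where it can be read or hashed before it runs. The following is an added example (not code from the Razor or ClassicUO projects, and not part of the original post) of the same procedure done in two steps: fetch the script to a file, record its SHA-256, highlight the lines that themselves fetch or execute more remote code, and only then run it from the reviewed file. The URL is the one from the post; $ExpectedSha256 is a placeholder, on the assumption that you obtain a trusted hash from the project (the page does not say whether one is published).

```powershell
# Added example, not the project's installer or the forum poster's code.
# Fetch-to-disk, hash, review, then run: same end result as the iex one-liner,
# but the script can be inspected before anything executes.
# Assumptions: the URL below is the one from the post; $ExpectedSha256 is a
# placeholder you fill in from a hash you trust (leave $null to skip the check).

$Url = 'https://raw.githubusercontent.com/markdwags/Razor/master/InstallClassicUOAndRazor-NoDefaults.ps1'
$ScriptPath = Join-Path $env:TEMP (Split-Path -Leaf $Url)
$ExpectedSha256 = $null   # e.g. '0123ABCD...' once you have a trusted value (assumption)

# Older Windows PowerShell builds default to TLS 1.0; raw.githubusercontent.com needs TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Invoke-WebRequest -Uri $Url -OutFile $ScriptPath -UseBasicParsing

$Hash = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash
Write-Host "SHA256 $Hash  $ScriptPath"

if ($ExpectedSha256 -and ($Hash -ne $ExpectedSha256)) {
    throw "Hash mismatch: got $Hash, expected $ExpectedSha256. Not running."
}

# Point out the lines worth reading closely: anything that downloads and
# executes further code, changes execution policy, or launches processes.
$Patterns = 'Invoke-Expression|\biex\b|DownloadString|DownloadFile|Invoke-WebRequest|Set-ExecutionPolicy|Start-Process'
Select-String -Path $ScriptPath -Pattern $Patterns |
    ForEach-Object { '{0,4}: {1}' -f $_.LineNumber, $_.Line.Trim() }

# Open the full script for review; it runs only after an explicit confirmation.
notepad.exe $ScriptPath
$Answer = Read-Host 'Reviewed the script? Type RUN to execute it in this session'
if ($Answer -ceq 'RUN') {
    # Same process-scoped policy change as the original one-liner, but the code
    # that runs is the file you just read, not a second, unseen download.
    Set-ExecutionPolicy Bypass -Scope Process -Force
    & $ScriptPath
}
```

Run it from the game folder, as in step a. above, since `& $ScriptPath` inherits the current directory the same way the iex form does. The pattern list is only a reading aid: a line that matches is not wrong by itself (the installer has to download the builds from somewhere), the point is to know where those fetches go before executing them.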

Hi,

I can't reproduce detection anymore, so this might have been fixed already.

Can you rescan and see if it's still detected? If it is still detected, can you extract the contents of the archives, scan the extracted files and let me know which exact file is being detected in the archive? I ask because even extracting these archive files here doesn't yield any detections.

Thanks!

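To answer the request above (which exact file inside the archive is being detected), it helps to expand both attachments into a scratch folder and record a SHA-256 for every file before scanning, so a detection path can be matched to a specific file and hash. The following is an added example, not part of the original thread and not Malwarebytes or project code; it assumes the two zips are in the current folder under the names listed in the first post.

```powershell
# Added example, not from the thread or from Malwarebytes.
# Expand the attached archives and list SHA256 per file, executables first,
# so a later detection path can be reported together with the file's hash.
# Assumption: both zips sit in the current folder under the names from the post.

$Archives = @('Razor-dev-preview (1).zip', 'ClassicUO-dev-preview-release (5).zip')
$Scratch  = Join-Path $env:TEMP 'fp-triage'
New-Item -ItemType Directory -Path $Scratch -Force | Out-Null

foreach ($Zip in $Archives) {
    if (-not (Test-Path -LiteralPath $Zip)) {
        Write-Warning "Missing: $Zip"
        continue
    }
    # -LiteralPath because the names contain parentheses and spaces.
    $Dest = Join-Path $Scratch ([IO.Path]::GetFileNameWithoutExtension($Zip))
    Expand-Archive -LiteralPath $Zip -DestinationPath $Dest -Force
}

# One row per extracted file. Executables and DLLs are sorted to the top since
# those are the files an anomaly engine classifies; everything else follows.
$Inventory = Get-ChildItem -Path $Scratch -Recurse -File |
    Sort-Object { $_.Extension -notin '.exe', '.dll' }, FullName |
    ForEach-Object {
        [pscustomobject]@{
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Bytes  = $_.Length
            Path   = $_.FullName.Substring($Scratch.Length + 1)
        }
    }

$Inventory | Format-Table -AutoSize

# Keep the inventory beside the extracted files so it can be attached to the report.
$Inventory | Export-Csv -LiteralPath (Join-Path $Scratch 'inventory.csv') -NoTypeInformation
Write-Host "Extracted to $Scratch; run a Custom Scan of that folder and match any detection path to a row above."
```

After the scan, the detection line in the Malwarebytes log (the same "MachineLearning/Anomalous.100%, <path>, ..." format as in the first post) names the file; the matching row gives the hash, which is what a vendor needs to whitelist one build rather than a filename that changes with every dev preview.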

Good morning lol


Thanks for the reply. This happened overnight with the passive/background scanner (not an active scan). I have most of the advanced security settings checked (rootkits etc.) but I forget off the top of my head (at work) whether those are related to the background scanner. I will see if anyone can help test today and will try again tonight. Thanks for testing!



Yes, our detections also apply to the passive/background scanner, mainly when something is launched/executed.

But we typically fix false positives immediately, especially if they are related to our machine learning detection (as minor FPs can always happen with machine learning engines), so it could have been a one-time detection for you only, which was fixed immediately afterwards. :)

Nevertheless, thanks for the heads-up!


Thanks!


I had another user just test it out and had similar issues.

Apologies, it's not in a clean format; it's a copy/paste from Discord on my Android.


 Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/11/19
Protection Event Time: 7:58 PM
Log File: be60ade4-8ca4-11e9-a259-00ff67cfb27b.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.11004
License: Premium

-System Information-
OS: Windows 10 (Build 17134.765)
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
MachineLearning/Anomalous.100%, C:\Users\RyGull\Desktop\ClassicUO\Data\Plugins\Assistant\Razor.exe, Delete-on-Reboot, [0], [392687],1.0.11004


(end)


Thanks.

This might be a different version of razor.exe, than the previous one attached, but I will be able to collect some more razor.exe files for applying a better whitelist for these, in order to cover previous and future versions.

Thanks for reporting!


Thanks.

ClassicUO (the ClassicUO.exe file itself) is never triggered by our machine learning. It's mainly razor.exe.

But the next database update should fix this. :)



Awesome, I will pass it on and test. Forgot to add: the "history" section on AppVeyor has older zips. Appreciate it.

