thedrs

MachineLearning/Anomalous False Positive (I am a developer/MBAM premium)


Hi,

This is quite annoying.

Your ML algo. requires some tuning. I wrote a simple prog (1000 lines) in C# WinForms that reads files, calculates stuff, writes report files - no internet connections and no low-level file access.

MBAM shows:

MachineLearning/Anomalous94/95

I tried to sign it as you advised and still have the problem. I don't want to sign it though.

I uploaded it to VirusTotal and nothing was found by any AV prog (but my own purchased MBAM does detect this).

Please help, I don't want to go through this MBAM forum process each time I add a new feature and compile it.

Thanks

 


cryptoIRS.7z


Greetings,

Until a member of Research responds, I'd recommend excluding the folder where your compiled binaries are stored just to prevent detections while you're creating your programs. Exclusions are recursive, so only the parent directory where the detected executables are stored needs to be excluded. You'll find details on how to create an exclusion under the Exclude a File or Folder section of this support article.

Assuming they aren't able to whitelist your files automatically going forward for your releases, at least this will save you the trouble of having to deal with each build being detected once compiled, and you can submit your files for whitelisting if necessary once you're ready to actually publish a new build; that way it won't be detected for others who might download your application (though hopefully Research will be able to provide a more permanent solution for your files going forward).

With regards to why the files are being detected, I can only speculate, but I do know that if a file has common traits of malware, such as being packed with certain packers or containing Microsoft version info for non-Microsoft files, those are a couple of the criteria I believe the heuristics engine looks for (there are many others as well obviously, those are just some of the more common ones I see being reported for FPs from developers).

Anyway, I hope this helps, and hopefully they will be able to tune the engine not to detect your files going forward.


I am not packing with any 3rd party, just Visual Studio compilation to exe.

My program is already ready to publish but I am not publishing because of the false positive.

I am going to add features daily and republish every day. Will I have to contact you every day to whitelist my new compilation?

 


Hi,

Normally not, as the machine learning engine learns from these files and will automatically use additional logic to not detect.

 

