scotty2541

Why are my False Positives RANDOM?


First...  I am a software developer.  Using VC6, VS 2010, and VS2015.  I've been doing this for 30 years.  

I removed Malwarebytes a year ago when it suddenly decided to start declaring my compiled programs as malware (specifically MachineLearning/Anomalous.97% or some such thing).  Including exes which were compiled as much as a decade ago, and haven't been updated.

I just installed Malwarebytes again... (free trial) and it immediately complained about two of my small applications (4 when you also count the desktop shortcut that points to it)

I re-ran it, and the next time, it only complained about one (actually 2 if you count the desktop shortcut that points to it).

Minus a few points for reliability...

So I decided it was only following my desktop shortcuts.  I tried to point a "custom" scan to my source code folder which has literally 300+ executables of test programs, production programs, special tools, etc...  (Perhaps a virus attached itself to one of my compilers).

BUT THE SCREEN CLOSES BEFORE I CAN RUN IT.  And there is no way from the main window to choose a "custom scan"...  When I click the menu on the left, it only lets me "Start Scan".  I can only select a custom scan from the COMPLETION window...

Minus several more points for usable UI...

And obviously, detection has gotten WORSE over the past year.  I ran a few other things, and none of them complained...

So... why should I buy a subscription for a product that will undermine my development and prevent me from actually getting work done??

 


The anomaly detection system is a self-learning system. When it runs across a file it doesn't know, it tests it, and if it turns out not to be malware then it whitelists it. So FPS are less, then, in this instance, and not a missed-detection issue. The system has learned a lot in the past year along with other improvements code-wise.

If you still have files that are fps please attach them here and we can analyze them and expedite the whitelisting as sometimes the system can take up to 24 hours to adjust.

So fps have gotten less over the past year is what you are running into thus less fp detections. Detection of malware has greatly improved.

We recommend always excluding your working directory. The reason is that non-code-ready files can look anomalous to the engine, as they are not a complete file and would never be seen in the wild otherwise.

What version are you talking about for custom scans?

3 or mbam 4 beta?

 

 

 

 

Edited by shadowwar


 

Gee...  I tried to reply.  Several times.  And it won't let me.  Thanks.

*** We’re sorry but our system has detected wording in your post consistent with spam, It may be by accident, please try changing the wording and try to post again.
If you’re still unable to, then please contact our Helpdesk at the following link:


/*  Another Attempt...    Also submitted via some online support form on the web...  */

Define "fps" please...   (ignore that, I figured it out)  I am running MBAM 3.8.3.  Just installed today.

I was able to get the "scan" page to show me the three panels of options (Threat, Custom, Hyper).   Originally, it would take me directly to the Scan page and start running. 

I have an archive of code/objects.  There are 58 version folders in it (this was not my idea, I was given this project structure...), with dozens of exe's in each...  I told it to scan a few specific folders in that code directory (which have C++ text files, DLLs and EXEs plus all those intermediate files created when building).

I stopped the scan at 150 exe's identified.  All of them 4+ years old.  Do you really want all those??

I have re-run it several times, pointing it to another project source tree (not the one I mention above).  Now, it only complains about one of the files I mentioned in my original post, not both of them.  It's as though someone told it "Don't complain about xxx.exe,  but you can continue to complain about yyy.exe". And that is a release, optimized compile, not a debug, non-optimized compile.

Plus, these are products.  I will not post our licensed programs on a public forum.


Well, we recommend all devs exclude their working folder. Partial code and objects can trip up anomaly detection as it's not common for a normal user to have those on their system.

 

 

You can send me the mbamservice.log and I might be able to analyze it from there. It's located here:

C:\ProgramData\Malwarebytes\MBAMService\logs

If you would like, you can zip up some of the files detected and private message me with them and I can look at what is going on.
