bignose956

Malwarebytes is removing my program

I wrote a simple Java program controlled by a local file which switches my default audio device. The program is quite simple (I wrote it in five minutes), and is not dangerous in any way:

 

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;

public class Main {

	public static void main(String[] args) throws IOException {
		// State file that remembers which device is currently selected
		File file = new File("C:\\Users\\Peter Orlowski\\switch.txt");
		FileInputStream in = new FileInputStream(file);
		byte[] buffer = new byte[in.available()];
		in.read(buffer);
		in.close();
		// trim() so a trailing newline in the file does not break the comparison
		String s = new String(buffer).trim();
		Process process;
		if (s.equalsIgnoreCase("hp")) {
			// Currently on headphones: record "tv" and switch to the TV
			FileOutputStream out = new FileOutputStream(file, false);
			out.write("tv".getBytes());
			out.flush();
			out.close();
			process = Runtime.getRuntime().exec("nircmd setdefaultsounddevice SCEPTRE-TV 1");
		} else {
			// Otherwise record "hp" and switch to the speaker/headphone device
			FileOutputStream out = new FileOutputStream(file, false);
			out.write("hp".getBytes());
			out.flush();
			out.close();
			process = Runtime.getRuntime().exec("nircmd setdefaultsounddevice Speaker/HP 1");
		}
		System.out.println("----- PROCESS-OUTPUT -----");
		InputStream in1 = process.getInputStream(), err = process.getErrorStream();
		while (process.isAlive()) {
			while (in1.available() > 0) {
				byte[] b = new byte[in1.available()];
				// Read the pending bytes; without this the buffer stays empty
				// and available() never drops, so the loop never ends
				int n = in1.read(b);
				System.out.println(new String(b, 0, n));
			}
			while (err.available() > 0) {
				byte[] b = new byte[err.available()];
				int n = err.read(b);
				System.err.println(new String(b, 0, n));
			}
		}
	}

}

I used Launch4J to wrap the program in an executable (exe) file so I could set a custom file icon. Whenever I try this with my program, however, Malwarebytes quarantines it as malware. Here is the report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/28/19
Protection Event Time: 9:06 PM
Log File: d832e3e4-124c-11ea-8a3d-d0bf9c1cf11c.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.629
Update Package Version: 1.0.13583
License: Premium

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
MachineLearning/Anomalous.95%, C:\Users\Cardinal System\Desktop\AudioSwitch.exe, Quarantined, [0], [392687],1.0.13583


(end)

Is there any way I can stop Malwarebytes from quarantining this? Perhaps there's a whitelist? Maybe I can change something in my code? I have two other Java programs I wrote which are wrapped in executable, and Malwarebytes does not bother them at all...

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab on the left column

  7. Click the Gather Logs button

  8. A progress bar will appear and the program will proceed with getting logs from your computer

  9. Upon completion, a file named mbst-grab-results.zip will be found on your Desktop. Click OK

  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:


Click "Reveal Hidden Contents" below for details on how to attach a file:
 

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

 

16 hours ago, bignose956 said:

Hmm, the issue seems to have just fixed itself...

Wait, I was wrong. It is still detecting my program as malware... 

39 minutes ago, bignose956 said:

Wait, I was wrong. It is still detecting my program as malware... 

False positives

False positives are a reality in the anti-malware industry, and our anomaly detection models are no exception.  We do our best to try to keep them to a minimum.  Malwarebytes anomaly detection engine scans more than 3 million unique files per day and we receive false positive reports on 0.0001% of them.  If your software is one of the unlucky few, we apologize for the inconvenience.

Detections by our anomaly detection engine are identified as "anomalous" files, not as "malware".  Typically a false positive arises when a piece of legitimate software has never been seen before across our entire userbase of tens of millions of users, and was written using techniques or tools commonly used by malware, such as very old versions of Visual Basic, executable packers or obfuscators, or the lack of a valid digital signature.  It is not surprising that our models often consider such files to look anomalous.

We would encourage all software developers to avoid packing or obfuscating their code after compilation, use consistent Version Information and to digitally sign their code to guarantee its integrity.  Signing in particular has been a best-practice in the software industry for decades, and offers users a guarantee that an app has not been tampered with.  There are high-profile examples of apps that have been tampered-with to add or incorporate malware.  We would not want unsigned software on our machines in 2018, and we suspect most of our users wouldn’t either.

As a last resort, if you are unable or unwilling to take these steps, please ATTACH examples of the files being detected as anomalous, and we will add them to our database of known good apps.

Also, if you are a developer, while building your application, I suggest you exclude the working/building directory from detection via the exclusion settings in Malwarebytes. This is because our anomaly detection might possibly detect some of the files you are building.
Once the application/project is final and ready to be shared with others, in most cases it won't be detected anymore since it won't be triggered as "anomalous" anymore either.

In case a "final project" is still detected, please let us know (include the sample), so we can add it to our database of known good apps as well to prevent this in the future.
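
An added example, not part of the post above and not Malwarebytes tooling: a PowerShell check a developer could run on a wrapped executable before release to see whether it carries the digital signature and Version Information the reply recommends. The default file path is a placeholder, and treating "consistent" as populated fields with a matching OriginalFilename is an assumption.

```powershell
# Added example: release check for a wrapped .exe (not Malwarebytes tooling).
# The default path is a placeholder; pass the path of your own build output.
param([string]$Path = '.\AudioSwitch.exe')

function Test-ReleaseMetadata {
    param([Parameter(Mandatory)][string]$Path)

    $file     = Get-Item -LiteralPath $Path -ErrorAction Stop
    $findings = @()

    # Digital signature: 'Valid' means the Authenticode signature verifies and
    # chains to a certificate this machine trusts. 'NotSigned' is the usual
    # result for a freshly wrapped, unsigned executable.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is '$($sig.Status)', expected 'Valid'"
    }

    # Version Information: report empty fields in the PE version resource.
    $vi = $file.VersionInfo
    foreach ($field in 'CompanyName', 'ProductName', 'FileDescription',
                       'FileVersion', 'ProductVersion', 'OriginalFilename') {
        if ([string]::IsNullOrWhiteSpace($vi.$field)) {
            $findings += "Version resource field '$field' is empty"
        }
    }

    # Consistency (assumed reading): the embedded name matches the file on disk.
    if ($vi.OriginalFilename -and $vi.OriginalFilename -ne $file.Name) {
        $findings += "OriginalFilename '$($vi.OriginalFilename)' differs from '$($file.Name)'"
    }

    [pscustomobject]@{
        File     = $file.FullName
        # SHA-256 identifies the exact build when reporting a false positive.
        Sha256   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Signer   = $sig.SignerCertificate.Subject
        Findings = $findings
        Ready    = ($findings.Count -eq 0)
    }
}

Test-ReleaseMetadata -Path $Path | Format-List
```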

8 hours ago, Porthos said:

False positives

Thank you, this is very informative! I did not know that Malwarebytes had file system exclusions. Because this specific program is solely for personal use, I will place it in a special directory and exclude it.

 

Thanks again!
