False Positive Issues


dro

Hi

I've been having recurring issues with new compiles of the key files for the software I'm developing (a Winamp-compatible replacement), which are getting flagged as either anomalous or with a generic heuristic value when checked via VirusTotal. This has been happening since the start of 2021, but normally these detections clear themselves out after a few hours. However, it's now been a few days since I made the provided compiles & despite having initially cleared like before, they have now come back & aren't going away, which is why I'm now here.

 

The affected files are:

wacup.exe (wacup_exe.zip) - https://www.virustotal.com/gui/file/c0e95da3336bba9217eff5c51cadaedc0270bc7ece6b2dbbfac365b80957e63a/detection (MachineLearning/Anomalous.100%)

winamp.exe (winamp_exe.zip) - https://www.virustotal.com/gui/file/57a4b3e17221e2a4e6d8d0077f6bc1134111076e6e218f13742a532cee074ebf/detection (MachineLearning/Anomalous.100%)

winamp.dll (winamp_dll.zip) - https://www.virustotal.com/gui/file/af8eeda642384d61940060c905ac5cf4b1d02d93b3761f696e8194df3cf30fbb/detection (Malware.Heuristic.1001)

The 2 exes are just stubs to load the shared winamp.dll, which does the work & is done like that to save on code duplication, with the only functional difference being the icon & version information reported (the winamp.exe is used for compatibility purposes for installers & other 3rd-party tools). Additionally, the only change that is made to the exes with each update is the reported version in them & whatever the compiler (VS2017) decides it's going to do (if that might help to know).

 

These false detections are also triggering issues with the installers, with Malware.Heuristic.1001 the reason noted on their reports - https://www.virustotal.com/gui/file/2266ff0bdf2b82e301647154611a9084d28318ef3a6b1394403d2fdbbd0863a2/detection (normal) & https://www.virustotal.com/gui/file/7cd6ec506b592cfb8b195a08d2be330dafe50f0bf6e0d6b9a9889b92e6baba09/detection (portable). I can also attach them if needed, or they're available from https://getwacup.com/preview/ - I just didn't want to post too many files in one go in case that causes more issues :)

Thanks,

-dro

wacup_exe.zip winamp_dll.zip winamp_exe.zip


  • Staff

Hi,

This is detected by our MachineLearning engine, which helps to protect even better against 0-day threats. Unfortunately, as this is a heuristic engine, it's possible that false positives happen. Also see here for more explanation: https://forums.malwarebytes.com/topic/238670-machinelearninganomalous-detections-and-explanation/
Thanks for reporting these, as this helps to fine-tune the engine, so these won't be detected anymore in the future.

This should be fixed by now. Please give it some time (max 10 minutes) for it to populate, so detection won't happen anymore.

 


Unfortunately I'm still not seeing a change, having just re-run the VirusTotal scans on the affected files :(

I get that heuristics are a dark art & I did have a read of the noted thread before posting, so I appreciate that this is something I've probably got to keep doing in flagging false positives. It's just frustrating when, until the start of 2021, it hadn't been a constant recurring issue with any new compile.

-dro


  • Staff

Hi,

Our engine format and configuration in VirusTotal is different from our consumer and corporate products' default configuration. In VirusTotal we use a command-line engine with a different configuration and detection techniques/heuristics, which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.

This file has been whitelisted for our commercial products and is not detected anymore locally. This will resolve itself in VirusTotal as well after a while.


It's over a day now & I'm still seeing the false positives on the VirusTotal reports. There have been a few times in checking when winamp.dll cleared, but it's gone back to showing the generic heuristic reason again, with no change on the other files :(

Is there a rough timescale I should be expecting?

I've also found that the following are being incorrectly flagged as Malware.Heuristic.1001:

in_wv.dll - https://www.virustotal.com/gui/file/569210cbd8d696915dd30ef39cb76f82ba695b79f316261c51a912171894dc05/detection (wavpack decoder)

ml_rg.dll - https://www.virustotal.com/gui/file/318986f257cc2e868b399ac0ffe148f4944fd75fec13494cba186295cc29d46c/detection (replaygain process)

Thanks,

-dro

in_wv_dll.zip ml_rg_dll.zip


  • Staff

The files aren't locally detected, which is the most important here.

As for VirusTotal, this isn't something under our control. As I have explained, in VirusTotal we use a command-line engine with a different configuration and detection techniques/heuristics, which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.


Quote: "The files aren't locally detected, which is the most important here."

I'm going to have to disagree with that, as the results from your service have a wider reach of impact than just local detections.

To a user looking at things, they see your service name on a VT report, see it flagged & then skip it, or permanently assume the software is bad, or question me about it, as unfortunately some services we've all grown to rate higher than others when something is flagged, which in hindsight is a mistake.

They don't have any context of what's doing what, nor should they, but that doesn't help me, so understandably I'm frustrated at this process, especially when the files have been flagged through your VT / command-line solution for almost a week at this time.

-dro


5 days later - winamp.dll & in_wv.dll are still being incorrectly flagged on VT, which is 12 days since they were compiled & provided to users. I'm also seeing this with newer compiles of the 2 DLLs from my development builds.

ml_rg.dll eventually cleared over the weekend on VT, but there seems to be a flip-flop state when that eventually happens, like there are different instances with out-of-sync definitions / whatever the voodoo magic being used is.

-dro
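The thread above is driven by manually re-opening VirusTotal report pages over several days and noticing that one engine's verdict flips back and forth per file. Added example, not code from the forum thread, from Malwarebytes or from the WACUP project: a small Python script that computes the SHA-256 VirusTotal uses as the file id, pulls one named engine's verdict out of a file report, and diffs the verdicts between two check-ins so a flip-flop shows up as a change. It assumes the VirusTotal API v3 file-report layout (data.attributes.last_analysis_results keyed by engine name, each entry carrying category and result). The sample bytes, hashes and reports are constructed for the example and are not real scan results; fetch_report shows how a live lookup would be done with an API key but is not called.

```python
"""Track one engine's VirusTotal verdict across a set of file hashes.

Added example (not from the forum thread or the WACUP project). Assumes the
VirusTotal API v3 file-report shape: data.attributes.last_analysis_results
is a dict keyed by engine name, each value holding "category" and "result".
All sample data below is constructed, not real scan output.
"""
import hashlib
import json
import urllib.request
from typing import Dict, List, Optional, Tuple

# VT categories that count as a detection for our purposes.
FLAGGED = {"malicious", "suspicious"}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes; VirusTotal uses this hex digest as the file id."""
    return hashlib.sha256(data).hexdigest()


def engine_verdict(report: dict, engine: str) -> Optional[str]:
    """Return the engine's detection name, or None if undetected or not present."""
    results = report["data"]["attributes"]["last_analysis_results"]
    entry = results.get(engine)
    if entry is None or entry.get("category") not in FLAGGED:
        return None
    return entry.get("result")


def summarize(reports: Dict[str, dict], engine: str) -> Dict[str, Optional[str]]:
    """Map each file hash to the engine's verdict for that file."""
    return {h: engine_verdict(r, engine) for h, r in reports.items()}


def diff_verdicts(old: Dict[str, Optional[str]],
                  new: Dict[str, Optional[str]]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Hashes whose verdict changed between two check-ins (this is the flip-flop signal)."""
    changes = []
    for h in sorted(set(old) | set(new)):
        if old.get(h) != new.get(h):
            changes.append((h, old.get(h), new.get(h)))
    return changes


def fetch_report(sha256: str, api_key: str) -> dict:
    """Live lookup, not exercised here: GET /api/v3/files/{id} with an x-apikey header."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _report(engine_entries: dict) -> dict:
    """Build a constructed report containing only the fields this script reads."""
    return {"data": {"attributes": {"last_analysis_results": engine_entries}}}


# Constructed stand-ins for the DLLs named in the thread (made-up bytes, not real builds).
SAMPLES = {
    "winamp.dll": b"constructed sample bytes for winamp.dll",
    "in_wv.dll": b"constructed sample bytes for in_wv.dll",
    "ml_rg.dll": b"constructed sample bytes for ml_rg.dll",
}
HASHES = {name: sha256_hex(data) for name, data in SAMPLES.items()}
ENGINE = "Malwarebytes"  # the engine column being tracked
HEURISTIC = {ENGINE: {"category": "malicious", "result": "Malware.Heuristic.1001"}}
CLEAN = {ENGINE: {"category": "undetected", "result": None}}

# Constructed snapshots: all three flagged on day one, ml_rg.dll cleared later.
FIRST_RUN = {HASHES[n]: _report(HEURISTIC) for n in SAMPLES}
SECOND_RUN = {
    HASHES["winamp.dll"]: _report(HEURISTIC),
    HASHES["in_wv.dll"]: _report(HEURISTIC),
    HASHES["ml_rg.dll"]: _report(CLEAN),
}


def example_changes() -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Verdict changes between the two constructed snapshots."""
    return diff_verdicts(summarize(FIRST_RUN, ENGINE), summarize(SECOND_RUN, ENGINE))


if __name__ == "__main__":
    for h, before, after in example_changes():
        print(f"{h[:12]}... {before} -> {after}")
```

In practice you would persist each day's summarize() output as JSON and run diff_verdicts against the previous one; a hash that goes from a detection name to None and back again is exactly the out-of-sync behaviour the last post describes, and the record gives you dates to quote when reporting it.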
