
Potential false positives


Alvin55


Malwarebytes recently found two new threats on my machine, marked as Malware.Heuristic.1001 and 1003 - to my knowledge, nothing about these files has changed and they have been on my machine for some time.

Interestingly they are both VST plugins used with audio production software and are both located in the Program Files x86 folder (I'm running Windows 10 x64).

Could someone from the MB team please confirm whether or not these are false positives?

Thanks!


Vstplugins-potentialfalsepositives.rar


1 minute ago, Alvin55 said:

Maybe it's due to some of the heuristics settings I have activated?

Yes.

Do you have "Use expert system algorithms to identify malicious files" enabled? It is located in Settings > Security > Scan options.

I ask since this is normally disabled by default.

Either way, Staff will look into this and get this fixed.

Thanks for reporting!

It is to detect malformed files, but sometimes legit files use protection that makes them malformed. We are still tweaking the algorithms, which is why it's off by default. If you switch it on, it is assumed you are able to tell the difference between an FP and a legit detection.

And if you keep it on, I suggest also turning off auto quarantine. That gives you the time to report FPs and not go through the extra step of having to restore from quarantine.


Thanks, yes, I did enable the "Use expert system algorithms to identify malicious files" setting some time ago. I'm aware this has the potential to generate false positives; however, I would like to think that it has the potential to detect zero-day malware that doesn't have signatures in MB yet. This is my layman's understanding of why someone would turn on this setting?

What I find incredibly strange is that I have a full daily scan running and yet these two files were only detected yesterday.

I haven't run any of the audio software for ages so these files must have been sitting there stagnant unless something changed them?


Staff

These files are whitelisted now. 

You pretty much nailed the reason for the algorithm. It's to detect malformed files, something that is non-standard compared to most programs. However, some protection schemes and executable packers can cause a file to be malformed. We are still tweaking the algorithms, so that is why we recommend leaving it off for now.

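The "malformed files" point made in the staff replies above, illustrated with an added example that is not part of the thread and not Malwarebytes' code (its expert-system heuristic is not public). It assumes only the documented Win32 PE header layout and flags two traits that legitimately protected or packed binaries share with malware, which is exactly why such a heuristic produces false positives: a section that occupies memory but has no data on disk, and near-random (high-entropy) section contents. The `build_sample_pe` helper constructs a toy image so the check runs offline.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> list[str]:
    """Walk the PE section table and return the traits a malformed-file heuristic
    would trip on; an empty list means nothing suspicious by these two checks."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # section table follows the optional header
    findings = []
    for i in range(nsections):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if rawsize == 0 and vsize > 0:
            # Memory reserved but nothing on disk: an unpacking stub fills it at run time.
            findings.append(f"{name}: {vsize} bytes in memory, 0 on disk")
            continue
        ent = shannon_entropy(pe[rawptr:rawptr + rawsize])
        if ent > entropy_threshold:
            findings.append(f"{name}: entropy {ent:.2f} looks compressed or encrypted")
    return findings

def build_sample_pe(sections: list[tuple[bytes, int, bytes]]) -> bytes:
    """Constructed, minimal PE image for offline testing: real header layout, no
    optional header, not loadable. Each section is (name, VirtualSize, raw bytes)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, raw_ptr = b"", b"", 0x40 + 24 + 40 * len(sections)
    for name, vsize, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, len(data),
                             raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return dos + coff + table + body
```

A real plugin DLL protected by a commercial licensing wrapper typically shows both indicators, so a tool relying on them alone needs a whitelist step like the one the staff applied here.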
