
SPFLite2 false positives



  • Staff

C:\PROGRAM FILES (X86)\SPFLITE2\CFGMAINT.EXE
C:\Program Files (x86)\SPFLite2\SPFLite2.exe

Hello, we need a closer look at the above files. Please zip and upload them in your next reply.

9 minutes ago, BillH99999 said:

Here is another component of SPFLite which was flagged today.  


Malware.Heuristic.1003

Hi,

Do you have "Use expert system algorithms to identify malicious files" enabled? It is located in Settings > Security > Scan options.

This is normally disabled by default.

Either way, Staff will investigate this and get this fixed.

Thanks for reporting!

FYI. This setting is in the experimental stage.

That setting is to detect malformed files, but sometimes legit files use protection that makes them malformed. Malwarebytes is still tweaking the algorithms; that is why it's off by default. If you switch it on, it is assumed you can tell the difference between an FP and a legit detection.

And if you keep it on, I suggest also turning off auto quarantine. That gives you the time to report FPs and not go through the extra step of having to restore from quarantine.

Please turn off "Use expert system algorithms to identify malicious files". It is located in Settings > Security > Scan options. This avoids these detections.


@Porthos

That setting was turned on.  I don't remember ever turning it on, but maybe I did and just don't remember.  I turned it off.

How about "Use artificial intelligence to detect threats"?  I don't remember turning that on either.  Is it on by default?  Should I leave it on?

Another question.  Why was this detected in a scheduled custom scan, but not in a scheduled threat scan or a user initiated threat scan?

Thanks,
Bill


1 hour ago, BillH99999 said:

How about "Use artificial intelligence to detect threats"?  I don't remember turning that on either.  Is it on by default?  Should I leave it on?

These are the default.


I would have thought that C:\PROGRAM FILES (X86) and its subdirectories would have been "malware related areas". Is that not the case? Is there a list somewhere of what areas the threat scan looks at?

I have seen on these boards many times that custom scans are not needed and that threat scans are sufficient. This would seem to refute that idea.

Bill


  • Staff

There isn't a list, but all load points are scanned and linked, in addition to a bunch of other commonly used malware locations. So if the file has no load point or isn't in memory, then on a threat scan it may not be picked up if it's not in an area we normally look at on a threat scan. But it would have to be not running or not loading into Windows. It would be picked up by the protection module if it was ever called on to run, though.

Thanks for the info.

I have run the program that this is part of on numerous occasions without getting anything detected, even though the custom scan detected it. I guess this means the program didn't execute this particular .DLL. I think I'll keep running my custom scan, as it did detect it.

Thanks,

Bill


38 minutes ago, BillH99999 said:

I think I'll keep running my custom scan as it did detect it.

It is an FP. If you did not have "Use expert system algorithms to identify malicious files" enabled, it would not have detected it no matter what kind of scan.

FYI. That setting is in the experimental stage. That is why it is off by default.

That setting is to detect malformed files, but sometimes legit files use protection that makes them malformed. Malwarebytes is still tweaking the algorithms; that is why it's off by default. If you switch it on, it is assumed you can tell the difference between an FP and a legit detection.

And if you keep it on, I suggest also turning off auto quarantine. That gives you the time to report FPs and not go through the extra step of having to restore from quarantine.

Please turn off "Use expert system algorithms to identify malicious files". It is located in Settings > Security > Scan options. This avoids these detections.

As for custom scans,

Malwarebytes is not designed to function like normal AV scanners and uses a new kind of scan engine that relies mostly on heuristic detection techniques rather than traditional threat signatures. Malwarebytes is also designed to look in all the locations where malware is known to install itself/hide, so a full or custom scan shouldn't be necessary, especially on any sort of frequent basis (like daily), since the default Threat Scan/Quick Scan checks all loading points/startup locations, the registry, all running processes and threads in memory, along with all system folders, program folders and data folders, as well as any installed browsers, caches and temp locations. This also means that if a threat were active from a non-standard location, because Malwarebytes checks all threads and processes in memory, it should still be detected. The only threat it *might* miss would be a dormant/inactive threat that is not actively running/installed on a secondary drive; however, if the threat were executed then Malwarebytes should detect it. Additionally, whenever a new location is discovered to be used by malware, the Malwarebytes Research team adds that location dynamically to the outgoing database updates, so the locations that are checked by the default Threat/Quick Scan in Malwarebytes can be changed on the fly by Research without requiring any engine or program version updates/upgrades.

2 hours ago, Porthos said:

Malwarebytes is also designed to look in all the locations where malware is known to install itself/hide, so a full or custom scan shouldn't be necessary, especially on any sort of frequent basis (like daily), especially since the default Threat Scan/Quick Scan checks all loading points/startup locations, the registry, all running processes and threads in memory, along with all system folders, program folders and data folders as well as any installed browsers, caches and temp locations. 

I guess that was my question. If it is supposed to check all program folders, then why didn't the threat scan detect it? It was in a subfolder of Program Files (x86). The custom scan did detect it.

Bill


2 hours ago, Porthos said:

It is a FP. if you did not have "Use expert system algorithms to identify malicious files" enabled it would not have detected it no matter what kind of scan.

FYI. That setting is in the experimental stage. That is why it is off by default.


Well... my scheduled threat scan, which ran at 12:01 AM on 7/10, didn't detect it, but my scheduled custom scan, which ran at 12:15 AM on 7/10, did detect it. Hence my original question about why a custom scan would detect it but a threat scan wouldn't. The file was C:\PROGRAM FILES (X86)\SPFLITE2\LIB\THINBASIC_TRACE.DLL and it was there for both scans.

Bill

Threat Scan Results.txt Custom Scan Results.txt


I guess I still don't understand. I thought it was only detected because I had "Use expert system algorithms to identify malicious files" enabled. Why would the database version make any difference, or does this option rely on the database for its detections?

Bill
