
False positive detected


HighFlyer525


Hi,

I've had a false positive detected by your software via the VirusTotal website here: VirusTotal 

It's obfuscated and not digitally signed, but I'm afraid as a freeware part-time developer I can't afford to pay for a cert to sign my software, and obfuscation is necessary from a .NET perspective as it's otherwise child's play to reverse engineer it.

Thanks for your help,


On 8/15/2021 at 12:24 AM, sUBs said:

I would say Yes, it's likely

Then apologies, can I submit this version? Last night I commented out some stuff in a bid to find out what it was before I realised it was the obfuscation.

I forgot to uncomment it before submission! 

Thanks,  

 

Edited by AdvancedSetup
removed attachment per user request


Our engine format and configuration in VirusTotal is different than our consumer and corporate products’ default configuration. In VirusTotal we use a command-line engine with different configuration and detection techniques/heuristics which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.

This file is not detected by the consumer or commercial versions of Malwarebytes.

This will resolve itself in VirusTotal after a while.
 


On 8/15/2021 at 12:45 AM, sUBs said:


Our engine format and configuration in VirusTotal is different than our consumer and corporate products’ default configuration. In VirusTotal we use a command-line engine with different configuration and detection techniques/heuristics which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.

This file is not detected by the consumer or commercial versions of Malwarebytes.

This will resolve itself in VirusTotal after a while.
 

Hi,

Sorry, back again.

My version of Malwarebytes installed on my laptop also detected this. See attached log.

Also, the site I want to upload it to, to share with the community, will not let me unless I can get it to run clean on VirusTotal. I've managed to clear all other false positives with other vendors, you're the last one now. Is there no way to examine and then whitelist this .EXE? I'm blocked from sharing with the community without your support.

Thanks again, 

 

Edited by AdvancedSetup
removed attachment per user request

2 minutes ago, Porthos said:

Looks like you scanned something in VMware.

I still get no detection on a live system.


 

Because it was copied into and then out of a VM, I think it's picked it up from the temporary location it stores it before copying it in. It's actually found it on a normal Windows 10 pro laptop. 

If I right click and scan it's clean as well, not sure why it picked it up on a normal C scan and not a context scan. 

However, the VirusTotal positive is the one giving me the biggest headache unfortunately. It's stopped me dead in my tracks.


Just now, HighFlyer525 said:

the VirusTotal positive is the one giving me the biggest headache unfortunately. It's stopped me dead in my tracks.

VirusTotal is having trouble reaching Malwarebytes CLOUD whitelisting server, hence the ongoing detection.

I have seen this issue for months. It is VT's issue.


55 minutes ago, Porthos said:

VirusTotal is having trouble reaching Malwarebytes CLOUD whitelisting server, hence the ongoing detection.

I have seen this issue for months. It is VT's issue.

I'm suspicious of this conclusion to be honest. It's providing the exact same false positive as the client version: MachineLearning/Anomalous.100%

That can't just be a coincidence. It seems to be in line with the client desktop version. My understanding is, it's flagged because it doesn't match any known 'good files'; however, if I can't get it into circulation, how will it ever? Isn't this a chicken and the egg scenario?


10 minutes ago, Porthos said:

Executables in temp locations can trigger the AI.

Same issue with another obfuscated app I created in the same log on the same scan:

MachineLearning/Anomalous.100%, C:\USERS\{Username}\DOCUMENTS\PREPAR3D WEATHER APPLICATION.EXE

Not in a temp location.

Also failed VirusTotal for the same reason: VirusTotal

I'm not trying to actively find a fault with your advice, sorry, but it needs to be systematically and logically excluded by a process of elimination. I've seen nothing yet to see VirusTotal is at fault. They're in agreement it seems.


1 minute ago, Porthos said:

That one is also detected as Agent Tesla by Microsoft.

Correct, the one we're talking about now (TOD_Calculator_and_Pause.exe) was detected by four other vendors. However, after I submitted it as a false positive, they examined it and added it to the whitelist. 

It's only Malwarebytes that's stopping it now....... 

