Jump to content

False positive detected


Recommended Posts

Hi,

I've had a false positive detected by your software via the VirusTotal website here: VirusTotal 

It's obfuscated and not digitally signed,  but I'm afraid as a freeware part time developer I can't afford to pay for a cert to sign my software and obfuscation is necessary from a .NET perspective as it's otherwise child's play to reverse engineer it.

Thanks for your help,

Link to post
Share on other sites

On 8/15/2021 at 12:24 AM, sUBs said:

I would say Yes, it's likely

Then apologies, can I submit this version. Last night I commented out some stuff in a bid to find out what it was before I realised it was the obfuscation. 

I forgot to uncomment it before submission! 

Thanks,  

 

Edited by AdvancedSetup
removed attachment per user request
Link to post
Share on other sites

  • Staff


Our engine format and configuration in VirusTotal is different than our consumer and corporate products’ default configuration. In VirusTotal we use a command-line engine with different configuration and detection techniques/heuristics which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.

This file is not detected by the consumer or commercial versions of Malwarebytes.

This will resolve itself in Virustotal  after a while.
 

  • Thanks 1
Link to post
Share on other sites

On 8/15/2021 at 12:45 AM, sUBs said:


Our engine format and configuration in VirusTotal is different than our consumer and corporate products’ default configuration. In VirusTotal we use a command-line engine with different configuration and detection techniques/heuristics which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.

This file is not detected by the consumer or commercial versions of Malwarebytes.

This will resolve itself in Virustotal  after a while.
 

Hi,

Sorry, back again.

My version of Malwarebytes installed on my laptop also detected this. See attached log.

Also, the site I want to upload it to, to share with the community, will not let me unless I can get it to run clean on VirusTotal. I've managed to clear all other false positives with other vendors, you're the last one now. Is there no way to examine and then whitelist this .EXE? I'm blocked from sharing with the community without your support.

Thanks again, 

 

Edited by AdvancedSetup
removed attachment per user request
Link to post
Share on other sites

2 minutes ago, Porthos said:

Looks like you scanned something in VMware.

I still get no detection on a live system.

image.png.7fd5ad670912196eba8837043b233832.png

 

Because it was copied into and then out of a VM, I think it's picked it up from the temporary location it stores it before copying it in. It's actually found it on a normal Windows 10 pro laptop. 

If I right click and scan it's clean as well, not sure why it picked it up on a normal C scan and not a context scan. 

However, the VirusTotal positive is the one given me the biggest headache unfortunately. It's stopped me dead in my tracks.

Link to post
Share on other sites

Just now, HighFlyer525 said:

the VirusTotal positive is the one given me the biggest headache unfortunately. It's stopped me dead in my tracks.

Virus total is having trouble reaching Malwarebytes CLOUD whitelisting server hence the ongoing detection.

I have seen this issue for months. It is VT's issue.

Link to post
Share on other sites

55 minutes ago, Porthos said:

Virus total is having trouble reaching Malwarebytes CLOUD whitelisting server hence the ongoing detection.

I have seen this issue for months. It is VT's issue.

I'm suspicious of this conclusion to be honest. It's providing the exact same false positive as the client version: MachineLearning/Anomalous.100%

That can't just be a coincidence. It seems to be in-line with the client desktop version. My understanding is, it's flagged because it doesn't match any known 'good files' however, if I can't get it into circulation, how will it ever. Isn't this a chicken and the egg scenario?

Link to post
Share on other sites

10 minutes ago, Porthos said:

Executable's in temp locations can trigger the AI.

Same issue with another obfuscated app I crated in the same log on the same scan: 

MachineLearning/Anomalous.100%, C:\USERS\{Username}\DOCUMENTS\PREPAR3D WEATHER APPLICATION.EXE

Not in a temp location.

Also failed VirusTotal for the same reason: VirusTotal

I'm not trying to actively find a fault with your advice sorry, but it needs to be systematically and logically excluded by a process of illumination. I've seen nothing yet to see VirusTotal is at fault. They're in agreement it seems.

Link to post
Share on other sites

3 minutes ago, HighFlyer525 said:

I just moved the original .EXE out of the temp location and it still picked it up on a scan. 

Are you connected to the internet during the entire scan process?

Edited by Porthos
Link to post
Share on other sites

1 minute ago, Porthos said:

That one is also detected as agent tesla by Microsoft.

Correct, the one we're talking about now (TOD_Calculator_and_Pause.exe) was detected by four other vendors. However, after I submitted it as a false positive, they examined it and added it to the whitelist. 

It's only Malwarebytes that's stopping it now....... 

Link to post
Share on other sites

11 minutes ago, HighFlyer525 said:

I'm not even sure what that means now..........

Just means the out of date version was the issue on the local file.

VT is still an issue that VT has to fix. MB is very cloud connected .

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.