False Positive EncrypIT

toborobot

EncrypIT.7z

This is an application I have put together in order to allow domain users to easily encrypt and decrypt files using EFS. After adding an ability for the users to define where they would like to save a backup of their EFS certificate key file and a prompt to define a password used in protecting the private key, Malwarebytes began believing the executable is malicious.
https://github.com/OsbornePro/EncrypIT
https://sourceforge.net/projects/encrypit/
https://osbornepro.com/encrypit

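For readers unfamiliar with what the post describes, here is an added PowerShell example (not EncrypIT's own code) of the two EFS operations involved: exporting the user's EFS certificate and private key to a password-protected PFX backup, and encrypting a file with EFS. The file and backup paths are placeholders.

```powershell
# Added example, not from the EncrypIT project. Backs up the current user's EFS
# certificate to a password-protected PFX, then EFS-encrypts a file.
# $FileToEncrypt and $BackupPath are placeholder paths.
param(
    [string]$FileToEncrypt = "$env:USERPROFILE\Documents\secret.txt",
    [string]$BackupPath    = "$env:USERPROFILE\Documents\efs-backup.pfx"
)

# EFS certificates carry the "Encrypting File System" EKU (OID 1.3.6.1.4.1.311.10.3.4).
$efsEku = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert = Get-EfsCertificate
if (-not $cert) {
    # Windows creates the EFS certificate the first time a file is encrypted
    # (self-signed unless an enterprise CA issues one), so encrypt first.
    (Get-Item $FileToEncrypt).Encrypt()
    $cert = Get-EfsCertificate
}
if (-not $cert) { throw 'No EFS certificate with a private key was found.' }

# Password that protects the private key inside the exported PFX.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the EFS key backup'

# Export-PfxCertificate ships in the PKI module (Windows 8 / Server 2012 and later).
Export-PfxCertificate -Cert $cert -FilePath $BackupPath -Password $pfxPassword -Force | Out-Null

# FileInfo.Encrypt() calls the Win32 EncryptFile API; it only works on NTFS volumes.
$item = Get-Item $FileToEncrypt
if (-not ($item.Attributes -band [IO.FileAttributes]::Encrypted)) {
    $item.Encrypt()
}

# cipher /c lists the certificates that can decrypt the file, confirming the result.
cipher.exe /c $FileToEncrypt
Write-Host "EFS key backed up to $BackupPath (thumbprint $($cert.Thumbprint))"
```

If the PFX is lost and the user's profile is later re-created, files encrypted with that key cannot be recovered, which is why a backup prompt like the one described above matters.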

The attached file is not detected by the consumer or commercial versions of Malwarebytes.

The engine format and configuration in VirusTotal is different from the consumer and corporate products' default configuration. In VirusTotal, Malwarebytes uses a command-line engine with different configuration and detection techniques/heuristics which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.

This will eventually fix itself in VirusTotal as well, as Malwarebytes has no control over this. VirusTotal is having trouble reaching the Malwarebytes cloud.


I have the paid version of Malwarebytes and the paid version detects this as malicious, as does the free version of Malwarebytes in VirusTotal. If the paid version of Malwarebytes is detecting this, is it still going to auto-correct itself?

TRIED TO ISOLATE WHAT THE DETECTION WAS
In an attempt to discover what was causing the detection, I commented out all button functionality in the application. I experimented with removing code signing as well. The app does not do anything other than load a window, and Malwarebytes is still quarantining the file whenever I open it. I tried renaming the file and opening it from different locations with the same results.

TOOK EXTREME MEASURES TO ISOLATE WHAT THE DETECTION WAS
To take it a step further I deleted all the commented out functionality and deleted all the code in the application in case word usage was a trigger. The version of the app that does nothing returns 4 different AV solutions in VirusTotal including Malwarebytes.

THERE IS NO LEGITIMATE REASON FOR THE DETECTION?
Malwarebytes returns https://blog.malwarebytes.com/detections/machinelearning-anomalous-100/

Will doing something like setting a cap or only allowing the application to encrypt one file at a time prevent it from being viewed as ransomware or whatever Malwarebytes is detecting?

NoSigning-NoFunctionality-EncrypIT.7z


After restarting the computer it no longer detects the file I attached as being malicious. I am not sure why that would be the case if the file hash and name are different. It must have been some type of cached value. It appears I will have to restart each time I make a change in order to isolate what is triggering AV.
