Probable false positive


merlyni

I ran into problems with Forum registration rejecting my email address which was fixed via a Support ticket.  I included the log file and tried to also attach the file that was detected as infected.  Multiple attempts failed and I only got fpreport.txt across.  I think I was running into the usual problem where email systems may check attachments for viruses: in the false positive situation, that tends to block such files from getting through.  I tried the workaround of sending the offending file as a password-protected zip, which usually works for me, but in this case seemed to encounter the same sort of thing.  The file has a 16/63 VirusTotal value, the zip has a 1/56 VirusTotal value and so if VirusTotal was used for screening by a hop, that might be enough to stop things either way.  Hopefully, the Forum post approach will succeed.  The password for the attached wmail32.zip is "malwarebytes".

When I tried running another scan, Malwarebytes no longer flagged the file; I conjecture that the fpreport.txt I sent before was used to whitelist. However, a copy of the file I had put on my Windows Desktop, involved with the process of trying to attach the file, was still flagged, as well as a couple of temp files likely from my emailing attempts, and a recents link file to it. Turning off the "Use expert system algorithms to identify malicious file" option did not change this, but also turning off the "Use artificial intelligence to detect threats" did remove detection.

The Program Files directory for the Bullzip (bullzip.com) "PDF Printer" application is wmail32.exe's location. I've used the Bullzip application successfully forever. I last updated it mid-March. It seems to me very likely a false positive situation.

Staff

Hi,

This is detected by our MachineLearning engine, which helps to protect even better against 0day threats. Unfortunately, as this is a heuristic engine, it's possible False Positives happen. Also see here for more explanation: https://forums.malwarebytes.com/topic/238670-machinelearninganomalous-detections-and-explanation/
Thanks for reporting these, as this helps to fine-tune the engine, so these won't be detected in the future anymore.

This should be fixed by now. Please give it some time (max 10 minutes) in order to have it populate, so detection won't happen anymore.


My retest gave the same results:

1. C:\PROGRAM FILES\BULLZIP\PDF PRINTER\WMAIL32.EXE is no longer detected, as before.  I guess this path has been whitelisted.

2. The copy on my Windows Desktop still is detected.  I guess the file itself has not been whitelisted.

3. The temporary files (further evidence is seen that they came from email processing), and the "recents" link, are still detected.

Erasing the copy, and the temporary files, gives a clean result.

I wonder if:

1. It would be better not to flag copies of the problem file.  It seems odd to call one of two identical copies of the same file malware, and one not.

2. Following up with Bullzip might be good.  Perhaps the file can be changed to not set off detection in the future.

There is a support ticket, 3576739, related to this issue (mostly from my problem with Forum registration rejecting my email initially.)  There's a chance some resulting confusion and wasted effort could be happening.

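The point raised in item 1 above, that an allowlist keyed on a file path clears one copy but not identical copies elsewhere, whereas an allowlist keyed on the file's content hash clears all of them, shown as an added Python example that is not part of this thread or of Malwarebytes' own code. The directory layout, file names and file bytes are constructed stand-ins for the Program Files original, the Desktop copy and an e-mail temp copy.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in bytes; not the real wmail32.exe.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in for wmail32.exe"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(paths, allowed_paths, allowed_hashes):
    """Map each path to 'allow:path', 'allow:hash' or 'flag'.

    Path matching is case-insensitive, as Windows paths are; hash matching
    ignores where the file sits and looks only at its content.
    """
    lowered = {a.lower() for a in allowed_paths}
    verdicts = {}
    for p in map(Path, paths):
        if str(p).lower() in lowered:
            verdicts[str(p)] = "allow:path"
        elif sha256_of(p) in allowed_hashes:
            verdicts[str(p)] = "allow:hash"
        else:
            verdicts[str(p)] = "flag"
    return verdicts


def demo():
    """Write the same bytes to three locations and classify them both ways."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        original = root / "Program Files" / "Bullzip" / "PDF Printer" / "wmail32.exe"
        desktop_copy = root / "Desktop" / "wmail32.exe"
        temp_copy = root / "Temp" / "attachment.tmp"  # constructed temp-file name
        files = [original, desktop_copy, temp_copy]
        for p in files:
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(SAMPLE_BYTES)
        by_path = classify(files, allowed_paths=[str(original)], allowed_hashes=set())
        by_hash = classify(files, allowed_paths=[], allowed_hashes={sha256_of(original)})
        return by_path, by_hash
```

`demo()` returns two verdict maps: the path-keyed one clears only the Program Files copy and flags the other two, the hash-keyed one clears all three.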
