Naming folder "False Positive" makes Malwarebytes ignore malicious files


Greetings,

Just found this at random. Don't know if it's a bug or intended.

Basically I've modified one of my EXE files for a game in order to get the proper title on Playnite (with tools like Resource Tuner 2.20 or Resource Hacker 5.1.8 where you can edit the ProductName metadata).

On that particular one, Malwarebytes doesn't like the change and starts to show up like that :

And this is the scan on VirusTotal : https://www.virustotal.com/gui/file/96779fcc37c3f211889548215c3679b138fb88697aa24e6188c0627ea977d977?nocache=1

However, I've put the game inside a folder called "False Positive" and suddenly Malwarebytes stops noticing it.

My "Allow List" is completely empty :

I've also tested this on another computer with a brand new installation of Malwarebytes and as soon as the EXE is inside a folder called "False Positive" - it won't detect anything.

Is that supposed to happen? What will prevent someone from creating the same naming for a folder ("False Positive") and putting all kinds of malicious things there, since MB will ignore them?

Link to post
Share on other sites

Found out something else from another topic


Basically those files that I've modified are only shown as malicious when the expert system algorithms thing is active.

If I deactivate it - none of my modified files are triggered as malicious (or at least the ones with a type Heuristic)

The thing with the "False Positive" folder is still unclear.

I have several modified files that are Machine Learning / Anomalous 97% (first attachment)

They are also ignored if I put them inside a "False Positive" folder :D (second)

Link to post
Share on other sites

2 hours ago, Lerain said:

Basically those files that I've modified are only shown as malicious when the expert system algorithms thing is active.

If I deactivate it - none of my modified files are triggered as malicious (or at least the ones with a type Heuristic)

This is off by default and should not be turned on.

Link to post
Share on other sites

16 hours ago, Porthos said:

This is off by default and should not be turned on.

Why is this present in the options if "should not be turned on" ????

Sure, from a marketing point of view " Use expert system algorithms...." sounds terrific, but is that fair?????

Link to post
Share on other sites

13 minutes ago, claudiubo said:

Why is this present in the options if "should not be turned on" ????

Sure, from a marketing point of view " Use expert system algorithms...." sounds terrific, but is that fair?????

My point exactly..

But either way (with this feature on or off) putting EXEs inside a folder named "False Positive" - will not trigger any detection or at least - will not trigger any detection that is related to "Machine Learning" and "AI" as a type.

So what about that ? :D

I plan to find an actual virus and hide it inside such a folder just to see if MB will recognize it after that. Time to go to some shady sites, I reckon. (O.o)

Link to post
Share on other sites

Found one from this website : https://www.eicar.org/?page_id=3950

Scanning the "eicar.com" will lead to :

And if I put that inside a "False Positive" folder = same detection. So MB won't care about the folder if it's a specific type of virus (like "EICAR-AV-Test" in this example).

BUT

I've also tested the "Zemana Simulation Test Programs" from here (Number 5) : https://www.raymond.cc/blog/test-the-effectiveness-of-your-antivirus-firewall-and-hips-software/

That one is labeled "Malware.AI.##########"

And if I put that one inside a "False Positive" - take a look

So at this point we can say for sure that
Malwarebytes AI scanning thing (for the lack of a better name) ignores everything that is inside a folder named "False Positive".

This is only for virus types that the AI predicts might be harmful but is not really sure about. Just a guess, I don't know how this thing works.

It was not documented anywhere so I reckon it might be a bug, but at this point I think it's more of a feature that was not explained publicly.

I rest my case tho - as the other "real type" viruses will be detected no matter the folder name and so on.

Link to post
Share on other sites

Again, they are not static detections.

"If it walks like a duck, and it squawks like a duck, then it must be a duck."

But if Mickey Mouse walks like a duck, and Mickey Mouse squawks like a duck, it does not make Mickey Mouse a duck.

At the same time if Donald Duck squeaks like Mickey Mouse, it doesn't make him a mouse.

But if you get the DNA or Fingerprints of Donald Duck you can say he's a duck.  The DNA or Fingerprints would be a static detection.

If one alters the characteristics of a file and its location without changing the physical file, it will change the Heuristic detections or lack thereof of a file.

This would all change if there was a static detection such as Trojan.IcedID

** If you have a Windows based malware sample that is not detected then please submit it in Newest Malware Threats following the below guidance...


Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
  • Like 1
Link to post
Share on other sites
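
A toy model of the static-versus-heuristic distinction drawn in the post above, added here as an illustration; it is not part of the original thread and is not Malwarebytes' code. The sample bytes, detection names, score weights and the folder-name feature are all assumptions; the thread does not establish why the verdict changes with the folder name.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed sample bytes (not real malware) and a copy with edited metadata.
ORIGINAL = b"MZ" + b"constructed-sample ProductName=Game"
MODIFIED = b"MZ" + b"constructed-sample ProductName=My Game Title"

# Static detection: a fingerprint of the exact bytes (the "DNA" in the post).
SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest(): "Toy.Static.Sample"}

def static_verdict(data: bytes, path: str):
    """Content-only match; the path argument is deliberately ignored."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())

def heuristic_verdict(data: bytes, path: str, resources_edited: bool,
                      threshold: int = 90):
    """Score characteristics and context; weights are invented for this toy."""
    score = 0
    if data[:2] == b"MZ":          # looks like a Windows executable
        score += 50
    if resources_edited:           # metadata changed after build
        score += 47
    # Hypothetical context feature: a folder name lowers the score.
    folders = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
    if "false positive" in folders:
        score -= 30
    return ("Toy.Heuristic", score) if score >= threshold else None

def compare(data: bytes, resources_edited: bool, paths):
    """Return {path: (static, heuristic)} for the same bytes at each path."""
    return {p: (static_verdict(data, p),
                heuristic_verdict(data, p, resources_edited)) for p in paths}

PATHS = [r"C:\Games\game.exe", r"C:\False Positive\game.exe"]

if __name__ == "__main__":
    for label, data, edited in (("original", ORIGINAL, False),
                                ("modified", MODIFIED, True)):
        for path, verdicts in compare(data, edited, PATHS).items():
            print(label, path, verdicts)
```

The static verdict depends only on the bytes, so it is identical at both paths and disappears once the file is edited; the heuristic verdict survives the edit but moves with context.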

3 hours ago, Lerain said:

putting EXEs inside a folder named "False Positive" - will not trigger any detection

Depending on the location of the folder. The default scan does not scan every folder and file on the computer. It is not designed to. It only scans locations where malware is known to hide.

Link to post
Share on other sites

8 minutes ago, Porthos said:

Depending on the location of the folder. The default scan does not scan every folder and file on the computer. It is not designed to. It only scans locations where malware is known to hide.

I don't use the default scan options. Why waste time and resources when I can target only a specific exe.
I thought this is clear from my pictures above showing only 1 file was scanned and not detected.

Link to post
Share on other sites

1 minute ago, Porthos said:

@Lerain

I ran your "false positive" folder test with actual malware, and it was detected.

Yes, but if you put one of those AI and Heuristic things - they won't be.

Example : https://www.raymond.cc/blog/test-the-effectiveness-of-your-antivirus-firewall-and-hips-software/

Option 5 - Zemana Simulation Test Programs

Scan the tree EXEs directly from the Zemana Simulation Test Programs - you will get the Malware.AI detection.

Then the put the on a "Fasle Positive" folder and everything will be fine.

Then get them out of there and scan again - Malware.AI detection.

Link to post
Share on other sites

1 minute ago, Lerain said:

Then the put the on a "Fasle Positive" folder and everything will be fine.

Then put them on a "False Positive" folder and everything will be fine. Nothing will be detected.

I don't know how you edit posts here - it seems impossible for me.

Link to post
Share on other sites
