
NVDA 2022.1 false positive (Malware.Heuristic.1001)


NVAccess


Please see the Virus Total result page at: https://www.virustotal.com/gui/file/dd2996ce99517af4578d079d618a4bb4061fc0e6493513917eecc2cdf3e88575

 

Which reports a false positive of "Malware.Heuristic.1001" for NVDA 2022.1

You can find a direct link to the file here: https://www.nvaccess.org/files/nvda/releases/2022.1/nvda_2022.1.exe

Which is from the release announcement here: https://www.nvaccess.org/post/nvda-2022-1/

 

I'm not impressed that I have to create an account to report something for which every other AV vendor has either a page or an email address to report to.  Please consider helping your users by making it easier to report.

 

Kind regards

 

Quentin.

Link to post

@NVAccess

The file you refer to is not detected by the installed versions of Malwarebytes.

The engine format and configuration in VirusTotal is different than the consumer and corporate products’ default configuration. In VirusTotal Malwarebytes uses a command-line engine with different configuration and detection techniques/heuristics which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.

This will eventually fix itself in Virustotal as well, as Malwarebytes has no control over this. Virus Total is having trouble reaching Malwarebytes cloud.

Link to post

  • 1 month later...

It's doing it again with the beta of our next version - 2022.2 Beta 3: https://www.virustotal.com/gui/file/0fef22794bf9d325de22651aae398ff49a4338fcd61c5910d1ed67725c665ed1?nocache=1

 

I'm not convinced it's really helpful to have a version of the product which detects more than your other products AND has the false detection protections removed, and then argue that it doesn't do it in the regular version, especially when the VirusTotal version never did "fix itself" last time I reported this.

Link to post

  • 2 weeks later...

Hi there, this false positive is still happening, both with NVDA 2022.1, NVDA 2022.2 beta 3 previously advised and with the Release Candidate we put out today. If you aren't willing to fix a simple false positive, then we will have to start publicly advising people to avoid Malware Bytes.  It is not good enough to say it is VirusTotal's fault, it's your engine, and we will be very disappointed if this happens with the final stable build we release in a week or so (identical except for the version number, unless anyone reports any major issues with the release candidate).

 

VirusTotal report for NVDA 2022.2 RC1: https://www.virustotal.com/gui/file/68f155582acf38fb260eba39123b8979e32465ebc775fde8f183c109587715ff?nocache=1

Link to post

Do you mean as in with MalwareBytes on my local machine?  I don't have MalwareBytes myself.  We test each build with VirusTotal as per the earlier messages - also as per that someone suggested that engine uses different settings, which is great, but still very problematic for us.  A lot of companies use VirusTotal and hesitate to install software (or in this case, our updates) when they see that you are flagging that software.

 

Kind regards

 

Quentin.

Link to post

Ok, but it's been going on for at least the last two months.  It does make MalwareBytes look bad, especially since I'm going to have to tell people to ignore MalwareBytes as it is unreliable and prone to false positives.  I suspect I would be right in suggesting ours isn't the only program affected?

Link to post

  • Staff

Hi,

This applies for any Antivirus where the aggressive heuristic detection-mode is enabled. It detects more 0day malware, but is indeed more prone to False Positives as well. This is why this detection mode is disabled by default in Malwarebytes, where users can select if they want to enable this or not, with the risk of False Positives which we however monitor and fix almost immediately.

Link to post

Thanks, I figured it was along those lines - so if you set your local MalwareBytes to scan aggressively (I assume you can but it's not the default?) - it should pick up the same thing?

 

So, being aware of it, why can't you monitor and fix THIS false positive?  Even if you can't set the consumer version like this, surely your engineers can replicate however VirusTotal are using it?  NVDA is even open source - you can see all our source code.  I really don't see what more I can do to try to bring this issue to your attention.

 

Sorry for my annoyance, but I'm sure you can understand that it is quite frustrating.  Can you give me a time frame or anything to work with here please?

 

Quentin.

Link to post

  • Staff

To answer your question: "so if you set your local MalwareBytes to scan aggressively (I assume you can but it's not the default?) - it should pick up the same thing?"

Yes, but not anymore, because when we get FP reports on files, even with the heuristic engine, we fix this so this won't be detected anymore. This is also the reason why we don't detect it locally anymore. 

Link to post

So, are Virus Total not updating their engines?  A year or so ago when we had a false positive like this in Virus Total (not with you), it was resolved within a week.  I will say that, as you can see from the scan of our files, we've had three detections in three engines, and we haven't been able to get the others fixed either (although you are the most responsive to messages, and I do appreciate that).

 

If you're saying the issue is on Virus Total's end, I'll happily leave you alone and go bug them instead :)  (You should have said so earlier!)

 

Is that correct?  MalwareBytes has been updated, but VirusTotal are using an old version?

 

Quentin.

Link to post

  • Staff

Just putting in some more clarity to avoid any misunderstandings. Virustotal is updating the databases/engines whenever they are available. It's just that for some specific Malwarebytes detections the results aren't always being updated. It's inconsistently happening. The teams are working with Virustotal already in order to troubleshoot the cause of this so this can be resolved.

Link to post

This topic is now closed to further replies.