False positives with new MWB


Aldewacs


This is the second MWB report in 2 days.  Looks like false positives, but it's concerning because this appears to be due to the latest MWB version (4.5.25) being installed.

Yesterday I downloaded the latest version of  PureBasic 6.01 and ran a test compile of a sample program that comes with PureBasic.

I got a MWB error in the middle of the compile, and MWB reported that its "Tamper Protection" was activated.  I reported that to the Forum, and received instructions to re-install MWB.  I did that this morning and ran a SCAN afterwards.

The scan gave me ONE "Malware blocked" on a program that was internally developed 15+ years ago, compiled in VB6, and has been in use since.  Never a problem.  I recompiled that program and ran SCAN again, and got the same 'Malware blocked'.

I then re-compiled the PureBasic test program, and again got the "Malware Blocked" issue.

Screen shots attached.

It appears that MWB is suddenly getting very touchy…? This is very concerning.

I contacted PureBasic and they suggested we contact MWB because it's their/your bug.

Al De Wachter

 

MWB errors.png


Rich

I have attached the newly compiled (but not yet scanned) VB6 program.  It's ZIPPED.  (DateTime.zip)

As to the PureBasic file, I have no such file to send since the Malware Block happens WHILE the file is in the process of being compiled.

And the SCAN was done right after the program was re-installed, following un-install using the MWB support tool. See attached PNG with version info shown.  I just re-scanned with that version to be sure, and the VB6 internal program is still blocked.

MWB version.png

DateTime.zip


I ran a full scan again AFTER re-compiling/re-creating the DateTime.exe.

It found 2 issues related to that file (the EXE and the desktop link to it)

I noticed your version is 4.5.23  (mine is 4.5.25) but maybe that doesn't matter.

See attached screen dump which includes the requested screen, plus MALWARE BLOCKED message after re-running the compiled EXE.

PS I pressed the "Check for Updates" and it returns "Malwarebytes is up to date".

ALSO, I run a scan every morning early, before I get to my PC.  It has not reported an error till now, but now it suddenly reports the 2 scan results related to the DateTime.exe file as shown in the attached picture.

SOMETHING is setting MWB off...??

AL

MWB version 4-5-25.png


  • Root Admin

To begin, please do the following so that we may take a closer look.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you


  • Staff

This was automatically whitelisted earlier today. 

Let's flush your hubblecache and it should no longer be detected.

  • First, shut down Malwarebytes completely.
  • Go to: C:\ProgramData\Malwarebytes\MBAMService
  • Delete the following file: hubblecache
  • Then start up Malwarebytes again.

It should no longer be detected.

 

We also recommend developers set an exclusion for their build directory. Sometimes certain projects can look like malware to the heuristic scanner.

OK I followed those instructions...

Shut down MWB, erased Hubble file, restarted MWB.

Ran the DateTime program - it was killed by MWB.

Recreated the file, shut down MWB, erased Hubble file, restarted MWB.  It found the file(s) and alerted Malware Shutdown anyway.

Shut down MWB, erased Hubble file, and rebooted the PC.  Repeated the process - it still disabled the file and claimed Malware found.

I moved the 'offending' file to the desktop and tried to run it from there - MWB found it, shut it down, and now I HAVE TO reboot the PC to quarantine the file.

After reboot, I'll white-list the folder the file is in, to bypass MWB scanning.

But this has me concerned - WHAT FILE IS NEXT?? This seems error prone and annoying.

I'll let you know if that fails.


  • Staff

Hmm, the file is whitelisted on our end. This machine has internet, correct? Looking at the mbamservice.log again, it's showing that the whitelisting is disabled on your machine for some reason.

 

You can also set an exclusion for this specific file. Scan again with Malwarebytes, uncheck the boxes next to the detections, and follow the prompts for it to exclude it from further scans.

You can also shut off the heuristics if wanted. This isn't recommended, but it's an option.

It's the setting under Security / Use artificial intelligence to detect threats.

Rich

I'm not sure what "whitelisted at our end" means.

Anyway, I whitelisted the folder for the offending DateTime.exe file.  It can now run again.

I also whitelisted the TEMP file where the PureBasic sends its compiled 'work in progress', and that works as well, now.

I will monitor this and see if this becomes problematic with MalwareBytes.

I'm still wondering why this SUDDENLY has become a problem... I'm gonna have to suggest something changed in MWB because nothing changed in this PC.

Furthermore, what will happen if I share my file DateTime.exe with another user who has MWB installed?  And any other files created on this PC?

AL


  • Staff

Well, you shared it with me and it wasn't detected here. I even double checked with the same version of Malwarebytes you have.

You aren't blocking any of the Malwarebytes servers with a firewall, maybe? This detection uses our Hubble cloud to get the status of the file. If it can't reach the Hubble server, or it is disabled for some reason like the mbamservice.log shows, then it will detect. I have some people from support looking at your log to see if they have any ideas as to why.

  • Staff

OK, can you try something?

Under Settings / Security / Exploit Protection / Advanced Settings, scroll over to the last tab, Penetration Testing. If that's on, set it to off. This is a hyper-paranoid mode that disables some whitelisting. Let me know if it was on or off. If set to on, shut it off.

Edited by shadowwar

  • Staff

OK, digging a bit deeper into this: every time the file is created it has a different MD5, so it is a little different. The way the machine learning works is that upon first scan, if suspicious, that particular file goes into a learning process to either whitelist itself or leave it as malware. This can take up to 24 hours to learn. After looking at the logs with another set of eyes, we caught that the file is different each time you scanned, so the learning process started upon each scan of the newly compiled file. Both are whitelisted in Hubble like they were supposed to be. If you scan the one above that you uploaded, let me know if it is still detected. Is this the sample file or an app you are doing? We have more powerful ways of whitelisting against small changes like this file, but I would need a few versions if this is your app.
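The two staff points above (a build-directory exclusion covers every rebuild, while a reputation cache keyed on the exact hash restarts its learning for every recompiled binary because the bytes change) can be modelled in a few lines. The following is an added illustration written for this thread, not Malwarebytes code and not the real DateTime.exe: the toy "binary" format, the 4-byte link timestamp, the `ExactHashReputationCache` model and the `masked_hash` idea are all constructed assumptions.

```python
import hashlib
import struct
from pathlib import PureWindowsPath

# Constructed stand-in for compiler output: a fixed code body that never changes
# between builds.  Not the real DateTime.exe.
CODE_BODY = b"\x55\x8b\xec" + b"DateTime demo body" * 4

def build_toy_binary(code: bytes, link_timestamp: int) -> bytes:
    """Emulate a linker: 5-byte magic, 4-byte little-endian link timestamp, then code.
    Real PE files also carry a link timestamp, so two builds of identical source
    differ in at least those bytes (assumption for this toy format)."""
    return b"MZTOY" + struct.pack("<I", link_timestamp) + code

def md5_hex(data: bytes) -> str:
    """Exact-content hash, the key a simple reputation cache would use."""
    return hashlib.md5(data).hexdigest()

def masked_hash(data: bytes) -> str:
    """Hash with the timestamp field zeroed, so rebuilds of the same code collide.
    Illustrates one way an allowlist can tolerate small build-to-build changes;
    this is an assumption, not the vendor's actual method."""
    masked = data[:5] + b"\x00\x00\x00\x00" + data[9:]
    return hashlib.sha256(masked).hexdigest()

class ExactHashReputationCache:
    """Model of a cloud reputation lookup keyed on the exact MD5.
    An unseen hash enters a 'learning' state on first scan; once learned it is
    allowed.  Any byte change (a rebuild) yields a new hash and restarts learning."""
    def __init__(self) -> None:
        self.learned: set[str] = set()

    def scan(self, data: bytes) -> str:
        h = md5_hex(data)
        if h in self.learned:
            return "allowed"
        self.learned.add(h)          # learning begins; later scans of these bytes pass
        return "learning"

def is_excluded(path: str, exclusions: list[str]) -> bool:
    """Path-based exclusion: true if the file is the excluded path or sits under an
    excluded directory.  PureWindowsPath compares case-insensitively, as Windows does."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(e) == p or PureWindowsPath(e) in p.parents
               for e in exclusions)

def demo() -> dict:
    """Two builds of identical code an hour apart: different MD5, same masked hash,
    learning restarts under the exact-hash cache, but a directory exclusion covers both."""
    cache = ExactHashReputationCache()
    build1 = build_toy_binary(CODE_BODY, 1672531200)
    build2 = build_toy_binary(CODE_BODY, 1672534800)   # recompiled later
    exclusions = [r"C:\Dev\DateTime"]                  # constructed build directory
    return {
        "same_md5": md5_hex(build1) == md5_hex(build2),
        "same_masked_hash": masked_hash(build1) == masked_hash(build2),
        "first_scan": cache.scan(build1),
        "second_scan": cache.scan(build1),
        "rebuild_scan": cache.scan(build2),
        "exe_excluded": is_excluded(r"C:\Dev\DateTime\DateTime.exe", exclusions),
        "other_excluded": is_excluded(r"C:\Users\Al\Desktop\DateTime.exe", exclusions),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `rebuild_scan` result is the behaviour the thread describes: the freshly compiled file is unknown to an exact-hash cache, so it is treated as new even though the earlier build was already allowlisted. A build-directory exclusion sidesteps that entirely, which is why it is the practical recommendation for developers who recompile often; the copy moved to the desktop is outside the exclusion and would still be scanned.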

Because MWB erases the file when it finds it 'problematic' and reports the problem, I recompiled DateTime.exe every time malware was reported on it.

So subsequent detections and copies sent to you were on a 'different' (recompiled) file.

The fact still remains: that file had not been re-compiled for literally years.  Suddenly MWB started objecting to it when I scanned with the new MWB version.  Strange.

To be sure: are you suggesting that I should UN-whitelist the folder that holds the latest compiled file, and then try to use the file, and/or do a PC_wide scan?
