Possible False Positive???

Detected with a full scan.
Real threat or FP?



EDIT: Might be connected to the latest Malwarebytes AntiMalware 1.41 install.
Can anyone confirm this?

 

I received the same detection today. I've submitted it to Prevx, malwarebytes, and avira. No word back yet.

 

Hello,
There are a lot of malicious files similar to the detection you're seeing in our database so I'm going to need some further information to research it. If you can follow these instructions here: https://www.wilderssecurity.com/showthread.php?t=245129 we will be able to correct the file detection

Thanks!

 

Thank you.
e-mail sent with log.

 

The file is indeed a false positive (primarily because of its worm-like behavior in that it copies itself with random filenames). I've fixed it now - thank you for the report!

 

Thank you.

 

FWIW, Hitman Pro (Prevx engine) is still hitting on it as of just now.

 

That's odd. Since the fix my prevx hasn't had a FP. I don't use hitman pro.

 

Correct, Prevx is not calling it malicious, but Hitman Pro with its older Prevx engine is. I sent Hitman Pro email. It's weird having a program use another program's engine, yet it is not as updated. Doesn't seem like an ideal situation to me, i.e. what does Prevx gain by allowing Hitman Pro to operate in this manner?

 

$$$$$$$$$$$$$$$$$$$$$$$$$


HKEY1952

 

Keep in mind that I asked, what does Prevx gain. You are of course correct that they receive $$$$$$$$$, but is it a gain?

Is Prevx's reputation dinged by a company like Hitman Pro using a subpar Prevx engine? Are users rushing out to purchase Prevx because they see Hitman Pro utilizing it?

Perhaps.

But it still seems like a less than ideal situation to me.

 

FYI, Hitman Pro uses the current Prevx engine and saying otherwise is just wrong. If you dont think so ask Marcos.

 

The diffference is the Prevx is real time scanning, Hitman is on demand. The same question Page, could be asked of the other vendors who allow, or are under contract with Hitman and how they agreed to have their product used.

 

I think I recall hearing that now. Please excuse my error if I misspoke. Why is Hitman Pro engine alerting on a false positive that Prevx fixed?

 

I agree. The same question could be asked of other vendors.

 

very good question. I guess there is a delay in this. I know Joe fixes very quickly so no question there, but Hitman is also really in the development side of what it is going to evolve into, which is really going to shock a few.

 

I believe Hitman Pro has a layer of caching on top of our detections which is why there is some discrepancy between the two.

 

Hitman Pro caches the results. Every 8 hours the file is rescanned. This procedure is repeated for 1-2 months. After that the file is no longer rescanned and holds the classification indefinitely, until enough users submit the file as false positive in the application.

So if the file was first classified as malicious more than 1-2 months ago, the file is not rescanned and the false positive remains. We reckon that vendors fix FPs within 2 months.

 

What's the best way to report FP's to you?

TIA,

TH

 

Each row in the view can be expanded by clicking on the arrow in front of the row. This way you can see which vendor classified the file as malware.

The end of each row lists the action that needs to be performed on the item.

The following screenshot lists a suspicious file (Dutch: Verdacht). This means no vendor knows the file yet but Hitman's behavioral scan found enough evidence for it to display it to the user.



When clicking on the arrow at the end of the row a popup menu appears where you can choose to Delete, Do not delete or Report that this file is safe. It is the preferred way to submit false positives through the application.

 

That's what I do Thanks Erik!

TH