Malware Bytes Quarantine

Started by robbo56gbr, December 11, 2023, 04:30:58 PM


robbo56gbr

Hi,

After telling IMatch to write metadata to files, Malware Bytes decided to quarantine the exiftool.

See screenshot.  I have no reason to think I picked up any malware - I wondered if anyone else has seen this issue? I have been running Malware Bytes continually and it never caused a detection on previous metadata writes.

Mario

False positives become more and more common these days.
Since the free Windows Defender became so good, anti-virus vendors struggle to justify the annual costs of their products.
I've had fun with Norton products a while ago, when some users could not install IMatch.

You can always upload the quarantined exiftool.exe to Google's Virus Total (https://www.virustotal.com/gui/home/upload) to let it check with 50+ anti-virus products. If this yields no result, you're good and exiftool.exe is clean. In that case it's just one of the many "behavioral" false positives. IMatch starts exiftool.exe and IMatchChromiumHelper.exe and some other executables in the IMatch program folder (and only from there!) during normal operation. This sometimes upsets 3rd party anti-virus products.


And tell Malware Bytes that it is a false positive so they can update their databases.
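An added example (not from this thread or from IMatch) of the VirusTotal check described above, done by hash so the quarantined binary itself need not be uploaded: it hashes the file locally, builds the VirusTotal lookup URL for that hash, and tallies a multi-engine report to spot the usual shape of a behavioral false positive (a handful of engines, all with generic or heuristic names). The report layout, the sample report and the few-engines-generic-names rule are assumptions, not VirusTotal's or Malwarebytes' own logic.

```python
import hashlib
import json

# Constructed stand-in for a VirusTotal v3 file report (not a real report);
# the 'last_analysis_stats' / 'last_analysis_results' layout is assumed.
SAMPLE_REPORT = json.loads("""
{"data": {"attributes": {
  "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 68, "harmless": 0},
  "last_analysis_results": {
    "EngineA": {"category": "malicious", "result": "Behavior.Generic.Ransom"},
    "EngineB": {"category": "malicious", "result": "Heur.Suspicious"},
    "EngineC": {"category": "undetected", "result": null}
  }}}}
""")

def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the quarantined binary locally; the file never leaves the machine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def vt_lookup_url(sha256_hex):
    """VirusTotal serves an existing report by hash, so no upload is needed."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"

def summarize_report(report, max_engines_for_fp=3):
    """Tally engine verdicts and flag the likely-false-positive pattern
    (assumed heuristic): few engines hit, all with generic/heuristic labels."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    hits = {name: r["result"] for name, r in attrs["last_analysis_results"].items()
            if r["category"] in ("malicious", "suspicious")}
    generic = all(any(tag in (label or "").lower() for tag in ("generic", "heur", "behav"))
                  for label in hits.values())
    return {"flagged": len(hits),
            "total_engines": sum(stats.values()),
            "hits": hits,
            "likely_false_positive": len(hits) <= max_engines_for_fp and generic}

if __name__ == "__main__":
    print(vt_lookup_url(sha256_of_bytes(b"placeholder for exiftool.exe bytes")))
    print(summarize_report(SAMPLE_REPORT))
```

A flagged build is still worth reporting to the vendor as a false positive; the summary only tells you how many engines disagree and how specific their labels are.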

erichaas

Yes, I've had that problem with Malwarebytes. You need to add IMatch to Malwarebytes' Allow List. I think when you try to update a bunch of photos at once, Malwarebytes thinks it might be ransomware and blocks it.

Mario

Quote from: erichaas on December 14, 2023, 12:32:46 AM
> Yes, I've had that problem with Malwarebytes. You need to add IMatch to Malwarebytes' Allow List. I think when you try to update a bunch of photos at once, Malwarebytes thinks it might be ransomware and blocks it.
Does Malwarebytes inform you that it blocked IMatch and why?

The problem often is that IMatch "fails" and in the end it turns out that the AV software silently blocked IMatch or ExifTool, leaving the user (and me) in the dark.

This becomes a problem more and more. The big software companies have departments which are in communication with all major AV vendors, providing up-front binaries so the AV vendors can add them to their white lists. These services are not available for small ISVs like me. Or only from a few of the AV vendors.

There is no central portal for providing AV vendors with up-front binaries. Or for contacting them in case of a false positive for IMatch. I would have to contact 50 or more AV vendors manually every time. BIG tech can afford the time and cost, I cannot.
This is a list: https://github.com/yaronelh/False-Positive-Center

I recently tried with Norton/Symantec. Their false positive sample upload web site only accepts uploads with 30MB max. IMatch has 350MB. Doh!
If you use the "provide download URL" they fail after a while, claiming they only accept 30 MB max.
And when you choose the "upload checksum" option, they refuse unless the hash has been already generated on Google's VirusTotal web site.

I always upload the trial version of IMatch to Virus Total. But I don't upload the licensed version, because by uploading you also agree to make the uploaded files available for the entire "research" community world-wide...

Antivirus software vendors have a hard time since Microsoft's free Windows Defender became so good.
In order to justify their annual cost, they come up with all kinds of security stuff and snake oil, which often gets in the way and causes more problems than it solves. And they give small software vendors a real hard time.

mopperle

Quote from: Mario on December 14, 2023, 10:32:22 AM
> And they give small software vendors a real hard time.
Not only small vendors. Working for a 4 billion USD software company, I could tell you a lot of stories about AV software vendors.

Mario