AntiVirus flag.
oeaulong

245 post(s)
#19-Jun-20 14:31

Woke up today to have Windows Defender flag Manifold 9 (32-bit) exe. Has anyone else seen this?

It was quarantined along with start menu links.

Sending the .exe to VirusTotal for a second opinion. This screen came back.

So is this an example of a false positive? Is this an example of a new vector of infection? Why would Defender only today flag it and not before?

*update* Ran an update with one security definition file updated. Also pending was a feature update to winders10. Installing these, will check and report back.

Attachments:
Virus_Annotation 2020-06-19 082925.png

adamw


9,283 post(s)
#19-Jun-20 14:50

The SHA256 sum in the screen does correspond to the 32-bit MANIFOLD.EXE from 9.0.172.3.

Yes, this is a false positive.

It is telling that (a) the anti-virus tools flag the 32-bit EXE but not the 64-bit EXE even though the code in them is exactly the same, and that (b) the entire code being flagged is a call into EXT.DLL.

What's sad is that previously false positives like these were only appearing in third-party tools, but for the last year or so they started sneaking up into Windows Defender.

We'll submit the EXE as a safe one to the Windows Defender portal, but the reaction isn't going to be fast nor is the effect going to last - most likely they'll continue flagging similar EXEs in future builds (not all of them, but which ones nobody knows).

oeaulong

245 post(s)
#19-Jun-20 14:53

Thank you Adam.

jsperr

78 post(s)
#19-Jun-20 18:32

Yes, same here after Windows 10 did a definition update. SHA256 checksums agreed, so I told Windows to remove it from quarantine and put it back in service. No further problems.

oeaulong

245 post(s)
#19-Jun-20 20:45

followup:

A new definitions file, and feature update for winders.

A quick Manifold folder rescan comes up with no threats. So I am guessing all is now well.

-Oeaulong

adamw


9,283 post(s)
#20-Jun-20 08:25

We got a response that the incorrect detection has been removed. The latest malware definitions no longer have it.

The latest definitions are available at:

https://www.microsoft.com/en-us/wdsi/definitions

Alternatively, one can update them from the command line:

  1. Open command prompt as administrator and change directory to C:\Program Files\Windows Defender
  2. Run: MpCmdRun.exe -removedefinitions -dynamicsignatures
  3. Run: MpCmdRun.exe -signatureupdate

Thanks a lot for the thread, oeaulong. The file was scanning cleanly at the time it was produced, it's the later updates to Windows Defender malware definitions that started flagging it due to detection heuristics unavoidably being imperfect.

Props to Microsoft for a fast reaction, too.
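The steps above, plus the checksum comparison jsperr described, collected into one elevated PowerShell script. This is an added example, not something from the thread or from Manifold; the install path is assumed, the expected SHA256 is a placeholder you replace with the value published for your build, and the file must be present on disk (for example a fresh copy from the installer) before it can be hashed.

```powershell
# Added example, not from the thread. Verifies a Manifold EXE against a known-good
# SHA256, refreshes Windows Defender definitions the way adamw's steps do, then
# rescans just that file. Run from an elevated PowerShell prompt.
param(
    # Assumed install path; adjust to where your build lives.
    [string]$ExePath        = 'C:\Program Files\Manifold\v9.0\bin\manifold.exe',
    # PLACEHOLDER: the hash published for your exact build, not a real value.
    [string]$ExpectedSha256 = '<SHA256 OF YOUR BUILD HERE>'
)

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Test-FileHashMatches {
    # Returns $true only if the on-disk file hashes to the published value.
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host "SHA256 actual:   $actual"
    Write-Host "SHA256 expected: $Expected"
    return ($actual -ieq $Expected)
}

function Update-DefenderDefinitions {
    # Same two commands as the command-prompt steps in the thread.
    & $MpCmdRun -RemoveDefinitions -DynamicSignatures | Out-Null
    & $MpCmdRun -SignatureUpdate | Out-Null
    # Report the signature version now in effect so it can be quoted in a ticket.
    return (Get-MpComputerStatus).AntivirusSignatureVersion
}

function Invoke-DefenderFileScan {
    # ScanType 3 is a custom scan limited to the given file or folder.
    param([string]$Path)
    & $MpCmdRun -Scan -ScanType 3 -File $Path | Out-Null
    return $LASTEXITCODE   # 0 = no threats found; nonzero (2) = threats found
}

# Main flow: only a file whose hash matches the vendor's value is worth
# treating as a false positive. A mismatch means stop and investigate.
if (-not (Test-FileHashMatches -Path $ExePath -Expected $ExpectedSha256)) {
    Write-Warning 'Hash mismatch: do not restore this file; treat the detection as real until explained.'
    exit 1
}

$version = Update-DefenderDefinitions
Write-Host "Definitions now at version $version"

$rc = Invoke-DefenderFileScan -Path $ExePath
if ($rc -eq 0) {
    Write-Host 'Rescan clean: the earlier detection no longer fires against this build.'
} else {
    Write-Warning "Rescan still flags the file (exit code $rc). Run Get-MpThreatDetection for the detection name before deciding anything."
}
```

The order matters: hash first, definitions second, rescan last. Restoring a file from quarantine because "it is probably a false positive" is only defensible when its hash matches what the vendor shipped; the definition refresh then tells you whether Microsoft has already pulled the detection, as adamw reported, or whether it still needs a submission.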

StanNWT
175 post(s)
#21-Jun-20 19:17

I've been getting repeated quarantining of my 64-bit Manifold Viewer and Manifold 9.0.172 full installations, not the edge builds. This is with McAfee Total Protection. This got flagged with an earlier version on February 29, 2020 and June 20, 2020 with 9.0.172.0, both Viewer and full Manifold.

I remove them from quarantine but they get added again the next scan.

adamw


9,283 post(s)
#22-Jun-20 07:48

That's bad.

We cannot do much about this, unfortunately. It might be worth contacting tech support for McAfee, telling them that they keep flagging clean files, and asking what you can do to at least exclude the files they keep misdiagnosing from their scans so that they don't get flagged, complained about and blocked. This is absolutely a recurring problem with such tools, so they might have a solution.

Manifold User Community Use Agreement Copyright (C) 2007-2019 Manifold Software Limited. All rights reserved.