blakepell / AvalonMudClient

A Windows MUD client written in C#/WPF for .NET 8.

Malwarebytes Flags as Malware #42

Closed jmbeekman closed 2 years ago

jmbeekman commented 3 years ago

Flagged as MachineLearning/Anomalous.100%

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/27/21
Protection Event Time: 4:19 PM
Log File: 3c01eaae-a79e-11eb-84e1-00d861055e78.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1273
Update Package Version: 1.0.39865
License: Premium

-System Information-
OS: Windows 10 (Build 19041.928)
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
MachineLearning/Anomalous.100%, C:\Users\jmbzy\AppData\Local\Programs\AvalonMudClient\Avalon.dll, Quarantined, 0, 392687, 1.0.39865, , shuriken, , EB3B3655A14BF8A754F57094B4F18CF7, 5F6BBA5B661EBE5C2FA96585E0BD4B13D10F7796BC507D62AA97F40459E85F10

(end)
blakepell commented 3 years ago

That's interesting. I'm kind of surprised that Avalon.dll is reported (trying to think of what might be the cause of that). I do reference Argus.Core.dll via NuGet which is my general purpose utility library and that has a global OS key hook class in it that could be the cause. I'm not instantiating it anywhere in the mud client but it is referenced. I can see where it might set off a red flag (but also, it's a useful class, I'd remove it though if it were the cause). This is the API it PInvokes:

    [DllImport("user32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
    private static extern short GetAsyncKeyState(int vKey);

Does the .json log file it references offer any clues?

I may remove that class either way and then re-publish. I've re-written the scripting environment 5 or 6 times in the last 3 months and I -think- I'm finally close to something that is going to work and not eat memory (and also, will be able to offer Lua and JavaScript).

blakepell commented 3 years ago

I see you can report a false positive (or submit a case for them to investigate). I'll take a look at doing that once I'm done with the next release.

jmbeekman commented 3 years ago

I'll take a look for that log file. What I posted was a straight export from the UI.

jmbeekman commented 3 years ago

mwb_avalon_json.zip

blakepell commented 3 years ago

Thanks for sharing that. After reading the description on their site for "MachineLearning/Anomalous.100%" it says the file came back 100% different than the training set of files their AI used to train against. It's unsigned also, I assume that probably doesn't help but it's definitely not the sole cause. The thing that makes it hard to troubleshoot is that it just didn't match (at all) their training set of known good files. It's not like "hey, this thing PInvokes GetAsyncKeyState" or "it's calling some sketchy API" or "it's writing to known risky parts of the registry" or "it copies itself elsewhere and changes its name" etc. Funny enough, I scanned the Argus.Core.dll which is what I thought -might- be it because it has one class that calls GetAsyncKeyState and it passed 100% of the checkers including Malwarebytes.

I used virustotal.com a few minutes ago: 67 passes and 2 failures (failures from Malwarebytes and Cylance), will share that screenshot below. The version I uploaded here was from my branch where I added replacement triggers, changed how Lua is called and added a memory pool for it (the hash will be different than the one you have). The reason I share that is because it means a version I built this morning had the same issue so it wasn't tampered with after the fact.

I also uploaded a one-window totally stock .NET 5 WPF app and it passed Malwarebytes but failed another; what I think I'm going to try is adding references

[screenshot: VirusTotal scan results]

What I'll probably try to do is once I'm done with my cleanup for this next version is trial and error removing some pieces just to see if any make a difference. If it doesn't I'll see if I can submit it as a false positive case.

Thanks for sharing also, I'll report back when I have more info.
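One way to triage a report like this, as an added example that is not part of the AvalonMudClient project: parse the Malwarebytes export into a record, pull the quarantined file's hashes out of it, and compare them with the hashes of the build that was actually published, so you know whether the flagged Avalon.dll is your artifact or something altered after the fact (the point made above about the hash differing between builds). The export's column layout beyond detection, path, action and the two hashes is not documented on this page, so the parser names only those and keeps the remaining columns as `extra`; the sample DLL bytes and the `triage` helper are constructed for the example.

```python
"""Triage helper for a Malwarebytes quarantine export.

Added example, not part of the AvalonMudClient project. The export layout is
inferred from the text posted in the issue; only detection, path, action and
the MD5/SHA-256 columns are named, everything else is kept as `extra`.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the sections of the posted export that this parser uses.
SAMPLE_EXPORT = r"""-Log Details-
Protection Event Date: 4/27/21
Protection Event Time: 4:19 PM
Log File: 3c01eaae-a79e-11eb-84e1-00d861055e78.json

-Blocked Malware Details-
File: 1
MachineLearning/Anomalous.100%, C:\Users\jmbzy\AppData\Local\Programs\AvalonMudClient\Avalon.dll, Quarantined, 0, 392687, 1.0.39865, , shuriken, , EB3B3655A14BF8A754F57094B4F18CF7, 5F6BBA5B661EBE5C2FA96585E0BD4B13D10F7796BC507D62AA97F40459E85F10

(end)
"""

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass
class BlockedItem:
    detection: str
    path: str
    action: str
    md5: Optional[str] = None
    sha256: Optional[str] = None
    extra: List[str] = field(default_factory=list)


def parse_blocked_line(line: str) -> BlockedItem:
    """Split one blocked-item line; hashes are recognised by length, not position.

    A path containing commas would confuse this split; the posted path has none.
    """
    cols = [c.strip() for c in line.split(",")]
    if len(cols) < 3:
        raise ValueError(f"unexpected blocked-item line: {line!r}")
    item = BlockedItem(detection=cols[0], path=cols[1], action=cols[2])
    for col in cols[3:]:
        if HEX_RE.match(col) and len(col) == 32:
            item.md5 = col.lower()
        elif HEX_RE.match(col) and len(col) == 64:
            item.sha256 = col.lower()
        elif col:
            item.extra.append(col)
    return item


def parse_export(text: str) -> Dict[str, dict]:
    """Return {section: {"fields": {key: value}, "items": [BlockedItem, ...]}}."""
    sections: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        if len(line) > 2 and line.startswith("-") and line.endswith("-"):
            current = line.strip("-")          # "-Log Details-" -> "Log Details"
            sections[current] = {"fields": {}, "items": []}
        elif current is None:
            continue
        elif current == "Blocked Malware Details" and ", " in line:
            sections[current]["items"].append(parse_blocked_line(line))
        elif ": " in line:
            key, value = line.split(": ", 1)   # first ": " only; "4:19 PM" survives
            sections[current]["fields"][key] = value
    return sections


def file_hashes(data: bytes) -> Dict[str, str]:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_quarantined(item: BlockedItem, data: bytes) -> bool:
    """True when `data` is byte-for-byte the file the scanner quarantined.

    SHA-256 is preferred; MD5 is consulted only when no SHA-256 column was present.
    """
    digests = file_hashes(data)
    if item.sha256:
        return digests["sha256"] == item.sha256
    if item.md5:
        return digests["md5"] == item.md5
    return False


def triage(export_text: str, shipped_build: bytes) -> List[dict]:
    """For each quarantined item, report whether it matches the build you shipped."""
    items = parse_export(export_text).get("Blocked Malware Details", {}).get("items", [])
    return [{"path": item.path, "detection": item.detection,
             "is_shipped_build": matches_quarantined(item, shipped_build)}
            for item in items]


if __name__ == "__main__":
    # Constructed stand-in for the DLL bytes; a real run reads the published artifact.
    for row in triage(SAMPLE_EXPORT, b"constructed dll bytes"):
        print(row)
```

If `is_shipped_build` comes back `True`, the scanner flagged exactly the bytes you published and the false-positive submission can reference the same hashes; if it comes back `False`, the user's copy differs from the release and the difference needs explaining before any submission.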

jmbeekman commented 3 years ago

Windows griped about it being unsigned of course, but Malwarebytes can be sketchily paranoid at times also. Just figured I'd bring it up to prevent any "you're installing malware" garbage as use grows.

blakepell commented 2 years ago

@jmbeekman I published the app to the Windows Store over the weekend and it's now available there as well. Microsoft handles the code signing of the app there then (it runs in a UWP container then, but because it's a desktop app still requires the full trust bit).

https://www.microsoft.com/en-us/p/avalon-mud-client/9pk5q5vtfz6z?activetab=pivot:overviewtab#

jmbeekman commented 2 years ago

That's awesome. I've been on a MUDcation for a while, so I'll definitely have to give her a go when I get back to it.

blakepell commented 2 years ago

Closing this issue as hopefully the digitally signed Windows Store build should take care of this. If it doesn't feel free to let me know.