Chia-Plot-Status

Security: History of false positives and their reportings

Open grayfallstown opened this issue 3 years ago • 16 comments

Malwarebytes reports ChiaPlotStatus as Anomalous based on a guess by a neural network: VirusTotal

Reported on Malwarebytes forum

grayfallstown avatar Apr 27 '21 14:04 grayfallstown

Hi,

This is detected by our MachineLearning engine, which helps to protect even better against 0day threats. Unfortunately, as this is a heuristic engine, it's possible False Positives happen. Also see here for more explanation: https://forums.malwarebytes.com/topic/238670-machinelearninganomalous-detections-and-explanation/ Thanks for reporting these, as this helps to finetune the engine, so these won't be detected in the future anymore.

This should be fixed by now. Please give it some time (max 10 minutes) in order to have it populate, so detection won't happen anymore.

- miekiemoes (Malwarebytes employee) Posted 30 minutes ago

VirusTotal is not yet updated, still reports it

grayfallstown avatar Apr 27 '21 16:04 grayfallstown

Still a false positive, reported it on their forum again

grayfallstown avatar Apr 28 '21 21:04 grayfallstown

The attached file is not detected by the consumer or commercial versions of Malwarebytes.

The engine format and configuration in VirusTotal is different than the consumer and corporate products’ default configuration. In VirusTotal Malwarebytes uses a command-line engine with different configuration and detection techniques/heuristics which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.

This will eventually fix itself in VirusTotal as well, as Malwarebytes has no control over this. VirusTotal is having trouble reaching the Malwarebytes cloud.

- Porthos (Malwarebytes employee)

grayfallstown avatar Apr 29 '21 13:04 grayfallstown

New release 0.9.4 setup.exe no longer triggers false positives on VirusTotal.

Chrome Browser blocks both Setup and Zip file anyway.

This is getting annoying really fast.

grayfallstown avatar Apr 30 '21 23:04 grayfallstown

Chrome Browser decided to stop blocking the Setup, but not the Zip file

grayfallstown avatar May 01 '21 11:05 grayfallstown

No longer adding the zip file to the releases. It gets blocked on every release and the setup is not. VirusTotal got the Malwarebytes update.

BlackBerry Cyber Security Cylance is reporting the Setup. Reported to [email protected]

grayfallstown avatar May 03 '21 10:05 grayfallstown

Funny, now it's Microsoft, but only on VirusTotal again. Windows Defender locally did not care.

Submitted a report...

Cylance is still on it.

Maybe I should do this false positives reporting business every time before I publish the release. Would mean I cannot react to users problems soon enough.

grayfallstown avatar May 04 '21 13:05 grayfallstown
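The comment above talks about doing the false-positive check before every release, and an earlier Malwarebytes reply explains that the VirusTotal command-line engine runs heuristics the consumer product suppresses. Below is an added example, not code from Chia Plot Status or from any vendor, of a pre-release gate that hashes the build artifact, looks the hash up on VirusTotal, and separates ML/heuristic verdicts (the kind this thread is about, and the kind worth reporting rather than blocking on) from named-signature hits. Assumed and not from the page: the VirusTotal API v3 `GET /api/v3/files/{sha256}` endpoint with an `x-apikey` header, the `last_analysis_results` response shape, the `HEURISTIC_MARKERS` list, and the `SAMPLE_REPORT`, which is constructed with invented verdict strings to mirror the engines named in this thread.

```python
"""Pre-release VirusTotal gate for a build artifact (added example).

Not code from Chia Plot Status or any AV vendor. Assumptions: VirusTotal API v3
`GET /api/v3/files/{sha256}` with an `x-apikey` header, and a response whose
`data.attributes.last_analysis_results` maps engine name to {"category",
"result", ...}. SAMPLE_REPORT is constructed; its verdict strings are invented.
"""
import hashlib
import json
import sys
import urllib.request

# Assumed (lowercase) substrings that mark an ML/heuristic verdict rather than a
# named signature. These are the verdicts most likely to be a false positive on a
# freshly built, unsigned installer and are worth reporting to the vendor.
HEURISTIC_MARKERS = ("machinelearning", "anomalous", "heuristic", "malware.ai",
                     "gen:nn", "unsafe", "generic", "suspicious")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str) -> str:
    """Stream the file so a large installer does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256: str, api_key: str) -> dict:
    """Look the hash up on VirusTotal (network; not exercised offline)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def classify(report: dict) -> dict:
    """Return {engine: (verdict, "heuristic" | "signature")} for every engine
    that called the file malicious or suspicious."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {}
    for engine, entry in results.items():
        if entry.get("category") not in ("malicious", "suspicious"):
            continue
        verdict = entry.get("result") or ""
        kind = ("heuristic" if any(m in verdict.lower() for m in HEURISTIC_MARKERS)
                else "signature")
        flagged[engine] = (verdict, kind)
    return flagged


def release_gate(report: dict, max_heuristic: int = 0) -> tuple:
    """Hold the release on any named-signature hit; tolerate up to
    `max_heuristic` ML/heuristic hits. Returns (ok, flagged)."""
    flagged = classify(report)
    signature_hits = [e for e, (_, k) in flagged.items() if k == "signature"]
    heuristic_hits = [e for e, (_, k) in flagged.items() if k == "heuristic"]
    ok = not signature_hits and len(heuristic_hits) <= max_heuristic
    return ok, flagged


SAMPLE_REPORT = {  # constructed: VT v3 shape, invented values
    "data": {"attributes": {
        "last_analysis_stats": {"malicious": 4, "suspicious": 0, "undetected": 3},
        "last_analysis_results": {
            "Malwarebytes":     {"category": "malicious",  "result": "Malware.AI.4056832641"},
            "Cylance":          {"category": "malicious",  "result": "Unsafe"},
            "BitDefenderTheta": {"category": "malicious",  "result": "Gen:NN.ZexaF.34700.wq0@ai7gGPd"},
            "ClamAV":           {"category": "malicious",  "result": "Win.Trojan.Agent-6958421-0"},
            "Microsoft":        {"category": "undetected", "result": None},
            "Kaspersky":        {"category": "undetected", "result": None},
            "ESET-NOD32":       {"category": "undetected", "result": None},
        }}}}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python vt_gate.py <artifact> <api_key>
        report = fetch_report(sha256_of(sys.argv[1]), sys.argv[2])
    else:  # offline demo on the constructed report
        report = SAMPLE_REPORT
    ok, flagged = release_gate(report, max_heuristic=2)
    for engine, (verdict, kind) in sorted(flagged.items()):
        print(f"{engine:18} {kind:9} {verdict}")
    print("release OK" if ok else "HOLD: report false positives before publishing")
```

On the constructed report the gate holds the release because ClamAV's verdict carries a named signature, while the three ML-style verdicts are listed for reporting. VirusTotal answers 404 for a hash it has never seen, so a brand-new installer has to be uploaded (`POST /api/v3/files`) and given time to scan before this lookup returns anything.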

Microsoft removed the false positive.

grayfallstown avatar May 05 '21 05:05 grayfallstown

Submission ID: 3563a365-29a0-4b84-b223-e244acab0b22 Status: Completed Submitted: May 4, 2021 14:59:07 User Opinion: PUA / False Positive. Analyst comments:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
  3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.

grayfallstown avatar May 05 '21 06:05 grayfallstown

New Version is without false positives.

grayfallstown avatar May 06 '21 17:05 grayfallstown

New version got hit by malwarebytes again, reported: https://forums.malwarebytes.com/topic/274087-false-positive-on-chiaplotstatus-malwareheuristic1008/

This time ClamAV is also on it. Reported (did not get a link to the report). Same on Bitdefender Theta, reported (did not get a link to the report).

grayfallstown avatar May 11 '21 11:05 grayfallstown

Malwarebytes fixed it, "This file is no longer detected." -Atribune

grayfallstown avatar May 11 '21 12:05 grayfallstown

VirusTotal shows Chia Plot Status as clean again

grayfallstown avatar May 11 '21 18:05 grayfallstown

setup.exe Submission ID: 08b519c3-cfe9-4353-b429-7bc8d774e41d Status: Completed Submitted: May 11, 2021 20:50:54 User Opinion: Incorrect detection. Analyst comments:

We’ve reviewed your submission and we've confirmed that the submitted files are clean. Windows Defender Antivirus doesn't report them as malware.

The message you observed is a notification from Windows Defender SmartScreen indicating that the application does not have known reputation in our system. Application reputation warnings are meant to inform end users when applications do not have known positive reputation. This doesn’t mean that the application is malicious, only that it is “unknown”. Please note that users can still proceed to download and run the application.

grayfallstown avatar May 12 '21 05:05 grayfallstown

Chia Plot Status uses the Avalonia Library to build a Graphical User Interface that runs on Windows, Linux and Mac.

The Avalonia library got flagged as a Trojan by Windows Defender yesterday (version 0.10.3) and today (version 0.10.4).

Spoiler: it was safe and clean all along.

Multiple developers using Avalonia and the users of those developers' apps got a scare.

It was manually checked by Malwarebytes' and Microsoft's analysts as part of the checks of Chia Plot Status Setup.exe before, got a clean mark, then got flagged as a Trojan yesterday, got submitted for manual analysis by experts, got another clean mark, was no longer reported as a Trojan, then got flagged again, then re-submitted for yet another analysis.

Only Windows Defender and no other antivirus flagged the file. The whole time VirusTotal showed the files as absolutely clean with no warning whatsoever.

Now Windows Defender is no longer reporting the files and sees them as clean again IF the PC has up to date Windows Defender Dynamic Signatures.

I had to add a notice to the download section explaining what happened and that it is an external library, not Chia Plot Status that is flagged.

Issues involved in this among duplicates: #50 #47

Users who had Chia Plot Status installed or tried to install it during that time were NOT in danger. The files were safe and falsely flagged as malicious.

grayfallstown avatar May 18 '21 15:05 grayfallstown

Today the entire Avalonia Incident repeated itself, see #91 for details.

As of now, the files are deemed safe and are no longer reported by Windows Defender if virus signature database is up to date.

Users of Chia Plot Status were and still are safe the whole time.

grayfallstown avatar Jun 03 '21 21:06 grayfallstown