False Positive Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/false-positive/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Sun, 24 Mar 2024 02:59:58 +0000 en-US hourly 1 https://wordpress.org/?v=71396 200474804 Trojan:Script/Ulthar.A!ml https://gridinsoft.com/blogs/trojanscript-ulthar-aml/ https://gridinsoft.com/blogs/trojanscript-ulthar-aml/#respond Thu, 29 Feb 2024 22:38:55 +0000 https://gridinsoft.com/blogs/?p=20049 Trojan:Script/Ulthar.A!ml is a detection of Windows Defender that identifies as a trojan. It specifically refers to a script-based malicious program. However, it can often turn out to be a false positive, and antivirus programs label harmless files as malicious. Let’s understand what this detection is and why it can be false. What is Trojan:Script/Ulthar.A!ml? Trojan:Script/Ulthar.A!ml… Continue reading Trojan:Script/Ulthar.A!ml

The post Trojan:Script/Ulthar.A!ml appeared first on Gridinsoft Blog.

]]>
Trojan:Script/Ulthar.A!ml is a detection of Windows Defender that identifies as a trojan. It specifically refers to a script-based malicious program. However, it can often turn out to be a false positive, and antivirus programs label harmless files as malicious. Let’s understand what this detection is and why it can be false.

What is Trojan:Script/Ulthar.A!ml?

Trojan:Script/Ulthar.A!ml is a generic detection name assigned by Microsoft Defender to a malicious script. Such threats may belong to different malware families, but to simplify the designation, Microsoft groups them by characteristics.

Trojan:Script/Ulthar.A!ml detection Defender

The majority of known Ulthar A!ml cases are attributed to file archives, both of the .zip/.rar and .jar formats. This implies that the detection refers to a threat that uses code packing. Considering the features of archived files, including virtualization used to run Java archives, it is important to take this detection seriously.

Ulthar.A!ml Malware Analysis

During the analysis of Trojan:Script/Ulthar.A!ml, I’ve detected quite a lot of cases when it was assigned to benign files, i.e. was a false positive detection. Popular malware sandboxes and collections did not contain any fresh samples of the malware detected with this name. At the same time, there were some similar malware samples, which simplified my research.

The signature name gives a couple of clues to start with. Trojan:Script is a header attributed to malicious scripts; “Trojan” part means it may be of any purpose, from gaining initial access to collecting data and delivering other malware. The proper name, “Ulthar“, is not a reference to a Lovecraft book but an umbrella designation of malicious software that shares similar properties. And this is where other clues appear.

As I said, sandboxes do not keep any records regarding Trojan:Script/Ulthar.A!ml, i.e. this specific name. However, VirusTotal keeps the analysis of a malicious program detected as Trojan:Win32/Ulthar.A!ml – not completely the same thing. But the fact that it has the same name means it shares the same core functions with that one Ulthar we are interested in.

Defender detection explanation
Microsoft Defender detection explained

So, what is Ulthar trojan? According to the data from several sources, it is a backdoor, with quite a tricky detection and analysis evasion procedure. It in particular checks whether it is running on a VM or the debug environment, and then protects its file and directory it is located in. After doing all these checks and actions, Ulthar switches to collecting system information – most likely, to create a fingerprint and ease the distinction between this machine and others.

Ulthar.A!ml functions VT
Functions of Ulthar malware. Source: VirusTotal

Typically for backdoors, Ulthar provides remote access to the system. However it looks like this access is not about a real-time connection, but about remote changes done to the system. Malware grants hackers a lengthy list of things they can do in the infected system. This functionality ranges from editing system registry and directories to launching specific files. The latter, actually, is the biggest potential danger, as it means Ulthar can deploy other malware.

Is Trojan:Script/Ulthar.A!ml False Positive?

As I’ve mentioned, Trojan:Script/Ulthar.A!ml name often appears as a false positive detection. In fact, the majority of online feedback points at this detection pointing at completely legit and safe files, particularly game mods kept in archives. And while malware can be stored in archives, the detections described by different users are related to the files that are quite hard to doubt.

Trojan:Script/Ulthar.A!ml Reddit
Users’ complaints regarding the false detections

One specific reason why this false detection appears is its origination from the AI detection system of Microsoft Defender. This is, exactly, what the “!ml” particle in the end stands for. The latter has its merits, but may create problems when failing to confirm the detection through other detection systems. But don’t think all the “!ml” detections are false – this would be a costly mistake!

!ml detection false positive

To see whether the file affected by the Trojan:Script/Ulthar.A!ml detection is false positive or not, consider using our GridinSoft Online Virus Scanner. It is completely free, and will show you whether you should be concerned or not in a matter of seconds. Just upload the file, and wait for the verdict.

How to Remove the Trojan:Script/Ulthar.A!ml from PC?

It is not easy to see whether the detected file is malicious or not without special software. I recommend checking your system with reliable and effective software like GridinSoft Anti-Malware. It particularly has a function called Custom Scan, which enables scanning archives – the right thing you may need for this case. After doing so, you’ll be sure for sure if it’s a virus or not. Keep your Anti-Malware updated to the latest version and keep yourself safe when surfing the internet.

Trojan:Script/Ulthar.A!ml

The post Trojan:Script/Ulthar.A!ml appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/trojanscript-ulthar-aml/feed/ 0 20049
Trojan:Win32/Randet.A!plock – What is That Detection? https://gridinsoft.com/blogs/trojan-win32-randet-a-plock/ https://gridinsoft.com/blogs/trojan-win32-randet-a-plock/#respond Tue, 18 Jul 2023 16:01:18 +0000 https://gridinsoft.com/blogs/?p=16012 Windows Defender’s mass detections of Trojan:Win32/Randet.A!plock worries people. Are the user files complained about by Defender malicious? Trojan:Win32/Randet.A!plock Microsoft Defender Detection Recently, users have been actively discussing on thematic forums on the network about Windows Defender triggering on files that, according to the Defender, are Trojan:Win32/Randet.A!plock. According to users, the detected file may be a… Continue reading Trojan:Win32/Randet.A!plock – What is That Detection?

The post Trojan:Win32/Randet.A!plock – What is That Detection? appeared first on Gridinsoft Blog.

]]>
Windows Defender’s mass detections of Trojan:Win32/Randet.A!plock worries people. Are the user files complained about by Defender malicious?

Trojan:Win32/Randet.A!plock Microsoft Defender Detection

Recently, users have been actively discussing on thematic forums on the network about Windows Defender triggering on files that, according to the Defender, are Trojan:Win32/Randet.A!plock. According to users, the detected file may be a legitimate program, an anti-reader program, a game, or a file belonging to a legitimate program. A Reddit user is confused trying to figure out why TickTick, which he downloaded from the official site, Defender detects as Severe Trojan.

“Is anyone get the same issue as the image below? I tried installing TickTick many times but still got the same issue. Do you have any solution to fix this?” – Reddit user.

Microsoft Defender detect screenshot
Microsoft Defender detects TickTick as a Trojan.
Just logged into to look into this. Exact same thing. I installed for the first time yesterday. As I was setting up this morning, I saw a notification at the bottom saying there was an update. As the update was going ahead Windows Security said there was a severe threat. Same file as OP, I had to quarantine.”comments

Roblox Studio users have encountered a similar problem.

Like a hour ago my windows defender detected roblox studio as trojan ” Win32/Randet.A!plock”. I know that it detected roblox studio as trojan because when i clicked to delete trojan then my roblox studio closed and deleted it also happened when i downloaded it second time.user post
Error with starting the Roblox Studio screenshot
Roblox Studio user sharing error with starting the program.

While these are not the only cases, users online are wary of these Defender notifications. However, some admit that the Defender’s detects may be false.

this is happening all over. Also with steam games and other downloadable content. Something is messed up with windows security I assume. Or someone has managed to get a trojan virus in about ever downloadable content on the web.dissatisfied Reddit user

What is Trojan:Win32/Randet.A!plock?

As for Trojan:Win32/Randet.A!plock, it is normally a malware. More specifically, it is a stealer, which is obviously unpleasant and justifies users’ fears. We have a separate article dedicated to this malware type. But in short, info stealers can steal your personal and sensitive data by infiltrating your system. Attackers use this data for fraud, theft, or blackmail. They can also access your social media and email accounts to spread malware.

Although, in this case, the Defender’s triggering is more of a false positive, some users note that after installing the latest Windows updates, the false positive problem disappears. However, some users report that they still have the problem even after the update. Antivirus software can produce false positives due to imperfect detection algorithms, database updates, and fuzzy heuristic algorithms. Users can check suspicious files with online antivirus scanners or reliable desktop antimalware solutions to address this issue and exclude safe files from scanning.

VirusTotal scan results
The result of scanning the file on VirusTotal

Make sure your system is clean.

Windows Defender is a good antivirus tool. Users can forgive it for some mistakes since it is free and part of the OS by default. However, attackers do not forgive mistakes. If you encounter a Trojan:Win32/Randet.A!plock detection notification, we recommend checking your system with a third-party anti-malware tool, such as GridinSoft Anti-Malware. This solution can work with Defender and provide advanced protection without overloading the system.

Trojan:Win32/Randet.A!plock – What is That Detection?

The post Trojan:Win32/Randet.A!plock – What is That Detection? appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/trojan-win32-randet-a-plock/feed/ 0 16012
How to Report a False Positive Detection? https://gridinsoft.com/blogs/how-to-report-the-false-detection/ https://gridinsoft.com/blogs/how-to-report-the-false-detection/#respond Tue, 12 Jul 2022 12:18:25 +0000 https://blog.gridinsoft.com/?p=3118 Gridinsoft is an antivirus software company that provides powerful solutions for detecting and removing malware from computers. However, sometimes our software may generate false positive detections, which can frustrate users. If you believe we have wrongly detected a legitimate file as malware, you can report the false positive detection to us. Here are the steps… Continue reading How to Report a False Positive Detection?

The post How to Report a False Positive Detection? appeared first on Gridinsoft Blog.

]]>
Gridinsoft is an antivirus software company that provides powerful solutions for detecting and removing malware from computers. However, sometimes our software may generate false positive detections, which can frustrate users. If you believe we have wrongly detected a legitimate file as malware, you can report the false positive detection to us. Here are the steps to follow:

🚩 Automatical False Positive Submission

Before the removal process, if you select the action “Ignore Always” for the file we are receiving a notation on this issue, and count it as False Detection.

  1. Gather Information: Before you report a false positive detection to Gridinsoft, you should gather some important information about the file that was flagged as malware. This includes the name and location of the file, as well as any other relevant details such as the size, date modified, and the software that the file is associated with.
  2. Verify the False Positive Detection: It is important to verify that the detection is indeed a false positive before reporting it to Gridinsoft. You can do this by submitting the file to an online malware analysis tool or by scanning it with other antivirus software.
  3. Contact Gridinsoft: Once you have confirmed that the detection is a false positive, you can contact Gridinsoft to report the issue. The easiest way to do this is by using their online contact form. In your message, be sure to include the following information:
    • The name of the detected file
    • The name and version of the Gridinsoft software you are using
    • The reason why you believe the detection is a false positive
    • Any other relevant details about the file and your system
  4. Provide Supporting Evidence: To help Gridinsoft investigate the issue, you may also want to provide supporting evidence such as a screenshot of the detection or a log file generated by the antivirus software. This will help us to understand the issue better and determine the cause of the false positive detection.
  5. Follow Up: After you have reported the false positive detection, it is important to follow up with Gridinsoft to ensure that the issue is resolved. They may ask for additional information or request that you submit the file for further analysis. Be sure to respond promptly to any requests and provide any additional information that may be needed.

In conclusion, if you believe that Gridinsoft has generated a false positive detection, it is important to report the issue to us. By following the steps outlined above, you can help to ensure that legitimate files are not incorrectly flagged as malware and that Gridinsoft remains accurate and effective.

The post How to Report a False Positive Detection? appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/how-to-report-the-false-detection/feed/ 0 3118