
False positive regarding MAME exe, please fix this.

  • 2 January 2021
  • 23 replies
  • 218 views

Kaspersky, please fix this. No other AV on virustotal is detecting this file as a virus. MAME has been a trusted arcade emulator for 20 years. The site (mamedev.org) is secure and has never had a malware problem. Please fix.



Hello @voorhees_13

Welcome back!

  • Check the detected object using Kaspersky Open Threat portal and select the Submit to reanalyze option, add your email address & comments to send to Kaspersky experts for further analysis.
  • Log a case with Kaspersky Technical Support, fill in the template as in our image; zip the .exe file, name the zip archive malware, or infected & protect the zip archive with a password, add the zip archive to the request; add the password to the request; in the problem description provide a detailed history, images & or video: if they help explain the problem & the URL/link to this Community topic: Support may request Logs & or other system data, they will guide you if necessary:

 

 

  • After submitting the case, you’ll receive an automated email with an INC+12digits reference number, then, normally, within 5 business days, a Kaspersky Technical Support human will be in touch, also by email, you may continue to engage with the Kaspersky Technical Team via email or by updating the INC in their MyKaspersky account.
  • Please share the outcome with the Community when it’s available? 

 

Thank you:pray_tone3:

Flood:whale:+:whale2:


I had already just deleted everything in the folder off my pc, is it possible to still go ahead with the case? Kaspersky will just auto quarantine the .exe and I won’t be able to upload it.


Hello @voorhees_13

Thank you for posting back:ok_hand_tone3:

The Kaspersky Virus Analysts need the exe to determine the issue. 

You may need to pause KTS while you collect & submit the data. 

Thank you:pray_tone3:

Flood:whale:+:whale2:


How would I go about pausing KTS?


Hello @voorhees_13

Thank you for posting back:ok_hand_tone3:

On the Windows Taskbar, right-click the Kaspersky icon and select Pause protection.

 

 

Thank you:pray_tone3:

Flood:whale:+:whale2:


The file was too large to be uploaded normally, and it was detected as malware even through the .rar I uploaded it as, and every time I tried to send the object for re-validation, it throws me an error.


Hello @voorhees_13

Thank you for posting back:ok_hand_tone3:

OK, upload the file to any cloud service, for example Google Drive, OneDrive, Mega Drive or Ice drive, create a share link, and add the share link to your incident request.

Thank you:pray_tone3:

Flood:whale:+:whale2:

@Flood and Flood's wife 

MAME’s latest official builds are always posted here: https://www.mamedev.org/release.html

Though this false positive also affects any alternate builds made by others, using the publicly available source (being an open-source project).


Hello,

Could you please search for the detection information in the File-AV and System Watcher reports and upload a screenshot of that information? That would help us understand the issue.

Regards.


Hello @ICEknight

Thank you. 

Kaspersky needs the file @voorhees_13 is working with.

Flood:whale:+:whale2:


Hello @ICEknight 

In my test, no detection event was found in MAME. Could you check whether this issue has gone away on your side, or whether there is a special step which could trigger detection, such as loading a game package or other information? Please let us know.

Regards.

@Wesly.Zhang @Flood and Flood's wife 

I got that false positive today (with the exe getting automatically quarantined after just opening the folder it was in), with the “mame230_32bit.7z” build which can be downloaded from here:  https://drive.google.com/drive/folders/1eiNztWEpk0C7CiiZXz0SMDM_eJOmb0FO

It seems to have been randomly happening with certain builds for some time now, as can be read in this discussion from January, which also gives some hints on its possible reasons: https://forums.bannister.org/ubbthreads.php?ubb=showflat&Number=118317

 


Hello,

Do you use an x86 OS?

Regards.


Hello @ICEknight

Apologies, we had no idea, from your original post, you were also affected by the issue:disappointed_relieved:
Thank you:pray_tone3:

Flood:whale:+:whale2:

 

Do you use a x86 OS?

 

Yes, though I don’t think the others who reported this do.



Hello,

Could you give me an official download source? I see the official website, but I cannot find an x86 build.

You have an x86 OS, so maybe you can download an x86 version. Please give me the download URL for the 32-bit build. I cannot access Google cloud because of national policy. Sorry.

Regards.

 


 

There’s no official 32 bit builds anymore. I’ve reuploaded it here: https://file.io/xLdLyXjKerAp

@Wesly.Zhang 

You have all previous official releases in this link, including 64 and (old) 32 bit binaries: https://www.mamedev.org/oldrel.html

I’ve reuploaded the latest unofficial 32 bit binaries here, since the file.io link has expired and I can’t edit posts here: https://rapidshare.io/Ts5/mame230_32bit.7z


Hello,

I have received the sample you provided to me. In my opinion (I may not have looked at all the assembly code, because this file is really big), this is a false positive. But this point needs to be confirmed by the KL virus lab. The relevant file has been submitted and we are waiting for their confirmation. (INC000012750277)

If they reply any information, I will post here.

Regards.


Hello,

New information: KL confirms it is a false positive. It will be fixed in relation to the https://file.io/xLdLyXjKerAp sample.

Regards.

 


 

Thanks, any word if they’ll fix it so that the false positive won’t happen with previous and newer (monthly) versions?



Hello,

I am not sure. If it occurs again with a newer version, please send the detected object to KL support or send an e-mail to china-support@kaspersky.com.

Regards.
