MalwareBytes Premium Reporting Possible False Positive With a File in the Acapela Colibri Voice Bundle


David Goldfield
 

Hello. Using Windows 10 Pro, 21 H1 with NVDA 2020.4. I’m also using the Acapela addon with several voices, including the Colibri bundle which is a collection of their lower quality voices. Recently, my instance of MalwareBytes Premium 4.3.0 detected a file in the Colibri package as malware. I reported this to Acapela but so far I’ve received no response. I attempted to report this on their File Detection forum which is where they ask for such reports. Their site has a few accessibility challenges but I’m more or less able to get around them but my message will not be accepted, for reasons which are not entirely clear to me as they have no accessible error handling. Writing to support@... generates an automated response advising me to submit support tickets online, which is what I just attempted to do prior to sending the email. Aside from removing MalwareBytes from my system, which is very tempting, I’d like some other suggestions as to how I can report this. I’m considering using VirusTotal to see how many other red flags they report and that if few are found I can just add the offending file to MB’s allow list. However, this won’t really solve the problem of MB reporting this as malware if, in fact, it is not.

Here is the relevant extract from MB’s notification about this.

-Blocked Malware Details-

File: 1

Malware.Heuristic.1003, C:\Users\david\AppData\Roaming\nvda\addons\Acapela TTS Voices for NVDA - CO voices\bin\Colibri.dll,

The problematic Colibri bundle can be found here. However, the main Acapela driver must also be installed in order for the bundle to even work.

 

 

David Goldfield,

Blindness Assistive Technology Specialist

JAWS Certified, 2019

Subscribe to the Tech-VI announcement list to receive emails regarding news and events in the blindness assistive technology field.

Email: tech-vi+subscribe@groups.io

 

www.DavidGoldfield.org

 

 

 


 

To be honest, I have excluded all blindness related programs from games to screen readers because of false positives like this.

I even went out of my way about 3 years back to get a dual-drive laptop.

The second drive has all my portable games and audio as well as other data on it.

That drive is excluded from scanning by all antivirus and security apps.

There are many program files folders with games and blindness related software which are also excluded.

This is an utterly shitty and crappy, unwise and insecure solution, but it's either that or disable all antivirus and security software and pray to God that I don't get a virus.

Of any real importance is my downloads, and bar that I do clear my temporary files and other junk files with CCleaner each session I do online to minimise things somewhat.

Even so, bar BGT it seems that a lot of accessibility software can have virus-like activity.

After Mozilla and their stance on Firefox and the fact the accessibility features could be used for no good things with a solution to disable them if not in use, I switched to Waterfox.

But while I like Chrome it can have issues and I have heard those I may have to switch to Firefox because Waterfox is going nowhere fast, though I will be putting a separate topic in chat about this.




On Sun, May 23, 2021 at 11:10 PM, Shaun Everiss wrote:
I have excluded all blindness related programs from games to screen readers because of false positives like this.
-
Which really does nothing as far as getting false positives to go away for you, later, and everyone else.  It works, but that's not the point.

I don't have MalwareBytes on this machine, and can't check their reporting mechanism at the moment.  That being said, if you report a false positive to the software maker whose stuff is being flagged, they are generally very motivated to get in touch with the producer of the scanner that's generating that false positive and getting that resolved.  Sadly, sometimes without ever responding to the reporter who told them they've got a false positive coming up.

I've reported multiple false positives over the years and they've often been resolved in less than 24 hours and have remained that way.  That's my goal, so that no one else has to get that same false positive and wonder if it might be real.
--

Brian - Windows 10 Pro, 64-Bit, Version 20H2, Build 19042  

I do not understand why some seek to separate a person from their actions.  The self is composed of an individual’s thoughts, actions, and expression, which are contained in and actuated by the body.  What you do and say is the clearest indicator of who you are.

 

      ~ Brian Vogel

 


 

Hmmm well all BGT stuff is false and the dev doesn't care, besides it's been abandoned, Virtual Recorder does this, and well the dev of that is no more.

There are a few others, but Malwarebytes has all this machine learning and well, put it this way, a standard system with no accessible anything doesn't have that trouble so who knows.




Quentin Christensen
 

I just tweeted to Malware Bytes, and also CC'd Acapela.  Not sure if that will have more impact, but I tried :)

As with Brian, I've reported numerous false positives over the years, and AV manufacturers are generally reasonable about fixing their database - it's not in their best interest to have their software falsely flagging innocent files as viruses - although yes it's more annoying for users and for manufacturers of affected software.

Quentin.



--
Quentin Christensen
Training and Support Manager


 

On Mon, May 24, 2021 at 12:22 AM, Shaun Everiss wrote:
it's been abandoned
-
Still doesn't matter, as the scanner makers are able to do their own analysis to determine whether the positive is real or false.  If they determine it's false, the definitions are updated not to flag that specific piece of software for anyone again.

I can't tell anyone that they must report  suspected false positives to the various scanner makers, but you're doing yourself a favor and a kindness for many, many others if you do this and they respond by making a change to stop the flagging.
 
--

Brian - Windows 10 Pro, 64-Bit, Version 20H2, Build 19042  


 


Quentin Christensen
 

The other point to make is that if you simply whitelist any program which gets a false positive, it also adds the possibility, however remote, of that program getting a real virus which goes unnoticed because you've told your AV to ignore it.

AV programs usually don't flag any given genuine program very often, and as Brian noted, they can usually rectify it within a few days.  I can think of maybe three or four times in the last six years where I've been notified that an AV program (usually different ones) have falsely flagged a build of NVDA, including alpha builds - and given most users run ONE AV program, that's one issue in six years IF you happened to use one of those specific programs and the particular NVDA build flagged.  I don't know how many AV programs there are, but for reference, VirusTotal tests against 88: https://www.virustotal.com/gui/

Kind regards

Quentin.


--
Quentin Christensen
Training and Support Manager
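
The risk raised in the message above, that an allow-listed file can later be replaced without the scanner noticing, and the folder-wide exclusions described earlier in the thread, can both be narrowed by recording each excluded file's SHA-256 when the exclusion is created and re-checking it later. The following Python code is an added example, not part of any post in this thread and not a feature of any scanner named here; the file names and folder layout are constructed stand-ins.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def pin(paths):
    """Record each file's hash at the moment its exclusion is created."""
    return {os.path.abspath(p): sha256_of(p) for p in paths}


def audit(manifest, excluded_dirs=()):
    """Compare excluded files against their pinned hashes.

    Returns {path: status}; status is 'unchanged', 'changed', 'missing',
    or 'unpinned' (a file inside an excluded folder that was never recorded).
    """
    report = {}
    for path, expected in manifest.items():
        if not os.path.isfile(path):
            report[path] = "missing"
        elif sha256_of(path) != expected:
            report[path] = "changed"
        else:
            report[path] = "unchanged"
    for folder in excluded_dirs:
        for root, _dirs, files in os.walk(folder):
            for name in files:
                full = os.path.abspath(os.path.join(root, name))
                report.setdefault(full, "unpinned")
    return report


def needs_rescan(report):
    """Files to scan again before the exclusion is trusted any further."""
    return sorted(p for p, s in report.items() if s in ("changed", "unpinned"))


def demo():
    """Constructed stand-ins for an excluded add-on folder; not real add-on files."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        voice = os.path.join(bin_dir, "voice.dll")    # hypothetical file names
        driver = os.path.join(bin_dir, "driver.dll")
        for path, data in ((voice, b"voice v1"), (driver, b"driver v1")):
            with open(path, "wb") as handle:
                handle.write(data)

        manifest = pin([voice, driver])      # the exclusion is created here

        with open(voice, "wb") as handle:    # the excluded file is later replaced
            handle.write(b"voice v2")
        with open(os.path.join(bin_dir, "extra.dll"), "wb") as handle:
            handle.write(b"unknown")         # a new file lands in the excluded folder

        report = audit(manifest, excluded_dirs=[root])
        by_name = {os.path.basename(p): s for p, s in report.items()}
        flagged = [os.path.basename(p) for p in needs_rescan(report)]
        return by_name, flagged


if __name__ == "__main__":
    statuses, flagged = demo()
    print(statuses)
    print("rescan before trusting:", flagged)
```

The same SHA-256 value can be used to search VirusTotal for an existing report on the exact file that was excluded.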


 

Tell that to Microsoft.

Microsoft has flagged so many things as a virus that I simply exclude a bunch of things by default.


 

Hi,

Actually, I think it would be better to inform Acapela Group.

Cheers,

Joseph

 


 


David Goldfield
 

Shaun, you might want to try VirusTotal which uses a variety of malware detection engines to see if the file or URL has been flagged.

 

 


 

On Mon, May 24, 2021 at 08:47 PM, David Goldfield wrote:
You might want to try VirusTotal which uses a variety of malware detection engines to see if the file or URL has been flagged.
-
Absolutely agreed.

This has been a go-to tool for those of us "in the biz" for years.  Samples are submitted for scanning by about 80 different engines (the number can vary by a couple over time).  If you submit something that 76 engines call as clean and 4 as dirty, you can be pretty darned sure that those 4 are false positives.

Real positives tend to be the flip-flop of the above as far as detection as clean versus dirty.
--

Brian - Windows 10, 64-Bit, Version 21H1, Build 19043  


 


David Goldfield
 

What was a bit odd about my latest VirusTotal scan with this Acapela addon was that it reported that 2 out of 68 engines reported the file as being unsafe. However, VirusTotal reported that MalwareBytes was one of the engines which did not flag this file as being unsafe even though my instance of MB was the one that quarantined the file. I’m not sure what to make of that but I felt reasonably safe with just two engines having an issue with what I submitted.

 

 


 

David,

All these engines use definitions along with heuristics that can and do change with time.  It's very likely that what VirusTotal had from Malwarebytes was a set that was slightly (even ever so slightly) older and different from what the software itself, as installed on your computer, had.

Something worth reading in this arena is something written by security expert Quietman7, who remains very active on BleepingComputer:  Reflections on Antivirus/Antimalware Testing & Comparisons
--

Brian - Windows 10, 64-Bit, Version 21H1, Build 19043  
