Win.MxResIcn.Heur.Gen Detection Flags Legit Programs

The first public complaints about MaxSecure antivirus detecting safe programs as Win.MxResIcn.Heur.Gen appeared around June 14. A huge amount of similar reports followed up. Users say about quite a few programs of different types getting detected. Among them are Brave browser, Process Lasso tool, some mods for Roblox, and even GridinSoft Anti-Malware installer.

Users complain about the Win.MxResIcn.Heur.Gen false positive detection

Users complain about the Win.MxResIcn.Heur.Gen false positive detection

Users complain about the Win.MxResIcn.Heur.Gen false positive detection

Users complain about the Win.MxResIcn.Heur.Gen false positive detection

By design, Win.MxResIcn.Heur.Gen is a generic name for a detection made with heuristic detection system. That system is supposed to track the behavior of programs, seeking for the patterns typical for malicious programs. Considering the “true” detections, this specific name normally appears with spyware, backdoors, and remote-access trojans. I suppose it is about the networking activity patterns these malware types have in common.

However, despite how long heuristic detection systems have been around, they still require confirmation from other detection systems. These days, malware can intentionally mimic legitimate programs by using specific system calls, commands, and network requests, so it may be hard to distinguish between the two. Implementing a preventive rule (“whatever behaves like that is malicious”) may easily lead to a wave of false positives as we can see now.

What should I do?

If you see this detection on VirusTotal after uploading the file that you think is safe, you can just ignore it. It is doubtful that the heuristic engine of MaxSecure knows something that the other 70+ vendors don’t. Whether you feel like helping with fixing this up, consider reporting the issue to the antivirus support. Alternatively, you can report it to the developers of a detected program.

Things are different for the users who run MaxSecure in their systems. To get rid of the detection popping up constantly, one needs to add each of the detected apps to the whitelist. This may be tedious, especially when the program goes crazy and detects a good half of the software you have installed.

For that reason, disabling the security solution until the developers fix this issue may be a viable option. But to prevent leaving your system unprotected, I’d recommend installing GridinSoft Anti-Malware instead. This program will be a great substitute for the bugged antivirus, and with the free trial option, you will be able to test all the features of the program right from the start.

The post Win.MxResIcn.Heur.Gen appeared first on Gridinsoft Blog.

What is Trojan:Script/Ulthar.A!ml?

Trojan:Script/Ulthar.A!ml is a generic detection name assigned by Microsoft Defender to a malicious script. Such threats may belong to different malware families, but to simplify the designation, Microsoft groups them by characteristics.

The majority of known Ulthar A!ml cases are attributed to file archives, both of the .zip/.rar and .jar formats. This implies that the detection refers to a threat that uses code packing. Considering the features of archived files, including virtualization used to run Java archives, it is important to take this detection seriously.

Ulthar.A!ml Malware Analysis

During the analysis of Trojan:Script/Ulthar.A!ml, I’ve detected quite a lot of cases when it was assigned to benign files, i.e. was a false positive detection. Popular malware sandboxes and collections did not contain any fresh samples of the malware detected with this name. At the same time, there were some similar malware samples, which simplified my research.

The signature name gives a couple of clues to start with. Trojan:Script is a header attributed to malicious scripts; “Trojan” part means it may be of any purpose, from gaining initial access to collecting data and delivering other malware. The proper name, “Ulthar“, is not a reference to a Lovecraft book but an umbrella designation of malicious software that shares similar properties. And this is where other clues appear.

As I said, sandboxes do not keep any records regarding Trojan:Script/Ulthar.A!ml, i.e. this specific name. However, VirusTotal keeps the analysis of a malicious program detected as Trojan:Win32/Ulthar.A!ml – not completely the same thing. But the fact that it has the same name means it shares the same core functions with that one Ulthar we are interested in.

So, what is Ulthar trojan? According to the data from several sources, it is a backdoor, with quite a tricky detection and analysis evasion procedure. It in particular checks whether it is running on a VM or the debug environment, and then protects its file and directory it is located in. After doing all these checks and actions, Ulthar switches to collecting system information – most likely, to create a fingerprint and ease the distinction between this machine and others.

Typically for backdoors, Ulthar provides remote access to the system. However it looks like this access is not about a real-time connection, but about remote changes done to the system. Malware grants hackers a lengthy list of things they can do in the infected system. This functionality ranges from editing system registry and directories to launching specific files. The latter, actually, is the biggest potential danger, as it means Ulthar can deploy other malware.

Is Trojan:Script/Ulthar.A!ml False Positive?

As I’ve mentioned, Trojan:Script/Ulthar.A!ml name often appears as a false positive detection. In fact, the majority of online feedback points at this detection pointing at completely legit and safe files, particularly game mods kept in archives. And while malware can be stored in archives, the detections described by different users are related to the files that are quite hard to doubt.

One specific reason why this false detection appears is its origination from the AI detection system of Microsoft Defender. This is, exactly, what the “!ml” particle in the end stands for. The latter has its merits, but may create problems when failing to confirm the detection through other detection systems. But don’t think all the “!ml” detections are false – this would be a costly mistake!

To see whether the file affected by the Trojan:Script/Ulthar.A!ml detection is false positive or not, consider using our GridinSoft Online Virus Scanner. It is completely free, and will show you whether you should be concerned or not in a matter of seconds. Just upload the file, and wait for the verdict.

How to Remove the Trojan:Script/Ulthar.A!ml from PC?

It is not easy to see whether the detected file is malicious or not without special software. I recommend checking your system with reliable and effective software like GridinSoft Anti-Malware. It particularly has a function called Custom Scan, which enables scanning archives – the right thing you may need for this case. After doing so, you’ll be sure for sure if it’s a virus or not. Keep your Anti-Malware updated to the latest version and keep yourself safe when surfing the internet.

The post Trojan:Script/Ulthar.A!ml appeared first on Gridinsoft Blog.

Trojan:Win32/Randet.A!plock Microsoft Defender Detection

Recently, users have been actively discussing on thematic forums on the network about Windows Defender triggering on files that, according to the Defender, are Trojan:Win32/Randet.A!plock. According to users, the detected file may be a legitimate program, an anti-reader program, a game, or a file belonging to a legitimate program. A Reddit user is confused trying to figure out why TickTick, which he downloaded from the official site, Defender detects as Severe Trojan.

“Is anyone get the same issue as the image below? I tried installing TickTick many times but still got the same issue. Do you have any solution to fix this?” – Reddit user.

Roblox Studio users have encountered a similar problem.

While these are not the only cases, users online are wary of these Defender notifications. However, some admit that the Defender’s detects may be false.

What is Trojan:Win32/Randet.A!plock?

As for Trojan:Win32/Randet.A!plock, it is normally a malware. More specifically, it is a stealer, which is obviously unpleasant and justifies users’ fears. We have a separate article dedicated to this malware type. But in short, info stealers can steal your personal and sensitive data by infiltrating your system. Attackers use this data for fraud, theft, or blackmail. They can also access your social media and email accounts to spread malware.

Although, in this case, the Defender’s triggering is more of a false positive, some users note that after installing the latest Windows updates, the false positive problem disappears. However, some users report that they still have the problem even after the update. Antivirus software can produce false positives due to imperfect detection algorithms, database updates, and fuzzy heuristic algorithms. Users can check suspicious files with online antivirus scanners or reliable desktop antimalware solutions to address this issue and exclude safe files from scanning.

Make sure your system is clean.

Windows Defender is a good antivirus tool. Users can forgive it for some mistakes since it is free and part of the OS by default. However, attackers do not forgive mistakes. If you encounter a Trojan:Win32/Randet.A!plock detection notification, we recommend checking your system with a third-party anti-malware tool, such as GridinSoft Anti-Malware. This solution can work with Defender and provide advanced protection without overloading the system.

The post Trojan:Win32/Randet.A!plock – What is That Detection? appeared first on Gridinsoft Blog.

1. Gather Information: Before you report a false positive detection to Gridinsoft, you should gather some important information about the file that was flagged as malware. This includes the name and location of the file, as well as any other relevant details such as the size, date modified, and the software that the file is associated with.
2. Verify the False Positive Detection: It is important to verify that the detection is indeed a false positive before reporting it to Gridinsoft. You can do this by submitting the file to an online malware analysis tool or by scanning it with other antivirus software.
3. Contact Gridinsoft: Once you have confirmed that the detection is a false positive, you can contact Gridinsoft to report the issue. The easiest way to do this is by using their online contact form. In your message, be sure to include the following information:
   • The name of the detected file
   • The name and version of the Gridinsoft software you are using
   • The reason why you believe the detection is a false positive
   • Any other relevant details about the file and your system
4. Provide Supporting Evidence: To help Gridinsoft investigate the issue, you may also want to provide supporting evidence such as a screenshot of the detection or a log file generated by the antivirus software. This will help us to understand the issue better and determine the cause of the false positive detection.
5. Follow Up: After you have reported the false positive detection, it is important to follow up with Gridinsoft to ensure that the issue is resolved. They may ask for additional information or request that you submit the file for further analysis. Be sure to respond promptly to any requests and provide any additional information that may be needed.

In conclusion, if you believe that Gridinsoft has generated a false positive detection, it is important to report the issue to us. By following the steps outlined above, you can help to ensure that legitimate files are not incorrectly flagged as malware and that Gridinsoft remains accurate and effective.

The post How to Report a False Positive Detection? appeared first on Gridinsoft Blog.