Any detection that says !ml in it means Machine Learning... in other words, AI. The same buzzword that says to use Elmer's Glue to thicken pizza sauce and to consume rocks daily.
There's not a lot that I can do aside from create another (meaningless) update that will possibly give a different detection.
VirusTotal automates testing against many engines rather than you manually installing dozens and testing them.
Since I still don't understand your point... perhaps I will try to get one across. I dare you to take a random updater from the following page and have it tell you the result...
You'll hopefully understand how futile it is when nothing gets a 0% detection rate. Or perhaps you'll learn which engines to just ignore. I may care about a false positive from Microsoft... but those other ones, I don't care a bit.
It's understandable that users may be unnerved, since this is the first time an update has triggered this.
I do not think the passive-aggressive comments are helpful or professional. And if you cut through that, you're basically saying "just trust me bro."
It would be helpful to provide a little more information, considering you are the developer and have access to more technical knowledge than most of the users, as well as working knowledge of your own codebase, which if I'm not mistaken is closed-source.
It is not the first time this has happened. My 2nd post has links proving that. In both cases, only the update package is flagged rather than the actual software.
I had slept 3 hours the entire weekend dealing with this and other hotfixes and I get annoyed when people don't explain themselves. It's worse than, "trust me bro". It's, "look at what something else said and I'm parroting". You are not everywhere that I am seeing dozens of people complaining about this for hours and hours. They don't even bother to read the message above theirs before complaining.
Me giving statements is useless because as the source of the software, anything I say is "trust me bro". But I said "!ml" is machine learning and you should not trust in it. I can't say anything else because I am not Microsoft. I did not make the AI determination.
While I don't agree with how Aditu phrased things in this thread, they are not wrong. ML detections, while trained by a significant amount of data that MSFT has collected over decades, are prone to false positives. In this particular case, the detection of Phonzy for this update is a false positive signature that is resolved in the 31 July Defender signature updates (v1.415.423.0) - you can force the signature update in Windows Security. I confirmed this detection no longer occurs.
As a sidenote, Phonzy is just a generic signature - that coupled with ML detection is a pretty big flag of it being benign. Lot of armchair malware analysts here plugging shit into VT thinking that means anything.
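The signature check described in the post above can also be done from PowerShell. This is an added example, not part of the original thread: it compares the installed Defender signature version against the v1.415.423.0 quoted above, requests an update if it is older, and optionally re-scans a file. `$PackagePath` is a hypothetical placeholder for wherever the flagged update package was saved, and an elevated prompt may be needed.

```powershell
param(
    # Hypothetical placeholder: path to the update package that was flagged.
    [string]$PackagePath = ''
)

# Signature version quoted in the thread as containing the corrected signature.
$fixedIn = [version]'1.415.423.0'

function Get-DefenderSignatureVersion {
    # AntivirusSignatureVersion is a property of Get-MpComputerStatus (Defender module).
    [version](Get-MpComputerStatus).AntivirusSignatureVersion
}

$current = Get-DefenderSignatureVersion
if ($current -lt $fixedIn) {
    Write-Host "Signatures $current are older than $fixedIn; requesting an update..."
    Update-MpSignature
    $current = Get-DefenderSignatureVersion
}

if ($current -lt $fixedIn) {
    Write-Warning "Still on $current; the update did not apply (check connectivity or policy)."
    return
}
Write-Host "Signatures $current are at or above $fixedIn."

# Optional: re-scan the package with the updated signatures and list any
# detection that still references it.
if ($PackagePath -and (Test-Path -LiteralPath $PackagePath)) {
    Start-MpScan -ScanType CustomScan -ScanPath $PackagePath
    $fullPath = (Resolve-Path -LiteralPath $PackagePath).Path
    $hits = Get-MpThreatDetection | Where-Object {
        ($_.Resources -join ';') -like "*$fullPath*"
    }
    if ($hits) {
        Write-Warning "Defender still reports a detection for $fullPath."
        $hits | Select-Object InitialDetectionTime, ThreatID, Resources
    } else {
        Write-Host "No detection recorded for $fullPath."
    }
}
```

`Get-MpThreatDetection` returns detection history, so an entry recorded before the signature update will still be listed; compare `InitialDetectionTime` with the time of the re-scan.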
I had a conflict with someone over the word automation. I said automation referred to one thing, they said it referred to another. It refers to both and I don't think my definition was wrong.
I had a conflict with someone over what I am qualified for explaining and I am responsible for explaining. False positives are usually senseless where nothing I say about a specific detection can be substantiated. Microsoft is responsible for properly explaining themselves, but they do not. I will not pretend to be a PR person. As a hobbyist who has never made a profit, I am not required to be "professional" as someone put it. I don't owe explanations for someone else's mistakes. ACT is not obfuscated in any way and its code is reviewed by many people for security or personal reasons. People have even stolen ACT's decompiled source-code and released it as their own. It's that easy.
As a side note: ESET has started flagging the FFXIV parsing plugin this week.
It is not a false positive such as this original topic, but a bad classification by ESET. They are correctly identifying a component of the plugin, but should not be classifying it as a "threat".
If you are affected, please join the Discord linked at the top for any mitigation. It is possible, but difficult for a normal user to solve.
Comments
Just remember you're increasingly at the mercy and whimsy of AI