
Waves VST blocked by Windows security as trojan


Sunraw


I have been using the Waves VST synth Bass Fingers with no problem, but it suddenly got quarantined by Windows Security. I tried to reinstall the VST instrument but it won't work. I'll wait for Waves to get back to me before releasing it from quarantine because it seems to be a serious threat. I was wondering if anyone else has seen this.

Screenshot 2021-07-06 181449.png


As a general rule antimalware applications use a "signature" to detect known malware. The signature is a small section of code that is known to be present in the malware, but there is no guarantee that a similar sequence of bytes will not also exist in other application code. That coincidental similarity accounts for much of the false positive reports/behavior in antimalware systems. Different antimalware applications often use a different signature to define the malware, so it is pretty common to find a legitimate application triggering as malware on one antivirus but not on another. You can compare the response of a variety of antivirus programs using an online tool like VirusTotal.  A rigorous response to a false positive would be for the developer to provide a reliable hash (SHA, MD5 etc.) for their legitimate file so that you can compare the file on your system with what they can confirm is an unaltered safe version. It is pretty unlikely that a bad actor would be able to embed malware in a random file on your system, so if the developer has had multiple reports of similar problems they can pretty safely just tell you that your version is OK without detailed analysis.
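The false positive and the hash check described in the post above, as an added example (not part of the original post and not any antivirus product's code): two hypothetical engines use different signatures for the same constructed sample, and a constructed legitimate file trips only one of them. All byte strings, engine names and function names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample data: no bytes here come from real malware or a real product.
SIG_A = b"\xde\xad\xbe\xef\x13\x37"
SIG_B = b"\xca\xfe\xf0\x0d\x42\x42"
MALWARE = b"MZ" + SIG_A + b"payload" + SIG_B + b"end"
# Two hypothetical engines each chose a different slice of MALWARE as its signature.
ENGINE_SIGNATURES = {"engine_a": SIG_A, "engine_b": SIG_B}
# A legitimate data file whose contents happen to include engine_a's byte sequence.
VENDOR_FILE = b"RIFF" + bytes(range(64)) + SIG_A + bytes(range(64, 128))


def scan(data):
    """Return the engines whose signature occurs anywhere in data."""
    return sorted(name for name, sig in ENGINE_SIGNATURES.items() if sig in data)


def digest(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo="sha256", chunk=1 << 20):
    """Hash a file on disk in chunks, so large plugin files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches_published(data, published):
    """Compare data with a vendor-published hex digest (algorithm inferred from length)."""
    published = published.strip().lower()
    algo = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}.get(len(published))
    if algo is None:
        raise ValueError("unrecognised digest length")
    return hmac.compare_digest(digest(data, algo), published)


def triage(local, published):
    """A match only proves the file is byte-identical to the vendor's reference copy."""
    flagged = scan(local)
    if not flagged:
        return "not flagged"
    if matches_published(local, published):
        return "flagged by %s, unmodified vendor file" % ", ".join(flagged)
    return "flagged by %s, differs from vendor file: keep quarantined" % ", ".join(flagged)
```

For a file on disk, pass the output of `digest_file(path)` to the same comparison against the digest the vendor publishes.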


2 hours ago, slartabartfast said:

there is no guarantee that a similar sequence of bytes will not also exist in other application code.

Thanks, that's what I figured. I assume a real trojan would not pop up so noticeably in an app that I installed. It's strange though because Waves did not respond to me asking if this was a known issue and it happened again after today's security update. This time it quarantined the same file calling it Trojan:Script/Conteban.A!ml. So it seems Microsoft has broadened what they define as suspect.


16 hours ago, slartabartfast said:

A rigorous response to a false positive would be for the developer to provide a reliable hash (SHA, MD5 etc.) for their legitimate file so that you can compare the file on your system with what they can confirm is an unaltered safe version. It is pretty unlikely that a bad actor would be able to embed malware in a random file on your system, so if the developer has had multiple reports of similar problems they can pretty safely just tell you that your version is OK without detailed analysis.

This is a good choice for obtaining a "safe" copy of the product from some location, but if the developer is infected (and there have been many of those) then the hash doesn't help, and of course if someone embeds crooked code (ahem, you game manufacturers know this...) then it's even worse when you have a bad insider...


Anybody else see that pathname and think "what the heck is that?"?

Maybe it's a sample file but doesn't have a .wav extension for purposes of obfuscation. Wouldn't surprise me, it's Waves. Audio files are not going to contain any reliable malware signatures, but without an audio-related extension the antivirus software wouldn't know that's what it was.

 
