
LiquidTension

Everything posted by LiquidTension

  1. The latest version of RanSim is completely unrealistic and does not simulate the behaviour that real-world ransomware typically exhibits. More concretely, the latest version of RanSim only encrypts files in a non-standard working directory inside %LocalAppData% (i.e. C:\Users\XYZ\AppData\Local\RSimulator\TestFolder\Tests\XX-Tests) and does not encrypt files in directories where real-world users’ files are typically found (e.g. Desktop, Downloads, Documents, etc.). Therefore, RanSim does not simulate real ransomware behaviour and therefore does not trigger our behaviour-based Anti-Ransomware detection engine. See the attached image. We have tested Malwarebytes Anti-Ransomware against all ransomware families that RanSim attempts to simulate, and we can confirm that we do detect and block (relying on behaviour, not signatures) the encryption activity of those ransomware families. The only exception is RigSimulator (which simulates a Monero mining rig) which is not ransomware. However, we detect the RigSimulator malware family with our rule-based anti-malware engine.
  2. Thank you for the information. From the provided logs, there's no indication Malwarebytes is causing this. If you're able to replicate the issue occurring on-demand (the transition from a functioning file to non-functioning), the Process Monitor instructions provided above should hopefully give us a better idea of the cause.
  3. Hi @Ezraen, What type of files does this affect? Are you encountering this with random files or specific files? Can you provide an example of one of the file paths you're experiencing this with? The Ransomware Protection component in Malwarebytes has file blocking functionality that prevents the file from being launched, permissions adjusted, etc. This is performed (sometimes silently) when the program cannot definitively conclude a file should be quarantined, but for safety reasons does not want to allow the file to be launched again. However, this will only occur with executable files and is temporary (up until the next Windows session). Please carry out the instructions in post #2 and reply back with the generated file so we can take a closer look.
  4. Hi @Tyrinne, Thank you for reporting the issue and letting us know it's now resolved. There are a couple of known issues currently that will sometimes prevent an update from successfully completing. To help us better understand what happened here, please could you carry out the steps in post #2 and reply back with the generated file. This will help tell us if what you encountered is something we're already aware of.
  5. Hi @nyxk, This is caused by an issue in Dell Backup and Recovery. See here for more information: https://www.dell.com/community/Productivity-Software/Backup-and-Recovery-causing-applications-using-Qt5-DLLs-to-crash/td-p/4590325 After uninstalling this program, you should find the crash no longer occurs.
  6. Great, thanks for confirming. We'll be investigating this further in an effort to find a solution for the root cause of the issue.
  7. Hi @hake, What version of RanSim are you using? Could you provide a screenshot of your results please?
  8. Thank you for confirming. Investigation into the Web Protection issue is still ongoing, so unfortunately we don't have a fix for this yet. Regarding the printer issue, could you provide some additional information please: How are you connecting the printer to the computer? Please run Farbar Recovery Scan Tool and attach the generated files: https://support.malwarebytes.com/hc/en-us/articles/360039025013-Run-Farbar-Recovery-Scan-Tool-to-gather-logs Please export the System and Application event logs: https://social.technet.microsoft.com/wiki/contents/articles/52088.windows-10-how-to-save-a-copy-of-the-event-viewer-application-and-system-logs.aspx
  9. Once we have a fix available in Malwarebytes version 4, we'll update the forum so you know when the exclusions can be removed.
  10. Thank you for confirming. Could you add the following path as a folder exclusion in Malwarebytes and check if this mitigates the issue you're experiencing with SpectrumBuilder: C:\current data\radio\Pskov NDB\PskovNDB 2.0 See here for more information: https://support.malwarebytes.com/hc/en-us/articles/360038479234-Add-to-the-Allow-List-in-Malwarebytes-for-Windows-v4
  11. Please carry out the instructions in post #2 and provide the generated file.
  12. Thank you for the information. We have a defect filed for this issue. Can you try adding the installation folder for Avidemux and the other software as an exclusion in Malwarebytes? This was found to mitigate the issue.
  13. Great, thank you for confirming. We hope to make this fix available in a future Malwarebytes version 4 update. In the meantime, users should continue to add the application's folder to the Allow List to mitigate the issue.
  14. The "Repair System" feature in Malwarebytes Support Tool also has an option to resolve WMI-related issues. It can be found in the Advanced page of the tool.
  15. Thank you for the report. We have a defect filed for this issue and hope to have a fix available in the future. Regarding workarounds, you also have the option of reverting to an earlier component package version, which will allow you to keep Web Protection enabled. You can download this from here: https://malwarebytes.box.com/s/z6cravnwptrzx5tyjw36jq6zt6c7apsx Once installed, you will need to disable the two update options found in Settings -> General -> Application updates to prevent the product from updating back to the affected version.
  16. We hope to have a fix available in a future Malwarebytes update. Currently, the fix is available in the latest version of standalone Malwarebytes Anti-Ransomware: https://forums.malwarebytes.com/topic/211708-latest-version-mbarw-beta-v-0918807-build-278-released-feb-5-2020/
  17. The exclusions/allowed items will remain in place and can be manually removed.
  18. Hi Boby, Thanks for reporting the issue. Could you try the latest standalone version of Malwarebytes Anti-Ransomware and let us know if you still encounter an issue: https://forums.malwarebytes.com/topic/211708-latest-version-mbarw-beta-v-0918807-build-278-released-feb-5-2020/ Before installing, you will need to uninstall Malwarebytes version 4 if it is still installed.
  19. Thank you for the data, @chuckstanley. We're reviewing it currently. Can you provide details on what you're typically doing when the BSOD occurs? Is there a particular set of actions that typically trigger it or is it random? Logs indicate you have BitDefender installed along with leftovers from Kaspersky. This may be a contributing factor. Please start by running the Kaspersky removal tool and rebooting the machine: https://support.kaspersky.com/common/uninstall/1464 Afterwards, could you try temporarily uninstalling BitDefender, rebooting and then checking if the BSODs persist with Web Protection enabled? ----- @EvilPeppard Thank you as well. Could you provide us with the full memory dump at C:\Windows\MEMORY.dmp as well please?
  20. Thanks for the information. Can you provide the names of the software you're using along with the steps you're taking that result in the issue occurring?
  21. Hi @TempLost, Is this machine in an IPv6-enabled environment? Could you run the following batch file as Administrator and provide the generated output (saved to the Desktop) please? ----- If your testing indicates that Web Protection is likely the culprit, it would be useful to generate some additional troubleshooting data. Open Malwarebytes > Settings > Enable the Event log data setting. Enable Web Protection. Wait for the issue to occur. Once the issue has occurred: Rerun the batch file from earlier and attach the file. Run the Malwarebytes Support Tool and gather logs. Make a note of any significant events/actions that took place prior to the issue occurring.
  22. If you're having issues with the batch file, you could manually download and run Process Monitor instead: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon Further details on the current issue you're experiencing would be helpful. ----- We have a new Anti-Ransomware build that includes performance improvements which you could also try. See if there are any improvements with the issues caused by Ransomware Protection. Details (including a download link) can be found here: https://forums.malwarebytes.com/topic/211708-latest-version-mbarw-beta-v-0918807-build-278-released-feb-5-2020/ Before installing, you will need to temporarily uninstall Malwarebytes version 4 (which can then be reinstalled once Anti-Ransomware standalone is removed). Here is a download link for an earlier version of Malwarebytes version 4: https://malwarebytes.box.com/s/z6cravnwptrzx5tyjw36jq6zt6c7apsx
  23. Thank you for the data. Your issue with Firefox and program updates is caused by a known issue with Web Protection in IPv6 environments. We have a defect filed for this. We have a new Anti-Ransomware build that includes performance improvements. Could you try this out and let us know if you see any improvement with the issues caused by Ransomware Protection? Details (including a download link) can be found here: https://forums.malwarebytes.com/topic/211708-latest-version-mbarw-beta-v-0918807-build-278-released-feb-5-2020/ Before installing, you will need to temporarily uninstall Malwarebytes version 4 (which can then be reinstalled once Anti-Ransomware standalone is removed).
  24. Hi @PhilBurton, Thank you for the feedback. We've released a fix for this issue in the latest Malwarebytes Anti-Ransomware standalone: https://forums.malwarebytes.com/topic/211708-latest-version-mbarw-beta-v-0918807-build-277-released-feb-4-2020/ We hope to make this available to other Malwarebytes products in upcoming releases.