albesp77

Members
Posts: 4
Reputation: 0 Neutral
  1. I don't like my computer to be inspected by unknown people. Anyway, here is an extract from the log and a screenshot of the configuration. It seems that you check whether it is whitelisted against your online database, but it does not work as an internal exclusion list.

     02/05/16 " 07:59:06.269" 34798097 AntiRansomwareControllerImpl 0d04 1914 mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 621 INFO "Received threat detection callback from ARW SDK, ObjectPath=C:\totalcmd\TOTALCMD64.EXE, MD5=00"
     02/05/16 " 07:59:06.301" 34798144 MbCommonSigVerify 0d04 1914 VerifyFile "FileVerify.cpp" 479 INFO "Opening C:\totalcmd\TOTALCMD64.EXE for verification"
     02/05/16 " 07:59:06.322" 34798160 MbCommonSigVerify 0d04 1914 ParseForIndirectData "FileVerify.cpp" 5597 ERROR "Certificate Indirect hash mismatch. 5597, ??"
     02/05/16 " 07:59:06.322" 34798160 MbCommonSigVerify 0d04 1914 VerifyCertData "FileVerify.cpp" 3506 ERROR "Certificate indirect data error 3506, ??"
     02/05/16 " 07:59:06.322" 34798160 MbCommonSigVerify 0d04 1914 VerifyFile "FileVerify.cpp" 526 INFO "C:\totalcmd\TOTALCMD64.EXE verification status - c000000d - IsMbam = 0"
     02/05/16 " 07:59:06.413" 34798253 AntiRansomwareControllerImpl 0d04 1914 mb::common::whitelisting::WhiteListManager::IsFileOnlineWhiteListed "WhiteListManager.cpp" 211 DEBUG "MEPS WL request: { ""channel"" : """", ""detections"" : [ { ""filepath"" : ""C:\\totalcmd\\TOTALCMD64.EXE"", ""filesize"" : 8151936, ""md5"" : ""49F64C8C9B8D08CB517E01AD491C029F"", ""sha1"" : ""04D6298E1B78F1C5DC9E75384C3B6C3BC340AE17"", ""sha256"" : ""0C257845918798CA2D8C2AD9724A8CAAAC86D12EF872CC821BD6062357A9BE00"" } ], ""installation_token"" : ""GvDgs7Kx__DKjYaUMvx81454528565"", ""product_build"" : ""consumer"", ""product_code"" : ""MBRW-C"", ""product_version"" : ""0.9.9"" }"
     02/05/16 " 07:59:07.186" 34799018 HttpConnection 0d04 1914 mb::common::net::HttpConnection::SendRequest "HttpConnection.cpp" 169 DEBUG "HTTP request success"
     02/05/16 " 07:59:07.186" 34799018 AntiRansomwareControllerImpl 0d04 1914 mb::common::whitelisting::WhiteListManager::IsFileOnlineWhiteListed "WhiteListManager.cpp" 221 DEBUG "HTTP status code: 200, response body: {""results"":[]} "
     02/05/16 " 07:59:07.186" 34799018 AntiRansomwareControllerImpl 0d04 1914 mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 661 DEBUG "The detected file is NOT whitelisted, sending an action request to the SDK to kill this process. ObjectPath=C:\totalcmd\TOTALCMD64.EXE."
     02/05/16 " 07:59:08.909" 34800749 AntiRansomwareControllerImpl 0d04 1910 mb::arwcontrollerimpl::ArwCleanupScheduler::RemediateThreatObjects "ArwCleanupScheduler.cpp" 247 INFO "Received a results callback from ARW SDK - ObjectPath = C:\totalcmd\TOTALCMD64.EXE, ActionTaken=ARW_ACTION_KILL_THREAD, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
     02/05/16 " 07:59:08.909" 34800749 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 320 DEBUG "Before call to GetLicenseConfig"
     02/05/16 " 07:59:08.909" 34800749 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 324 DEBUG "After call to GetLicenseConfig"
     02/05/16 " 07:59:08.909" 34800749 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 328 DEBUG "After call to GetRansomwareSamplesURL"
     02/05/16 " 07:59:08.955" 34800796 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 340 DEBUG "After call to AddClientFieldsToARWDetectionData, URL = https://mbarw.mb-cosmos.com/samples"
     02/05/16 " 07:59:08.955" 34800796 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 350 DEBUG "Created HTTP connection"
     02/05/16 " 07:59:08.970" 34800812 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 358 DEBUG "About to write to temp file: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\arw_f42c7ed2-cbd5-11e5-9b0c-f46d0439d4a7.tmp"
     02/05/16 " 07:59:08.970" 34800812 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 364 DEBUG "Wrote JSON data to temp file"
     02/05/16 " 07:59:08.970" 34800812 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 376 DEBUG "Before call to UploadFile"
     02/05/16 " 08:00:02.882" 34854710 AntiRansomwareControllerImpl 0d04 10c0 mb::arwcontrollerimpl::ArwControllerImpl::AddExclusion "ArwControllerImplHelper.cpp" 342 INFO "Successfully added exclusion of type=0, path=C:\totalcmd\TOTALCMD64.EXE."
     02/05/16 " 08:00:36.752" 34888594 AntiRansomwareControllerImpl 0d04 1914 mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 621 INFO "Received threat detection callback from ARW SDK, ObjectPath=C:\Windows\explorer.exe, MD5=00"
     02/05/16 " 08:00:36.778" 34888609 AntiRansomwareControllerImpl 0d04 1914 mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 656 INFO "The detected file is whitelisted, ignoring this detection! ObjectPath=C:\Windows\explorer.exe."
     02/05/16 " 08:00:38.916" 34890746 AntiRansomwareControllerImpl 0d04 1910 mb::arwcontrollerimpl::ArwCleanupScheduler::RemediateThreatObjects "ArwCleanupScheduler.cpp" 247 INFO "Received a results callback from ARW SDK - ObjectPath = C:\Windows\explorer.exe, ActionTaken=ARW_ACTION_ALLOW, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
     02/05/16 " 08:00:47.510" 34899342 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 380 DEBUG "After call to UploadFile, status: 200"
     02/05/16 " 08:00:47.511" 34899342 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 385 DEBUG "Deleted JSON temp file"
     02/05/16 " 08:00:47.511" 34899342 ArwController 0d04 0bbc CArwController::SendThreatFileToServerCallback "ArwController.cpp" 550 INFO "Successfully sent the detected file and info to server."
     02/05/16 " 08:00:47.511" 34899342 TelemCtrlImpl 0d04 0bbc TelemetryControllerImpl::SendRansomwareStreamData "TelemetryControllerImplHelper.cpp" 1108 DEBUG "Sending JSON data to BAMBI ransomware stream: { ""client"" : { ""architecture"" : ""x64"", ""build"" : ""consumer"", ""caller"" : { ""name"" : ""ARWController"", ""trigger"" : ""Detection"" }, ""filesystem"" : ""ntfs"", ""os_version"" : ""Windows 7 Service Pack 1"", ""program"" : ""MBRW-C"", ""version"" : ""0.9.9.314"" }, ""header"" : { ""request_id"" : ""2ee8c17acbd611e5ab8cf46d0439d4a7"", ""time"" : ""2016-02-05T07:00:47Z"", ""uuid"" : ""083a9fdacb8611e5adc4f46d0439d4a7"" }, ""license"" : { ""license_state"" : ""licensed"" }, ""ransomware"" : { ""detections"" : [ { ""disposition"" : ""ARW_ACTION_KILL_THREAD"", ""md5hash"" : ""00"", ""pid"" : 5716, ""proc_path"" : ""C:\\totalcmd\\TOTALCMD64.EXE"" } ] } }"
     02/05/16 " 08:00:48.125" 34899966 ArwController 0d04 0bbc CArwController::TelemetryDataCallback "ArwController.cpp" 642 INFO "Successfully sent the ransomware data to telemetry server."
     02/05/16 " 08:00:48.134" 34899966 ArwController 0d04 0bbc CArwController::SubmitToCleanNotification "ArwController.cpp" 511 INFO "Successfully submitted detection results for cleaning."
     02/05/16 " 08:00:48.134" 34899966 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 320 DEBUG "Before call to GetLicenseConfig"
     02/05/16 " 08:00:48.134" 34899966 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 324 DEBUG "After call to GetLicenseConfig"
     02/05/16 " 08:00:48.134" 34899966 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 328 DEBUG "After call to GetRansomwareSamplesURL"
     02/05/16 " 08:00:48.134" 34899966 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 340 DEBUG "After call to AddClientFieldsToARWDetectionData, URL = https://mbarw.mb-cosmos.com/samples"
     02/05/16 " 08:00:48.134" 34899966 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 350 DEBUG "Created HTTP connection"
     02/05/16 " 08:00:48.135" 34899966 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 358 DEBUG "About to write to temp file: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\arw_2f47f9e2-cbd6-11e5-afef-f46d0439d4a7.tmp"
     02/05/16 " 08:00:48.135" 34899966 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 364 DEBUG "Wrote JSON data to temp file"
     02/05/16 " 08:00:48.135" 34899966 CloudCtrlImpl 0d04 0bbc CloudControllerImplHelper::SubmitRansomwareDetection "CloudControllerImplHelper.cpp" 376 DEBUG "Before call to UploadFile"
     02/05/16 " 08:00:48.167" 34899997 CleanControllerImpl 0d04 18f4 Cleaner::Clean "Cleaner.cpp" 49 INFO "Start clean of client , detection resultsC:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ArwDetections\2f469a48-cbd6-11e5-afef-f46d0439d4a7.json"
     02/05/16 " 08:00:48.188" 34900028 CleanController 0d04 18ec CCleanController::FireCleanStateChanged "CleanController.cpp" 587 DEBUG "Firing clean state changed, results ID = C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ArwDetections\2f469a48-cbd6-11e5-afef-f46d0439d4a7.json, cleanState = 1"
     02/05/16 " 08:00:50.845" 34902680 MbCommonSigVerify 0d04 18f4 VerifyFile "FileVerify.cpp" 479 INFO "Opening C:\totalcmd\TOTALCMD64.EXE for verification"
     02/05/16 " 08:00:50.864" 34902696 MbCommonSigVerify 0d04 18f4 ParseForIndirectData "FileVerify.cpp" 5597 ERROR "Certificate Indirect hash mismatch. 5597, ??"
     02/05/16 " 08:00:50.864" 34902696 MbCommonSigVerify 0d04 18f4 VerifyCertData "FileVerify.cpp" 3506 ERROR "Certificate indirect data error 3506, ??"
     02/05/16 " 08:00:50.864" 34902696 MbCommonSigVerify 0d04 18f4 VerifyFile "FileVerify.cpp" 526 INFO "C:\totalcmd\TOTALCMD64.EXE verification status - c000000d - IsMbam = 0"
     02/05/16 " 08:00:50.957" 34902790 CleanControllerImpl 0d04 18f4 mb::common::whitelisting::WhiteListManager::IsFileOnlineWhiteListed "WhiteListManager.cpp" 211 DEBUG "MEPS WL request: { ""channel"" : """", ""detections"" : [ { ""filepath"" : ""C:\\totalcmd\\TOTALCMD64.EXE"", ""filesize"" : 8151936, ""md5"" : ""49F64C8C9B8D08CB517E01AD491C029F"", ""sha1"" : ""04D6298E1B78F1C5DC9E75384C3B6C3BC340AE17"", ""sha256"" : ""0C257845918798CA2D8C2AD9724A8CAAAC86D12EF872CC821BD6062357A9BE00"" } ], ""installation_token"" : ""GvDgs7Kx__DKjYaUMvx81454528565"", ""product_build"" : ""consumer"", ""product_code"" : ""MBRW-C"", ""product_version"" : ""0.9.9"" }"
     02/05/16 " 08:00:51.689" 34903523 HttpConnection 0d04 18f4 mb::common::net::HttpConnection::SendRequest "HttpConnection.cpp" 169 DEBUG "HTTP request success"
     02/05/16 " 08:00:51.689" 34903523 CleanControllerImpl 0d04 18f4 mb::common::whitelisting::WhiteListManager::IsFileOnlineWhiteListed "WhiteListManager.cpp" 221 DEBUG "HTTP status code: 200, response body: {""results"":[]} "
     02/05/16 " 08:00:56.397" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::GetLinkedTraces "LinkingEngine.cpp" 556 DEBUG "Getting linked traces for C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.398" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::AddAsLinkedTrace "LinkingEngine.cpp" 608 DEBUG "Added new linked trace C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.398" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::GetLinkedTraces "LinkingEngine.cpp" 556 DEBUG "Getting linked traces for C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.398" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::AddAsLinkedTrace "LinkingEngine.cpp" 608 DEBUG "Added new linked trace C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.398" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::GetLinkedTraces "LinkingEngine.cpp" 556 DEBUG "Getting linked traces for C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.398" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::AddAsLinkedTrace "LinkingEngine.cpp" 608 DEBUG "Added new linked trace C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.398" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::GetLinkedTraces "LinkingEngine.cpp" 556 DEBUG "Getting linked traces for C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.398" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::AddAsLinkedTrace "LinkingEngine.cpp" 608 DEBUG "Added new linked trace C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.398" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::GetLinkedTraces "LinkingEngine.cpp" 556 DEBUG "Getting linked traces for C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.398" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::AddAsLinkedTrace "LinkingEngine.cpp" 608 DEBUG "Added new linked trace C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.398" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::GetLinkedTraces "LinkingEngine.cpp" 556 DEBUG "Getting linked traces for C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.398" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::AddAsLinkedTrace "LinkingEngine.cpp" 608 DEBUG "Added new linked trace C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.398" 34908234 CleanControllerImpl 0d04 18f4 LinkingEngine::GetLinkedTraces "LinkingEngine.cpp" 556 DEBUG "Getting linked traces for C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.409" 34908250 CleanControllerImpl 0d04 18f4 DOREngine::PreCleanIsRebootRequired "DOREngine.cpp" 87 INFO "Must reboot, special file C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.410" 34908250 CleanControllerImpl 0d04 18f4 QuarantineEngine::QuarantineFile "QuarantineEngine.cpp" 275 INFO "Quarantining C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.430" 34908265 CleanControllerImpl 0d04 18f4 RemovalEngine::RemoveFile "RemovalEngine.cpp" 1351 INFO "Cleaning file C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.655" 34908484 CleanControllerImpl 0d04 18f4 RemovalEngine::DeleteFileAPI "RemovalEngine.cpp" 1453 INFO "Deleting file C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.996" 34908827 CleanControllerImpl 0d04 18f4 RemovalEngine::DeleteFileAPI "RemovalEngine.cpp" 1531 ERROR "Verification of deleting file C:\totalcmd\TOTALCMD64.EXE failed!"
     02/05/16 " 08:00:56.996" 34908827 CleanControllerImpl 0d04 18f4 RemovalEngine::RemoveFile "RemovalEngine.cpp" 1438 INFO "Scheduling DOR cleaning for file C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.996" 34908827 CleanControllerImpl 0d04 18f4 QuarantineEngine::QuarantineFile "QuarantineEngine.cpp" 323 INFO "Succeeded quarantining file C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.997" 34908827 CleanController 0d04 18ec CCleanController::FireQuarantineItemAdded "CleanController.cpp" 627 DEBUG "Firing quarantine item added, id=30e55c40-cbd6-11e5-b4b0-f46d0439d4a7, path=C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.997" 34908827 CleanControllerImpl 0d04 18f4 QuarantineEngine::Quarantine "QuarantineEngine.cpp" 238 DEBUG "Ignoring (no quarantine/removal) of process/modules C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.997" 34908827 CleanControllerImpl 0d04 18f4 QuarantineEngine::Quarantine "QuarantineEngine.cpp" 238 DEBUG "Ignoring (no quarantine/removal) of process/modules C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.997" 34908827 CleanControllerImpl 0d04 18f4 QuarantineEngine::Quarantine "QuarantineEngine.cpp" 238 DEBUG "Ignoring (no quarantine/removal) of process/modules C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.997" 34908827 CleanControllerImpl 0d04 18f4 QuarantineEngine::Quarantine "QuarantineEngine.cpp" 238 DEBUG "Ignoring (no quarantine/removal) of process/modules C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.998" 34908827 CleanControllerImpl 0d04 18f4 QuarantineEngine::Quarantine "QuarantineEngine.cpp" 238 DEBUG "Ignoring (no quarantine/removal) of process/modules C:\totalcmd\TOTALCMD64.EXE"
     02/05/16 " 08:00:56.998" 34908827 CleanControllerImpl 0d04 18f4 QuarantineEngine::Quarantine "QuarantineEngine.cpp" 238 DEBUG "Ignoring (no quarantine/removal) of process/modules C:\totalcmd\TOTALCMD64.EXE"
  2. Excuse me, this is not a false positive problem; this is a software bug that absolutely does not consider the files shown in the exclusion list!
  3. Hi to all, it seems that also with the latest build the exclusion list does not work correctly: some software, like Total Commander, that generates heavy disk activity is closed immediately and goes to delete on next reboot, but it is present in the exclusion list!
  4. For me it continues, as in the old build, to not respect the exclusion list; it keeps blocking software that is in the exclusion list. It is totally unusable!
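The log in the first post above is a complete trace of one decision chain: ARW SDK detection, Authenticode check (status c000000d), a MEPS online-whitelist lookup that returns an empty result set, a kill, an exclusion added a minute later, and then a clean-up pass that still quarantines the same file and schedules it for delete-on-reboot. The script below is an added example, not Malwarebytes code: it parses that record layout (inferred from the post; the field meanings and the event labels are this script's own assumptions), rebuilds a per-file timeline, and flags any punitive step logged after an exclusion for the same path. SAMPLE_LOG is a subset of the records from the post, transcribed verbatim.

```python
"""Rebuild per-file timelines from MBARW 0.9.9 service-log records.  Added
example, not Malwarebytes code: the record layout and SAMPLE_LOG are transcribed
from the post above; the event labels are this script's own.  It shows what is
sent to the online whitelist (MEPS) per file and flags any kill, quarantine or
delete-on-reboot step logged after an exclusion for that file was added."""
import json
import re
from collections import defaultdict
from datetime import datetime
# date "time" tick component pid tid function "source" line LEVEL "message";
# quotes inside the message are doubled (CSV-style), so it is matched greedily.
RECORD_RE = re.compile(
    r'^(\d\d/\d\d/\d\d) " ([\d:.]+)" (\d+) (\S+) ([0-9a-f]{4}) ([0-9a-f]{4}) '
    r'(\S+) "([^"]+)" (\d+) (\w+) "(.*)"$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s",]+')        # first Windows path in a message
PUNITIVE = {"KILL_REQUESTED", "ACTION ARW_ACTION_KILL_THREAD", "DELETE_ON_REBOOT", "QUARANTINED"}

def parse_record(line):
    """Split one record into the fields we need; None if the line is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    g = m.groups()
    msg = g[10].replace('""', '"')                   # undo CSV quote doubling
    p = PATH_RE.search(msg)
    # JSON bodies double the backslashes and some messages end the path with a full stop
    path = p.group(0).replace("\\\\", "\\").rstrip(".").upper() if p else None
    return {"ts": datetime.strptime(f"{g[0]} {g[1]}", "%m/%d/%y %H:%M:%S.%f"),
            "tid": g[5], "func": g[6].rsplit("::", 1)[-1], "msg": msg, "path": path}

def classify(rec):
    """Map a record to a coarse event label, or None for noise."""
    f, m = rec["func"], rec["msg"]
    if f == "ArwShimDetectionCallback":
        if m.startswith("Received threat detection"):
            return "DETECTED"
        if "NOT whitelisted" in m:
            return "KILL_REQUESTED"
        if "is whitelisted" in m:
            return "LOCAL_WL_HIT"                    # answered locally, no cloud round trip
    if f == "VerifyFile" and "verification status" in m:
        return "SIGCHECK " + re.search(r"status - (\w+)", m).group(1)
    if f == "IsFileOnlineWhiteListed" and m.startswith("MEPS WL request"):
        sent = json.loads(m.split(":", 1)[1])["detections"][0]
        return "MEPS_WL_QUERY " + ",".join(sorted(sent))   # per-file fields that leave the host
    if f == "IsFileOnlineWhiteListed" and "response body" in m:
        hits = json.loads(m.split("response body:", 1)[1]).get("results")
        return "MEPS_WL " + ("HIT" if hits else "MISS")
    if f == "RemediateThreatObjects":
        return "ACTION " + re.search(r"ActionTaken=(\w+)", m).group(1)
    if f == "AddExclusion":
        return "EXCLUSION_ADDED"
    if f == "PreCleanIsRebootRequired":
        return "DELETE_ON_REBOOT"
    if f == "QuarantineFile" and m.startswith("Quarantining"):
        return "QUARANTINED"

def build_timelines(lines):
    """{path: [(timestamp, event), ...]} in time order; a record with no path of
    its own (the MEPS response) is charged to the last path seen on its thread."""
    timelines, last_path = defaultdict(list), {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["path"]:
            last_path[rec["tid"]] = rec["path"]
        ev = classify(rec)
        if ev:
            timelines[rec["path"] or last_path.get(rec["tid"])].append((rec["ts"], ev))
    return {p: sorted(evs, key=lambda e: e[0]) for p, evs in timelines.items()}

def exclusion_violations(timelines):
    """Paths hit by a punitive step after an exclusion for them was logged."""
    out = {}
    for path, events in timelines.items():
        added = [ts for ts, ev in events if ev == "EXCLUSION_ADDED"]
        late = [e for e in events if added and e[0] > added[0] and e[1] in PUNITIVE]
        if late:
            out[path] = late
    return out

# Subset of the records in the post above, one record per string, verbatim.
SAMPLE_LOG = [
    r'02/05/16 " 07:59:06.269" 34798097 AntiRansomwareControllerImpl 0d04 1914 mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 621 INFO "Received threat detection callback from ARW SDK, ObjectPath=C:\totalcmd\TOTALCMD64.EXE, MD5=00"',
    r'02/05/16 " 07:59:06.413" 34798253 AntiRansomwareControllerImpl 0d04 1914 mb::common::whitelisting::WhiteListManager::IsFileOnlineWhiteListed "WhiteListManager.cpp" 211 DEBUG "MEPS WL request: { ""channel"" : """", ""detections"" : [ { ""filepath"" : ""C:\\totalcmd\\TOTALCMD64.EXE"", ""filesize"" : 8151936, ""md5"" : ""49F64C8C9B8D08CB517E01AD491C029F"", ""sha1"" : ""04D6298E1B78F1C5DC9E75384C3B6C3BC340AE17"", ""sha256"" : ""0C257845918798CA2D8C2AD9724A8CAAAC86D12EF872CC821BD6062357A9BE00"" } ], ""installation_token"" : ""GvDgs7Kx__DKjYaUMvx81454528565"", ""product_build"" : ""consumer"", ""product_code"" : ""MBRW-C"", ""product_version"" : ""0.9.9"" }"',
    r'02/05/16 " 07:59:07.186" 34799018 AntiRansomwareControllerImpl 0d04 1914 mb::common::whitelisting::WhiteListManager::IsFileOnlineWhiteListed "WhiteListManager.cpp" 221 DEBUG "HTTP status code: 200, response body: {""results"":[]} "',
    r'02/05/16 " 07:59:07.186" 34799018 AntiRansomwareControllerImpl 0d04 1914 mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 661 DEBUG "The detected file is NOT whitelisted, sending an action request to the SDK to kill this process. ObjectPath=C:\totalcmd\TOTALCMD64.EXE."',
    r'02/05/16 " 07:59:08.909" 34800749 AntiRansomwareControllerImpl 0d04 1910 mb::arwcontrollerimpl::ArwCleanupScheduler::RemediateThreatObjects "ArwCleanupScheduler.cpp" 247 INFO "Received a results callback from ARW SDK - ObjectPath = C:\totalcmd\TOTALCMD64.EXE, ActionTaken=ARW_ACTION_KILL_THREAD, Result = ARW_RESULT_SUCCESS, RebootRequired = No"',
    r'02/05/16 " 08:00:02.882" 34854710 AntiRansomwareControllerImpl 0d04 10c0 mb::arwcontrollerimpl::ArwControllerImpl::AddExclusion "ArwControllerImplHelper.cpp" 342 INFO "Successfully added exclusion of type=0, path=C:\totalcmd\TOTALCMD64.EXE."',
    r'02/05/16 " 08:00:36.752" 34888594 AntiRansomwareControllerImpl 0d04 1914 mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 621 INFO "Received threat detection callback from ARW SDK, ObjectPath=C:\Windows\explorer.exe, MD5=00"',
    r'02/05/16 " 08:00:36.778" 34888609 AntiRansomwareControllerImpl 0d04 1914 mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 656 INFO "The detected file is whitelisted, ignoring this detection! ObjectPath=C:\Windows\explorer.exe."',
    r'02/05/16 " 08:00:38.916" 34890746 AntiRansomwareControllerImpl 0d04 1910 mb::arwcontrollerimpl::ArwCleanupScheduler::RemediateThreatObjects "ArwCleanupScheduler.cpp" 247 INFO "Received a results callback from ARW SDK - ObjectPath = C:\Windows\explorer.exe, ActionTaken=ARW_ACTION_ALLOW, Result = ARW_RESULT_SUCCESS, RebootRequired = No"',
    r'02/05/16 " 08:00:50.864" 34902696 MbCommonSigVerify 0d04 18f4 VerifyFile "FileVerify.cpp" 526 INFO "C:\totalcmd\TOTALCMD64.EXE verification status - c000000d - IsMbam = 0"',
    r'02/05/16 " 08:00:56.409" 34908250 CleanControllerImpl 0d04 18f4 DOREngine::PreCleanIsRebootRequired "DOREngine.cpp" 87 INFO "Must reboot, special file C:\totalcmd\TOTALCMD64.EXE"',
    r'02/05/16 " 08:00:56.410" 34908250 CleanControllerImpl 0d04 18f4 QuarantineEngine::QuarantineFile "QuarantineEngine.cpp" 275 INFO "Quarantining C:\totalcmd\TOTALCMD64.EXE"',
]

if __name__ == "__main__":
    tl = build_timelines(SAMPLE_LOG)
    print({p: [ev for _, ev in evs] for p, evs in tl.items()}, sorted(exclusion_violations(tl)))
```

Run against the full log from the post, the script prints two timelines: explorer.exe goes DETECTED, LOCAL_WL_HIT, ACTION ARW_ACTION_ALLOW with no network round trip, while TOTALCMD64.EXE goes through a MEPS query (the per-file fields sent are filepath, filesize, md5, sha1 and sha256; the same body also carries the installation_token, product_code and product_version seen in the record), gets an empty result set, is killed, receives an exclusion at 08:00:02, and is still scheduled for delete-on-reboot and quarantined at 08:00:56. That last pair is what exclusion_violations() reports, which matches the behaviour the poster describes.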