swwright

Members
  • Content Count

    13

Community Reputation

0 Neutral

About swwright

  • Rank
    New Member
  1. Here we go again. The Cygwin folks released version 2.876 of their installer a few weeks ago. I have been using it, disabling my older MBARW each time. Inconvenient, but hey, MBARW is still in beta-testing. A few days ago I installed MBARW BETA 8. By the way, thank you for adding the update alert. I found out about BETA 8 immediately (I learned that BETA 7 was released about a month after the release, and only because I came to this forum to see if anything was new). Anyway: today I ran the Cygwin installer to check for updates, found some, and started the installation of same.
  2. OK, I ran the installer past VirusTotal.com. VirusTotal uploaded the installer, and informed me it had already been analyzed, with a score of 0 / 56. It was first analyzed about ten hours before I typed this sentence (at 2016-08-31 15:36:16 UTC). So I instructed VirusTotal to analyze the file again. They ran the file I uploaded through 56 antimalware tools, and again reported a score of 0 positives from 56 different tools.
  3. I am presently using Malwarebytes Anti-Ransomware (BETA) 0.9.16.484. Cygwin have released a new version of their installer: version 2.875. I downloaded it, I ran it, and MBARW stomped on it. Again. Same as it did with version 2.874. Whatever you did to make it not stomp on 2.874, does not work with 2.875. Worse, MBARW stomped on the Cygwin installer while it was updating packages. Cygwin is presently unusable. MBARW not only falsely stopped a useful program, it BROKE the useful program. I'm going to go back to my former practice: when I update Cygwin packages (which is don
  4. Discovered this morning (29 June) that a new version of MBARW was released on 10 June. Updated MBARW. Tested it by updating Cygwin (there were about a dozen updated packages, plenty of opportunity to trigger a reaction). No reaction from MBARW. The Cygwin update proceeded without incident. I believe you have fixed the Cygwin updater false positive bug. Thank you!
  5. You are correct. I have consistently written "setup.exe" in this thread, but the filename is "setup-x86.exe". This may have caused confusion, and I apologize. There's nothing like incorrect data to help an investigation 8-(
  6. Sigh. OK, here are all the files: The gotten-out-of-jail "setup.exe", the logs, the Anti-Ransomware folder, and, just for kicks, the quarantine folder (done before getting setup.exe out of jail, and containing two quarantined files: setup.exe and a setup-2.874.exe which had been quarantined earlier and left there). The last item is a 7-Zip archive, the others are PK-ZIP format. The logs is called logsCopy.zip because I had to make a copy of the folder (the other choice being stop your service so that 7-Zip didn't think the current log was in use). I should note that after I broke setup
  7. Well, my last note was not final after all. This morning I ran the Cygwin installer to do an update. Again, there were numerous updates including an update to the GCC compiler, which I use a lot. So I proceeded with the update. And while packages were being downloaded, Malwarebytes AntiRansomware grabbed "setup.exe" by the throat and tossed it in the jail (quarantine). This is getting annoying. OK, having ranted a bit, let's get to the point: I had noted in an earlier post that perhaps MBARW was picking on Cygwin because I had renamed the installer to include the current versi
  8. A final note: After several days of watching this topic, I gave up, downloaded a fresh copy of the Cygwin 32-bit installer, and ran it (as Administrator, per my usual practice). There were, as it happens, numerous updates waiting, and the run took over a half hour. Time for MBARW to intervene was plenteous. MBARW did nothing and the update proceeded without issue. This time I left the filename alone (forgoing my usual practice of revising the filename "setup.exe" to "setup-2.874.exe" or whatever the current version number is). I surmise that MBARW "knows" about Cygwin's "set
  9. Another oddity: although setup.exe was quarantined again (I see the two files in the Quarantine folder), the setup file was not removed from the Cygwin\install folder this time. Possible bug? Activity says quarantine it, presence in exclusion list says don't remove it. So it is "partially quarantined"?
  10. Addendum to "false positive" report: After adding the setup program to my exclusion list and re-enabling the Anti-Ransomware tool, I ran the Cygwin setup program again. The setup program checked the SHA sums of the packages it downloaded in the previous session, then started updating packages, and MBARW reported it has detected ransomware activity and quarantined the setup program again, even though the file is in my exclusion list. As soon as I post this message, I will reboot my system as requested by MBARW. I will not remove the Cygwin setup program from quarantine until I hear
  11. Anti-Ransomware BETA has flagged "setup.exe" as ransomware, and quarantined it. setup.exe is the Cygwin installer/updater; it connects to selected mirrors of the Cygwin package repository, downloads requested or updated packages, and installs them. At the time MBARW quarantined the file, I was updating my Cygwin installation (setup.exe was running). I am following your procedure for restoring the file and reporting a false positive. I scanned the file with MBAM and (for what it's worth) Symantec Endpoint Protection. Neither found anything amiss with the setup.exe file. I therefo
  12. Thanks, Bob! I cleared the exclusion list, and will wait a couple of days and see if it triggers again. I presume my copy of the software was automatically updated. It would be nice to have some control, or at least visibility, concerning updates in the final product. Thanks again for the anti-ransomware product.
  13. Anti-Ransomware BETA has flagged "dash.exe" as ransomware and quarantined it. FYI, Dash is the Debian Almquist Shell, a minimalist alternative to Bash for those who use Unix, Linux, Cygwin, or similar. At the time MBARW quarantined the file, Cygwin was not running. I am following your procedure for restoring the file and reporting a false positive. I also scanned the file with MBAM and (for what it's worth) Symantec Endpoint Protection. Neither found anything amiss with the dash.exe file. I therefore conclude that this is a false positive. Per your procedure, two PK-ZIP arch