Jump to content

swwright

Members
  • Posts

    13
  • Joined

  • Last visited

Everything posted by swwright

  1. Here we go again. The Cygwin folks released version 2.876 of their installer a few weeks ago. I have been using it, disabling my older MBARW each time. Inconvenient, but hey, MBARW is still in beta-testing. A few days ago I installed MBARW BETA 8. By the way, thank you for adding the update alert. I found out about BETA 8 immediately (I learned that BETA 7 was released about a month after the release, and only because I came to this forum to see if anything was new). Anyway: today I ran the Cygwin installer to check for updates, found some, and started the installation of same. Whereupon MBARW rushed out of the shadows, blackjacked the Cygwin installer, and stuffed the body in a trash bin. Thank you for moving all the MBARW-related files to a single directory. Attached please find a ZIP archive containing all that stuff. Attached also please find the corpse of my poor Cygwin installer. Please, please, find out why MBARW continues to regard the installer's activities as ransomware. All it is doing is removing outdated Cygwin packages and installing updated or new packages. MalwarebytesARW.zip setup-x86-2.876.exe.zip
  2. OK, I ran the installer past VirusTotal.com. VirusTotal uploaded the installer, and informed me it had already been analyzed, with a score of 0 / 56. It was first analyzed about ten hours before I typed this sentence (at 2016-08-31 15:36:16 UTC). So I instructed VirusTotal to analyze the file again. They ran the file I uploaded through 56 antimalware tools, and again reported a score of 0 positives from 56 different tools.
  3. I am presently using Malwarebytes Anti-Ransomware (BETA) 0.9.16.484. Cygwin have released a new version of their installer: version 2.875. I downloaded it, I ran it, and MBARW stomped on it. Again. Same as it did with version 2.874. Whatever you did to make it not stomp on 2.874, does not work with 2.875. Worse, MBARW stomped on the Cygwin installer while it was updating packages. Cygwin is presently unusable. MBARW not only falsely stopped a useful program, it BROKE the useful program. I'm going to go back to my former practice: when I update Cygwin packages (which is done via their installer), I will disable MBARW first. Then enable it when I'm done. Attached please find the MBARW logs, taken after I rebooted my PC. Also please find the "Malwarebytes Anti-Ransomware" folder, both before the reboot and after. The two sets of files are different in number and in content, so I'm sending them both. Finally, please find a ZIP archive of the Cygwin installer, version 2.875. Which you people claim is dangerous. I disagree. At present, I must regard MBARW itself as more dangerous. logs.zip Malwarebytes Anti-Ransomware-BeforeReboot.zip Malwarebytes Anti-Ransomware.zip setup-x86-2.875.exe.zip
  4. Discovered this morning (29 June) that a new version of MBARW was released on 10 June. Updated MBARW. Tested it by updating Cygwin (there were about a dozen updated packages, plenty of opportunity to trigger a reaction). No reaction from MBARW. The Cygwin update proceeded without incident. I believe you have fixed the Cygwin updater false positive bug. Thank you!
  5. You are correct. I have consistently written "setup.exe" in this thread, but the filename is "setup-x86.exe". This may have caused confusion, and I apologize. There's nothing like incorrect data to help an investigation 8-(
  6. Sigh. OK, here are all the files: The gotten-out-of-jail "setup.exe", the logs, the Anti-Ransomware folder, and, just for kicks, the quarantine folder (done before getting setup.exe out of jail, and containing two quarantined files: setup.exe and a setup-2.874.exe which had been quarantined earlier and left there). The last item is a 7-Zip archive, the others are PK-ZIP format. The logs is called logsCopy.zip because I had to make a copy of the folder (the other choice being stop your service so that 7-Zip didn't think the current log was in use). I should note that after I broke setup.exe out of jail, I downloaded a fresh copy of the Cygwin installer and compared the two files (using WinMerge, which does a byte-by-byte compare). They are dentical. Whatever you guys thought is ransomware is precisely what Cygwin is currently distributing to all Cygwin users. The lack of any other complaints about the Cygwin installer is (loose logic though it be) evidence to me that Cygwin is not distributing malware. Malwarebytes Anti-Ransomware.zip setup-x86.zip logsCopy.zip Quarantine.7z
  7. Well, my last note was not final after all. This morning I ran the Cygwin installer to do an update. Again, there were numerous update including an update to the GCC compiler, which I use a lot. So I proceeded with the update. And while packages were being downloaded, Malwarebytes AntiRansomware grabbed "setup.exe" by the throat and tossed it in the jail (quarantine). This is getting annoying. OK, having ranted a bit, let's get to the point: I had noted in an earlier post that perhaps MBARW was picking on Cygwin because I had renamed the installer to include the current version (for purposes of keeping track of my own software). This turns out not to be the case. "E:\Cygwin\install\setup.exe" was quarantined even though I did not change the name this time. AND: SETUP.EXE WAS QUARANTINED IN SPITE OF THE FACT THAT IT IS IN MY EXCLUSION LIST! Anybody care to tell me what's going on here? I'm pretty sure that one of these two statements must be correct: (1) setup.exe is being falsely identified as ransomware; or (2) setup.exe does contain ransomware and was infected at Cygwin.com before I downloaded it. I'm betting on #1, because (a) the Cygwin folks are pretty careful about what they put up on their site, and (b) I appear to be one of only two people that has this problem (and ingber noted that it only happened on ONE of his machines, and the Cygwin installer was byte-for-byte indentical on both machines). It follows that MBARW is not consistent from machine to machine. And there is no way to know what updates were applied to which instance of MBARW, as far ask I know.
  8. A final note: After several days of watching this topic, I gave up, downloaded a fresh copy of the Cygwin 32-bii installer, and ran it (as Administrator, per my usual practice). There were, as it happens, numerous updates waiting, and the run took over a half hour. Time for MBARW to intervene was plenteous. MBARW did nothing and the update proceeded without issue. This time I left the filename alone (foregoing my usual practice of revising the filename "setup.exe" to "setup-2.874.exe" or whatever the current version number is). I surmise that MBARW "knows" about Cygwin's "setup.exe" but was "concerned" about something claiming to be Cygwin that had an unfamiliar name (setup-2.874.exe"). This may explain why I alone among all Cygwin users had this issue. I should note that "setup.exe" is in the MBARW exclusion list. However, last time "setup-2.874.exe" was in the exclusion list and it was STILL noticed and quarantined. I should note also that I have no way of knowing what updates, if any, were applied to my copy of MBARW in the last few days; therefore I know not whether the filename was a factor or if MBARW was "fixed". The application makes no information available about the currency of its database or algorithms or whatever. I would hope this will be addressed when the product goes live.
  9. Another oddity: although setup.exe was quarantined again (I see the two files in the Quarantine folder), the setup file was not removed from the Cygwin\install folder this time. Possible bug? Activity says quarantine it, presence in exclusion list says don't remove it. So it is "partially quarantined"?
  10. Addendum to "false positive" report: After adding the setup program to my exclusion list and re-enabling the Anti-Ransomware tool, I ran the Cygwin setup program again. The setup program checked the SHA sums of the packages it downloaded in the previous session, then started updating packages, and MBARW reported it has detected ransomware activity and quarantined the setup program again, even though the file is in my exclusion list. As soon as I post this message, I will reboot my system as requested by MBARW. I will not remove the Cygwin setup program from quarantine until I hear from you folks. Thanks!
  11. Anti-Ransomware BETA has flagged "setup.exe" as ransomware, and quarantined it. setup.exe is the Cygwin installer/updater; it connects to selected mirrors of the Cygwin package repository, downloads requested or updated packages, and installs them. At the time MBARW quarantined the file, I was updating my Cygwin installation (setup.exe was running). I am following your procedure for restoring the file and reporting a false positive. I scanned the file with MBAM and (for what it's worth) Symantec Endpoint Protection. Neither found anythying amiss with the setup.exe file. I therefore conclude that this is a false positive. Per your procedure, which I actually read this time ;-) , THREE PK-ZIP archives are attached to this post: * The setup.exe file. Please note, the actual filename is "setup-2.874.exe"; over the years I have gotten in the habit of appending the version number to the filename when I download an updated copy. * The Malwarebytes Anti-Ransomware directory and all its contents. * The MBAMService\logs directory and all its contents. Please note, in order to successfully archive the logs directory using 7-Zip, I had to first stop the "MB3Service" service. This should perhaps be added to the instructions. Thank you. setup-x86-2.874.exe.zip Malwarebytes Anti-Ransomware.zip logs.zip
  12. Thanks, Bob! I cleared the exclusion list, and will wait a couple of days and see if it triggers again. I presume my copy of the software was automatically updated. It would be nice to have some control, or at least visibility, concerning updates in the final product. Thanks again for the anti-ransomware product.
  13. Anti-Ransomware BETA has flagged "dash.exe" as ransomware and quarantined it. FYI, Dash is the Debian Almquist Shell, a minimalist alternative to Bash for those who use Unix, Linux, Cywin, or similar. At the time MBARW quarantined the file, Cygwin was not running. I am following your procedure for restoring the file and reporting a false positive. I also scanned the file with MBAM and (for what it's worth) Symantec Endpoint Protection. Neither found anythying amiss with the dash.exe file. I therefore conclude that this is a false positive. Per your procedure, two PK-ZIP archives are attached to this post, one containing a copy of the dash.exe file (48KB), and the other containing a copy of the MBARW log directory (182KB). Thank you. dash.zip logs.zip
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.