Malwarebytes Team,
I'm a support engineer from Datto and we've released Datto Drive (https://dattodrive.com/), which is our FSS platform and includes a sync client that runs as an active process in the system tray. I was informed by one of our partners that he had run Datto Drive with Malwarebytes' Anti-Ransomware without issue while on version 0.9.14.361. As soon as an update was performed to 0.9.15.416, it began targeting dattodrive.exe, as the log indicates:
06/08/16 " 08:45:59.867" 428935843 MbCommonSigVerify 08e0 1684 VerifyFile "FileVerify.cpp" 479 INFO "Opening C:\Program Files (x86)\dattodrive\dattodrive.exe for verification"
06/08/16 " 08:46:00.901" 428936875 MbCommonSigVerify 08e0 1684 GetCertFromImageHeader32 "FileVerify.cpp" 1073 INFO "Cert32 address is zero"
06/08/16 " 08:46:00.901" 428936875 MbCommonSigVerify 08e0 1684 VerifyBuffer "FileVerify.cpp" 883 INFO "The Certificate is not there!"
06/08/16 " 08:46:00.901" 428936875 MbCommonSigVerify 08e0 1684 VerifyFile "FileVerify.cpp" 526 INFO "C:\Program Files (x86)\dattodrive\dattodrive.exe verification status - c000007b - IsMbam = 242"
06/08/16 " 08:46:18.545" 428954531 CleanControllerImpl 08e0 15cc mb::common::whitelisting::WhiteListManager::IsFileOnlineWhiteListed "WhiteListManager.cpp" 211 DEBUG "MEPS WL request: {
""channel"" : ""release"",
""detections"" : [
{
""filepath"" : ""C:\\Program Files (x86)\\dattodrive\\dattodrive.exe"",
""filesize"" : 35917454,
""md5"" : ""0559351FBCC9E54291661EB2566699F6"",
""sha1"" : ""3C0612DA5ECEDD42F582F762DB8BD25264463ABA"",
""sha256"" : ""64B119EF61A877D2C66AFEF02B00C2A177BC9BE8908FFF6198D027BFBE803389""
}
],
""installation_token"" : ""ku4e4doGhi7pRCwVN1sw1459269036"",
""product_build"" : ""consumer"",
""product_code"" : ""MBRW-C"",
""product_version"" : ""0.9.15""
Running an exclusion would allow the executable to be restored, but it has left us perplexed why the executable is picked up as ransomware. Any insight and fix would be appreciated! Feel free to e-mail me at
All the best,
Jeffrey
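The "Cert32 address is zero" and "The Certificate is not there!" lines show the scanner looking for an embedded Authenticode signature in the PE header before falling back to an online hash whitelist (the MEPS WL request). As an added example, not Malwarebytes' or Datto's code, here is a Python check that does the same two things on a file: read the certificate table entry (IMAGE_DIRECTORY_ENTRY_SECURITY) from the optional header and compute the hash fields the whitelist request carries. The minimal PE32 image used as input is constructed inline.

```python
import hashlib
import struct
SECURITY_DIRECTORY_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directories

def security_directory(data: bytes):
    """(file_offset, size) of the Authenticode certificate table, or None when
    the PE has no embedded signature (the "Cert32 address is zero" case)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                               # after COFF header
    magic, = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:                                      # PE32
        count_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                                    # PE32+
        count_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs, = struct.unpack_from("<I", data, count_off)
    if num_dirs <= SECURITY_DIRECTORY_INDEX:
        return None
    entry = dirs_off + 8 * SECURITY_DIRECTORY_INDEX
    offset, size = struct.unpack_from("<II", data, entry)   # file offset, not an RVA
    return (offset, size) if offset and size else None

def whitelist_hashes(data: bytes) -> dict:
    """Same fields as the MEPS WL request in the log (upper-case hex digests)."""
    return {"filesize": len(data),
            "md5": hashlib.md5(data).hexdigest().upper(),
            "sha1": hashlib.sha1(data).hexdigest().upper(),
            "sha256": hashlib.sha256(data).hexdigest().upper()}

def build_sample_pe32(cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (headers only) used as sample input; with
    cert_blob a WIN_CERTIFICATE table is appended and referenced from the header."""
    hdr = bytearray(b"MZ".ljust(0x40, b"\0"))               # DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    opt = bytearray(224)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    image = hdr + b"PE\0\0" + coff + opt
    if cert_blob:
        # WIN_CERTIFICATE: dwLength, wRevision 0x200, wCertificateType 2 (PKCS#7)
        cert = struct.pack("<IHH", 8 + len(cert_blob), 0x200, 2) + cert_blob
        struct.pack_into("<II", image, 0x40 + 24 + 96 + 32, len(image), len(cert))
        image += cert
    return bytes(image)
```

Run `security_directory` on a real binary by reading it with `open(path, "rb").read()`; a `None` result is exactly what the log reports for dattodrive.exe, and `whitelist_hashes` gives the values to quote when asking for the file to be whitelisted.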