ThomasSchulzMS

Members
  • Posts

    18
  • Joined

  • Last visited

Reputation

0 Neutral

  1. For what it is worth, I have not been able to trigger/see any warnings/errors in other online tools such as VirusTotal and others.
  2. Hi, the company has existed since 1978 and has been selling this specific product since 2005: microsystools.com/products/sitemap-generator/ "Malwarebytes: Website blocked due to riskware. We strongly recommend you do not continue. Riskware, or “risky software,” describes legitimate software programs that contain loopholes or vulnerabilities that can be exploited by hackers for malicious purposes." Obviously this warning does not say anything about malicious software or malicious intent, but... I am trying to understand the reason for this warning. Brainstorming leaves these possibilities: 1) Many of my software tools are crawler-based tools. If the user decides to use browser mode: on old Windows systems my software can use the old Microsoft Internet Explorer control, but on newer systems it uses Microsoft WebView2. I do not know if usage of the Internet Explorer control can trigger this warning? 2) I have to keep old versions available for download for people who bought old versions many years ago. However, these are only available under "all downloads", so people know they are downloading old versions. 3) Possibly some vulnerability in some code library used? Is there any way to get this warning cleared? Or get more details? Does Malwarebytes offer an online service where one can see specifically what Malwarebytes does not like? (If indeed there is a potential vulnerability of sorts, I would also appreciate knowing about it and fixing it. Albeit I have to keep old versions available for download.) Under all circumstances, I think blocking a website with legitimate tools is maybe a tad too much. Maybe you could simply show a warning or block specific downloads....
  3. Problem appears fully solved. I even tried using Inno Setup 5.9 (unsigned) on one of my sibling tools - it works now - thank you!
  4. Hi, it appears solved. I had planned on testing more of my tools with the newest version of InnoSetup to be sure, but that process got delayed; I am planning on hopefully getting around to that today!
  5. Okay - attaching here. I renamed the json files in C:\ProgramData\Malwarebytes\MBAMService\ArwDetections with a .txt file extension since I am not allowed to attach json, and also attached C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG. Attachments: 6e55580c-fdc4-11e6-b7db-00248c156224.json.txt 08f4df9a-fe1f-11e6-bde7-00248c156224.json.txt b85e84d6-fe1f-11e6-b28b-00248c156224.json.txt 0c104c72-fe20-11e6-8519-00248c156224.json.txt 72c90940-fe20-11e6-ab3d-00248c156224.json.txt MBAMSERVICE.LOG
  6. What happens near the end is that people can choose to open various sibling product pages. The default is that all check boxes are unchecked, so nothing is launched. Then, at the very end / last page, the installer defaults to: open/run the just-installed program, and open the "like" page in the default browser. It appears opening a browser from inside the installer triggers
     03/01/17 " 03:10:05.158" 2613953 05f0 3e1c INFO AEControllerImpl mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification "AEControllerImplHelper.cpp" 2084 "App Injected (Google Chrome (and plug-ins))"
     03/01/17 " 03:11:17.245" 2686031 05f0 3e1c INFO AEControllerImpl mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification "AEControllerImplHelper.cpp" 2084 "App Injected (Microsoft Edge (and add-ons))"
     It is worth noting my installer uses some simple scripting for e.g. deciding which checkboxes to show and similar. Maybe somehow that is related to the problem. The false positive detection also seems to trigger for another sibling tool as well, so it is probably safe to say all or most of my software is affected by this problem.
  7. The problem is still there. Using 3.0.6 (Trial) with updates "Up to date" on Windows 10 Pro (fully updated). Download from http://www.microsystools.com/products/sitemap-generator/ Specifically the Windows version: http://www.microsystools.com/products/sitemap-generator/sitemap-setup.exe Ran installer ... I have run multiple tests, and it seems not to always be at the same point that it kicks in - but it always kicks in at the latest at the end / just after the installation. ... Here are snippets from the most recent test (just now) from file C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG While I guess a whitelisting solution could suffice, most of my software is built around the same code, installer etc., so my guess is all my software will suffer from this issue. If it is an InnoSetup installer related issue, the problem must be much more widespread than simply limited to me. ...
     03/01/17 " 02:40:33.213" 842000 05f0 1468 INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate "ArwCleanupScheduler.cpp" 531 "Received a results callback from ARW SDK - ObjectPath = C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
     03/01/17 " 02:40:33.947" 842734 05f0 1624 INFO ArwController CArwController::SendThreatFileToServerCallback "ArwController.cpp" 910 "Successfully sent the detected file and info to server."
     03/01/17 " 02:40:34.989" 843781 05f0 1624 INFO ArwController CArwController::TelemetryDataCallback "ArwController.cpp" 1007 "Successfully sent the ransomware data to telemetry server."
     03/01/17 " 02:40:36.945" 845734 05f0 1624 WARNING 7zWrapper mb::common::sevenzip::SevenZipWrapper::CreateZipArchive "7zWrapper.cpp" 1126 "Could not open file: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ARW\mbarwind.arw. Trying to make a copy of it..."
     03/01/17 " 02:40:36.991" 845781 05f0 1624 WARNING 7zWrapper mb::common::sevenzip::SevenZipWrapper::CreateZipArchive "7zWrapper.cpp" 1126 "Could not open file: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\logs\MBAMSERVICE.log. Trying to make a copy of it..."
     03/01/17 " 02:40:41.589" 850375 05f0 1624 INFO ArwController CArwController::SendThreatFileToServerCallback "ArwController.cpp" 910 "Successfully sent the detected file and info to server."
     03/01/17 " 02:40:41.629" 850421 05f0 1624 INFO ArwController CArwController::SubmitToCleanNotification "ArwController.cpp" 871 "Successfully submitted detection results for cleaning."
     03/01/17 " 02:40:41.644" 850437 05f0 13c0 INFO CleanControllerImpl Cleaner::Clean "Cleaner.cpp" 54 "Start of clean, client '', detection results 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ArwDetections\0c104c72-fe20-11e6-8519-00248c156224.json'"
     03/01/17 " 02:40:42.966" 851750 05f0 13c0 ERROR CleanControllerImpl mb::cleanctlrimpl::whitelist::SignatureWhiteLister::IsObjectWhiteListed "SignatureWhiteLister.cpp" 72 "No WHITESIGS found in Clean.mbdb"
     03/01/17 " 02:40:50.906" 859687 05f0 13c0 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::WhiteListManager::IsObjectWhiteListed "WhiteListManager.cpp" 163 "White list status (not cached): File 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe' => None"
     03/01/17 " 02:40:50.906" 859687 05f0 13c0 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::WhiteListManagerCache::IsObjectWhiteListed "WhiteListManagerCache.cpp" 55 "White list status from cache: File 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe' => None"
     03/01/17 " 02:40:50.906" 859687 05f0 13c0 INFO Actions ActionsManager::GetDetectedThreats "ActionsManager.cpp" 412 "Getting detected threats from actions"
     03/01/17 " 02:41:14.320" 883109 05f0 13c0 INFO CleanControllerImpl DOREngine::PreCleanIsRebootRequired "DOREngine.cpp" 117 "Must reboot, special file C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe"
     03/01/17 " 02:41:14.320" 883109 05f0 13c0 INFO CleanControllerImpl QuarantineEngine::QuarantineFile "QuarantineEngine.cpp" 373 "Quarantining C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe"
     03/01/17 " 02:41:14.400" 883187 05f0 13c0 INFO CleanControllerImpl Cleaner::RemediateAndWriteMetadata "Cleaner.cpp" 307 "Starting cleaning of File C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe"
     03/01/17 " 02:41:14.400" 883187 05f0 13c0 INFO CleanControllerImpl RemovalEngine::RemoveFile "RemovalEngine.cpp" 1151 "Cleaning file C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe, anti-rootkit = false"
     03/01/17 " 02:41:14.597" 883390 05f0 13c0 INFO CleanControllerImpl RemovalEngine::DeleteFileAPI "RemovalEngine.cpp" 1338 "Deleting file 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe', resolved path = 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe'"
     03/01/17 " 02:41:15.617" 884406 05f0 13c0 INFO CleanControllerImpl RemovalEngine::LogCleanResult "RemovalEngine.cpp" 1511 "Succeeded cleaning file C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe"
     03/01/17 " 02:41:15.617" 884406 05f0 13c0 INFO CleanControllerImpl QuarantineEngine::CopyMetadataToQuarantine "QuarantineEngine.cpp" 134 "Copying quarantine metadata for C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe"
     03/01/17 " 02:41:15.628" 884421 05f0 13c0 INFO CleanControllerImpl QuarantineEngine::LogQuarantineResult "QuarantineEngine.cpp" 617 "Succeeded quarantining File 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe'"
     03/01/17 " 02:41:15.628" 884421 05f0 13c0 INFO CleanControllerImpl Cleaner::RebuildSystemRegistryValues "Cleaner.cpp" 436 "Rebuilding system registry values."
     03/01/17 " 02:41:15.631" 884421 05f0 13c0 INFO CleanControllerImpl Cleaner::RebuildRegistryValueEx "Cleaner.cpp" 419 "Successfully rebuilt registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, from 'scecli^^' to 'scecli'."
     03/01/17 " 02:41:15.631" 884421 05f0 13c0 INFO CleanControllerImpl Cleaner::RebuildRegistryValueEx "Cleaner.cpp" 419 "Successfully rebuilt registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages, from 'kerberos^msv1_0^schannel^wdigest^tspkg^pku2u^livessp^^' to 'kerberos^msv1_0^schannel^wdigest^tspkg^pku2u^livessp'."
     03/01/17 " 02:41:15.632" 884421 05f0 13c0 INFO CleanControllerImpl Cleaner::RebuildRegistryValueEx "Cleaner.cpp" 419 "Successfully rebuilt registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages, from 'msv1_0^^' to 'msv1_0'."
     03/01/17 " 02:41:16.045" 884828 05f0 13c0 INFO CleanControllerImpl mb::swissarmyclientutils::SwissArmySDKWrapper::ScheduleDeleteFile "SwissArmySDKWrapper.cpp" 181 "Scheduling delete file: 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe'"
     03/01/17 " 02:41:16.074" 884859 05f0 13c0 INFO CleanControllerImpl Cleaner::ExecutePostCleanupActions "Cleaner.cpp" 563 "Executing post-cleanup actions"
     03/01/17 " 02:41:16.074" 884859 05f0 13c0 INFO Actions ActionsManager::ProcessThreatActions "ActionsManager.cpp" 630 "Executing post cleanup actions"
     03/01/17 " 02:41:17.402" 886187 05f0 13c0 INFO CleanControllerImpl Cleaner::Clean "Cleaner.cpp" 254 "Completed clean from client , detection results C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ArwDetections\0c104c72-fe20-11e6-8519-00248c156224.json, status DORRequired"
     03/01/17 " 02:41:19.093" 887875 05f0 136c ERROR HttpConnection mb::common::net::HttpConnection::SendRequest "HttpConnection.cpp" 229 "HTTP request failed, status code: 500"
     03/01/17 " 02:41:19.093" 887875 05f0 136c ERROR CloudCtrlImpl CloudControllerImplHelper::GetAuthenticatedURLForUpload "CloudControllerImplHelper.cpp" 1335 "Error code 500 returned in POST to Cosmos"
     03/01/17 " 02:41:19.093" 887875 05f0 136c ERROR CloudCtrlImpl CloudControllerImplHelper::UploadARWData "CloudControllerImplHelper.cpp" 793 "Failed to obtain upload URL from Cosmos"
     03/01/17 " 02:41:19.093" 887875 05f0 136c ERROR CloudCtrlImpl CloudControllerImplHelper::ProcessARWUploads "CloudControllerImplHelper.cpp" 675 "Failed to send detection data with UUID: 0cf1d692fe2011e688e200248c156224"
     03/01/17 " 02:44:34.821" 1083609 05f0 1460 INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 922 "Received threat detection callback from ARW SDK, ObjectPath=X:\AppData\Local\Temp\is-2F68I.tmp\sitemap-setup (1).tmp, Sha256Hash=14278f7f7d5ed510f51d59d914eca6fe2dde6a51b86fa649d1661372680830bf"
     03/01/17 " 02:44:34.846" 1083640 05f0 1460 ERROR CleanControllerImpl mb::cleanctlrimpl::whitelist::SignatureWhiteLister::IsObjectWhiteListed "SignatureWhiteLister.cpp" 72 "No WHITESIGS found in Clean.mbdb"
     03/01/17 " 02:44:34.846" 1083640 05f0 1460 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::WhiteListManager::IsObjectWhiteListed "WhiteListManager.cpp" 163 "White list status (not cached): File 'X:\AppData\Local\Temp\is-2F68I.tmp\sitemap-setup (1).tmp' => Hubble/MEPS"
     03/01/17 " 02:44:34.846" 1083640 05f0 1460 INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 940 "The detected file is whitelisted, ignoring this detection! ObjectPath=X:\AppData\Local\Temp\is-2F68I.tmp\sitemap-setup (1).tmp, Type = 3"
     03/01/17 " 02:44:37.557" 1086343 05f0 1468 INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate "ArwCleanupScheduler.cpp" 531 "Received a results callback from ARW SDK - ObjectPath = X:\AppData\Local\Temp\is-2F68I.tmp\sitemap-setup (1).tmp, RegObjectPath = , ActionTaken=ARW_ACTION_ALLOW_NONE, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
     03/01/17 " 02:44:38.051" 1086843 05f0 1460 INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 922 "Received threat detection callback from ARW SDK, ObjectPath=C:\Users\Thomas Schulz\Downloads\sitemap-setup (1).exe, Sha256Hash=a683208a09a8ff6415a5530f09437d313c6fe749d0586818f57ae9e9e7110852"
     03/01/17 " 02:44:38.118" 1086906 05f0 1460 ERROR CleanControllerImpl mb::cleanctlrimpl::whitelist::SignatureWhiteLister::IsObjectWhiteListed "SignatureWhiteLister.cpp" 72 "No WHITESIGS found in Clean.mbdb"
     03/01/17 " 02:44:38.660" 1087453 05f0 1624 INFO ArwController CArwController::TelemetryDataCallback "ArwController.cpp" 1007 "Successfully sent the ransomware data to telemetry server."
     03/01/17 " 02:44:39.079" 1087875 05f0 1460 ERROR HttpConnection mb::common::net::HttpConnection::SendRequest "HttpConnection.cpp" 229 "HTTP request failed, status code: 500"
     03/01/17 " 02:44:39.079" 1087875 05f0 1460 ERROR CleanControllerImpl mb::cleanctlrimpl::whitelist::HubbleWhiteLister::IsFileWhiteListed "HubbleWhiteLister.cpp" 187 "Error code 500 returned in PUT to Hubble"
     03/01/17 " 02:44:39.079" 1087875 05f0 1460 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::WhiteListManager::IsObjectWhiteListed "WhiteListManager.cpp" 163 "White list status (not cached): File 'C:\Users\Thomas Schulz\Downloads\sitemap-setup (1).exe' => HubbleError"
     03/01/17 " 02:44:39.079" 1087875 05f0 1460 INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 947 "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\Users\Thomas Schulz\Downloads\sitemap-setup (1).exe, id=0x9"
     03/01/17 " 02:44:39.263" 1088046 05f0 1624 WARNING 7zWrapper mb::common::sevenzip::SevenZipWrapper::CreateZipArchive "7zWrapper.cpp" 1126 "Could not open file: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ARW\mbarwind.arw. Trying to make a copy of it..."
     03/01/17 " 02:44:39.313" 1088109 05f0 1624 WARNING 7zWrapper mb::common::sevenzip::SevenZipWrapper::CreateZipArchive "7zWrapper.cpp" 1126 "Could not open file: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\logs\MBAMSERVICE.log. Trying to make a copy of it..."
     03/01/17 " 02:44:40.051" 1088843 05f0 052c WARNING ArwSDK "" 0 "{Thread: 0x00001464, Tick: 0x00109D4B} [KillProcess] The process {PID: 1096748626800} is already stopped."
     03/01/17 " 02:44:44.200" 1092984 05f0 1624 INFO ArwController CArwController::SendThreatFileToServerCallback "ArwController.cpp" 910 "Successfully sent the detected file and info to server."
     03/01/17 " 02:45:39.300" 1148093 05f0 136c ERROR HttpConnection mb::common::net::HttpConnection::SendRequest "HttpConnection.cpp" 229 "HTTP request failed, status code: 500"
     03/01/17 " 02:45:39.300" 1148093 05f0 136c ERROR CloudCtrlImpl CloudControllerImplHelper::GetAuthenticatedURLForUpload "CloudControllerImplHelper.cpp" 1335 "Error code 500 returned in POST to Cosmos"
     03/01/17 " 02:45:39.300" 1148093 05f0 136c ERROR CloudCtrlImpl CloudControllerImplHelper::UploadARWData "CloudControllerImplHelper.cpp" 793 "Failed to obtain upload URL from Cosmos"
     03/01/17 " 02:45:39.300" 1148093 05f0 136c ERROR CloudCtrlImpl CloudControllerImplHelper::ProcessARWUploads "CloudControllerImplHelper.cpp" 675 "Failed to send detection data with UUID: 1075169efe2011e6b8ad00248c156224"
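The MBAMSERVICE.LOG excerpt in the post above carries the whole anti-ransomware decision trail for three objects (detection callback with hash, whitelist lookup, action taken), but it is hard to read as a wall of entries. The following Python script is an added example written for this page, not Malwarebytes' or the poster's code: it parses that line layout and reconstructs, per detected path, the SHA-256, the whitelist status and the action, then gives a one-line reading of each outcome. The field layout and the message wordings it matches are assumptions inferred from the excerpt; the sample input is a subset of lines copied from the excerpt.

```python
"""Triage helper for the MBAMSERVICE.LOG excerpt quoted in the post above.

Constructed example, not Malwarebytes code. The line layout is an assumption
inferred from the excerpt: date, quoted time, tick count, two hex ids, level,
component, an optional function name, quoted source file, source line, message.
"""
import re

LINE_RE = re.compile(
    r'^(?P<date>\S+) " (?P<time>\S+)" (?P<tick>\d+) (?P<pid>[0-9a-f]+) '
    r'(?P<tid>[0-9a-f]+) (?P<level>\w+) (?P<component>\S+)(?: (?P<function>\S+))? '
    r'"(?P<file>[^"]*)" (?P<line>\d+) "(?P<message>.*)"$'
)

# Message fragments that carry the ARW decision trail (wording taken from the excerpt).
RE_DETECT = re.compile(r"ObjectPath=(?P<path>.+?), Sha256Hash=(?P<sha256>[0-9a-f]{64})")
RE_WHITELIST = re.compile(r"White list status \(not cached\): File '(?P<path>.+?)' => (?P<status>\S+)")
RE_ACTION = re.compile(r"ObjectPath = (?P<path>.+?), RegObjectPath = .*?, ActionTaken=(?P<action>\w+)")
RE_KILL_REQ = re.compile(r"kill this process\. ObjectPath=(?P<path>.+?), id=")

# (pattern, record field, capture group to copy; None means store the literal KILL_REQUESTED)
RULES = [
    (RE_DETECT, "sha256", "sha256"),
    (RE_WHITELIST, "whitelist", "status"),
    (RE_ACTION, "action", "action"),
    (RE_KILL_REQ, "action", None),
]


def parse_line(text):
    """Split one log line into its fields; None if the line does not fit the layout."""
    m = LINE_RE.match(text.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Per detected object path, collect hash, whitelist status and the action taken."""
    objects = {}  # insertion order = first appearance in the log

    def rec(path):
        return objects.setdefault(path, {"sha256": None, "whitelist": None, "action": None})

    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        for pattern, field, group in RULES:
            m = pattern.search(entry["message"])
            if m:
                rec(m["path"])[field] = m[group] if group else "KILL_REQUESTED"
                break
    return objects


def count_cloud_errors(log_text):
    """Count ERROR lines reporting an HTTP 500 from the cloud back end."""
    total = 0
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry and entry["level"] == "ERROR" and "status code: 500" in entry["message"]:
            total += 1
    return total


def verdict(record):
    """One-line reading of why ARW acted on an object, from whitelist status and action."""
    wl, action = record["whitelist"], record["action"]
    if wl == "HubbleError":
        return "killed because the cloud whitelist lookup failed; retest online before filing"
    if wl and wl.startswith("Hubble") and action == "ARW_ACTION_ALLOW_NONE":
        return "cloud whitelist cleared it; no action taken"
    if wl == "None" and action == "ARW_ACTION_KILL_PROCESS":
        return "not whitelisted and behaviour matched; submit the file as a false positive"
    return "incomplete trail; look for the remaining ARW lines"


# Sample input: lines copied from the excerpt in the post above.
SAMPLE_LOG = r'''03/01/17 " 02:40:33.213" 842000 05f0 1468 INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate "ArwCleanupScheduler.cpp" 531 "Received a results callback from ARW SDK - ObjectPath = C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
03/01/17 " 02:40:50.906" 859687 05f0 13c0 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::WhiteListManager::IsObjectWhiteListed "WhiteListManager.cpp" 163 "White list status (not cached): File 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe' => None"
03/01/17 " 02:41:19.093" 887875 05f0 136c ERROR HttpConnection mb::common::net::HttpConnection::SendRequest "HttpConnection.cpp" 229 "HTTP request failed, status code: 500"
03/01/17 " 02:44:34.821" 1083609 05f0 1460 INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 922 "Received threat detection callback from ARW SDK, ObjectPath=X:\AppData\Local\Temp\is-2F68I.tmp\sitemap-setup (1).tmp, Sha256Hash=14278f7f7d5ed510f51d59d914eca6fe2dde6a51b86fa649d1661372680830bf"
03/01/17 " 02:44:34.846" 1083640 05f0 1460 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::WhiteListManager::IsObjectWhiteListed "WhiteListManager.cpp" 163 "White list status (not cached): File 'X:\AppData\Local\Temp\is-2F68I.tmp\sitemap-setup (1).tmp' => Hubble/MEPS"
03/01/17 " 02:44:37.557" 1086343 05f0 1468 INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate "ArwCleanupScheduler.cpp" 531 "Received a results callback from ARW SDK - ObjectPath = X:\AppData\Local\Temp\is-2F68I.tmp\sitemap-setup (1).tmp, RegObjectPath = , ActionTaken=ARW_ACTION_ALLOW_NONE, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
03/01/17 " 02:44:38.051" 1086843 05f0 1460 INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 922 "Received threat detection callback from ARW SDK, ObjectPath=C:\Users\Thomas Schulz\Downloads\sitemap-setup (1).exe, Sha256Hash=a683208a09a8ff6415a5530f09437d313c6fe749d0586818f57ae9e9e7110852"
03/01/17 " 02:44:39.079" 1087875 05f0 1460 ERROR HttpConnection mb::common::net::HttpConnection::SendRequest "HttpConnection.cpp" 229 "HTTP request failed, status code: 500"
03/01/17 " 02:44:39.079" 1087875 05f0 1460 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::WhiteListManager::IsObjectWhiteListed "WhiteListManager.cpp" 163 "White list status (not cached): File 'C:\Users\Thomas Schulz\Downloads\sitemap-setup (1).exe' => HubbleError"
03/01/17 " 02:44:39.079" 1087875 05f0 1460 INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 947 "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\Users\Thomas Schulz\Downloads\sitemap-setup (1).exe, id=0x9"
03/01/17 " 02:44:40.051" 1088843 05f0 052c WARNING ArwSDK "" 0 "{Thread: 0x00001464, Tick: 0x00109D4B} [KillProcess] The process {PID: 1096748626800} is already stopped."
'''

if __name__ == "__main__":
    for path, record in triage(SAMPLE_LOG).items():
        print(path, record["sha256"], "->", verdict(record))
    print("cloud errors (HTTP 500):", count_cloud_errors(SAMPLE_LOG))
```

Run over the excerpt, the script separates the three outcomes that are easy to conflate when reading the raw log: the first installer copy was killed with no whitelist entry at all, the extracted .tmp was cleared by the cloud whitelist ("Hubble/MEPS") and left alone, and the second installer copy was killed only because the whitelist lookup itself returned HTTP 500, which is the case to retest with connectivity before treating it as a detection.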
  8. Thank you for looking into this. The problem only occurs during installation, by the realtime scanner. I did repeat the problem earlier today (was trying to see if the most recent version of the InnoSetup installer would solve the problem), but I will make sure I am using the newest version of Malwarebytes, restart the computer and look for the log (!)
  9. Due to this post seemingly being completely ignored, I have now posted in File Detections.
  10. Since my post in "False Positives - Ransomware" seemingly has been ignored for a full week now, I am posting here after a suggestion from Mike Cingolani from Malware ... We found out from a customer that when installing the current version of A1 Sitemap Generator, one of the temporary files generated during installation is flagged and quarantined (sitemap-setup.tmp). Starting mbam.exe with the /developer command line does not help much, as the false positive is not reported when doing a right-click scan. (And I have been unable to find any log by mbam after the quarantine during the installation.) You can download the tool from here http://www.microsystools.com/products/sitemap-generator/ You can find the latest report by VirusTotal: report URL (0 / 64) https://www.virustotal.com/en/url/05bd8f7aa4017f809a984b73ea8cc83b0b8691088dcfdd6488ca76783c57a02d/analysis/1487695458/ Download (0 / 58) https://www.virustotal.com/en/file/a683208a09a8ff6415a5530f09437d313c6fe749d0586818f57ae9e9e7110852/analysis/1487695464/ For reference: The installer + all the executables are signed. Executables are created in Delphi 2007, Delphi 2010 to Delphi XE2. 3 executables are included and installed during installation. The "best" one, depending on OS and 32/64-bit, is then selected as the default sitemap.exe during installation, which the desktop shortcuts etc. use. Installer is InnoSetup. ... If you want - here is the original report by my customer: https://webhelpforums.net/sitemap-generator/malwarebytes-v3-0-6-quarantines-sitemap-setup-tmp-as-ransomeware/ My original post is here:
  11. Thank you. My thoughts exactly. Then the Malwarebytes email responder must have been mistaken. Before I discovered I could report false positives for ransomware in the forums, I tried emailing them about the ransomware runtime detection during installation of my software. And the response I got was that I should email their PUP department for a PUP questionnaire that I should fill in. (Which I did, but never heard back.) This seemed weird to me. Thank you for clarifying this for me - I will not pursue the PUP part further then - only the false positive for ransomware.
  12. Hi, if something is reported as ransomware, that is worse/different from PUP, right? I.e. if something was just a PUP it would not be labeled ransomware - correct? And hence a PUP questionnaire would not make sense? I am asking because the only response I received after reporting the ransomware false positive over email was an email saying I should email and request a PUP questionnaire - which I have done twice without reply. Now, the software is not a PUP by Malwarebytes' own published definition list (not even close to any of the points mentioned) - but I am just wondering if a PUP questionnaire makes sense at all for a ransomware false positive report... But I do not know how Malwarebytes categorizes things. With the lack of any response on the matter, I am trying to assess where I should direct my focus in making sure the case is at least in the queue for review. If somehow Malwarebytes is waiting for a PUP questionnaire, but I never receive one... then I cannot email them one... For reference, the case is this:
  13. Hi, thank you for your response. If it means the case is under review (even if you possibly have a large backlog), I am satisfied and can wait. Until now I have not actually received a response that indicated the topic reported was under review or in the queue. The problem from my POV, of course, is that many people value Malwarebytes, so if they receive a warning that something is ransomware, then I have to make it a priority to ensure the situation is at least underway to being resolved.
  14. I have a problem with a program of my own. While the installer (InnoSetup) runs I get a "ransomware" error. If I scan before, after or while running the installed executables, nothing is reported. I have tried to start mbam with the /developer switch, but I do not see any logs? What am I doing wrong? Or is it not possible to provide logs of runtime detections? Here's my false positive report. I am hoping maybe a log would help someone to take a look...