Darkdirk (Members)

  • Content Count: 25
  • Rank: New Member
  1. Okay great, thanks for the reply. Unfortunately I start getting in my own head wondering things like “gee, of my many many clients that use MBW and MS Office, why has only one had this issue, and why can’t I trigger it again? Is this some sophisticated malware exploiting legit Word or Excel executables to conceal itself? Have I not slept since Monday? What day is it?” So thank you very much for the reassurance.
  2. And just to verify, the fact that searching that MD5 on VirusTotal verified that the file in question was the original, legit MS Excel file, is proof positive that the detection was absolutely a FP, right? I just want to make sure I understood that correctly before I hook this thing back up tonight.
  3. Thank you sir for the compliment, and for that additional info. I found the json file and looked up the MD5 on VirusTotal, and as you suspected it was the legitimate excel.exe, not ransomware. (I was not able to test my 0kB theory as I was unable to trigger a new detection, so I guess that particular mystery will go unsolved.) Thanks again for all the help.
  4. No biggie. Thank you for all the info. So in the meantime while you guys are working on the fix, can you enlighten us all a bit as to what triggers this to happen on only some machines, or is it just completely random? Because I have a lot of customers with MBW Premium and Excel, but no one else has had this issue except for one single computer (which also gave me paranoia that it might be a legit threat). Any thoughts why that is?
  5. Hi Tetonbob, thanks for the quick reply. Haha, yes. Yes I do. I want to test my theory so I can definitively reproduce this issue and have 100% assurance that it was in fact a false positive. It was pretty easy to fix once I knew how, so I’m not concerned about it being an inconvenience. I’ve already taken the pc offline and am treating it as infected until I can prove otherwise, so I’ll be no worse for the wear. Thanks again!
  6. Thank you very much for taking the time to explain. That was very informative. I have a theory on what might have happened:
     11:10am - MWB detects EXCEL.EXE as ransomware.
     11:29am - The user then tries to reopen their Excel spreadsheet, which immediately triggers the MS Office installer to try to repair Excel, which I immediately cancel out of.
     And then for some reason, in its attempt to repair Excel, it maybe manages to overwrite the EXCEL.EXE but is unable to actually complete, leaving the file size at 0? Or maybe it's because I aborted the repair operation? Obviously that last part is a wild guess, as I don't know exactly how the "hold" on the file works. But I can definitely say this much: the modified time on the 0kB file was 11:29am, the exact minute that the Excel "repair" was run (while the file was still on hold by MWB), whereas the ransomware detection occurred at 11:10am. So if nothing else, I am certain that the timestamp on the file can be changed during this hold. (I didn't disable Ransomware Protection until about an hour later.)
     I will be able to physically pick up the computer tonight and at that point I will try re-enabling Ransomware Protection. I'm assuming that when I do that, it will reapply the hold on that file, and then I can try repairing Excel again to see if it does in fact change the file size back to 0 while the file is on hold. Does that seem feasible to you based on your understanding of how it works?
  7. OK, thank you for the clarification. When you said that it shouldn’t “permanently” affect the Excel file, I wasn’t sure if you meant that as in, Malwarebytes would *temporarily* do something to the file with the expectation that it would eventually be set back to its original state. Thank you.
  8. So has Malwarebytes officially verified this to be a false positive when Excel is detected as Malware.Ransom.Agent.Generic?
  9. I have a technical question about how the Ransomware Protection module works. Specifically, when it detects something and "blocks" the file, how exactly does it do that? My suspicion, based on recent observations, is that it replaces the file in question with an empty file that cannot be moved, renamed, or deleted, and that when Ransomware Protection is eventually disabled, it releases the hold on that empty file and is supposed to restore it to its original state. But I would greatly appreciate it if someone could verify that for me.
     After recently running into this issue myself and searching the MBAM support forums, I've come across quite a few posts where others seem to be having this exact same issue and possibly not even realizing it. I see a number of posts involving Word or Excel being detected as "malware.ransom.agent.generic", the file being "blocked", and the person then not being able to use the application in question. They can't unquarantine the file because it was never actually quarantined in the first place. Instead, it just shows up as having been "blocked", with no option to "unblock" it. The advice that I typically see given at this point is to disable Ransomware Protection and reboot the computer, which seems to work for a few people. But for most that approach doesn't seem to fix it, and they eventually just end up having to do a repair or reinstall of Microsoft Office.
     When I encountered this issue myself, I looked at the executable file (EXCEL.EXE in my case) and found that it was 0 kB in size and couldn't be moved or modified in any way. After I disabled Ransomware Protection, the EXCEL.EXE file had still not been restored (it was still 0 kB), but at that point I was at least able to delete the file and repair Office. Could someone with technical knowledge about this please confirm or disconfirm whether that's how Ransomware Protection functions when it "blocks" something?
     Or perhaps the 0kB file was a result of Word trying to repair itself while Malwarebytes was still trying to block access to the file. Just to clarify, I'm not looking for an answer to what happened in my specific case; I just want to know if this is how Ransomware Protection functions in general when "blocking" something that hasn't been quarantined. Thank you.
  10. I apologize but I was not able to run the support tool on this machine, as I had already remotely shut it off out of paranoia that it might be actual ransomware and not just a false positive. Although based on the number of recent posts involving Excel being detected, I strongly suspect an FP. I very specifically want to know about that 0 kB file, and whether I should be concerned about it, or if that's just the normal way Ransomware Protection was designed to function. I'm going to create a new post about it since I'm not sure if it qualifies as a different question and it might be more helpful to others in a new post. Please read it when you have a chance and let me know your thoughts. Thank you.
  11. Thank you for the reply, Porthos. I was able to repair it and get Excel working again. But I would still like it if someone could explain to me what Malwarebytes did to my EXCEL.EXE file. Could someone please verify whether or not Malwarebytes turns it into a 0 kB file, and if so, why?
  12. Like many others in the last few days apparently, I too have been slapped with Excel being detected as Malware.Ransom.Agent.Generic and swiftly blocked. Also like several others, my Excel program is now broken. Malwarebytes did not quarantine the file, so there was nothing for me to restore. When I went to the MS Office program location, EXCEL.EXE was where it belonged, only it was 0kB in size. I could not move or delete it. I suspect Malwarebytes was locking it up somehow. Following the advice I had seen on a few other recent posts, I rebooted the computer, disabled ransomware protection, and then rebooted again. Supposedly this should have fixed Excel; however, it did not. The file was still 0 kB. Only this time I could move it to the recycle bin if I want, but I am kind of hesitant to do that since I don't exactly know what's happening. Could someone at Malwarebytes please respond and let me know exactly what Malwarebytes is doing with my files here? Did Malwarebytes intentionally modify or overwrite my EXCEL.EXE with an empty file as part of how the ransomware protection module works? Also, could someone please verify that this is indeed a false positive? I'm assuming *probably*, since there have been so many similar recent reports, but that could also mean multiple people are all getting the same malware that's affecting Excel. So please, let us all know for sure. I hope to hear back from someone very soon, because as of right now I've got the computer disconnected and shut down until I get verification that Malwarebytes is erroneously detecting perfectly healthy EXCEL executables. Thanks in advance.
  13. ^^^^THIS IS AN EXCELLENT POINT^^^^ I shudder to think how many hundreds of thousands of hours have been wasted by individual users such as ourselves chasing our tails and needlessly replacing hardware / reinstalling entire systems from scratch, and how many others STILL DON’T KNOW why their systems are freezing. And how much of everyone’s TIME AND MONEY could have been so easily saved by a simple email to so-called “premium” customers (something that they already do every few weeks anyway). You guys can keep claiming that it only affects a “very small percentage of users”, but I’m not buying it anymore. Of the fifteen MBAM Premium / Win7 users that I personally know of (because I recommended it to each of them), only one has remained unaffected by this. ONE. 14/15 is not a small percentage. My guess is that Malwarebytes is justifying calling it a “small percentage” based on total installations (not just Premium) and only counting those who have reported problems. My bet is they’re not sending out an email warning because it would probably verify what they should already suspect at this point, which is that this affects most, if not all, MBAM Premium/Win7 installations. You know how food companies sometimes do massive recalls of millions of pounds of tainted products, even though just a few people actually got sick? Imagine if an expensive food recall could be replaced by a simple email. I guess what I’m saying is, I hope Malwarebytes never gets into the food packing business.
  14. Yessssss Dave!!!!!! This one thousand percent!!! But also... HOW ON EARTH IS THIS STILL GOING ON??? Seriously Malwarebytes, my trust in you guys is plummeting. Fast. I understand that sometimes these things happen with software. Somehow it slipped through beta testing, OK it happens. And then it gets reported to you and you can’t replicate the problem. A little harder to believe, but fine, I guess it’s possible. But here we are OVER FIVE WEEKS LATER and not only have you not fixed it, but you still barely acknowledge the existence of this bug, and your best fix for it is to have people manually uninstall and install an older version, via a link to BOX DOT COM??? Seriously, you can’t even host the file at Malwarebytes??? And mind you, the only people even privy to this rinky-dink workaround are the ones that were able to seek out this information themselves. UNBELIEVABLE!!!!!
  15. I think disabling both will fix it. I haven’t had a single freeze up on any PC since doing that.