
DamienLR

  1. Hi, we'll check but won't take any risk: the false positive means that the update is stopped abruptly, and that isn't safe.
  2. Hi, it seems that the files vanished after I used the MBAM support tool! I think I should not have used the repair function... It deleted the logs without warning...
  3. Yes, but it was not enough, because it uncompresses other files, and even with the parent in the allow list it didn't work! I had to stop Anti-Ransomware protection 😢
  4. 450 MB, so no, I can't. Are there any other logs I can provide instead?
  5. FA8C9F02C7836D058FDBDE91A66DDCC38737F427DB0E4890B8225F04506A7E09 { "applicationVersion" : "4.1.0.56", "chromeSyncResetQueryRequested" : false, "chromeSyncResetQueryResult" : false, "clientID" : "", "clientType" : "other", "componentsUpdatePackageVersion" : "1.0.955", "cpu" : "x64", "dbSDKUpdatePackageVersion" : "1.0.25903", "detectionDateTime" : "2020-06-23T11:54:00Z", "fileSystem" : "NTFS", "id" : "3a1ea46e-b548-11ea-b9ba-0050560109fa", "isUserAdmin" : true, "licenseState" : "licensed", "linkagePhaseComplete" : true, "loggedOnUserName" : "System", "machineID" : "", "os" : "Windows Server 2008 R2 Service Pack 1", "schemaVersion" : 16, "sourceDetails" : { "type" : "arw" }, "threats" : [ { "ddsSigFileVersion" : "", "linkedTraces" : [ { "archiveMember" : "", "archiveMemberMD5" : "", "cleanAction" : "quarantine", "cleanContext" : { "unloadData" : { "pid" : 4312 } }, "cleanResult" : "successful", "cleanResultErrorCode" : 0, "cleanTime" : "2020-06-23T11:54:06Z", "generatedByPostCleanupAction" : false, "id" : "3cf70988-b548-11ea-9651-0050560109fa", "isPEFile" : false, "linkType" : "linkedTrace", "objectMD5" : "", "objectPath" : "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe", "objectSha256" : "", "objectType" : "process", "resolvedPath" : "", "suggestedAction" : { "archiveDir" : false, "chromeExtensionOther" : false, "chromeExtensionPreferences" : false, "chromeExtensionSecurePreferences" : false, "chromeExtensionSyncData" : false, "chromeUrlOther" : false, "chromeUrlSecurePreferences" : false, "chromeUrlSyncData" : false, "chromeUrlWebData" : false, "disableHubbleWhiteListing" : false, "disableSignatureWhiteListing" : false, "fileDelete" : false, "fileReplace" : false, "fileTxtReplace" : false, "folderDelete" : false, "isChromeObject" : false, "isDDS" : false, "isDoppleganging" : false, "isExternalDetection" : false, "isPUP" : false, "isShuriken" : false, "isWMIEventConsumer" : false, "killProcess" : false, "minimalWhiteListing" : false, 
"moduleUnload" : false, "noLinking" : false, "physicalSectorReplace" : false, "priorityHigh" : false, "priorityNormal" : false, "priorityUrgent" : false, "processUnload" : true, "regKeyDelete" : false, "regValueDelete" : false, "regValueReplace" : false, "shortcutReplace" : false, "silentMode" : false, "singleDelete" : false, "treatAsRootkit" : false, "useDDA" : false, "verifyResolvedPath" : false, "whitelistCheckError" : false } }, { "archiveMember" : "", "archiveMemberMD5" : "", "cleanAction" : "quarantine", "cleanContext" : { "unloadData" : { "pid" : 4312 } }, "cleanResult" : "successful", "cleanResultErrorCode" : 0, "cleanTime" : "2020-06-23T11:54:06Z", "generatedByPostCleanupAction" : false, "id" : "3cf70989-b548-11ea-97cf-0050560109fa", "isPEFile" : false, "linkType" : "linkedTrace", "objectMD5" : "", "objectPath" : "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe", "objectSha256" : "", "objectType" : "module", "resolvedPath" : "", "suggestedAction" : { "archiveDir" : false, "chromeExtensionOther" : false, "chromeExtensionPreferences" : false, "chromeExtensionSecurePreferences" : false, "chromeExtensionSyncData" : false, "chromeUrlOther" : false, "chromeUrlSecurePreferences" : false, "chromeUrlSyncData" : false, "chromeUrlWebData" : false, "disableHubbleWhiteListing" : false, "disableSignatureWhiteListing" : false, "fileDelete" : false, "fileReplace" : false, "fileTxtReplace" : false, "folderDelete" : false, "isChromeObject" : false, "isDDS" : false, "isDoppleganging" : false, "isExternalDetection" : false, "isPUP" : false, "isShuriken" : false, "isWMIEventConsumer" : false, "killProcess" : false, "minimalWhiteListing" : false, "moduleUnload" : true, "noLinking" : false, "physicalSectorReplace" : false, "priorityHigh" : false, "priorityNormal" : false, "priorityUrgent" : false, "processUnload" : false, "regKeyDelete" : false, "regValueDelete" : false, "regValueReplace" : false, "shortcutReplace" : false, "silentMode" : false, 
"singleDelete" : false, "treatAsRootkit" : false, "useDDA" : false, "verifyResolvedPath" : false, "whitelistCheckError" : false } } ], "mainTrace" : { "archiveMember" : "", "archiveMemberMD5" : "", "cleanAction" : "quarantine", "cleanResult" : "successful", "cleanResultErrorCode" : 0, "cleanTime" : "2020-06-23T11:54:06Z", "generatedByPostCleanupAction" : false, "id" : "3aeb5ace-b548-11ea-b217-0050560109fa", "isPEFile" : false, "linkType" : "none", "objectMD5" : "80fe01936887b58ef539aab6ac714e44", "objectPath" : "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe", "objectSha256" : "ad0b775dfc5eb115dccde1584de1f29a092a20c6be7b65023d14e3af6b834b51", "objectType" : "file", "resolvedPath" : "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe", "suggestedAction" : { "archiveDir" : false, "chromeExtensionOther" : false, "chromeExtensionPreferences" : false, "chromeExtensionSecurePreferences" : false, "chromeExtensionSyncData" : false, "chromeUrlOther" : false, "chromeUrlSecurePreferences" : false, "chromeUrlSyncData" : false, "chromeUrlWebData" : false, "disableHubbleWhiteListing" : false, "disableSignatureWhiteListing" : false, "fileDelete" : true, "fileReplace" : false, "fileTxtReplace" : false, "folderDelete" : false, "isChromeObject" : false, "isDDS" : false, "isDoppleganging" : false, "isExternalDetection" : false, "isPUP" : false, "isShuriken" : false, "isWMIEventConsumer" : false, "killProcess" : false, "minimalWhiteListing" : false, "moduleUnload" : false, "noLinking" : false, "physicalSectorReplace" : false, "priorityHigh" : false, "priorityNormal" : false, "priorityUrgent" : false, "processUnload" : false, "regKeyDelete" : false, "regValueDelete" : false, "regValueReplace" : false, "shortcutReplace" : false, "silentMode" : false, "singleDelete" : false, "treatAsRootkit" : false, "useDDA" : false, "verifyResolvedPath" : true, "whitelistCheckError" : false } }, "ruleID" : 392685, "ruleString" : "", "rulesVersion" : "0.0.0", 
"srcEngineComponent" : "unknown", "srcEngineThreatNames" : [ ], "threatID" : 0, "threatName" : "Malware.Ransom.Agent.Generic" } ], "threatsDetected" : 1 }
  6. Hi, we use a self-made setup to deploy applications for our clients. This setup may modify a lot of files by text replacement (template files) with Perl (Windows, old version of Strawberry). Our setup may be blocked by the anti-ransomware protection. Would it be less likely to be considered ransomware with a recent version of Perl, or with a signed version of our setup?