MB3 Ransomware Protection corrupts ownership of deleted executed files

PROBLEM
-------

With Ransomware Protection enabled in Malwarebytes 3, if

  (1) an ".exe" file is copied,
  (2) the copy is executed,
  (3) the copy is deleted,

then the deletion attempt sometimes fails to delete the file and leaves it with its ownership undisplayable. Any further attempts to access the file (read, execute, or delete it) result in an "Access is denied." message.

GRUBBY DETAILS
--------------

Typical "dir /Q" output for one such file (which always shows the owner as "...") is as follows:

     Volume in drive R is LYNX_R_RAM
     Volume Serial Number is D81B-10E0

     Directory of R:\TEMP

    2017-05-29  08:39    <DIR>          LYNX\RoyUser           .
    2017-05-29  08:39    <DIR>          LYNX\RoyUser           ..
    2017-05-22  10:54            41,486 ...                    argout_018.exe
                   1 File(s)         41,486 bytes
                   2 Dir(s)      34,803,712 bytes free

Investigating the sick NTFS files via {File Explorer, Properties, Security, Advanced} (even as the magic "Administrator" user) shows "Unable to display current owner" and complains that the user does not have the permissions needed to change the owner or look at the effective permissions. BUT the (data intact) files revert to their normal ownership and permissions after a reboot or a "chkdsk /F /V /X" on the drive.

I first noticed the problem with batch files which were aborting with the "Access is denied." message. Some frequently-used ".exe" files had been copied to a RAM disk directory placed early in the Windows execution path. Occasionally a batch file would clear that directory (without checking for errors). When the clearing failure occurred all subsequent attempts to invoke the copied program would get "Access is denied." from the partially-deleted copy on the RAM disk (rather than execute the original from the hard disk directory later in the execution path).

I wrote a set of batch files to automate the process of making copies of a program (e.g., argout.exe) in a specified directory (e.g., argout_001.exe, argout_002.exe, ... argout_020.exe), executing all the copies multiple times, deleting all the copies (without checking for errors), and then checking the directory to make sure it was really empty.

With Ransomware Protection enabled I would get a few (sometimes none, sometimes up to 4) partially-deleted files in each set of 20 files copied. (I had to reboot after each failure, of course). It did not matter whether the copies were in the RAM disk or on one of the hard drives. Both 32-bit and 64-bit ".exe" files failed. Both Windows ".exe" files (e.g., timeout.exe) and programs I had compiled myself (such as argout.exe) failed. The same tests run without the copies actually being executed before they were deleted never failed.

The tests never failed if Ransomware Protection was disabled (regardless of other MB3 options) and always failed eventually if Ransomware Protection was enabled (regardless of other MB3 options). Windows Defender was off. I repeated the tests with the internet disconnected and my anti-virus protection (ESET Internet Security) uninstalled, but that made no difference.

I have done many installations of various versions of MB3 on two different computers, running mb-clean twice before each installation. The relevant installation and checking files I used were

    FRST64.exe
    mb3-setup-consumer-3.1.2.1733-1.0.122-1.0.1976.exe
    mb-check-3.1.1.1003.exe
    mb-clean-3.1.0.1002.exe

The LYNX computer is an ASUS UL80Jt Notebook running the 10.0.14393.1198 version of Windows 10 Professional.

In order to simplify the environment I used the following procedure (with appropriate reboots adjusting Windows Defender on or off after each reboot) for the last test cycle:

    Updated Windows Defender
    Disconnected internet
    Uninstalled ESET Internet Security
    Disabled Windows Defender
    Uninstalled MB3
    Ran mb-clean
    Installed MB3
    Enabled Windows Defender
    Connected internet
    Activate MB3
    Updated MB3
    Turned on MB3 options
        Ransomware protection
        Signature-less anomaly detection
        Start with Windows
        Self-protection with early start
    Ran an MB3 Hyper Scan
    Disconnected internet
    Rebooted
    Verified the Windows Defender was off
    Waited for MB3 and other activity to die out
    Turned on MB3 Event Log Data
    Ran my diagnostic batch files to the RAM disk with no failure
    Ran my diagnostic batch files to the RAM disk with the failure shown above
    Turned off MB3 Event Log Data
    Ran mb-check
    Ran FRST64
    Reinstalled ESET

I have attached the requested files as follows:

    MB3_bug.txt [plain ASCII copy of this text]
    mb-check-results.zip
    FRST.TXT
    Addition.txt

CONCLUSION
----------

As a workaround I have turned off the environment variable which tells my batch files that they may use the RAM disk to improve speed. This slows things down (despite the normal caching of the hard disk), but I really want the Ransomware Protection.

Yes, this is an obscure issue, but the underlying cause may be showing up in other problems which you are trying to solve.

Thanks for providing a good product!

Roy Earle
RoyEarle@acm.org
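
A diagnostic harness for the copy / execute / delete / verify cycle described in the post, as an added example: it is not the poster's batch files, and unlike them it captures each delete error and tries to read the owner of any file that survives. The function name `Test-CopyRunDelete` and its parameters are hypothetical.

```powershell
# Added example (hypothetical names). Usage, with the RAM disk directory from the post:
#   Test-CopyRunDelete -Source <path>\argout.exe -WorkDir R:\TEMP
function Test-CopyRunDelete {
    param(
        [Parameter(Mandatory)][string]$Source,   # a small console .exe to copy
        [Parameter(Mandatory)][string]$WorkDir,  # RAM disk or hard disk directory
        [string[]]$SourceArgs = @(),             # arguments passed to each copy
        [int]$Copies = 20,                       # argout_001.exe ... argout_020.exe
        [int]$Runs   = 3                         # executions per copy
    )
    $base  = [IO.Path]::GetFileNameWithoutExtension($Source)
    $paths = 1..$Copies | ForEach-Object {
        Join-Path $WorkDir ('{0}_{1:D3}.exe' -f $base, $_)
    }

    # Step 1: copy. Stop immediately if the test set cannot be created.
    foreach ($p in $paths) {
        Copy-Item -LiteralPath $Source -Destination $p -ErrorAction Stop
    }

    # Step 2: execute every copy. Output and exit code are discarded;
    # only the fact that the image was run matters for this test.
    foreach ($p in $paths) {
        1..$Runs | ForEach-Object { & $p @SourceArgs *> $null }
    }

    # Step 3: delete, recording each failure instead of ignoring it.
    $deleteErrors = @{}
    foreach ($p in $paths) {
        try   { Remove-Item -LiteralPath $p -Force -ErrorAction Stop }
        catch { $deleteErrors[(Split-Path $p -Leaf)] = $_.Exception.Message }
    }

    # Step 4: enumerate the directory (the same view "dir" gives) and
    # report every copy that is still listed, with its owner if readable.
    $left = @(Get-ChildItem -LiteralPath $WorkDir -Filter "${base}_*.exe" -Force)
    foreach ($f in $left) {
        $owner = try   { (Get-Acl -LiteralPath $f.FullName -ErrorAction Stop).Owner }
                 catch { '<unreadable>' }
        [pscustomobject]@{
            Name        = $f.Name
            Owner       = $owner
            DeleteError = $deleteErrors[$f.Name]
        }
    }
}
```

An empty result means the directory was really cleaned; any returned object is a file that is still listed after the delete pass, with the error text that a batch file not checking for errors would have discarded.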