
Allow Users to Add Program Exceptions by Explicit Name and by Wild Cards


clc

Please allow the user to add program exceptions by explicit name and use of wild cards as laid out by PrivateInternetAccess. 

 

In Malwarebytes, I could only create an exception by pointing to a file, as opposed to naming it, and there is no ability to wildcard, as needed by PrivateInternetAccess.

 

I noticed Malwarebytes was blocking Rubyw internet access, and didn't know why . . . so I did some research and here is what I found:

 

Rubyw.exe and variants thereof are created by PrivateInternetAccess.  I use PrivateInternetAccess.  Here is their explanation:

 

"To further follow up on our last reply to you, what your program is detecting is called rubyw.exe. This is the process that executes all the ruby scripting in our application, that allows it to run. However, we designed it to install to a randomized temporary directory on each launch, along with a randomized filename, to ensure no one can locate it, and thus crack it (while it's running, it contains your login information and binds your local IP, which would be a major security risk if it became visible externally; thus why we randomize its name and location, so it can't be found by automatic scripts/etc).

However, this randomization causes security software to be unable to recognize it. Security software operates off of a predefined list of allowed apps, called a definition file. If it sees anything that's not on that list (even custom apps like ours), it will state it's untrusted, and immediately assumes it's not safe (since it doesn't know what it is). This is extremely common, and is why the app developers allow you a way to add your own exceptions for apps on your computer, to allow them to function when you know they're safe. To do this for our app, you need to add the following process exceptions to its whitelist/allowed app list/etc, which should keep it from interfering with its operation in the future:

rubyw.exe
ruby*.exe
ruby*.*
*/ruby*.*
*/*ruby*.*
../ruby*.*
../*ruby*.*

. . . .   https://www.privatei...tup-question/p1

 

Hence the need for this request.

 

Thank you,

Curtis


  • 2 weeks later...

+1 or else I will have to find a new antivirus. This should already be integrated, and is extremely frustrating to see the popup that it is being blocked, not even able to click to add as an exception per popup at the very least. You would think for a service you pay for that it would allow the user to type in the exceptions. Not to mention it is hanging my laptop every 10 seconds, since it consumes almost all of my resources. Malwarebytes could use an overhaul to keep up with the needs of users in 2013. Now I have to close my antivirus as the vpn seems to protect me more if it comes to choosing between the 2. This is really frustrating, btw did I mention that this is frustrating?

 

Thank you.


Actually one has to be very careful here.  Any file can be named anything.  One way to hide malicious activity is to use the name of a legitimate file.  The most commonly used name is SVCHOST.EXE.  A search through a malware encyclopedia will show quite a large quantity of malware that uses that file name.  Therefore one has to tread softly in the area of file name exceptions.  Such exclusionary tactics are too easily exploited.  Another way is confusionary tactics by name variations such as SCVHOST.EXE.  This way malware can hide in plain sight.  There is a legitimate location and there are illegitimate locations where SVCHOST.EXE can exist.  That's why wildcard exclusions/exceptions and simple naming can't be safely implemented. 

 

For example:

c:\windows\system32\svchost.exe  is legitimate

c:\windows\setup\svchost.exe  is NOT legitimate

 

Another way to hide in plain sight is by font character closeness.  Take the two file names LSASS.EXE and Isass.exe.  They are NOT the same, and it's not because of uppercase vs. lowercase characters (under Windows, file names are the same using upper, lower or mixed case characters).  They are not the same because the lowercase of "L" is "l" and the uppercase of "i" is "I", and they look similar.  LSASS.EXE and Isass.exe are not the same because the first file name uses the uppercase letter "L" and the second file name uses the capital letter for "i", which is "I".  They "look" the same.

 

One more thing to note is that Malwarebytes Anti-Malware (MBAM) is NOT an Anti Virus application and does not replace an Anti Virus application.  MBAM targets mostly non-viral malware in the form of trojans and is an adjunct, complementary, application to a fully installed Anti Virus application.  By using MBAM in conjunction with a fully installed Anti Virus application, one broadens the spectrum of protection for their computing platform.
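The contrast this post draws (an exact-path allowlist versus name-only or wildcard exceptions, plus look-alike names such as Isass.exe) can be made concrete in a few lines. The following is an added illustration written for this page; it is not Malwarebytes code, not the VPN vendor's code, and not part of the thread. The wildcard list is the one quoted in the thread; the full-path allowlist, the confusable-character table and the sample process paths are constructed for the demonstration.

```python
import fnmatch
import ntpath

# Process-name wildcards quoted earlier in the thread (the VPN vendor's suggested exceptions).
NAME_WILDCARDS = [
    "rubyw.exe", "ruby*.exe", "ruby*.*",
    "*/ruby*.*", "*/*ruby*.*", "../ruby*.*", "../*ruby*.*",
]

# Constructed full-path allowlist: the one legitimate svchost location named in the post.
FULL_PATH_ALLOWLIST = {r"C:\Windows\System32\svchost.exe"}

# Constructed sample of observed process image paths (not real telemetry).
OBSERVED = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\Setup\svchost.exe",
    r"C:\Users\alice\AppData\Local\Temp\x7f3a\rubyw.exe",
    r"C:\Users\alice\Downloads\ruby_updater.exe",
    r"C:\Windows\System32\Isass.exe",
]


def normalize(path):
    """Windows paths are case-insensitive; compare lowercased with forward slashes."""
    return path.replace("\\", "/").lower()


def matches_wildcard(path, patterns):
    """Return the first pattern that matches the path, or None.

    Name-only patterns are tested against the basename; patterns containing a
    separator are tested against the whole normalized path.  Note that fnmatch's
    '*' also matches '/', so '*/ruby*.*' matches ruby* in ANY directory.
    """
    full = normalize(path)
    name = ntpath.basename(path).lower()
    for pat in patterns:
        subject = full if "/" in pat else name
        if fnmatch.fnmatchcase(subject, pat.lower()):
            return pat
    return None


def classify(path):
    """Exact-path allowlisting first; wildcard name exceptions second."""
    if normalize(path) in {normalize(p) for p in FULL_PATH_ALLOWLIST}:
        return "allowed-by-path"
    if matches_wildcard(path, NAME_WILDCARDS):
        return "allowed-by-wildcard"
    return "not-allowlisted"


# Constructed table of characters that render alike in common fonts, mapped to
# one canonical form (capital I / digit 1 / bar -> lowercase l, zero -> o).
_CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(name):
    """Case-fold and collapse confusable characters so look-alikes compare equal."""
    return name.lower().translate(_CONFUSABLE)


def lookalike_of(path, protected_names):
    """Return the protected name this basename imitates, or None if it is not a look-alike."""
    name = ntpath.basename(path).lower()
    for protected in protected_names:
        if name != protected.lower() and skeleton(name) == skeleton(protected):
            return protected
    return None


if __name__ == "__main__":
    for p in OBSERVED:
        hit = lookalike_of(p, ["lsass.exe", "svchost.exe"])
        suffix = f"  LOOK-ALIKE of {hit}" if hit else ""
        print(f"{p}: {classify(p)}{suffix}")
```

Running it shows the point of the post: the Setup-folder svchost.exe stays unallowlisted because only the System32 path is on the list, while the wildcard `ruby*.exe` admits not just the randomized rubyw.exe but an unrelated `ruby_updater.exe` in Downloads, and Isass.exe is flagged as a look-alike of lsass.exe even though a plain case-insensitive comparison treats the two names as different.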


  • Root Admin

If you're having a popup over and over then you really should find out why and fix it and not try to ignore it by thinking you can simply add it to an ignore list.

 

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.

Thank you


It's ruby.exe...

Here's some information for that file / program.

I had a support ticket for this issue:

This is the reply from the user:

 

I put the software exe file in the Ignore List, and I haven't had problems, so far. Contacted software provider and they sent the following:

What your program is detecting is called rubyw.exe. This is the process that executes all the ruby scripting in our application, that allows it to run. However, we designed it to install to a randomized temporary directory on each launch, along with a randomized filename, to ensure no one can locate it, and thus crack it (while it's running, it contains your login information and binds your local IP, which would be a major security risk if it became visible externally; thus why we randomize its name and location, so it can't be found by automatic scripts/etc). However, this randomization causes security software to be unable to recognize it. Security software operates off of a predefined list of allowed apps, called a definition file. If it sees anything that's not on that list (even custom apps like ours), it will state it's untrusted, and immediately assumes it's not safe (since it doesn't know what it is). This is extremely common, and is why the app developers allow you a way to add your own exceptions for apps on your computer, to allow them to function when you know they're safe. To do this for our app, you need to add the following process exceptions to its whitelist/allowed app list/etc, which should keep it from interfering with its operation in the future:

rubyw.exe
ruby*.exe
ruby*.*
*/ruby*.*
*/*ruby*.*
../ruby*.*
../*ruby*.*

 

So if you want to continue using their software, you'll need to do that.


  • Root Admin

And I would disagree.  So all someone that writes malware has to do is name their program with that name and then your security software ignores it and it attacks your computer.

 

Very poor security design on their part as it could easily be scripted to find that file and extract anything from it you want.  They should find a better method and use a signed file so that it would not be detected.


For your reading pleasure:

https://www.privateinternetaccess.com/forum/index.php?p=/discussion/790/questions-regarding-the-backround-network-scans-of-rubyw-exe/p1

No.1

It would seem that privateinternetaccess is (for whatever reasons) allowing its users to connect to questionable websites/domains

 

No.2

As a user of Ruby (renamed to xxxxxxxxxxxx) there should not be any rubyw.exe and most certainly not showing up in Temp files after every execution.

Myself and the Team I work with have been using Our program for several years now. I can safely say Mbam and it have no conflict whatsoever

 

 

 

I'm infected and your software didn't protect me.

 

 

 

Yep, expect it
