
Broken.OpenCommand



  • Staff

To avoid any confusion, since we already received a few mails about this...

 

We do not really detect this as malware, but as "Broken.OpenCommand", which means any change that malware (and other programs) makes to an "executable - shell\open\command" valuedata which isn't set by default should be alerted to the user for safety's sake. So this isn't a real false positive here, since we detect correctly as "Broken.OpenCommand".

If you're aware that one of the programs you installed *does* change this valuedata, then add it to your whitelist. If you're not aware of this, then have Malwarebytes fix this (as this will restore the default valuedata set by Windows again).


CryptoPrevent says it's a known issue with Malwarebytes Anti-Malware:

http://www.foolishit.com/vb6-projects/cryptoprevent/anti-virus-anti-malware-application-warning/

 

MBAM also gave me 2 "Broken.OpenCommand" warnings as posted by MikeW above.

 

I'm still confused after reading the other post, as well. Can someone tell me how to whitelist it?

(https://forums.malwarebytes.org/index.php?/topic/150785-brokenopen-command-cryptoprevent/?hl=%2Bcryptopreventfiltermod.exe)


  • Staff

As I explained - by default, we should warn users if the association handlers have been changed, no matter what program does it. Malware especially changes this often. When you tell Malwarebytes to quarantine this, it will restore the default valuedata again. We do not really list it as malware, but as "Broken.OpenCommand", so we are detecting correctly here since the default association handlers have been changed.

 

In the case of CryptoPrevent and the few other legit applications that modify these valuedatas, you can add them to the whitelist in Malwarebytes.

In order to whitelist, if you use MBAM 2, right-click the detection and, where quarantine is listed, use the dropdown arrow and select "Add Exclusion" from the listing.

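Added example, not part of the thread and not Malwarebytes' code: a minimal sketch of the kind of check described in the staff posts above, comparing the shell\open\command default value of executable file classes against the Windows default and honouring a user exclusion list. The class list, the exclusion format and every path in the sample are assumptions constructed for illustration.

```python
import re

DEFAULT_OPEN = '"%1" %*'   # Windows default (Default) value for these classes
# Assumption: which classes get checked; the thread does not list them.
EXEC_CLASSES = ("exefile", "comfile", "batfile", "cmdfile", "piffile")
KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Constructed sample in "reg export" format; tool name and paths are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\ExampleTool\\filter.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"C:\\Temp\\unknown.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"
'''
# Hypothetical exclusion list: (class, exact value) pairs the user accepted.
EXCLUSIONS = {("exefile", r'"C:\ExampleTool\filter.exe" "%1" %*')}

def parse_open_commands(reg_text):
    """Map class name -> unescaped (Default) value of its open command key."""
    found, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if line.startswith("["):
            current = key.group(1).lower() if key else None
        elif current and (val := DEFAULT_RE.match(line)):
            # .reg strings escape backslash and double quote with a backslash
            found[current] = re.sub(r'\\(["\\])', r"\1", val.group(1))
    return found

def audit(reg_text, exclusions=frozenset()):
    """Label each class: default, excluded, changed or missing."""
    values, report = parse_open_commands(reg_text), {}
    for cls in EXEC_CLASSES:
        value = values.get(cls)
        if value is None:
            report[cls] = "missing"
        elif value == DEFAULT_OPEN:
            report[cls] = "default"
        else:
            report[cls] = "excluded" if (cls, value) in exclusions else "changed"
    return report
```

A real export from regedit is UTF-16 encoded, so decode the file before passing its text to audit(). Matching the exclusion on the exact value means a later change to the same key by a different program is still reported.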

TableLamp:
 
Please reference: Please read before reporting a false positive
 


If you are not a member of the Staff or Experts group, please do not reply to other users' posts in either the File or Web Blocking forums.

 
Thank you for understanding.


  • 1 month later...

So this isn't a real false positive here, since we detect correctly as "Broken.OpenCommand".

 

Hi, my name is Nick and I am the developer of CryptoPrevent.  

 

I had assumed that Malwarebytes would fix this issue by now, but I see it hasn't happened, so allow me to jump in here.  

 

Two reasons why this is a false positive:

 

1.  Please explain to me how this detection is "correct", because I fail to understand.  It is your detection, so it is only "correct" to you, but it is quite INCORRECT to me.  It implies that the open command is broken, although this is a false statement as well, as it is not broken at all!  It is merely modified... but it still works, hence it is not "broken."  

 

Further, I did not realize that MBAM was a utility to scan for and repair registry "errors," rather I was under the assumption it was strictly an anti-malware utility...

 

At the VERY least, if you want to alert your users to non-standard registry settings that aren't malicious or "broken" then the least you could do is not disguise them as malware detections, and default your action to ignore or whitelist the detection, not remove it ... but the problem with alerting your users to begin with is that obviously the vast majority of your user base does not have any idea what those settings are or what program put them there, much less what to do about it -- so they take your advice and "quarantine" them as it is the default action.  This is very bad form.

 

2.  Most importantly when you throw the technical "broken" excuse aside, CryptoPrevent's settings are indeed detected as malicious, see pic where it specifically says "Malware Detected" in a popup.  But there are other things that indicate it is treated as malicious by your software.  I have circled the false warnings displayed by your software, and how it defaults to "fix" the false issue and disrupt the functionality of other legitimate software.  This is causing a lot of confusion and outright panic among my customers.  

 

If it were any other company falsely detecting Malwarebytes software and affecting Malwarebytes business, then I am positive that Malwarebytes would seek immediate legal action as a recourse if the software vendor refused to acknowledge and resolve the problem in a timely fashion.  Realize that I do not have the financial backing to protect my own company and reputation, so I am relying on your decision makers to do the right thing.  

 

So I would really appreciate you passing this up the ranks to someone responsible for false detections.  

 

Thank you for your time and consideration, and also for an otherwise fine product you have.  



  • Staff

Hi,

 

As you probably know, when something changes the "Open Command" for default file associations, it's in 90% of cases caused by malware. If we set this as "optional" for the user, so it's not removed by default, then this will leave a lot of users affected with this, because they wouldn't know what to do with it. Hence why the decision was made to change these all to be treated as malware.

The main reason also for this is that not all our users are experts, so we decide for them what the best option is to keep them safe. We are aware of the fact that this might always give false positives. This is the same as your program, which also has some "guards" set by default that might cause occasional FPs as well.

 

This detection has been in our product for many years already and so far, we have not received any FP yet where legitimate software has altered this key. The only cases where we received reports about this is where the default valuedata for these was totally broken, not set by a legitimate program, but rather with a tool where it tried to fix the default associations for these and wrote incorrect valuedata to it. Malwarebytes then fixed this as well.

 

It's not that we do not want to fix this - in order to fix this, it requires an engine update (as this is a separate implementation) and even then, we still need to decide how to properly handle this without affecting the valid detections of these "Open Command" associations which are set by malware.

 

Malwarebytes isn't only an Antimalware solution, it is a lot more - we fix a lot of things that might be broken, we alert of default settings that have been changed. It's all a matter of selecting what the best default action is for the average user - and in this case, I believe we can both agree that this "Open Command" is mostly changed (except for in your case) by malware.

 

I will be sending you a private message as well with some additional questions I have for you, so we can find the best solution in order to fix this.

 

Thanks for understanding

