MBARW Blocks CCleaner64.exe during a CCleaner cleaning run

[siliconman01]

On running a system clean up with CCleaner V5.14.5493, MBARW attempts to quarantine CCleaner64.exe and locks up CCleaner.

[siliconman01]

This is from my MS Surface Pro tablet and should contain blocking info for Norton Security and CCleaner.

Malwarebytes Anti-Ransomware.zip

[pbust]

Thanks for the ProgramData folder siliconman01.

 

Please add also the EXE that was blocked.

 

Full instructions for reporting FPs here:

https://forums.malwarebytes.org/index.php?/topic/177810-how-to-report-a-false-positive/

[Decrypterfixer]

Self Note: ARW Archived

[siliconman01]

Thanks for the ProgramData folder siliconman01.

 

Please add also the EXE that was blocked.

 

Full instructions for reporting FPs here:

https://forums.malwarebytes.org/index.php?/topic/177810-how-to-report-a-false-positive/

 

 

Attached are ns.exe,ccleaner.exe, and ccleaner64.exe

ns.zip

CCleaner64.zip

CCleaner.zip

[pbust]

Thanks!

 

We'll fix these ASAP!

[SavantM]

confirming same result: On running a system clean up with CCleaner V5.14.5493, MBARW attempts to quarantine CCleaner64.exe and locks up CCleaner.

[Decrypterfixer]

From what i can see this FP shouldnt be happening any longer. Savant, could you please upload the CCleaner files you are using so i may test this. Thanks!

[Decrypterfixer]

Malwarebytes Anti-Ransomware Beta 2 has been released, download or update now!

(If you have MBARW installed it should prompt to update)

Information:

Malwarebytes Anti-Ransomware (BETA) 0.9.5

Improvements:

• Improved rules to prevent false positives on legitimate software

Issues Fixed:

• Fixed issue that interfered with proper detection of latest CryptoWall 4 variant

[wyzard49]

Just installed and updated MBARW this evening 1/27/2016 and am confirming this False Positive Post

MBARW blocks CCleaner as FP.

Thanks

[pbust]

Can you please post all the files mentioned here:?

https://forums.malwarebytes.org/index.php?/topic/177810-how-to-report-a-false-positive/

[SirHugoATLANTA]

 MBARW blocked my running of CCleaner64.exe at 1-28-2016 2:30M Eastern Time.  I will download "again" the latest beta release but 

 I downloaded MBARW just 2 hours earlier.

 

 -Hugo

[exile360]

I received the same FP mentioned by others here, however I have discovered an additional issue. It appears that MBARW and CCleaner64.exe are at a stalemate at the moment as CCleaner64.exe remains in memory while MBARW's UI remains unresponsive as it is unable to quarantine the file. I have received no prompt for a reboot and the tray notification remains. Clicking on the 'Close' button at the bottom of the notification has no effect and the same is true for the white 'X' at the top of the notification. I am able to launch the main UI of MBARW, however the 'Stop Protection' button took several minutes to respond and disable protection, after which the tray notification still remains though I was then able to use the 'Close' button in the notification.

At this point CCleaner64.exe still remains in memory as it is unable to proceed with clearing my temp files. I attempted to cancel the cleaning by launching the CCleaner UI, however it appears to have no effect.

I imagine I will have to reboot to resolve this or at the very least manually kill CCleaner64.exe.

I'm running build 0.9.5.304 of MBARW BETA. I will provide the requested logs and files shortly once I've dealt with the hung CCleaner64.exe process and rebooted to determine the outcome of the detection event.

[exile360]

As promised, here is the data. A few more items of note. First, I do not know, but depending on how this application was whitelisted to prevent detection it might have failed because I am using the portable version of CCleaner which is stored in and runs from a custom location on my PC (not on my system drive, not in a program files directory).

Second, I was actually unable to zip copies of MBARW's files until exiting the application (to get its ProgramData folder) and then manually terminating its copy of MBAMService.exe via Task Manager (to get its logs folder as it did not terminate itself when I disabled protection and used the 'Exit' function in the tray).

Also, after reboot the file was not in quarantine (quarantine remained empty) and the file remained intact in its original location (X:\CCleaner). I suspect this is because of the issues I raised in my first post regarding the stalled state of the two applications and the actions I took in order to get past it (disabling protection etc.).

Please let me know if there is any further data, information or steps you require of me.

edit: One additional item of note. I checked and discovered that I'm actually running version 5.13 (the last version released prior to the latest) of CCleaner if that makes any difference (probably so since the binaries are different between releases).

CCleaner64.zip

Malwarebytes Anti-Ransomware.zip

logs.zip

[exile360]

I believe I figured out what happened to make MBARW behave differently than expected. I had a PUP installer sitting in one of my temp folders which was detected by ESET (the AV I use). Once I finally killed MBARW and allowed CCleaner to run to completion it triggered a detection in ESET for the PUP installer so it was likely ESET making this detection while CCleaner was trying to work and while MBARW was trying to kill and remove CCleaner64.exe that caused the stalemate event.