pbust

How to report a False Positive


In order to report a false positive of Malwarebytes Anti-Ransomware please follow these steps:

Note: these steps have been updated to reflect new steps for Beta 9 -- please ensure you're running the latest beta version 0.9.18.797-1.1.86 before reporting a false positive.

  1. Finish the detection process and reboot if asked by Anti-Ransomware.
  2. After reboot disable the Anti-Ransomware protection.
  3. Restore the file from Quarantine and add it to the exclusions.
  4. Find the restored file which had been quarantined, right-click on it and click "Send To >> Compressed (Zipped) Folder". Attach this ZIP file also to your report.

Next, we need to gather additional information to assist with our analysis. arwlogs.exe is an information gathering tool that neither installs nor makes system/registry hive changes.

  1. Download the trusted, Malwarebytes-authored arwlogs.exe utility/tool and save only to a system Administrator's desktop of the system in question.
  2. Single right-click the arwlogs.exe icon and select Run as administrator from the Windows context menu.
  3. If a Windows User Account Control (UAC) alert/prompt for arwlogs.exe appears, select the "Yes" button to continue.
  4. If a Windows SmartScreen warning alert/prompt for arwlogs.exe appears, select "More info" then select the "Run anyway" button to continue.
  5. A Command window will appear and its contents may be mostly ignored.
  6. When "Press any key to continue . . . " appears at the bottom of the Command window, type any Enter key to close the window.
  7. A zipped archive (yyyy-mm-dd-{COMPUTERNAME}.zip) should have been generated to the system Administrator's desktop.
  8. Attach the above-zipped archive to your next reply in this topic.
  9. Delete arwlogs.exe from the Administrator desktop.

In summary, please provide:

  1. The archive containing the restored file
  2. The archive containing the arwlogs data - (yyyy-mm-dd-{COMPUTERNAME}.zip)

Edited by tetonbob
Updated steps to reflect changes in Beta 9; using arwlogs

This topic is now closed to further replies.
