False Positive on Custom In-House Program

[suspicious_bucket]

Greetings,

 

The program in the attachment which is something that we use got flagged as ransomware. This is a program we use frequently. I have restored and created an exception for the file. However, I'm just hoping that it's not somehow infected. Ransomware can't infect legitimate programs and then conduct their encryption can they? Just want to make sure just in case.

False Positive.zip

[1PW]

Hello suspicious_bucket and

 

At the date/time of the following analysis, the file in question appears to be harmless per https://www.virustotal.com/en/file/c9f00f7fd0cd2823b5a9393fe314d38f010d98be2394c77da093de07ff96bbe3/analysis/1457671934/.

However, it appears as if Malwarebytes Anti-Ransomware (MBARW) appears to be installed on a Microsoft Windows Server. The MBARW developers have not approved the use of MBARW on any Microsoft Windows Server. Additionally the use of MBARW in any commercial/enterprise/production environment is strongly discouraged at this time.

 

Ransomware can't infect legitimate programs and then conduct their encryption can they?

 

Although the expertise of an anti-malware professional is called for, in my non-authoritative opinion, malware can be injected into otherwise legitimate executables leading to any manner of infection.

 

I will request for you a professional opinion from an authoritative source regarding the above question.

 

Thank you.

[David H. Lipman]

The important thing here is that this is a Beta and a Beta should not be used on production computers as its use can lead to unexpected detriment.

 

As for MBARW it is falsely flagging an encyclopedic size list of executeables which is not good.

 

As for the file in question, a legitimate file can have malicious code prepended, appended or cavity injected.  This can be by a file infecting virus or by a trojan that patches or "trojanizes" a legitimate file.  In the case of a file infecting virus, it is indiscriminate in what legitimate files it wants to infect.  In the case of a trojan that patches or "trojanizes" a legitimate file, it targets specific files whose preponderance are those that are specifically a part of the Windows Operating System.

 

As for cryptographic malware ( Cryptovirology ), the vast majority are trojans and not viruses and to my knowledge none "trojanizes" legitimate files.  Therefore while it is possible for Ransomware to infect legitimate programs it is highly unlikely.

[suspicious_bucket]

Thank you very much for your responses.

 

1. It makes a lot of sense that for "trojanizing" or appending malicious code to legitimate files would largely target common operating system files as these would be the most common files across a larger number of environments. Thank you for clearing that up for me.

 

2. I understand the risks of this software being used in a production environment, but the use of this software has saved my tail more than once in a production environment. The reason it's used in this type of environment is due to the fact that it is being used in a terminal server environment where the terminal server has office and people may download/run attachments with malicious files.

 

This has already happened once and has ended up corrupting a number of our files. Luckily we had a recent backup of our files that was unaffected.

 

Can you let me know what major risks I am running with running this software in a production environment?

[David H. Lipman]

Since it is a Beta that's hard to quantify.  Anything from breaking an application to corrupting the OS is possible. 

There is also a greater, but unlikely, risk of an exploitable vulnerability.