New FDM Installer trips MBARW, but nothing shows in quarantine


John L. Galt

Hi, all,

Just got a popup regarding the newest Free Download Manager 5.1.6 Beta installer.  During the install it showed me a popup that it was ransomware, and killed the rest of the installation, but nothing shows in quarantine.

I've added the installer to the exclusion list but it still persists, because of a .tmp file created in the %TEMP% folder.  Furthermore, after capturing the screenshot below, I went to look at the file, and it was still in the temp location, but as I was viewing it it abruptly disappeared.

I am going to disable protection, run the installer, and capture the .tmp file to post as well.  As I mentioned, neither time did it actually show up in the quarantine section of the app.

What else do you need from me?

[Screenshot: MBARWFP1.PNG]

Edited by John L. Galt: Added screenshot

Hello John:

I'll send you the usual canned response so an archive analysis can see what else is relevant.

"Please carefully read the locked and pinned topic in this sub-forum, How to report a False Positive and for developer analysis, kindly attach the requested archives to your next reply in this thread."

Thank you John.

 


Here we go.

Files as requested for analysis:

The Free Download Manager 5.1.6 Beta setup executable is over 40 MB in size, and even trying to compact it in 7z left it too large.  I've added the actual .tmp file that MBARW was flagging, and I'm uploading the archived setup.exe to my Google Drive account.  Will link it here when it is available.

Malwarebytes Anti-Ransomware.7z

MBAMSERVICE.7z

FDM 5.1.6β setup_x64.tmp.7z


Reference: https://www.virustotal.com/en/file/cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839/analysis/

Hello John:

Available data does suggest a false positive and you may wish to make the following temporary full pathname file entry in MBARW GUI Dashboard -> Exclusions:

D:\Users\nkyad\AppData\Local\Temp\is-GCC5S.tmp\FDM 5.1.6β setup_x64.tmp

Thank you and we will need to wait and see what the developer team wants to do.


Yup, did that already, but it still tripped MBARW.  But that is expected, container for that file is always named differently every time the Setup.exe extracts the .tmp file for the purpose of installing.

I finally just had to disable protection, install the DLM, and then re-enable protection.

I suspect that other FPs based upon installer .tmp files with similar naming scheme methodologies employed will produce similar results.

IOW,

Quote:

D:\Users\nkyad\AppData\Local\Temp\is-GCC5S.tmp\FDM 5.1.6β setup_x64.tmp

The bold-faced part (is-GCC5S.tmp) always changes.  And thus, setting an exclusion never works.

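Added worked example, not part of the original thread and not code from Malwarebytes or from Free Download Manager: a small Python script that shows why the full-pathname exclusion quoted above cannot match a later run of the same Inno Setup installer, and which identifiers do stay constant between runs. It assumes the is-XXXXX.tmp folder name is five alphanumeric characters (as in the is-GCC5S.tmp path posted above); the second-run path (is-7Q2RL.tmp) and the file bytes it hashes are constructed for the example.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Inno Setup installers unpack their bootstrap into %TEMP%\is-XXXXX.tmp\ and
# regenerate XXXXX on every run. The five-character alphanumeric form is an
# assumption based on the path posted in the thread (is-GCC5S.tmp).
INNO_TMP_DIR = re.compile(r"^is-[A-Za-z0-9]{5}\.tmp$")

# Path from the thread, and a constructed path for a later run of the same
# installer (is-7Q2RL.tmp is invented; only the folder name differs).
EXCLUSION = r"D:\Users\nkyad\AppData\Local\Temp\is-GCC5S.tmp\FDM 5.1.6β setup_x64.tmp"
SECOND_RUN = r"D:\Users\nkyad\AppData\Local\Temp\is-7Q2RL.tmp\FDM 5.1.6β setup_x64.tmp"


def exact_match(exclusion: str, path: str) -> bool:
    """A full-pathname exclusion: the whole path must be equal.

    PureWindowsPath compares case-insensitively, like NTFS, so only the
    random is-XXXXX.tmp component can make two runs differ.
    """
    return PureWindowsPath(exclusion) == PureWindowsPath(path)


def inno_components(path: str):
    """Split a path into (temp root, random is-XXXXX.tmp folder, file name).

    Returns None when the file does not sit directly inside an Inno Setup
    temp folder, so callers cannot accidentally widen the match.
    """
    p = PureWindowsPath(path)
    if len(p.parts) < 3 or not INNO_TMP_DIR.match(p.parts[-2]):
        return None
    return (str(p.parent.parent), p.parts[-2], p.name)


def pattern_match(exclusion: str, path: str) -> bool:
    """Match an exclusion while ignoring the random folder name.

    Both paths must be Inno Setup temp paths with the same temp root and the
    same extracted file name; only the is-XXXXX.tmp component may differ.
    """
    a, b = inno_components(exclusion), inno_components(path)
    if a is None or b is None:
        return False
    return a[0].lower() == b[0].lower() and a[2].lower() == b[2].lower()


def sha256_hex(data: bytes) -> str:
    """Hash of the file content: what a VirusTotal lookup keys on, and the one
    identifier that stays the same no matter which is-XXXXX.tmp folder the
    installer used this time."""
    return hashlib.sha256(data).hexdigest()


def compare_runs(exclusion: str = EXCLUSION, later_run: str = SECOND_RUN) -> dict:
    """Summarise why the exclusion fails on the next run and what is stable."""
    return {
        "exact_match_same_run": exact_match(exclusion, exclusion),
        "exact_match_next_run": exact_match(exclusion, later_run),
        "pattern_match_next_run": pattern_match(exclusion, later_run),
        "random_component": (inno_components(exclusion)[1], inno_components(later_run)[1]),
        "stable_file_name": inno_components(later_run)[2],
    }


if __name__ == "__main__":
    for key, value in compare_runs().items():
        print(f"{key}: {value}")
    # Constructed stand-in for the captured .tmp bytes; the real file is what
    # would be hashed before attaching it to a false-positive report.
    sample = b"MZ" + b"\x00" * 62 + b"constructed stand-in for setup_x64.tmp"
    print("sha256:", sha256_hex(sample))
```

The thread only describes a full-pathname exclusion, so pattern_match is not a claim about what MBARW supports; it shows what an exclusion would have to ignore to survive the next extraction. The SHA-256 of the captured .tmp is the identifier that does not move, which is why the VirusTotal reference above is keyed on a hash rather than a path.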

Thanks for looking into the entire issue for me.  Hopefully this helps with others with similar installation-related issues.

I'm about to install Microsoft Office 365 Home Premium, be back if that throws up an error as well.

Thanks again for your help :)
