false positive cygwin rm.exe


ingber
I attach log_mbarw.zip and logs.zip. I was trying to delete a folder using cygwin64/bin/rm.exe and the file was flagged as ransomware. I do not seem to be able to restore it from quarantine. I cannot get any response from a right-click to add to the logs. I will have to uninstall mbarw and get back my rm.exe from the cygwin site.

logs.zip

log_mbarw.zip

Reference: https://www.virustotal.com/en/file/9B39AE931FF26D45664C8DE5DAF8631EB68CAE8D36009BDE5F601029EB2C2866/analysis/ Unsigned

Hello ingber:

Available data does suggest a false positive and, if it has not already been done, you may wish to make the following temporary full pathname file entry in MBARW GUI Dashboard -> Exclusions:

                        C:\cygwin64\bin\rm.exe

At any time, a development team member, QA team member or staffer may request the above temporary exclusion be altered/removed.

Thank you for beta testing MBARW and your valuable feedback.

  • 3 weeks later...

Same problem.

This time I DID have this file under Exclusions, but this was ignored?

I could not restore from Quarantine when MBARW raised its windows -- something about could not restore a file marked for deletion.

After reboot, I could restore the file this time, but it had incorrect owner (SYSTEM) which I had to correct.

Logs are attached.

 

mbamlogs.zip

mbarw.zip

Reference: https://www.virustotal.com/en/file/cdf9d15de3ff97c2a652e06e197b1967db638b30e911612bef7f3153f7433d81/analysis/ Unsigned

Hello ingber:

Although the available data strongly suggests a false positive, a successful file comparison between today's submission and that of 5-April-2016 could not be made.

                      C:\cygwin64\bin\rm.exe

At any time, a MBARW development team member, QA team member or Staffer may post further instructions or requests.  Thank you for beta testing MBARW and your valuable feedback.

To add to what 1PW is saying:

12 minutes ago, 1PW said:

Although the available data strongly suggests a false positive, a successful file comparison between today's submission, and that of 5-April-2016 could not be made.

This is why Anti-Ransomware flagged that file again - it was not the same file from before.  No, wait, hear me out.

The file name was the same, but other statistics of the file had changed - version number, date, size, etc. - one or more of those attributes had changed since the time that you added the file to Anti-Ransomware's Exclusions list.  It checked the file when scanning, found that the name was there, but then upon further analysis it realized that the file had changed since you had added it to the exclusion list, so it did not exclude it (in order to err on the side of caution).

This behavior is pretty standard, and it actually is geared to saving the end user a headache in case ransomware attempts to mimic a legitimate file that you have previously marked for exclusion.

Files like that one (and in fact, most of the files in cygwin) that get updated regularly will probably hit this problem over and over again - it is not because the Anti-Ransomware is faulty - it is by design.  What you will need to do with this current Beta is remember to add that file as an exclusion every time it gets updated by Cygwin.

This may change in future builds or after integration, but for now, on βeta 6, this is what we have to do.

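An added illustration of the behaviour described in the reply above (example code written for this page, not Malwarebytes code and not how MBARW is implemented internally): an exclusion list that binds a full pathname to the file's fingerprint, so a replaced file with the same name no longer matches until it is re-added. File paths and contents are constructed stand-ins.

```python
"""Fingerprint-bound exclusions: a path entry stops matching once the file changes."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (sha256, size) for a file. This stands in for the attributes the
    reply mentions (version, date, size) that are checked before an exclusion is honoured."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest(), os.path.getsize(path)


def add_exclusion(manifest, path):
    """Record the file's current fingerprint under its full pathname."""
    manifest[os.path.normcase(path)] = fingerprint(path)


def is_excluded(manifest, path):
    """Honour the exclusion only if the file on disk still matches the recorded fingerprint."""
    entry = manifest.get(os.path.normcase(path))
    return entry is not None and entry == fingerprint(path)


def demo():
    """Replay the thread's sequence: exclude rm.exe, Cygwin updates it, the exclusion stops matching."""
    with tempfile.TemporaryDirectory() as d:
        rm = os.path.join(d, "rm.exe")  # constructed stand-in for C:\cygwin64\bin\rm.exe
        with open(rm, "wb") as f:
            f.write(b"rm.exe build of 5-Apr-2016")  # constructed placeholder content
        manifest = {}
        add_exclusion(manifest, rm)
        before = is_excluded(manifest, rm)           # True: same bytes as when excluded
        with open(rm, "wb") as f:
            f.write(b"rm.exe build of 12-Apr-2016")  # simulated package update
        after = is_excluded(manifest, rm)            # False: same name, different file
        add_exclusion(manifest, rm)                  # user re-adds the updated file
        readded = is_excluded(manifest, rm)          # True again
        return before, after, readded


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```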
John:

Hi.  Yes, that file was updated 12 Apr 16.

Thanks.

Lester
