false positive and exclusion ignored


Hi,

I tested with Version: 0.9.15.416.

For my nightly backup job I use ln.exe, a command-line tool for creating hard links in NTFS (http://schinagl.priv.at/nt/ln/ln.html)

I copied ln.exe into %SystemRoot%/system32.

During the 1st backup job, ln.exe is recognized as ransomware and obviously deleted.

I rebooted my system, put back ln.exe, and made an exclusion in MBARW.

Next time it's recognized again and it's deleted again.

What's wrong?

 

moe5k

 

 

 

 


Hello moe5k and :welcome:

Please carefully read the locked and pinned topic in this sub-forum, How to report a False Positive and for developer analysis, kindly attach the 3 requested .zip archives to your next reply in this thread.

If an exclusion has not already been entered, a temporary exclusion entry might then be made available to prevent a re-occurrence for your individual system.

Thank you for beta testing MBARW and your feedback.

Hi 1PW,

Thx for your answer.

I followed these instructions now ... here are the zip-files.

moe5k

ln.zip

logs.zip

Malwarebytes Anti-Ransomware.zip


Reference: https://www.virustotal.com/en/file/ac16c5887b475e8f532842b790b59d3b030c26166170664e02082efff7864189/analysis/1461585653/ Unsigned

Hello moe5k:

Available data strongly suggests a false positive and, since the following pathname has been entered in MBARW GUI -> Exclusions, and the binary has been uploaded to the developers, please allow the entry to remain until you are requested to remove it:

C:\Windows\system32\ln.exe

At any time, a MBARW development team member, QA team member or Staffer may request the above temporary exclusion be altered/removed.  Thank you for beta testing MBARW and your valuable feedback.


Hello moe5k:

The MBARW Beta development team are aware of some exclusions not performing as intended and are working on its solution.

In the meantime, please keep the recommended exclusion in place until requested by devs/staff to remove it.

Thank you.
