My Sync program was robbed po me

[gonjo]

MABR decided that my EaseUs Everysync is a ronsomware and quaranteened it. I tried immediately to recover it and it states  "Can't restore an item marked for deletion on reboot".  How dare the program delete anything without my consent? I have not yet rebooted, How to I save the exe file?  I must have it back, because it was installed as a one time free download.

[1PW]

Hello gonjo and

Please carefully read the locked and pinned topic in this sub-forum, How to report a False Positive and for developer analysis, kindly attach the 3 requested .zip archives to your next reply in this thread.

If an exclusion has not already been entered, a temporary exclusion entry might then be made available to prevent a re-occurrence for your individual system.

Thank you for beta testing MBARW and your feedback.

[gonjo]

I have not attempted to report a False Positive. I am begging for instruction how to rescue my software. MABR Ransomware has moved a good working exe file to its quarantine, and would not release it necause  "Can't restore an item marked for deletion on reboot. This action is not acceptable. I should be able to make the final decision if that file is to be deleted or not. Now I am afraid that if I reboot it will be permanently deleted. So I repeat my question: How do I rescue my file from the claws of MABR Ransomware.

Once I am over this crisis I can find time and energy to report False Positive and help others.

[1PW]

Hello gonjo:

It is most regrettable that MBARW Beta has deleted a valuable executable.   If the system in question has a recent System Restore Point, backup, or image, I recommend you restore that file from one of those sources.

If the system lacks the above resources, and version 3.0 was installed, the application can be downloaded from http://download.easeus.com/trial/everysync_trial.exe

Thank you for your patience and understanding.

[tetonbob]

Hello, gonjo. That message says delete but it really means quarantine. As indicated in the "How to report a false positive" link that 1PW provided, the first step is to allow the cleanup reboot. After the reboot, you should be able to restore your file. Also, if you will provide the requested archives, the team can investigate to avoid this happening on this file in the future.

 

Quote

1. Finish the detection process and reboot if asked by Anti-Ransomware.
2. After reboot disable the Anti-Ransomware protection.
3. Restore the file from Quarantine and add it to the exclusions.
4. Find the restored EXE file that was quarantined, right-click on it and click "Send To >> Compressed (Zipped) Folder". Attach this ZIP file also to your report.
5. Create a ZIP of the directory C:\ProgramData\Malwarebytes\Malwarebytes Anti-Ransomware\ and attach it to your post.
6. Create another ZIP of the directoy C:\ProgramData\Malwarebytes\MBAMService\logs\ and attach it to your post.

 

[gonjo]

I am afraid my problem is not yet understood.   I must have back the original executable. I installed that program in a campaign of one day free sharware. It serial was valid for that day only, so I cannot reinstall the program.  As to wht happend and where I stand:

1. immediately after this happened I disabled   MBARW  and went into into quaranteen to restore the file. It refused, and told me it will be deleted on the next reboot. (see attachement)

2. I went to Exclusions but I cannot exclude it because the fille does not exist  (Catch 22).

3. Where do I stand now? If the file is deleted - I lost the software. You, Bob now tell me that the MBRAW does not "mean" deletion. Is it certain? Why should it refuse to "release" it from the quaranteen? If it is not sure, I should be able to reach the quarantine and "rescue" the file from there.  This is the first time I encounter a quaranteen which is stronger than my will. 

4. If this is not resolved I will never ever allow MBARW to "protect" me.

I hope now my predicament is fully understood. 

 

 

 

[John L. Galt]

Hi, gonjo,

I went looking through Easeus's site and I found this:  http://kb.easeus.com/art.php?id=90001

Have you tried registering and entering the license that you received?  Even if it was a one-day giveaway, it is still a valid license, and by doing this you can download the exact version that is gone from your system and then reinstall it with your license and you should be fine.  They also have a Live Chat that you can talk with to make sure this will work.

I also found a GotD where you can download the same version that was given away - https://www.giveawayoftheday.com/easeus-everysync-2-1/

Now, TBH, you're testing βeta software - you should expect things like this to occur.  That is why they made the sticky that clearly states in red:

Quote

As this is the very first beta we do encourage beta users to install the product in non-production environments for testing purposes.

If this computer that you're using is one that you use every day, you're right - you probably should not be testing Anti-Ransomware on it, so you can avoid future problems like this from occurring.  it is not a finished product, and things like this will happen - that is why it is a βeta test.

Post back with what Easeus says.

 

[tetonbob]

gonjo, I do understand what the issue is. To restore the file from quarantine, the removal process must first be allowed to complete. This includes a reboot after the detection. Only after that reboot will you be able to restore the file from quarantine.

 

Also, if you will provide the service log as requested, we can look at the details of the event, and possibly be able to provide a different solution, should the restore have issues.

[gonjo]

OK. It seems that the wording of the Notice was misleading and scared me in vain. What it said was that the file would be deleted permanently after reboot. Actually after reboot, I managed to restore it and all is well.

It's after midnight here, so tomorrow I wil follow the procedure of reporting False Positive. But please stop scaring innocent users....

[gonjo]

Here I am a little belated with the required Zip files for analysis

Malwarebytes Anti-Ransomware.zip

logs.zip

[tetonbob]

Hi gonjo. My apologies for the delay in replying. Thank you for your feedback. We are actually changing that messaging on a restore attempt before the scheduled reboot has taken place in an upcoming Beta release.  The time frame for that release is yet to be determined.

Thanks also for your reports and log files. This file should no longer be detected. If you've added EverySync.exe to the exclusions in Malwarebytes Anti-Ransomware BETA, please do remove from exclusions and let us know if the issue returns. It should not.

 

Thank you for your participation!

 

 

[gonjo]

You did it again. 

The very same false positive, and my backup program is quaranteened.

EasuUS Everysync is not a ransoware.

[1PW]

Hello gonjo:

Please carefully read the locked and pinned topic in this sub-forum, How to report a False Positive and for developer analysis, kindly attach the 2 requested .zip archives to your next reply in this thread.

If an exclusion has not already been entered, a temporary exclusion entry might then be made available to prevent a re-occurrence for your individual system.  Thank you again for beta testing MBARW and your feedback.

[gonjo]

I am sorry, but I won't follow any further procedure. My program has not changed, nor updated to a nev verdsion. So the very same info I sent you before is valid. It is a repeated bug in Malwerbytes. Please see my previous correspondence.

[miekiemoes]

Hi,

This was fixed already but due to some changes that were made to the backend (as the beta is still an ongoing process where improvements are being done), it might have caused it detecting again.

We are sorry for the inconvenience this has caused.

Edited October 28, 2016 by miekiemoes

[gonjo]

Thank you.