MABR decided that my EaseUs Everysync is a ransomware and quarantined it. I tried immediately to recover it and it states "Can't restore an item marked for deletion on reboot". How dare the program delete anything without my consent? I have not yet rebooted. How do I save the exe file? I must have it back, because it was installed as a one time free download.


Hello gonjo and :welcome:

Please carefully read the locked and pinned topic in this sub-forum, How to report a False Positive and for developer analysis, kindly attach the 3 requested .zip archives to your next reply in this thread.

If an exclusion has not already been entered, a temporary exclusion entry might then be made available to prevent a re-occurrence for your individual system.

Thank you for beta testing MBARW and your feedback.


I have not attempted to report a False Positive. I am begging for instruction how to rescue my software. MABR Ransomware has moved a good working exe file to its quarantine, and would not release it because "Can't restore an item marked for deletion on reboot". This action is not acceptable. I should be able to make the final decision if that file is to be deleted or not. Now I am afraid that if I reboot it will be permanently deleted. So I repeat my question: How do I rescue my file from the claws of MABR Ransomware?

Once I am over this crisis I can find time and energy to report False Positive and help others.


Hello gonjo:

It is most regrettable that MBARW Beta has deleted a valuable executable.   If the system in question has a recent System Restore Point, backup, or image, I recommend you restore that file from one of those sources.

If the system lacks the above resources, and version 3.0 was installed, the application can be downloaded from http://download.easeus.com/trial/everysync_trial.exe

Thank you for your patience and understanding.


  • Staff

Hello, gonjo. That message says delete but it really means quarantine. As indicated in the "How to report a false positive" link that 1PW provided, the first step is to allow the cleanup reboot. After the reboot, you should be able to restore your file. Also, if you will provide the requested archives, the team can investigate to avoid this happening on this file in the future.

 

Quote
  1. Finish the detection process and reboot if asked by Anti-Ransomware.
  2. After reboot disable the Anti-Ransomware protection.
  3. Restore the file from Quarantine and add it to the exclusions.
  4. Find the restored EXE file that was quarantined, right-click on it and click "Send To >> Compressed (Zipped) Folder". Attach this ZIP file also to your report.
  5. Create a ZIP of the directory C:\ProgramData\Malwarebytes\Malwarebytes Anti-Ransomware\ and attach it to your post.
  6. Create another ZIP of the directory C:\ProgramData\Malwarebytes\MBAMService\logs\ and attach it to your post.

 

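Steps 4 to 6 of the quoted procedure, scripted in PowerShell as an added example that is not part of the thread or Malwarebytes' own tooling. `$RestoredExe`, `$OutDir` and the archive names are assumptions; the two `C:\ProgramData` paths are the ones given in the quote. It also records a SHA-256 of the restored file so the report identifies the exact binary that was flagged.

```powershell
# Added example. Requires PowerShell 5.0 or later (Compress-Archive).
# Run only after steps 1-3: reboot, disable protection, restore from Quarantine.
param(
    # Placeholder: full path of the EXE you restored from Quarantine.
    [Parameter(Mandatory)] [string] $RestoredExe,
    # Assumed output folder for the archives.
    [string] $OutDir = (Join-Path $env:USERPROFILE 'Desktop\FP-report')
)

$ErrorActionPreference = 'Stop'

# Archive name -> source. The two directories are those named in steps 5 and 6.
$sources = [ordered]@{
    'restored-exe'         = $RestoredExe
    'anti-ransomware-data' = 'C:\ProgramData\Malwarebytes\Malwarebytes Anti-Ransomware'
    'mbamservice-logs'     = 'C:\ProgramData\Malwarebytes\MBAMService\logs'
}

$stage = Join-Path $OutDir 'stage'
New-Item -ItemType Directory -Path $stage -Force | Out-Null

# Hash the restored binary so the report pins down which file was detected.
$hash = Get-FileHash -LiteralPath $RestoredExe -Algorithm SHA256
'{0}  {1}' -f $hash.Hash, $hash.Path |
    Set-Content -Path (Join-Path $OutDir 'restored-exe.sha256.txt')

foreach ($name in $sources.Keys) {
    $src = $sources[$name]
    if (-not (Test-Path -LiteralPath $src)) {
        Write-Warning "Skipping '$name': $src not found"
        continue
    }
    # Archive a staged copy rather than the live folder, so a log that the
    # service is still writing to is not zipped in place.
    $copy = Join-Path $stage $name
    New-Item -ItemType Directory -Path $copy -Force | Out-Null
    Copy-Item -LiteralPath $src -Destination $copy -Recurse -Force

    $zip = Join-Path $OutDir "$name.zip"
    Compress-Archive -Path (Join-Path $copy '*') -DestinationPath $zip -Force
    Write-Output "Created $zip"
}

Remove-Item -LiteralPath $stage -Recurse -Force
```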

I am afraid my problem is not yet understood. I must have back the original executable. I installed that program in a campaign of one day free shareware. Its serial was valid for that day only, so I cannot reinstall the program. As to what happened and where I stand:

1. Immediately after this happened I disabled MBARW and went into quarantine to restore the file. It refused, and told me it will be deleted on the next reboot. (see attachment)

2. I went to Exclusions but I cannot exclude it because the file does not exist :( (Catch 22).

3. Where do I stand now? If the file is deleted - I lost the software. You, Bob, now tell me that the MBARW does not "mean" deletion. Is it certain? Why should it refuse to "release" it from the quarantine? If it is not sure, I should be able to reach the quarantine and "rescue" the file from there. This is the first time I encounter a quarantine which is stronger than my will.

4. If this is not resolved I will never ever allow MBARW to "protect" me.

I hope now my predicament is fully understood. 

 

 

 

27-04-2016 17-57-12.jpg


Hi, gonjo,

I went looking through Easeus's site and I found this:  http://kb.easeus.com/art.php?id=90001

Have you tried registering and entering the license that you received?  Even if it was a one-day giveaway, it is still a valid license, and by doing this you can download the exact version that is gone from your system and then reinstall it with your license and you should be fine.  They also have a Live Chat that you can talk with to make sure this will work.

I also found a GotD where you can download the same version that was given away - https://www.giveawayoftheday.com/easeus-everysync-2-1/

Now, TBH, you're testing βeta software - you should expect things like this to occur.  That is why they made the sticky that clearly states in red:

Quote

As this is the very first beta we do encourage beta users to install the product in non-production environments for testing purposes.

If this computer that you're using is one that you use every day, you're right - you probably should not be testing Anti-Ransomware on it, so you can avoid future problems like this from occurring. It is not a finished product, and things like this will happen - that is why it is a βeta test.

Post back with what Easeus says.

 


  • Staff

gonjo, I do understand what the issue is. To restore the file from quarantine, the removal process must first be allowed to complete. This includes a reboot after the detection. Only after that reboot will you be able to restore the file from quarantine.

 

Also, if you will provide the service log as requested, we can look at the details of the event, and possibly be able to provide a different solution, should the restore have issues.


OK. It seems that the wording of the Notice was misleading and scared me in vain. What it said was that the file would be deleted permanently after reboot. Actually after reboot, I managed to restore it and all is well. :)

It's after midnight here, so tomorrow I will follow the procedure of reporting False Positive. But please stop scaring innocent users....:angry:


  • Staff

Hi gonjo. My apologies for the delay in replying. Thank you for your feedback. We are actually changing that messaging on a restore attempt before the scheduled reboot has taken place in an upcoming Beta release.  The time frame for that release is yet to be determined.

Thanks also for your reports and log files. This file should no longer be detected. If you've added EverySync.exe to the exclusions in Malwarebytes Anti-Ransomware BETA, please do remove it from exclusions and let us know if the issue returns. It should not.

 

Thank you for your participation!

 

 


  • 5 months later...

Hello gonjo:

Please carefully read the locked and pinned topic in this sub-forum, How to report a False Positive and for developer analysis, kindly attach the 2 requested .zip archives to your next reply in this thread.

If an exclusion has not already been entered, a temporary exclusion entry might then be made available to prevent a re-occurrence for your individual system.  Thank you again for beta testing MBARW and your feedback.

