
False positive - setup.exe (Cygwin 32-bit)


Anti-Ransomware BETA has flagged "setup.exe" as ransomware, and quarantined it.  setup.exe is the Cygwin installer/updater; it connects to selected mirrors of the Cygwin package repository, downloads requested or updated packages, and installs them.

At the time MBARW quarantined the file, I was updating my Cygwin installation (setup.exe was running).

I am following your procedure for restoring the file and reporting a false positive.  I scanned the file with MBAM and (for what it's worth) Symantec Endpoint Protection.  Neither found anything amiss with the setup.exe file.  I therefore conclude that this is a false positive.

Per your procedure, which I actually read this time  ;-) , THREE PK-ZIP archives are attached to this post:

* The setup.exe file. Please note, the actual filename is "setup-2.874.exe"; over the years I have gotten in the habit of appending the version number to the filename when I download an updated copy.

* The Malwarebytes Anti-Ransomware directory and all its contents.

* The MBAMService\logs directory and all its contents.

Please note, in order to successfully archive the logs directory using 7-Zip, I had to first stop the "MB3Service" service.  This should perhaps be added to the instructions.

Thank you.

setup-x86-2.874.exe.zip

Malwarebytes Anti-Ransomware.zip

logs.zip

Addendum to "false positive" report:

After adding the setup program to my exclusion list and re-enabling the Anti-Ransomware tool, I ran the Cygwin setup program again.  The setup program checked the SHA sums of the packages it downloaded in the previous session, then started updating packages, and MBARW reported it has detected ransomware activity and quarantined the setup program again, even though the file is in my exclusion list.

As soon as I post this message, I will reboot my system as requested by MBARW.  I will not remove the Cygwin setup program from quarantine until I hear from you folks.

Thanks!

Reference: https://www.virustotal.com/en/file/a79e4f57ce98a4d4bacb8fbb66fcea3de92ef30b34ab8b76e11c8bd3b426fd31/analysis/1461942488/ Unsigned

Hello swwright and welcome back:

It's an oddity that your system has triggered on each of these two (dash.exe) different Cygwin executables when thousands of other Cygwin users must exist.

Available data strongly suggests a false positive and, since the following pathname has been entered in MBARW GUI -> Exclusions, and the binary has been uploaded to the developers, please allow the entry to remain until you are requested to remove it:

                                      E:\Cygwin\install\setup-x86-2.874.exe

Hopefully the Cygwin setup.exe file can be whitelisted very soon.

At any time, a MBARW development team member, QA team member or Staffer may request the above temporary exclusion be altered/removed.  Thank you for beta testing MBARW and your valuable feedback.

Another oddity: although setup.exe was quarantined again (I see the two files in the Quarantine folder), the setup file was not removed from the Cygwin\install folder this time.  Possible bug?  Activity says quarantine it, presence in exclusion list says don't remove it.  So it is "partially quarantined"?

2 hours ago, 1PW said:

Reference: https://www.virustotal.com/en/file/a79e4f57ce98a4d4bacb8fbb66fcea3de92ef30b34ab8b76e11c8bd3b426fd31/analysis/1461942488/ Unsigned

Hello swwright and welcome back:

It's an oddity that your system has triggered on each of these two (dash.exe) different Cygwin executables when thousands of other Cygwin users must exist.

Available data strongly suggests a false positive and, since the following pathname has been entered in MBARW GUI -> Exclusions, and the binary has been uploaded to the developers, please allow the entry to remain until you are requested to remove it:

                                      E:\Cygwin\install\setup-x86-2.874.exe

Hopefully the Cygwin setup.exe file can be whitelisted very soon.

At any time, a MBARW development team member, QA team member or Staffer may request the above temporary exclusion be altered/removed.  Thank you for beta testing MBARW and your valuable feedback.

No, it's not so odd if you consider the overlap among cygwin + mbarw users?  My wife had the same problem on her x64 PC with setup-x86_64.exe .  After reboot the files were able to be restored, but as with my previous false positive with cygwin r,.exe, mbarw put the file back with elevated SYSTEM user and permissions -- not good, and has to be changed by an Administrator.

 

I'll try to get her logs, but my executable is attached.  There is zero zdiff with my setup and her setup file, but I understand that mbarw also checks dates, etc.

 

Lester

 

setup-x86_64.zip

Sorry, I am in a bit of a hurry.  My last post is full of typos, but I thought it important to at least comment.

A final note:

After several days of watching this topic, I gave up, downloaded a fresh copy of the Cygwin 32-bit installer, and ran it (as Administrator, per my usual practice).  There were, as it happens, numerous updates waiting, and the run took over a half hour.  Time for MBARW to intervene was plenteous.  MBARW did nothing and the update proceeded without issue.

This time I left the filename alone (foregoing my usual practice of revising the filename "setup.exe" to "setup-2.874.exe" or whatever the current version number is).

I surmise that MBARW "knows" about Cygwin's "setup.exe" but was "concerned" about something claiming to be Cygwin that had an unfamiliar name ("setup-2.874.exe").  This may explain why I alone among all Cygwin users had this issue.

I should note that "setup.exe" is in the MBARW exclusion list.  However, last time "setup-2.874.exe" was in the exclusion list and it was STILL noticed and quarantined.

I should note also that I have no way of knowing what updates, if any, were applied to my copy of MBARW in the last few days; therefore I know not whether the filename was a factor or if MBARW was "fixed".  The application makes no information available about the currency of its database or algorithms or whatever.  I would hope this will be addressed when the product goes live.

Well, my last note was not final after all.

This morning I ran the Cygwin installer to do an update.  Again, there were numerous updates, including an update to the GCC compiler, which I use a lot.  So I proceeded with the update.  And while packages were being downloaded, Malwarebytes AntiRansomware grabbed "setup.exe" by the throat and tossed it in the jail (quarantine).

This is getting annoying.

OK, having ranted a bit, let's get to the point: I had noted in an earlier post that perhaps MBARW was picking on Cygwin because I had renamed the installer to include the current version (for purposes of keeping track of my own software).  This turns out not to be the case.  "E:\Cygwin\install\setup.exe" was quarantined even though I did not change the name this time.

AND: SETUP.EXE WAS QUARANTINED IN SPITE OF THE FACT THAT IT IS IN MY EXCLUSION LIST!

Anybody care to tell me what's going on here?  I'm pretty sure that one of these two statements must be correct: (1) setup.exe is being falsely identified as ransomware; or (2) setup.exe does contain ransomware and was infected at Cygwin.com before I downloaded it.

I'm betting on #1, because (a) the Cygwin folks are pretty careful about what they put up on their site, and (b) I appear to be one of only two people that has this problem (and ingber noted that it only happened on ONE of his machines, and the Cygwin installer was byte-for-byte identical on both machines).  It follows that MBARW is not consistent from machine to machine.  And there is no way to know what updates were applied to which instance of MBARW, as far as I know.

Hello swwright:

Because the files in question may not be identical to those of the past, please give the developers an opportunity to see all the archived data called for below.

Please carefully read the locked and pinned topic in this sub-forum, How to report a False Positive and for developer analysis, kindly attach the 3 requested .zip archives to your next reply in this thread.

Thank you for beta testing MBARW and your feedback.

Sigh.  OK, here are all the files: The gotten-out-of-jail "setup.exe", the logs, the Anti-Ransomware folder, and, just for kicks, the quarantine folder (done before getting setup.exe out of jail, and containing two quarantined files: setup.exe and a setup-2.874.exe which had been quarantined earlier and left there).  The last item is a 7-Zip archive, the others are PK-ZIP format.  The logs archive is called logsCopy.zip because I had to make a copy of the folder (the other choice being stop your service so that 7-Zip didn't think the current log was in use).

I should note that after I broke setup.exe out of jail, I downloaded a fresh copy of the Cygwin installer and compared the two files (using WinMerge, which does a byte-by-byte compare).  They are identical.  Whatever you guys thought is ransomware is precisely what Cygwin is currently distributing to all Cygwin users.  The lack of any other complaints about the Cygwin installer is (loose logic though it be) evidence to me that Cygwin is not distributing malware.

Malwarebytes Anti-Ransomware.zip

setup-x86.zip

logsCopy.zip

Quarantine.7z
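The byte-by-byte comparison described in the post above (restored quarantine copy against a freshly downloaded installer), together with the SHA-sum check the Cygwin installer performs on downloaded packages mentioned earlier in the thread, can be reproduced without a GUI diff tool. The script below is an added example, not code from the poster, from Malwarebytes or from the Cygwin project: it hashes both files, reports the first differing byte offset if any, and checks a file against a reference SHA-256 (for instance the digest that appears in the VirustTotal link earlier in the thread). The sample files it builds are constructed stand-ins, not real PE installers; the filenames are placeholders.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 in fixed-size chunks (works for large installers)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def first_difference(path_a, path_b, chunk=1 << 20):
    """Return None if the two files are byte-for-byte identical, otherwise the
    offset of the first mismatching byte (or the length of the shorter file)."""
    offset = 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            ba, bb = a.read(chunk), b.read(chunk)
            if ba == bb:
                if not ba:          # both at EOF with no mismatch seen
                    return None
                offset += len(ba)
                continue
            n = min(len(ba), len(bb))
            for i in range(n):
                if ba[i] != bb[i]:
                    return offset + i
            return offset + n       # one file is a prefix of the other


def verify_against_reference(path, expected_sha256):
    """Compare a file's SHA-256 with a published/reference digest.
    Returns (matches, actual_hex)."""
    actual = sha256_of_file(path)
    return actual.lower() == expected_sha256.lower(), actual


def demo():
    """Constructed scenario: a fresh download, a restored quarantine copy that is
    identical to it, and a copy with a single flipped byte. Returns the findings."""
    fresh = b"MZ" + b"\x90" * 1000 + b"CYGWIN-SETUP-SAMPLE"   # constructed, not a real PE
    tampered = bytearray(fresh)
    tampered[512] ^= 0x01                                      # flip one bit at offset 512
    with tempfile.TemporaryDirectory() as d:
        p_fresh = os.path.join(d, "setup-x86.exe")             # placeholder names
        p_restored = os.path.join(d, "setup-x86-restored.exe")
        p_tampered = os.path.join(d, "setup-x86-tampered.exe")
        for p, data in ((p_fresh, fresh), (p_restored, fresh), (p_tampered, bytes(tampered))):
            with open(p, "wb") as f:
                f.write(data)
        reference = sha256_of_file(p_fresh)   # stands in for a published digest
        return {
            "restored_vs_fresh": first_difference(p_restored, p_fresh),
            "tampered_offset": first_difference(p_tampered, p_fresh),
            "restored_matches_reference": verify_against_reference(p_restored, reference)[0],
            "tampered_matches_reference": verify_against_reference(p_tampered, reference)[0],
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Usage against real files is just `first_difference(r"E:\Cygwin\install\setup-x86.exe", r"C:\Downloads\setup-x86.exe")` and `verify_against_reference(path, "<digest from the vendor or VirusTotal>")`; a `None` from the first and `True` from the second is the evidence the post above reaches by hand. Note that a matching hash only proves the two copies are the same bytes, not that those bytes are benign; that question is what the vendor's analysis of the uploaded sample is for.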

Hello swwright:

I agree that the current setup-x86.exe file is a successful match to the earlier one.  The only difference I see is the filename for the MBARW dashboard's exclusion entry:

             E:\Cygwin\install\setup-x86.exe  versus  E:\Cygwin\install\setup-x86-2.874.exe

You may be sure that the MBARW Beta development team is aware, and the issue is being investigated.

Thank you.

You are correct.  I have consistently written "setup.exe" in this thread, but the filename is "setup-x86.exe".  This may have caused confusion, and I apologize.  There's nothing like incorrect data to help an investigation     8-(

Hello swwright:

No need for an apology.  It is realized a filename can be renamed ad nauseam.  It's all good.

The key is that the two executables are successful matches.

Thank you.

  • 1 month later...

Discovered this morning (29 June) that a new version of MBARW was released on 10 June.  Updated MBARW.  Tested it by updating Cygwin (there were about a dozen updated packages, plenty of opportunity to trigger a reaction).

No reaction from MBARW.  The Cygwin update proceeded without incident.

I believe you have fixed the Cygwin updater false positive bug.

Thank you!
