updating anti-ransomware program

[seagull]

I came to the forum looking for instructions about how to check if a quarantined item is a real threat or a false positive.

I have version 0.9.15.416 (which I now understand is old).

How can I update the program? What happens to files in quarantine when I uninstall this version and install the latest version?

Thanks.

[1PW]

Hello seagull and

The procedure to check a quarantined file is to follow the reporting instructions below as best you can.  MBARW Beta6 (v0.9.15.416) is the version all beta testers should be at as I send this post.

Please carefully read the locked and pinned topic in this sub-forum, How to report a False Positive and for developer analysis, kindly attach the 3 requested .zip archives to your next reply in this thread.

If an exclusion has not already been entered, a temporary exclusion entry might then be made available to prevent a re-occurrence for your individual system.

Thank you for beta testing MBARW and your feedback.

[seagull]

Sorry - I'm far from an expert at this so I have another question before I follow the steps you requested.

Since I'm not sure this IS a false positive (how can we ever be sure about that?), is it safe to restore the file from quarantine?

[1PW]

Hello seagull:

Thank you for the good question.

After you have attached the requested archive data (.zip files) and posted your next reply, a preliminary analysis can be undertaken and a recommendation will be issued in a reply to your topic.

Thank you again.

[seagull]

Sorry - me again.

The reason I asked the question is that removing the file from quarantine is one of the first steps in the instructions. Here is what's written in the relevant forum:

1. Finish the detection process and reboot if asked by Anti-Ransomware.
2. After reboot disable the Anti-Ransomware protection.
3. Restore the file from Quarantine and add it to the exclusions.
4. Find the restored EXE file that was quarantined, right-click on it and click "Send To >> Compressed (Zipped) Folder". Attach this ZIP file also to your report.

My question was is step 3 really safe.

[1PW]

Hello seagull:

No apology is necessary and your concerns are appreciated.  At your discretion, you may consider leaving the unspecified executable in quarantine.  A tentative analysis is perhaps possible, with somewhat lesser confidence, if you attach the following:

Create a .zip archive of the directory C:\ProgramData\Malwarebytes\Malwarebytes Anti-Ransomware\
Create another .zip archive of the directory C:\ProgramData\Malwarebytes\MBAMService\logs\

Please attach the above zipped archives to your next reply.  Thank you again.

[seagull]

Here are the files.

Thanks

MBAMSERVICE.zip

mbarwind.zip

[1PW]

Hello seagull:

Please specify the full pathname of the filename you saw placed in quarantine.

Thank you.

 

[seagull]

The path is c:\Program Files\WindowsApps\king.com.CandyCrushSaga_1.750.3.0_x86_kgqvnymyfvs32\candycrushsaga.exe

Thanks:

[1PW]

Reference: https://www.virustotal.com/en/file/562937AC01AF8673EB0374F0FC9C2C82DE59BB3A7E0CC7D7A19773056892F186/analysis/ Unsigned

Hello seagull:

The binary in question was uploaded to the developers on 16-May-2016.  Available data strongly suggests a false positive and, if it has not already been done, you may wish to make the following temporary full pathname file entry in MBARW GUI Dashboard -> Exclusions:

          C:\Program Files\WindowsApps\king.com.CandyCrushSaga_1.750.3.0_x86__kgqvnymyfvs32\candycrushsaga.exe

That system's MBARW Beta6 (v0.9.15.416) is up-to-date and if it were to be thoroughly uninstalled/installed, the contents of MBARW Beta6's quarantine would have been deleted.  The executable in question may be restored from quarantine as long as the pathname above is soon entered in the exclusion entries list,  At any time, a MBARW development team member, QA team member or Staffer may request the above temporary exclusion be altered/removed.

Thank you for beta testing MBARW and your valuable feedback.

Edited May 22, 2016 by 1PW

[seagull]

Thanks for your amazing, fast help.

Seagull

[1PW]

Hello seagull:

You are very welcome.