False Positive and Quarantine Issues


Rampant

Hello,

C:\Program Files (x86)\Open Practice 8.0\OP.Home.exe
C:\Program Files\Open Practice 8.0\OP.Home.exe

This program is being stopped on some PCs (but not others).
The full path and file name have been added to quarantine (days ago) but it is still being blocked (it seems to ignore quarantine).
Yes, we have the right path :-) on each PC.
As a workaround, we disable the MBARW program, open OP.Home, then re-enable MBARW.
This worries me as I bet the end user will forget to re-enable MBARW and they got infected this morning

Any help would be appreciated

Kind Regards
Shane

FYI: MBARW stopped the Crypto this morning but some files were encrypted on the PC and on a shared server drive
Note: MBARW is NOT installed on the server, only the workstations (we are aware it is BETA)

Files.zip

Malwarebytes Anti-Ransomware.zip

Encrypted Files.zip


Hello Rampant and welcome!

Please create the following zipped archive for MBARW developer team analysis:

Create a .zip archive of the directory C:\ProgramData\Malwarebytes\MBAMService\logs\

Please attach the above zipped archive to your next reply.  Thank you for beta testing MBARW and your valuable feedback.


Hello Rampant:

Unfortunately it is possible that Open Practice 8.0 executables may not have been seen enough to have been examined by many analysis services. Please create the following zipped archive for MBARW developer team analysis:

Create a .zip archive of the directory C:\Program Files (x86)\Open Practice 8.0\OP.Home.exe

Please attach the above zipped archive to your next reply.

Edited by 1PW

Reference: https://www.virustotal.com/en/file/2d1a1d8671d7fbbc22e4a4c1bb70e040ee5f52531ba1c6df0bbf357f7d4723de/analysis/1463973006/ Unsigned

Hello Rampant:

Available data strongly suggests a false positive and you may wish to retain the following temporary full pathname file entry in MBARW GUI Dashboard -> Exclusions.  The binary has been uploaded to the developers, please allow the exclusion entry to remain until you are requested to remove it:

C:\Program Files (x86)\Open Practice 8.0\OP.Home.exe

At any time, a MBARW development team member, QA team member or Staffer may request the above temporary exclusion be altered/removed.  Thank you for beta testing MBARW and your valuable feedback.


Hello,

We have added C:\Program Files (x86)\Open Practice 8.0\OP.Home.exe into exclusions and it keeps being detected as a virus and being added into quarantine. We can't stop it. The only solution we have found is to disable the MBARW, then open OP.Home.exe then re-enable MBARW. This has been working ok but is not a solution.

Also, as of today, we have one PC that will NOT open OP.Home.exe even if we disable MBARW. We have had to completely remove MBARW for the program to work.


Hello Rampant:

Let's try treating this as a new incident and gather the requested data exclusively from within the first PC.  Hopefully a difference may be discovered.

Please carefully read the locked and pinned topic in this sub-forum, How to report a False Positive and for developer analysis, kindly attach the 3 requested .zip archives to your next reply in this thread.

If an exclusion has not already been entered, a temporary exclusion entry might then be made available to prevent a recurrence for your individual system. Thank you always for beta testing MBARW and your valuable feedback.
