False Positive and Quarantine Issues

[Rampant]

Hello,

C:\Program Files (x86)\Open Practice 8.0\OP.Home.exe
C:\Program Files\Open Practice 8.0\OP.Home.exe

This program is being stopped on some PC's (but not others)
The full path and file name has been added to quarantine (days ago) but it is still being blocked (It seems to ignore quarantine)
Yes, we have the right path :-) on each PC
As a work around, We disable the MBARW program, open OP.Home then re-enable MBARW
This worries me as I bet the end user will forget to re-enable MBARW and they got infected this morning

Any help would be appreciated

Kind Regards
Shane

FYI: MBARW stopped the Crypto this morning but some files were encrypted on the PC and on a shared server drive
Note: MBARW is NOT installed on the server, only the workstations (we are aware it is BETA)

Files.zip

Malwarebytes Anti-Ransomware.zip

Encrypted Files.zip

[1PW]

Hello Rampant and

Please create the following zipped archive for MBARW developer team analysis:

Create a .zip archive of the directory C:\ProgramData\Malwarebytes\MBAMService\logs\

Please attach the above zipped archive to your next reply.  Thank you for beta testing MBARW and your valuable feedback.

[Rampant]

Sorry, I forgot that file. Doh

Shane

logs.zip

[1PW]

Hello Rampant:

Unfortunately it possible that Open Practice 8.0 executables may not have been seen enough to have been examined by many analysis services.  Please create the following zipped archive for MBARW developer team analysis:

Create a .zip archive of the directory C:\Program Files (x86)\Open Practice 8.0\OP.Home.exe

Please attach the above zipped archive to your next reply.

 

Edited May 24, 2016 by 1PW

[Rampant]

Hi,

I already uploaded it yesterday in files.zip.
But I have re added just in case.

Shane

OP.Home.zip

[1PW]

Reference: https://www.virustotal.com/en/file/2d1a1d8671d7fbbc22e4a4c1bb70e040ee5f52531ba1c6df0bbf357f7d4723de/analysis/1463973006/ Unsigned

Hello Rampant:

Available data strongly suggests a false positive and you may wish to retain the following temporary full pathname file entry in MBARW GUI Dashboard -> Exclusions.  The binary has been uploaded to the developers, please allow the exclusion entry to remain until you are requested to remove it:

                      C:\Program Files (x86)\Open Practice 8.0\OP.Home.exe

At any time, a MBARW development team member, QA team member or Staffer may request the above temporary exclusion be altered/removed.  Thank you for beta testing MBARW and your valuable feedback.

 

 

[Rampant]

Hello,

We have added C:\Program Files (x86)\Open Practice 8.0\OP.Home.exe into exclusions and it keeps being detected as a virus and being added into quarantine. We can't stop it. The only solution we have found is to disable the MBARW, then open OP.Home.exe then re-enable MBARW. This has been working ok but is not a solution.

Also, as of today, we have one PC that will NOT open OP.Home.exe even if we disable MBARW. We have had to completely remove MBARW for the program to work.

[1PW]

Hello Rampant:

Let's try treating this as a new incident and gather the requested data exclusively from within the first PC.  Hopefully a difference may be discovered.

Please carefully read the locked and pinned topic in this sub-forum, How to report a False Positive and for developer analysis, kindly attach the 3 requested .zip archives to your next reply in this thread.

If an exclusion has not already been entered, a temporary exclusion entry might then be made available to prevent a re-occurrence for your individual system.  Thank you always for beta testing MBARW and your valuable feedback.