Datto Drive / ownCloud Client Flagged As Suspect Application


Recommended Posts

Malwarebytes Team,

I'm a support engineer from Datto and we've released Datto Drive (https://dattodrive.com/), which is our FSS platform, which includes a sync client that runs as an active process in the system tray. I was informed by one of our partners that he had run Datto Drive with Malwarebytes' Anti-Ransomware without issue while on version 0.9.14.361. As soon as an update was performed to 0.9.15.416, it began targeting dattodrive.exe, as the log indicates:

06/08/16    " 08:45:59.867" 428935843   MbCommonSigVerify   08e0    1684    VerifyFile  "FileVerify.cpp"    479 INFO    "Opening C:\Program Files (x86)\dattodrive\dattodrive.exe for verification"
06/08/16    " 08:46:00.901" 428936875   MbCommonSigVerify   08e0    1684    GetCertFromImageHeader32    "FileVerify.cpp"    1073    INFO    "Cert32 address is zero"
06/08/16    " 08:46:00.901" 428936875   MbCommonSigVerify   08e0    1684    VerifyBuffer    "FileVerify.cpp"    883 INFO    "The Certificate is not there!"
06/08/16    " 08:46:00.901" 428936875   MbCommonSigVerify   08e0    1684    VerifyFile  "FileVerify.cpp"    526 INFO    "C:\Program Files (x86)\dattodrive\dattodrive.exe verification status - c000007b - IsMbam = 242"
06/08/16    " 08:46:18.545" 428954531   CleanControllerImpl 08e0    15cc    mb::common::whitelisting::WhiteListManager::IsFileOnlineWhiteListed "WhiteListManager.cpp"  211 DEBUG   "MEPS WL request: {
   ""channel"" : ""release"",
   ""detections"" : [
      {
         ""filepath"" : ""C:\\Program Files (x86)\\dattodrive\\dattodrive.exe"",
         ""filesize"" : 35917454,
         ""md5"" : ""0559351FBCC9E54291661EB2566699F6"",
         ""sha1"" : ""3C0612DA5ECEDD42F582F762DB8BD25264463ABA"",
         ""sha256"" : ""64B119EF61A877D2C66AFEF02B00C2A177BC9BE8908FFF6198D027BFBE803389""
      }
   ],
   ""installation_token"" : ""ku4e4doGhi7pRCwVN1sw1459269036"",
   ""product_build"" : ""consumer"",
   ""product_code"" : ""MBRW-C"",
   ""product_version"" : ""0.9.15""

Running an exclusion would allow the executable to be restored, but it has left us perplexed why the executable is picked up as ransomware. Any insight and fix would be appreciated! Feel free to e-mail me at

All the best,

Jeffrey

dattodrive.txt

Edited by AdvancedSetup
email link removed
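The "Cert32 address is zero" / "The Certificate is not there!" lines in the log above are the scanner reading the PE optional header's security data directory (IMAGE_DIRECTORY_ENTRY_SECURITY) and finding no embedded Authenticode certificate table, which matches the "Unsigned" note on VirusTotal. The following script reproduces that header check so a vendor can confirm their own build is signed before shipping. It is an added example, not Malwarebytes' or Datto's code; the function names (`security_directory`, `has_authenticode_cert`, `build_pe`) are hypothetical, and the two minimal PE32 images built by `build_pe()` are constructed here purely for demonstration (they are not runnable executables and the "signature" inside them is placeholder bytes).

```python
"""
Check whether a PE file carries an embedded Authenticode certificate table by
reading IMAGE_DIRECTORY_ENTRY_SECURITY from the optional header, the same
header field that produces "Cert32 address is zero" in the log above.
Added example, not Malwarebytes' or Datto's code.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index into the data directory table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B   # optional header Magic values
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # wCertificateType for Authenticode


def security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table; (0, 0) if absent.

    Unlike other data directories, the security entry holds a raw file offset,
    not an RVA, because the certificate table is not mapped into memory.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        rva_count_off, dir_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        rva_count_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, rva_count_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)   # data directory too short to hold a security entry
    entry = dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        return (0, 0)   # entry lies outside the optional header: treat as absent
    return struct.unpack_from("<II", data, entry)


def has_authenticode_cert(data: bytes) -> bool:
    """True if a plausible WIN_CERTIFICATE (PKCS#7) table is present.

    Presence of the table is not a valid signature; chain and hash
    verification still has to be done by the OS or signtool.
    """
    off, size = security_directory(data)
    if off == 0 or size == 0:
        return False                     # this is the "Cert32 address is zero" case
    if off + 8 > len(data) or off + size > len(data):
        return False                     # table points past end of file: corrupt
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < length <= size


def build_pe(signed: bool) -> bytes:
    """Construct a minimal PE32 image (constructed test data, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 96 + 16 * 8               # PE32 optional header + 16 data directories
    # COFF header: Machine=i386, 0 sections, timestamp, symtab ptr, nsyms, opt size, chars
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, size_opt, 0x0102)
    # Optional header: Magic, zeroed fields, NumberOfRvaAndSizes=16 at offset 92
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 90 + struct.pack("<I", 16)
    header_len = len(dos) + 4 + len(coff) + size_opt
    dirs = bytearray(16 * 8)
    cert_blob = b""
    if signed:
        body = b"\x30\x82\x00\x00"       # placeholder DER bytes, not a real PKCS#7 blob
        cert_blob = struct.pack("<IHH", 8 + len(body), 0x0200,
                                WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert_blob))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + cert_blob


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, "signed" if has_authenticode_cert(blob) else "unsigned")
```

Run it as `python checkcert.py "C:\Program Files (x86)\dattodrive\dattodrive.exe"` to see whether a release binary even carries a certificate table; an "unsigned" result is the condition that turns a trust decision over to reputation and heuristics, which is where beta anti-ransomware engines are most prone to false positives on an unknown sync client. A "signed" result only means the table exists; validate the chain with `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` before relying on it.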

Reference: https://www.virustotal.com/en/file/b5285c641034d059dc18dba1ecb0175be7406e7ce386bb352fe4aef0ad7fa851/analysis/1465423290/ Unsigned

Hello jodolski:

Available data strongly suggests a false positive, and since the following pathname has been entered in MBARW GUI -> Exclusions, and the binary has been uploaded to the developers, please allow the entry to remain until you are requested to remove it:

                      C:\PROGRAM FILES (X86)\DATTODRIVE\DATTODRIVE.EXE

At any time, a MBARW development team member, QA team member or Staffer may request the above temporary exclusion be altered/removed.  Thank you for beta testing MBARW and your valuable feedback.

  • Root Admin

@jodolski

Beta 7 is now out. I'm not sure if it has removed the FP or not, so if you or your customer can check that, let us know. I'm told that the Beta 8 changes have removed it, but that won't be available to the public for a while still.

https://forums.malwarebytes.org/topic/184386-malwarebytes-anti-ransomware-beta-7-now-available/

Thank you

Ron

