Files deleted, not quarantined. Cannot restore.


GeekFreak

I've had 2 false positives so far and reported both. I'm glad you guys are working on this.

However, when it says the files are moved to Quarantine, they are actually just being deleted as far as I can tell.

Nothing is listed in the Quarantine tab at the time of the infection alert, nor after a reboot, nor after turning protection off.

Are the files gone forever, or is there a way to actually recover them?

Thanks!
(I'm running 0.9.16.484 on Windows 10)


Thanks for replying tetonbob.

I actually have no Quarantine directory in that location?! Should I create an empty directory? Is that directory created at installation or at the time an infection is discovered?

 Directory of C:\ProgramData\Malwarebytes\MBAMService

05/20/2016  12:13 PM    <DIR>          .
05/20/2016  12:13 PM    <DIR>          ..
06/21/2016  08:17 AM    <DIR>          ArwDetections
06/17/2016  04:58 PM    <DIR>          config
05/20/2016  12:05 PM    <DIR>          ctlrupdate
05/20/2016  12:04 PM    <DIR>          db
05/20/2016  12:05 PM    <DIR>          instlrupdate
06/21/2016  08:17 AM    <DIR>          logs
06/21/2016  08:18 AM    <DIR>          tmp
               0 File(s)              0 bytes
               9 Dir(s)  394,755,948,544 bytes free

I've had 2 detection events... one posted here:

and one posted here:

There's only a single log file in the directory. It's attached.

Thanks for taking a look!

logs.zip


  • Staff

Thanks, GeekFreak. We're looking into this.

About this:

Quote

I actually have no Quarantine directory in that location?! Should I create an empty directory? Is that directory created at installation or at the time an infection is discovered.

The \Quarantine directory is created as needed by the application, not during installation.

Have the files in question actually been removed from your system? They no longer exist in their original locations?

C:\PROGRA~2\ADVANC~1\patchman\11\lnsscomm.exe

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.6965.2058\OfficeClickToRun.exe


The flagged files and several upstream directories do not exist.

"C:\Program Files (x86)\Advanced Monitoring Agent" (aka C:\PROGRA~2\ADVANC~1) currently has 80 files and folders, but contains no "patchman" folder, nor a folder called "11", nor a file called "lnsscomm.exe".

The "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates" folder is empty. There is no "16.0.6965.2058" subdirectory nor an "OfficeClickToRun.exe" file.

So the number of superdirectories removed is not even consistent. In one case, it removed the flagged file and the containing folder. In the other case it removed the flagged file, the containing folder and an additional containing folder!

Side note:

I just used Agent Ransack to search my entire drive for "lnsscomm" or "officeclick" and, while lnsscomm is nowhere to be found, there are 2 additional instances of "OfficeClickToRun.exe" on my hard drive that are different sizes from each other and have different modified dates. They are found here:

C:\Program Files\Common Files\microsoft shared\ClickToRun

C:\Program Files\Microsoft Office 15\ClientX64

but I don't think these have much to do with the issue. These are all legit Microsoft Office files. MBAR just flagged one of the three.


  • Staff

Has a complete reboot of the machine been performed since the quarantine of these files? Sometimes with Windows 10 or 8 they have an option to sleep instead, and it may be a good idea to simply use the start menu to reboot to see if these files are either back in place, or in a new quarantine folder. Thanks!


tetonbob, in "Programs and Features" it's listed as "Advanced Monitoring Agent GP" by "Remote Monitoring Services". It's a tool installed and used by our outside monitoring company. It also pushes occasional patches, which I'm guessing was happening when MBAR flagged it.

Decrypterfixer, yes, thanks. I had disabled Windows 10 "fast startup" under "Control Panel\All Control Panel Items\Power Options\System Settings". The folder has yet to appear after several reboots.


  • Staff

GeekFreak,

I have gone through all your logs and have determined the cause of your issue.

The good news is, nothing is actually wrong with your system, and nothing was actually removed!

What happened was that both of the applications that triggered an event with MBARW were actually updater applications, whose normal routine is to simply run in the background, quickly update files, and then remove themselves.

So what happened is MBARW detected activity that seemed like ransomware, and then before MBARW could perform additional checks and whitelisting, the updater application removed itself (like it is supposed to, as it is only a temporary updater application). This caused MBARW to simply take the earlier detection into account, and it attempted to kill it, quarantine it, and notify the user.

So actually in the end, nothing was killed or removed by MBARW and everything is functioning as it should. 

 

Thank you very much for using our BETA and also reporting this issue to our thread, because now we will be able to create a fix for this and detect when an application removes itself in the way your apps did :). Users like yourself are what is making MBARW even greater!

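The race the staff reply describes (detection fires, the image deletes itself, the product then reports a quarantine of a file that was never moved) is a bookkeeping problem as much as a detection problem. The following is an added example written for this thread, not code from Malwarebytes or MBARW, of quarantine logic that re-checks the flagged path at action time, verifies the move before claiming success, and tells the user "already gone, nothing quarantined" instead of "moved to Quarantine" when the file vanished first. The quarantine directory is created lazily, matching the behaviour tetonbob describes; all paths and sample files are constructed in a temporary directory.

```python
"""Quarantine bookkeeping that distinguishes "file moved to Quarantine" from
"file was already gone when we acted", so the notification never reports a
quarantine that did not happen.  Added example for this thread; not code
from Malwarebytes Anti-Ransomware.  Paths and sample files are constructed.
"""
from __future__ import annotations

import shutil
import tempfile
from dataclasses import dataclass
from enum import Enum
from pathlib import Path


class Outcome(Enum):
    QUARANTINED = "quarantined"              # file really sits in the quarantine dir
    ALREADY_GONE = "already_gone"            # image vanished before we could act
    QUARANTINE_FAILED = "quarantine_failed"  # move attempted but did not verify


@dataclass
class QuarantineRecord:
    original_path: str
    outcome: Outcome
    quarantine_path: str | None = None
    note: str = ""


def quarantine_file(flagged: Path, quarantine_dir: Path) -> QuarantineRecord:
    """Move `flagged` into `quarantine_dir`, verifying the move before claiming success."""
    # Re-check at action time: a self-removing updater can be gone by the time
    # the detection has been evaluated, exactly the case in this thread.
    if not flagged.exists():
        return QuarantineRecord(
            str(flagged), Outcome.ALREADY_GONE,
            note="image no longer on disk at quarantine time; nothing was moved",
        )
    # The quarantine directory is created on first use, not at install time.
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    dest = quarantine_dir / (flagged.name + ".quar")
    try:
        shutil.move(str(flagged), str(dest))
    except OSError as exc:
        return QuarantineRecord(str(flagged), Outcome.QUARANTINE_FAILED, note=str(exc))
    # Post-condition: source gone, destination present. Only then is it "quarantined".
    if flagged.exists() or not dest.exists():
        return QuarantineRecord(str(flagged), Outcome.QUARANTINE_FAILED,
                                note="post-move verification failed")
    return QuarantineRecord(str(flagged), Outcome.QUARANTINED, str(dest))


def describe(record: QuarantineRecord) -> str:
    """Notification text derived from the verified outcome, never from intent."""
    if record.outcome is Outcome.QUARANTINED:
        return f"{record.original_path} moved to Quarantine ({record.quarantine_path})"
    if record.outcome is Outcome.ALREADY_GONE:
        return (f"{record.original_path} was flagged but had already been removed "
                f"(probably by itself); nothing was quarantined")
    return f"{record.original_path}: quarantine failed: {record.note}"


def demo() -> dict[str, object]:
    """Run both cases in a scratch directory and return what the UI would show."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        qdir = root / "Quarantine"

        # Case 1: constructed sample that is still on disk when we act.
        present = root / "still_here.exe"
        present.write_bytes(b"MZ constructed sample, not a real executable")
        rec_present = quarantine_file(present, qdir)

        # Case 2: a path that was never created, standing in for an updater
        # that deleted itself between detection and action.
        gone = root / "self_removing_updater.exe"
        rec_gone = quarantine_file(gone, qdir)

        return {
            "present": rec_present.outcome,
            "gone": rec_gone.outcome,
            "quarantine_listing": sorted(p.name for p in qdir.iterdir()),
            "messages": [describe(rec_present), describe(rec_gone)],
        }


if __name__ == "__main__":
    for line in demo()["messages"]:
        print(line)
```

Because the Quarantine tab in the thread listed nothing while the alert said "moved to Quarantine", the useful property here is that the listing and the message come from the same verified record: a file appears in the quarantine listing if and only if the notification says it was quarantined.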

Decrypterfixer, it sounds like a reasonable explanation.

I wanted to see if these updaters are actually removing themselves after installation, so I spot checked a few other PCs (none running MBARW) and some of them have the files and directories and some don't. But they are different OSs (Win7, 8.1 and 10) with different update schedules, so I can't find any exactly the same. But where the "patchman" folder and the "11" folder and the "lnsscomm.exe" file do exist, the patchman folder is over 150MB and contains over 1000 files and folders.

But I'm not too concerned because, being updates, if the update applied successfully, then the deleted updater files are fine. And if the update didn't succeed, it will probably just update the next time around. If you need me to check anything more thoroughly, please let me know.

Anyway, I'm glad you can add the functionality into MBARW to detect when files delete themselves and still react accordingly. As you said, this will help make MBARW greater. Thanks for your help and good luck in the ongoing fight!
