UrBackup Server


rgam


Upgraded to MBAM Premium 3.0.4 today.

It is doing a false positive detection on the UrBackup Server program (I'm using 1.4.14), a Windows-based client-server backup program.

The file is urbackup_srv.exe (825 KB), which can be found at: https://www.urbackup.org/downloads/Server/1.4.14/

The sticky post does not indicate how to do logs/report a false positive with MBAM V3.


Hi rgam,

Welcome to the forums.

Thanks for your report. I'm currently not seeing this file detected on our end. The sticky posts will probably be updated soon. Here are some instructions in the meantime on how you can export the log to attach here.

Open Malwarebytes 3.0.4 and click on Reports on the left hand side:


Double-click on the log that has the detection for this file. When you've found it, follow the steps below to export the log to your desktop or some place you can find later.


Then just attach it here so we can review.

Thanks!


The zipped exe triggering the false positive is attached.

I copied log to clipboard and this is all it shows:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/18/16
Protection Event Time: 8:52 AM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.781
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: System

-Ransomware Details-
File: 1
Malware.Ransom.Agent.Generic, C:\Program Files\UrBackupServer\urbackup_srv.exe, No Action By User, [0], [-1],0.0.0


(end)

urbackup_srv.zip


I am not sure if still getting the detection - will have to do a reboot on the affected PC.

As far as adding to the ignore list: the instruction to right-click the detection result and select Ignore makes no sense with the Malwarebytes Premium software. What is a detection result? The only place I see this is in "Reports", which is a "Ransomware blocked" listing; it does not identify what was blocked. And right-clicking does nothing. Left-clicking puts a checkmark on the report, which enables you to View Report or Delete. View Report brings up a window which shows the protection event and the threat, identifying the file, but right-clicking does nothing.


  • Staff

Hi rgam,

The ransomware block is part of our generic detection for ransomware behavior. When you look under "Quarantine" - in case you have quarantined it (which it doesn't look like), you can select to restore.

Also, during detection - in the Scan results, you have the option to uncheck the threat, then click next - where it gives you the option to "Ignore Once", "Ignore Always" or "cancel".

Alternatively: Go to Settings > Exclusions > Add Exclusion and that's where you can add the path to this file to exclusions.

But normally, this shouldn't be flagged as detected anymore though.


  • 4 months later...
On 12/18/2016 at 10:19 PM, rgam said:

False positive again: Urbackup_srv.exe detected as ransomware along with registry key associated with the Urbackup Service.

This is the latest release of the software from

https://www.urbackup.org/download.html#server_windows

UrBackup Server 2.1.19 (x86/x64) (Vista/7/8.1/10 + Server editions)


Don't know how my last post got quoted being from 12-18, but today, April 19, 2017, I am attempting to report that there is again an issue of False Positive with the latest version of Urbackup Server.

See the post above that has the links to the software.


Pardon my non-compliance, but damn, MBAM Staff sure seems to be incompetent to me: as you can see from this log snippet, not only is it detected, telemetry is sent to your company about the detection...

From the MBAMSERVICE.LOG (and I'm not going to post the whole damn thing on a public forum)!

Yes, I know I can whitelist - but it's not ransomware so why does MBAM think it is?


04/19/17    " 08:57:50.664"    59670663    0804    12e0    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    922    "Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files\UrBackupServer\urbackup_srv.exe, Sha256Hash=279fe17fae6bb53ea2eb750bd509375a144305730f466894d54e98926b6f66a5"
04/19/17    " 08:57:50.742"    59670741    0804    12e0    ERROR    CleanControllerImpl    mb::cleanctlrimpl::whitelist::SignatureWhiteLister::IsObjectWhiteListed    "SignatureWhiteLister.cpp"    74    "No WHITESIGS found in Clean.mbdb"
04/19/17    " 08:57:51.803"    59671802    0804    12e0    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus    "WhiteListManager.cpp"    231    "White list status (not cached): File 'C:\Program Files\UrBackupServer\urbackup_srv.exe'   => None:Unknown"
04/19/17    " 08:57:51.803"    59671802    0804    12e0    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    952    "The detected file is NOT whitelisted, sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files\UrBackupServer\urbackup_srv.exe, id=0x0"
04/19/17    " 08:57:59.572"    59679570    0804    00b0    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate    "ArwCleanupScheduler.cpp"    559    "Received a results callback from ARW SDK - ObjectPath = C:\Program Files\UrBackupServer\urbackup_srv.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
04/19/17    " 08:58:05.231"    59685233    0804    04f0    INFO    ArwController    CArwController::TelemetryDataCallback    "ArwController.cpp"    1007    "Successfully sent the ransomware data to telemetry server."

  • 1 year later...

It's BACK AGAIN - the latest version of Urbackup Server for Windows from urbackup.org is detected as ransomware.

Lucky I was looking at monitor when message about quarantining popped up, because there is no record of WHAT it quarantined in the program interface, and it does not appear in the list of quarantined stuff. It has messed up one of the most important things - BACKING UP !!! Damn MWB!!


7D9A12C5F7F89BDBF401FDBF6B9D903BD5206301BA82470C20305BB89408B5CC
{
   "applicationVersion" : "3.5.1.2522",
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.374",
   "cpu" : "x86",
   "dbSDKUpdatePackageVersion" : "1.0.5512",
   "detectionDateTime" : "2018-06-16T22:55:49Z",
   "fileSystem" : "NTFS",
   "id" : "985c5c78-71b7-11e8-b25c-001b788070ef",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : true,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows 7 Service Pack 1",
   "schemaVersion" : 10,
   "sourceDetails" : {
      "type" : "arw"
   },
   "threats" : [
      {
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "cleanAction" : "quarantine",
            "cleanResult" : "whitelisted",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2018-06-16T22:55:54Z",
            "generatedByPostCleanupAction" : false,
            "id" : "69d6589e-71b8-11e8-af97-001b788070ef",
            "linkType" : "none",
            "objectMD5" : "088cfff67db4b8d6b30a67e3a38bb3b4",
            "objectPath" : "C:\\Program Files\\UrBackupServer\\urbackup_srv.exe",
            "objectSha256" : "ee964188df4e2faa09e4a58a6f3a23884dd5ced3705216a0c59870236806f01a",
            "objectType" : "file",
            "suggestedAction" : {
               "chromeExtensionOther" : false,
               "chromeExtensionPreferences" : false,
               "chromeExtensionSecurePreferences" : false,
               "chromeExtensionSyncData" : false,
               "chromeUrlOther" : false,
               "chromeUrlSecurePreferences" : false,
               "chromeUrlSyncData" : false,
               "chromeUrlWebData" : false,
               "fileDelete" : true,
               "fileReplace" : false,
               "fileTxtReplace" : false,
               "folderDelete" : false,
               "isChromeObject" : false,
               "isExternalDetection" : false,
               "isWMIEventConsumer" : false,
               "killProcess" : false,
               "minimalWhiteListing" : false,
               "moduleUnload" : false,
               "noLinking" : false,
               "physicalSectorReplace" : false,
               "priorityHigh" : false,
               "priorityNormal" : false,
               "priorityUrgent" : false,
               "processUnload" : false,
               "regKeyDelete" : false,
               "regValueDelete" : false,
               "regValueReplace" : false,
               "shortcutReplace" : false,
               "treatAsRootkit" : false,
               "useDDA" : false
            }
         },
         "ruleID" : 392685,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Malware.Ransom.Agent.Generic"
      }
   ],
   "threatsDetected" : 1
}

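As an added example (not code from this thread, from Malwarebytes or from the UrBackup project), here is a small Python triage helper for the two artefacts quoted above: it walks MBAMSERVICE.LOG records like the snippet in the April 2017 post, pulls out the path, SHA-256, whitelist status, action taken and whether telemetry was sent, and matches that against a detection record in the shape of the JSON export in the last post. It assumes the log columns are tab-separated (the forum rendering shows runs of spaces), and the samples are constructed from the path and hash quoted in the thread.

```python
import json
import re

# Constructed sample in the MBAMSERVICE.LOG layout quoted in the thread. Columns are assumed
# tab-separated (the forum rendering shows runs of spaces); the path and hash are the thread's.
SAMPLE_LOG = "\n".join([
    '04/19/17\t" 08:57:50.664"\t59670663\t0804\t12e0\tINFO\tAntiRansomwareControllerImpl\tmb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback\t"ArwControllerImplHelper.cpp"\t922\t"Received threat detection callback from ARW SDK, ObjectPath=C:\\Program Files\\UrBackupServer\\urbackup_srv.exe, Sha256Hash=279fe17fae6bb53ea2eb750bd509375a144305730f466894d54e98926b6f66a5"',
    '04/19/17\t" 08:57:51.803"\t59671802\t0804\t12e0\tINFO\tCleanControllerImpl\tmb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus\t"WhiteListManager.cpp"\t231\t"White list status (not cached): File \'C:\\Program Files\\UrBackupServer\\urbackup_srv.exe\'   => None:Unknown"',
    '04/19/17\t" 08:57:59.572"\t59679570\t0804\t00b0\tINFO\tAntiRansomwareControllerImpl\tmb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate\t"ArwCleanupScheduler.cpp"\t559\t"Received a results callback from ARW SDK - ObjectPath = C:\\Program Files\\UrBackupServer\\urbackup_srv.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, RebootRequired = No"',
    '04/19/17\t" 08:58:05.231"\t59685233\t0804\t04f0\tINFO\tArwController\tCArwController::TelemetryDataCallback\t"ArwController.cpp"\t1007\t"Successfully sent the ransomware data to telemetry server."',
])

# Constructed record in the shape of the JSON export quoted in the thread, trimmed to the fields
# used here; the hash is the 2017 one (upper-cased) so it pairs with SAMPLE_LOG, not the 2018 value.
SAMPLE_REPORT = json.dumps({"threats": [{"threatName": "Malware.Ransom.Agent.Generic", "mainTrace": {
    "objectPath": "C:\\Program Files\\UrBackupServer\\urbackup_srv.exe",
    "objectSha256": "279FE17FAE6BB53EA2EB750BD509375A144305730F466894D54E98926B6F66A5",
    "cleanAction": "quarantine", "cleanResult": "whitelisted"}}]})

def parse_line(line):
    """Split one record into (time, function, message, key=value pairs found in the message)."""
    parts = re.split(r"\t|\s{2,}", line.strip(), maxsplit=10)  # 11 columns; message is the remainder
    if len(parts) != 11:
        return None
    msg = parts[10].strip('"')
    kv = {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^,]*)", msg)}
    return parts[1].strip('" '), parts[7], msg, kv

def summarize_arw(log_text):
    """Walk the ARW records in order and collect what a false-positive report needs."""
    out = {"path": None, "sha256": None, "whitelist_status": None, "action": None, "result": None, "telemetry_sent": False}
    for _, fn, msg, kv in filter(None, map(parse_line, log_text.splitlines())):
        if fn.endswith("ArwShimDetectionCallback") and "Sha256Hash" in kv:
            out["path"], out["sha256"] = kv["ObjectPath"], kv["Sha256Hash"].lower()
        elif fn.endswith("LogWhiteListStatus") and "=>" in msg:
            out["whitelist_status"] = msg.split("=>")[-1].strip()  # e.g. "None:Unknown"
        elif fn.endswith("ContainThreatsToRemediate"):
            out["action"], out["result"] = kv.get("ActionTaken"), kv.get("Result")
        elif fn.endswith("TelemetryDataCallback") and "Successfully sent" in msg:
            out["telemetry_sent"] = True
    return out

def reconcile(summary, report_json):
    """Match the log summary to a JSON export by path and SHA-256 and return what the UI recorded."""
    for t in json.loads(report_json).get("threats", []):
        m = t["mainTrace"]
        if m["objectPath"] == summary["path"] and m["objectSha256"].lower() == summary["sha256"]:
            return {"threat": t["threatName"], "ui_action": m["cleanAction"], "ui_result": m["cleanResult"]}
    return None
```

Point `summarize_arw` at the real MBAMSERVICE.LOG text and `reconcile` at a real exported record to get the path, hash, action and whitelist status in one place for the report, without pasting the whole log.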
