rgam

UrBackup Server


Upgraded to MBAM Premium 3.0.4 today.

It is doing a false positive detection on the UrBackup Server program (I'm using 1.4.14), a Windows-based client-server backup program.

The file is urbackup_srv.exe (825 KB), which can be found at: https://www.urbackup.org/downloads/Server/1.4.14/

The sticky post does not indicate how to do logs/report false positive with the MBAM V3....

 


Hi rgam,

Welcome to the forums.

Thanks for your report. I'm currently not seeing this file detected on our end. The sticky posts will probably be updated soon. Here are some instructions in the meantime on how you can export the log to attach here.

Open Malwarebytes 3.0.4 and click on Reports on the left hand side:

[Screenshot: a.png]

Double-click on the log that has the detection for this file. When you've found it, follow the steps below to export the log to your desktop or some place you can find later.

[Screenshot: b.png]

Then just attach it here so we can review.

Thanks!


The zipped exe triggering the false positive is attached - 

I copied log to clipboard and this is all it shows:

 

 


Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/18/16
Protection Event Time: 8:52 AM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.781
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: System

-Ransomware Details-
File: 1
Malware.Ransom.Agent.Generic, C:\Program Files\UrBackupServer\urbackup_srv.exe, No Action By User, [0], [-1],0.0.0


(end)

urbackup_srv.zip


(Sorry, I see now that I should have put this in the 'Ransomware' section of the false positive reports -- mbam is preventing this exe from running at system startup - it should run at system startup - as opposed to detecting it on a scan.)


Hi,

No problem. I'll move the thread to the appropriate subsection. Someone who works on the anti-ransomware portions of MBAM will be able to assist you further.


Hi rgam,

Are you still getting this detection? Because normally it shouldn't be detected.

Can you also add this file to your ignore list? (Right-click the detection result and select Ignore.)

Thanks!

 


I am not sure if I'm still getting the detection - I will have to do a reboot on the affected PC.

As far as adding to the ignore list: the instruction to right-click the detection result and select Ignore makes no sense with the Malwarebytes Premium software. What is the detection result? The only place I see this is in "Reports", which is a "Ransomware blocked" listing - it does not identify what was blocked. And right-clicking does nothing. Left-clicking puts a checkmark on the report, which enables View Report or Delete. View Report brings up a window which shows the protection event and the threat, identifying the file, but right-clicking does nothing.

 

2 minutes ago, rgam said:

 

 

I would add: this file is run as part of startup of pc, as SYSTEM user - not an ordinary user, so there is no detection pop-up.


Hi rgam,

The ransomware block is part of our generic detection for ransomware behavior. When you look under "Quarantine" - in case you have quarantined it (which it doesn't look like), you can select to restore.

Also, during detection - in the Scan results, you have the option to uncheck the threat, then click next - where it gives you the option to "Ignore Once", "Ignore Always" or "cancel".

Alternatively: Go to Settings > Exclusions > Add Exclusion and that's where you can add the path to this file to exclusions.

But normally, this shouldn't be flagged as detected anymore though.

On 12/18/2016 at 10:19 PM, rgam said:

 

 

False positive again: Urbackup_srv.exe detected as ransomware along with registry key associated with the Urbackup Service.

This is the latest release of the software from 

https://www.urbackup.org/download.html#server_windows

UrBackup Server 2.1.19 (x86/x64) (Vista/7/8.1/10 + Server editions)

Edited by rgam


Don't know how my last post got quoted being from 12-18, but today, April 19, 2017, I am attempting to report that there is again an issue of False Positive with the latest version of Urbackup Server.

See the post above that has the links to the software.


Hi,

We would need an additional log here as I can't reproduce detection.

Please go to the following folder: C:\ProgramData\Malwarebytes\MBAMService\logs\

and zip and attach the MBAMSERVICE.LOG to your next post.

 

Thanks!


Pardon my non-compliance, but damn, MBAM Staff sure seems to be incompetent to me: as you can see from this log snippet, not only is it detected, telemetry is sent to your company about the detection...

From the MBAMSERVICE.LOG (and I'm not going to post the whole damn thing on a public forum)!

Yes, I know I can whitelist - but it's not ransomware so why does MBAM think it is?

 


04/19/17    " 08:57:50.664"    59670663    0804    12e0    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    922    "Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files\UrBackupServer\urbackup_srv.exe, Sha256Hash=279fe17fae6bb53ea2eb750bd509375a144305730f466894d54e98926b6f66a5"
04/19/17    " 08:57:50.742"    59670741    0804    12e0    ERROR    CleanControllerImpl    mb::cleanctlrimpl::whitelist::SignatureWhiteLister::IsObjectWhiteListed    "SignatureWhiteLister.cpp"    74    "No WHITESIGS found in Clean.mbdb"
04/19/17    " 08:57:51.803"    59671802    0804    12e0    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus    "WhiteListManager.cpp"    231    "White list status (not cached): File 'C:\Program Files\UrBackupServer\urbackup_srv.exe'   => None:Unknown"
04/19/17    " 08:57:51.803"    59671802    0804    12e0    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    952    "The detected file is NOT whitelisted, sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files\UrBackupServer\urbackup_srv.exe, id=0x0"
04/19/17    " 08:57:59.572"    59679570    0804    00b0    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate    "ArwCleanupScheduler.cpp"    559    "Received a results callback from ARW SDK - ObjectPath = C:\Program Files\UrBackupServer\urbackup_srv.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
04/19/17    " 08:58:05.231"    59685233    0804    04f0    INFO    ArwController    CArwController::TelemetryDataCallback    "ArwController.cpp"    1007    "Successfully sent the ransomware data to telemetry server."

 

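Reading the MBAMSERVICE.LOG lines quoted above back into a per-file timeline (hash, whitelist verdict, action taken, result), which is the record the poster could not find in the UI. This is an added example, not part of the thread or of Malwarebytes' own tooling; the sample lines are constructed to match the quoted column layout, and the regexes are assumptions about that layout.

```python
import re

# Constructed sample, modeled on the MBAMSERVICE.LOG lines quoted in this thread
# (same column layout; the path and SHA-256 are the ones the poster reported).
SAMPLE_LOG = r"""
04/19/17    " 08:57:50.664"    59670663    0804    12e0    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    922    "Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files\UrBackupServer\urbackup_srv.exe, Sha256Hash=279fe17fae6bb53ea2eb750bd509375a144305730f466894d54e98926b6f66a5"
04/19/17    " 08:57:51.803"    59671802    0804    12e0    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus    "WhiteListManager.cpp"    231    "White list status (not cached): File 'C:\Program Files\UrBackupServer\urbackup_srv.exe'   => None:Unknown"
04/19/17    " 08:57:51.803"    59671802    0804    12e0    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    952    "The detected file is NOT whitelisted, sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files\UrBackupServer\urbackup_srv.exe, id=0x0"
04/19/17    " 08:57:59.572"    59679570    0804    00b0    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate    "ArwCleanupScheduler.cpp"    559    "Received a results callback from ARW SDK - ObjectPath = C:\Program Files\UrBackupServer\urbackup_srv.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
""".strip("\n")

# One record (assumed layout): date, quoted time, tick, pid, tid, level,
# component, function, quoted source file, source line, quoted message.
LINE_RE = re.compile(
    r'^(?P<date>\S+)\s+"(?P<time>[^"]*)"\s+\d+\s+\S+\s+\S+\s+(?P<level>\w+)\s+'
    r'(?P<component>\S+)\s+(?P<func>\S+)\s+"[^"]*"\s+\d+\s+"(?P<msg>.*)"$'
)
KV_RE = re.compile(r"(\w+)\s*=\s*([^,]*)")          # Key=Value pairs inside the message
WL_RE = re.compile(r"File '([^']+)'\s+=>\s+(\S+)")   # whitelist-status message


def parse_line(line):
    """Parse one MBAMSERVICE.LOG line; None if it is not in the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k: v.strip() for k, v in KV_RE.findall(rec["msg"])}
    wl = WL_RE.search(rec["msg"])
    if wl:  # the whitelist check names the file differently from the other messages
        rec["fields"]["ObjectPath"] = wl.group(1)
        rec["fields"]["WhiteList"] = wl.group(2)
    return rec


def arw_timeline(text):
    """Per file the ARW component touched: hash, whitelist verdict, action, result,
    and the ordered (time, function) events that led to the action."""
    per_file = {}
    for line in text.splitlines():
        rec = parse_line(line)
        path = rec["fields"].get("ObjectPath") if rec else None
        if not path:
            continue
        entry = per_file.setdefault(path, {"sha256": None, "whitelist": None,
                                           "action": None, "result": None, "events": []})
        f = rec["fields"]
        entry["sha256"] = f.get("Sha256Hash", entry["sha256"])
        entry["whitelist"] = f.get("WhiteList", entry["whitelist"])
        entry["action"] = f.get("ActionTaken", entry["action"])
        entry["result"] = f.get("Result", entry["result"])
        entry["events"].append((rec["time"].strip(), rec["func"].rsplit("::", 1)[-1]))
    return per_file
```

Running `arw_timeline` over the real log file gives, for each path, the SHA-256 to compare against the vendor download and the exact action the anti-ransomware component took, so a suspected false positive can be reported with evidence rather than reconstructed from a pop-up.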

Hi, our ransomware component is based upon generic behavior detection. The telemetry is sent so it helps us to analyse why some files are triggered by this detection, which helps us to fine-tune the program.

I just looked it up, and this was fixed already. 


It's BACK AGAIN -  Latest version of Urbackup Server for Windows from urbackup.org detected as ransomware -

Lucky I was looking at monitor when message about quarantining popped up, because there is no record of WHAT it quarantined in the program interface, and it does not appear in the list of quarantined stuff. It has messed up one of the most important things - BACKING UP !!! Damn MWB!!

 

7D9A12C5F7F89BDBF401FDBF6B9D903BD5206301BA82470C20305BB89408B5CC
{
   "applicationVersion" : "3.5.1.2522",
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.374",
   "cpu" : "x86",
   "dbSDKUpdatePackageVersion" : "1.0.5512",
   "detectionDateTime" : "2018-06-16T22:55:49Z",
   "fileSystem" : "NTFS",
   "id" : "985c5c78-71b7-11e8-b25c-001b788070ef",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : true,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows 7 Service Pack 1",
   "schemaVersion" : 10,
   "sourceDetails" : {
      "type" : "arw"
   },
   "threats" : [
      {
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "cleanAction" : "quarantine",
            "cleanResult" : "whitelisted",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2018-06-16T22:55:54Z",
            "generatedByPostCleanupAction" : false,
            "id" : "69d6589e-71b8-11e8-af97-001b788070ef",
            "linkType" : "none",
            "objectMD5" : "088cfff67db4b8d6b30a67e3a38bb3b4",
            "objectPath" : "C:\\Program Files\\UrBackupServer\\urbackup_srv.exe",
            "objectSha256" : "ee964188df4e2faa09e4a58a6f3a23884dd5ced3705216a0c59870236806f01a",
            "objectType" : "file",
            "suggestedAction" : {
               "chromeExtensionOther" : false,
               "chromeExtensionPreferences" : false,
               "chromeExtensionSecurePreferences" : false,
               "chromeExtensionSyncData" : false,
               "chromeUrlOther" : false,
               "chromeUrlSecurePreferences" : false,
               "chromeUrlSyncData" : false,
               "chromeUrlWebData" : false,
               "fileDelete" : true,
               "fileReplace" : false,
               "fileTxtReplace" : false,
               "folderDelete" : false,
               "isChromeObject" : false,
               "isExternalDetection" : false,
               "isWMIEventConsumer" : false,
               "killProcess" : false,
               "minimalWhiteListing" : false,
               "moduleUnload" : false,
               "noLinking" : false,
               "physicalSectorReplace" : false,
               "priorityHigh" : false,
               "priorityNormal" : false,
               "priorityUrgent" : false,
               "processUnload" : false,
               "regKeyDelete" : false,
               "regValueDelete" : false,
               "regValueReplace" : false,
               "shortcutReplace" : false,
               "treatAsRootkit" : false,
               "useDDA" : false
            }
         },
         "ruleID" : 392685,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Malware.Ransom.Agent.Generic"
      }
   ],
   "threatsDetected" : 1
}

Edited by rgam


Sorry for the inconvenience. I've whitelisted this latest file so this particular file shouldn't be detected again.

088CFFF67DB4B8D6B30A67E3A38BB3B4

