Jump to content

UrBackup Server


Recommended Posts

Uppgraded to MBAM Premium 3.0.4 today---

It is doing a false positive detection on Urbackup server program (I'm using 1.4.14) windows-based client-server backup program.

The file is: urbackup_srv.exe 825kb which can be found: https://www.urbackup.org/downloads/Server/1.4.14/

The sticky post does not indicate how to do logs/report false positive with the MBAM V3....


Link to post
Share on other sites

Hi rgam,

Welcome to the forums.

Thanks for your report. I'm currently not seeing this file detected on our end. The sticky posts will probably be updated soon. Here are some instructions in the meantime on how you can export the log to attach here.

Open Malwarebytes 3.0.4 and click on Reports on the left hand side:


Double-click on the log that has the detection for this file. When you've found it, follow the steps below to export the log to your desktop or some place you can find later.


Then just attach it here so we can review.


Link to post
Share on other sites

The zipped exe triggering the false positive is attached - 

I copied log to clipboard and this is all it shows:




-Log Details-
Protection Event Date: 12/18/16
Protection Event Time: 8:52 AM
Administrator: Yes

-Software Information-
Components Version: 1.0.39
Update Package Version: 1.0.781
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: System

-Ransomware Details-
File: 1
Malware.Ransom.Agent.Generic, C:\Program Files\UrBackupServer\urbackup_srv.exe, No Action By User, [0], [-1],0.0.0



Link to post
Share on other sites

I am not sure if still getting the detection - will have to do a reboot on the affected PC.

As far as adding to ignore list: the instruction to Rightclick the detection result and select to Ignore makes no sense with the Malwarebytes Premium software: What is detection result? The only place I see this is in "Reports" which is a "Ransonware blocked" listing - it does not identify what was blocked. And, right-clicking does nothing. Left-clicking puts a checkmark on the report which enables to View Report or Delete. View Report brings a window which show the protection event, and the threat - identifying the file, but right-clicking does nothing. 


Link to post
Share on other sites

  • Staff

Hi rgam,

The ransomware block is part of our generic detection for ransomware behavior. When you look under "Quarantine" - in case you have quarantined it (which it doesn't look like), you can select to restore.

Also, during detection - in the Scan results, you have the option to uncheck the threat, then click next - where it gives you the option to "Ignore Once", "Ignore Always" or "cancel".

Alternatively: Go to Settings > Exclusions > Add Exclusion and that's where you can add the path to this file to exclusions.

But normally, this shouldn't be flagged as detected anymore though.

Link to post
Share on other sites

  • 4 months later...
On 12/18/2016 at 10:19 PM, rgam said:



False positive again: Urbackup_srv.exe detected as ransomware along with registry key associated with the Urbackup Service.

This is the latest release of the software from 


UrBackup Server 2.1.19 (x86/x64) (Vista/7/8.1/10 + Server editions)

Edited by rgam
Link to post
Share on other sites

Don't know how my last post got quoted being from 12-18, but today, April 19, 2017, I am attempting to report that there is again an issue of False Positive with the latest version of Urbackup Server.

See the post above that has the links to the software.

Link to post
Share on other sites

Pardon my non-compliance, but damn, MBAM Staff sure seems to be incompetent to me: as you can see from this log snippet, not only is it detected, telemetry is sent to your company about the detection...

From the MBAMSERVICE.LOG (and I'm not going to post the whole damn thing on a public forum)!

Yes, I know I can whitelist - but it's not ransomware so why does MBAM think it is?



04/19/17    " 08:57:50.664"    59670663    0804    12e0    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    922    "Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files\UrBackupServer\urbackup_srv.exe, Sha256Hash=279fe17fae6bb53ea2eb750bd509375a144305730f466894d54e98926b6f66a5"
04/19/17    " 08:57:50.742"    59670741    0804    12e0    ERROR    CleanControllerImpl    mb::cleanctlrimpl::whitelist::SignatureWhiteLister::IsObjectWhiteListed    "SignatureWhiteLister.cpp"    74    "No WHITESIGS found in Clean.mbdb"
04/19/17    " 08:57:51.803"    59671802    0804    12e0    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus    "WhiteListManager.cpp"    231    "White list status (not cached): File 'C:\Program Files\UrBackupServer\urbackup_srv.exe'   => None:Unknown"
04/19/17    " 08:57:51.803"    59671802    0804    12e0    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    952    "The detected file is NOT whitelisted, sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files\UrBackupServer\urbackup_srv.exe, id=0x0"
04/19/17    " 08:57:59.572"    59679570    0804    00b0    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate    "ArwCleanupScheduler.cpp"    559    "Received a results callback from ARW SDK - ObjectPath = C:\Program Files\UrBackupServer\urbackup_srv.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
04/19/17    " 08:58:05.231"    59685233    0804    04f0    INFO    ArwController    CArwController::TelemetryDataCallback    "ArwController.cpp"    1007    "Successfully sent the ransomware data to telemetry server."


Link to post
Share on other sites

  • 1 year later...

It's BACK AGAIN -  Latest version of Urbackup Server for Windows from urbackup.org detected as ransomware -

Lucky I was looking at monitor when message about quarantining popped up, because there is no record of WHAT it quarantined in the program interface, and it does not appear in the list of quarantined stuff. It has messed up one of the most important things - BACKING UP !!! Damn MWB!!


   "applicationVersion" : "",
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.374",
   "cpu" : "x86",
   "dbSDKUpdatePackageVersion" : "1.0.5512",
   "detectionDateTime" : "2018-06-16T22:55:49Z",
   "fileSystem" : "NTFS",
   "id" : "985c5c78-71b7-11e8-b25c-001b788070ef",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : true,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows 7 Service Pack 1",
   "schemaVersion" : 10,
   "sourceDetails" : {
      "type" : "arw"
   "threats" : [
         "linkedTraces" : [

         "mainTrace" : {
            "cleanAction" : "quarantine",
            "cleanResult" : "whitelisted",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2018-06-16T22:55:54Z",
            "generatedByPostCleanupAction" : false,
            "id" : "69d6589e-71b8-11e8-af97-001b788070ef",
            "linkType" : "none",
            "objectMD5" : "088cfff67db4b8d6b30a67e3a38bb3b4",
            "objectPath" : "C:\\Program Files\\UrBackupServer\\urbackup_srv.exe",
            "objectSha256" : "ee964188df4e2faa09e4a58a6f3a23884dd5ced3705216a0c59870236806f01a",
            "objectType" : "file",
            "suggestedAction" : {
               "chromeExtensionOther" : false,
               "chromeExtensionPreferences" : false,
               "chromeExtensionSecurePreferences" : false,
               "chromeExtensionSyncData" : false,
               "chromeUrlOther" : false,
               "chromeUrlSecurePreferences" : false,
               "chromeUrlSyncData" : false,
               "chromeUrlWebData" : false,
               "fileDelete" : true,
               "fileReplace" : false,
               "fileTxtReplace" : false,
               "folderDelete" : false,
               "isChromeObject" : false,
               "isExternalDetection" : false,
               "isWMIEventConsumer" : false,
               "killProcess" : false,
               "minimalWhiteListing" : false,
               "moduleUnload" : false,
               "noLinking" : false,
               "physicalSectorReplace" : false,
               "priorityHigh" : false,
               "priorityNormal" : false,
               "priorityUrgent" : false,
               "processUnload" : false,
               "regKeyDelete" : false,
               "regValueDelete" : false,
               "regValueReplace" : false,
               "shortcutReplace" : false,
               "treatAsRootkit" : false,
               "useDDA" : false
         "ruleID" : 392685,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Malware.Ransom.Agent.Generic"
   "threatsDetected" : 1

Edited by rgam
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.