Realtime scanner detects my software -during installation- as ransomware (if first installed, no problem)


ThomasSchulzMS


Since my post in "False Positives - Ransomware" seemingly has been ignored for a full week now, I am posting here after suggestion from Mike Cingolani from Malware

...


We found out from a customer that when installing the current version of A1 Sitemap Generator, one of the temporary files generated during installation is flagged and quarantined (sitemap-setup.tmp).

Starting mbam.exe with the /developer command line does not help much, as the false positive is not reported when doing a right-click scan.

(And I have been unable to find any log by mbam after the quarantine during the installation.)

 

You can download the tool from here:

 http://www.microsystools.com/products/sitemap-generator/

 

You can find the latest VirusTotal reports here:

URL (0 / 64)

https://www.virustotal.com/en/url/05bd8f7aa4017f809a984b73ea8cc83b0b8691088dcfdd6488ca76783c57a02d/analysis/1487695458/

Download (0 / 58)

https://www.virustotal.com/en/file/a683208a09a8ff6415a5530f09437d313c6fe749d0586818f57ae9e9e7110852/analysis/1487695464/

 

For reference: 

  • The installer + all the executables are signed.
  • Executables are created in Delphi 2007, Delphi 2010 to Delphi XE2.
  • 3 executables are included and installed during installation.
  • The "best" one, depending on OS and 32/64-bit, is then selected as the default sitemap.exe during installation, which the desktop shortcuts etc. use.
  • Installer is InnoSetup.

 

...

 

If you want - here is the original report by my customer:

https://webhelpforums.net/sitemap-generator/malwarebytes-v3-0-6-quarantines-sitemap-setup-tmp-as-ransomeware/
 

Quote

 

Those who have the latest "Malwarebytes" v3.0.6 installed will encounter this issue upon installing an update to "A1 Sitemap Generator".

[image: malwarebytes-a1-sitemap-generator.jpg]

Since the "sitemap-setup.tmp" file is (incorrectly) detected by Malwarebytes as Ransomware and automatically quarantined, the update to A1 Sitemap Generator therefore does not complete properly.

The solution I found was to "Quit Malwarebytes" (right-click icon in taskbar) and then run the "sitemap-setup.exe" file once again. The install routine will complete properly, as usual. Then you can load Malwarebytes again and run the latest version of A1 Sitemap Generator without issue.

 

 

My original post is here:

 


Hi,

I wasn't able to reproduce the detection so I'll need some additional information. Can you or your customer provide the log that shows the detection?

Check the following directory: C:\ProgramData\Malwarebytes\MBAMService\ArwDetections

This file should also show the detection: C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG

Quote

 installing an update to "A1 Sitemap Generator".

When I launch A1 Sitemap Generator and use Help ==> Updates....

And click the following link:

  • Download and try the newest release - version 8.0.0.

This doesn't reproduce the detection either so if you could elaborate here as well that'd help me identify where the problem is.

Once again, my apologies for the delayed response.

Thanks!

 


Thank you for looking into this. The problem only occurs during installation, by the realtime scanner. I did repeat the problem earlier today (was trying to see if the most recent version of the InnoSetup installer would solve the problem), but I will make sure I am using the newest version of Malwarebytes, restart the computer and look for the log (!)
 


The problem is still there.

 

Using 3.0.6 (Trial) with updates "Up to date" on Windows 10 Pro (fully updated)

Download from:

http://www.microsystools.com/products/sitemap-generator/

Specifically the Windows version:

http://www.microsystools.com/products/sitemap-generator/sitemap-setup.exe

Ran installer 

...

I have run multiple tests, and it seems not to always be at the same point it kicks in, but it always kicks in at the latest at the end of / just after the installation.

... Here are snippets from the most recent test (just now), from the file C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG

While I guess a whitelisting solution could suffice, most of my software is built around the same code, installer, etc., so my guess is all my software will suffer from this issue.

If it is an InnoSetup installer-related issue, the problem must be much more widespread than simply limited to me.

...
 

03/01/17    " 02:40:33.213"    842000    05f0    1468    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate    "ArwCleanupScheduler.cpp"    531    "Received a results callback from ARW SDK - ObjectPath = C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
03/01/17    " 02:40:33.947"    842734    05f0    1624    INFO    ArwController    CArwController::SendThreatFileToServerCallback    "ArwController.cpp"    910    "Successfully sent the detected file and info to server."
03/01/17    " 02:40:34.989"    843781    05f0    1624    INFO    ArwController    CArwController::TelemetryDataCallback    "ArwController.cpp"    1007    "Successfully sent the ransomware data to telemetry server."
03/01/17    " 02:40:36.945"    845734    05f0    1624    WARNING    7zWrapper    mb::common::sevenzip::SevenZipWrapper::CreateZipArchive    "7zWrapper.cpp"    1126    "Could not open file: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ARW\mbarwind.arw. Trying to make a copy of it..."
03/01/17    " 02:40:36.991"    845781    05f0    1624    WARNING    7zWrapper    mb::common::sevenzip::SevenZipWrapper::CreateZipArchive    "7zWrapper.cpp"    1126    "Could not open file: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\logs\MBAMSERVICE.log. Trying to make a copy of it..."
03/01/17    " 02:40:41.589"    850375    05f0    1624    INFO    ArwController    CArwController::SendThreatFileToServerCallback    "ArwController.cpp"    910    "Successfully sent the detected file and info to server."
03/01/17    " 02:40:41.629"    850421    05f0    1624    INFO    ArwController    CArwController::SubmitToCleanNotification    "ArwController.cpp"    871    "Successfully submitted detection results for cleaning."
03/01/17    " 02:40:41.644"    850437    05f0    13c0    INFO    CleanControllerImpl    Cleaner::Clean    "Cleaner.cpp"    54    "Start of clean, client '', detection results 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ArwDetections\0c104c72-fe20-11e6-8519-00248c156224.json'"
03/01/17    " 02:40:42.966"    851750    05f0    13c0    ERROR    CleanControllerImpl    mb::cleanctlrimpl::whitelist::SignatureWhiteLister::IsObjectWhiteListed    "SignatureWhiteLister.cpp"    72    "No WHITESIGS found in Clean.mbdb"
03/01/17    " 02:40:50.906"    859687    05f0    13c0    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::IsObjectWhiteListed    "WhiteListManager.cpp"    163    "White list status (not cached): File 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe'  => None"
03/01/17    " 02:40:50.906"    859687    05f0    13c0    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManagerCache::IsObjectWhiteListed    "WhiteListManagerCache.cpp"    55    "White list status from cache: File 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe'  => None"
03/01/17    " 02:40:50.906"    859687    05f0    13c0    INFO    Actions    ActionsManager::GetDetectedThreats    "ActionsManager.cpp"    412    "Getting detected threats from actions"
03/01/17    " 02:41:14.320"    883109    05f0    13c0    INFO    CleanControllerImpl    DOREngine::PreCleanIsRebootRequired    "DOREngine.cpp"    117    "Must reboot, special file C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe"
03/01/17    " 02:41:14.320"    883109    05f0    13c0    INFO    CleanControllerImpl    QuarantineEngine::QuarantineFile    "QuarantineEngine.cpp"    373    "Quarantining C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe"
03/01/17    " 02:41:14.400"    883187    05f0    13c0    INFO    CleanControllerImpl    Cleaner::RemediateAndWriteMetadata    "Cleaner.cpp"    307    "Starting cleaning of File C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe"
03/01/17    " 02:41:14.400"    883187    05f0    13c0    INFO    CleanControllerImpl    RemovalEngine::RemoveFile    "RemovalEngine.cpp"    1151    "Cleaning file C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe, anti-rootkit = false"
03/01/17    " 02:41:14.597"    883390    05f0    13c0    INFO    CleanControllerImpl    RemovalEngine::DeleteFileAPI    "RemovalEngine.cpp"    1338    "Deleting file 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe', resolved path = 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe'"
03/01/17    " 02:41:15.617"    884406    05f0    13c0    INFO    CleanControllerImpl    RemovalEngine::LogCleanResult    "RemovalEngine.cpp"    1511    "Succeeded cleaning file C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe"
03/01/17    " 02:41:15.617"    884406    05f0    13c0    INFO    CleanControllerImpl    QuarantineEngine::CopyMetadataToQuarantine    "QuarantineEngine.cpp"    134    "Copying quarantine metadata for C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe"
03/01/17    " 02:41:15.628"    884421    05f0    13c0    INFO    CleanControllerImpl    QuarantineEngine::LogQuarantineResult    "QuarantineEngine.cpp"    617    "Succeeded quarantining File 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe'"
03/01/17    " 02:41:15.628"    884421    05f0    13c0    INFO    CleanControllerImpl    Cleaner::RebuildSystemRegistryValues    "Cleaner.cpp"    436    "Rebuilding system registry values."
03/01/17    " 02:41:15.631"    884421    05f0    13c0    INFO    CleanControllerImpl    Cleaner::RebuildRegistryValueEx    "Cleaner.cpp"    419    "Successfully rebuilt registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, from 'scecli^^' to 'scecli'."
03/01/17    " 02:41:15.631"    884421    05f0    13c0    INFO    CleanControllerImpl    Cleaner::RebuildRegistryValueEx    "Cleaner.cpp"    419    "Successfully rebuilt registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages, from 'kerberos^msv1_0^schannel^wdigest^tspkg^pku2u^livessp^^' to 'kerberos^msv1_0^schannel^wdigest^tspkg^pku2u^livessp'."
03/01/17    " 02:41:15.632"    884421    05f0    13c0    INFO    CleanControllerImpl    Cleaner::RebuildRegistryValueEx    "Cleaner.cpp"    419    "Successfully rebuilt registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages, from 'msv1_0^^' to 'msv1_0'."
03/01/17    " 02:41:16.045"    884828    05f0    13c0    INFO    CleanControllerImpl    mb::swissarmyclientutils::SwissArmySDKWrapper::ScheduleDeleteFile    "SwissArmySDKWrapper.cpp"    181    "Scheduling delete file: 'C:\Users\Thomas Schulz\Downloads\sitemap-setup.exe'"
03/01/17    " 02:41:16.074"    884859    05f0    13c0    INFO    CleanControllerImpl    Cleaner::ExecutePostCleanupActions    "Cleaner.cpp"    563    "Executing post-cleanup actions"
03/01/17    " 02:41:16.074"    884859    05f0    13c0    INFO    Actions    ActionsManager::ProcessThreatActions    "ActionsManager.cpp"    630    "Executing post cleanup actions"
03/01/17    " 02:41:17.402"    886187    05f0    13c0    INFO    CleanControllerImpl    Cleaner::Clean    "Cleaner.cpp"    254    "Completed clean from client , detection results C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ArwDetections\0c104c72-fe20-11e6-8519-00248c156224.json, status DORRequired"
03/01/17    " 02:41:19.093"    887875    05f0    136c    ERROR    HttpConnection    mb::common::net::HttpConnection::SendRequest    "HttpConnection.cpp"    229    "HTTP request failed, status code: 500"
03/01/17    " 02:41:19.093"    887875    05f0    136c    ERROR    CloudCtrlImpl    CloudControllerImplHelper::GetAuthenticatedURLForUpload    "CloudControllerImplHelper.cpp"    1335    "Error code 500 returned in POST to Cosmos"
03/01/17    " 02:41:19.093"    887875    05f0    136c    ERROR    CloudCtrlImpl    CloudControllerImplHelper::UploadARWData    "CloudControllerImplHelper.cpp"    793    "Failed to obtain upload URL from Cosmos"
03/01/17    " 02:41:19.093"    887875    05f0    136c    ERROR    CloudCtrlImpl    CloudControllerImplHelper::ProcessARWUploads    "CloudControllerImplHelper.cpp"    675    "Failed to send detection data with UUID: 0cf1d692fe2011e688e200248c156224"
03/01/17    " 02:44:34.821"    1083609    05f0    1460    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    922    "Received threat detection callback from ARW SDK, ObjectPath=X:\AppData\Local\Temp\is-2F68I.tmp\sitemap-setup (1).tmp, Sha256Hash=14278f7f7d5ed510f51d59d914eca6fe2dde6a51b86fa649d1661372680830bf"
03/01/17    " 02:44:34.846"    1083640    05f0    1460    ERROR    CleanControllerImpl    mb::cleanctlrimpl::whitelist::SignatureWhiteLister::IsObjectWhiteListed    "SignatureWhiteLister.cpp"    72    "No WHITESIGS found in Clean.mbdb"
03/01/17    " 02:44:34.846"    1083640    05f0    1460    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::IsObjectWhiteListed    "WhiteListManager.cpp"    163    "White list status (not cached): File 'X:\AppData\Local\Temp\is-2F68I.tmp\sitemap-setup (1).tmp'  => Hubble/MEPS"
03/01/17    " 02:44:34.846"    1083640    05f0    1460    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    940    "The detected file is whitelisted, ignoring this detection! ObjectPath=X:\AppData\Local\Temp\is-2F68I.tmp\sitemap-setup (1).tmp, Type = 3"
03/01/17    " 02:44:37.557"    1086343    05f0    1468    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate    "ArwCleanupScheduler.cpp"    531    "Received a results callback from ARW SDK - ObjectPath = X:\AppData\Local\Temp\is-2F68I.tmp\sitemap-setup (1).tmp, RegObjectPath = , ActionTaken=ARW_ACTION_ALLOW_NONE, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
03/01/17    " 02:44:38.051"    1086843    05f0    1460    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    922    "Received threat detection callback from ARW SDK, ObjectPath=C:\Users\Thomas Schulz\Downloads\sitemap-setup (1).exe, Sha256Hash=a683208a09a8ff6415a5530f09437d313c6fe749d0586818f57ae9e9e7110852"
03/01/17    " 02:44:38.118"    1086906    05f0    1460    ERROR    CleanControllerImpl    mb::cleanctlrimpl::whitelist::SignatureWhiteLister::IsObjectWhiteListed    "SignatureWhiteLister.cpp"    72    "No WHITESIGS found in Clean.mbdb"
03/01/17    " 02:44:38.660"    1087453    05f0    1624    INFO    ArwController    CArwController::TelemetryDataCallback    "ArwController.cpp"    1007    "Successfully sent the ransomware data to telemetry server."
03/01/17    " 02:44:39.079"    1087875    05f0    1460    ERROR    HttpConnection    mb::common::net::HttpConnection::SendRequest    "HttpConnection.cpp"    229    "HTTP request failed, status code: 500"
03/01/17    " 02:44:39.079"    1087875    05f0    1460    ERROR    CleanControllerImpl    mb::cleanctlrimpl::whitelist::HubbleWhiteLister::IsFileWhiteListed    "HubbleWhiteLister.cpp"    187    "Error code 500 returned in PUT to Hubble"
03/01/17    " 02:44:39.079"    1087875    05f0    1460    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::IsObjectWhiteListed    "WhiteListManager.cpp"    163    "White list status (not cached): File 'C:\Users\Thomas Schulz\Downloads\sitemap-setup (1).exe'  => HubbleError"
03/01/17    " 02:44:39.079"    1087875    05f0    1460    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    947    "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\Users\Thomas Schulz\Downloads\sitemap-setup (1).exe, id=0x9"
03/01/17    " 02:44:39.263"    1088046    05f0    1624    WARNING    7zWrapper    mb::common::sevenzip::SevenZipWrapper::CreateZipArchive    "7zWrapper.cpp"    1126    "Could not open file: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ARW\mbarwind.arw. Trying to make a copy of it..."
03/01/17    " 02:44:39.313"    1088109    05f0    1624    WARNING    7zWrapper    mb::common::sevenzip::SevenZipWrapper::CreateZipArchive    "7zWrapper.cpp"    1126    "Could not open file: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\logs\MBAMSERVICE.log. Trying to make a copy of it..."
03/01/17    " 02:44:40.051"    1088843    05f0    052c    WARNING        ArwSDK    ""    0    "{Thread: 0x00001464, Tick: 0x00109D4B} [KillProcess] The process {PID: 1096748626800} is already stopped."
03/01/17    " 02:44:44.200"    1092984    05f0    1624    INFO    ArwController    CArwController::SendThreatFileToServerCallback    "ArwController.cpp"    910    "Successfully sent the detected file and info to server."

 

03/01/17    " 02:45:39.300"    1148093    05f0    136c    ERROR    HttpConnection    mb::common::net::HttpConnection::SendRequest    "HttpConnection.cpp"    229    "HTTP request failed, status code: 500"
03/01/17    " 02:45:39.300"    1148093    05f0    136c    ERROR    CloudCtrlImpl    CloudControllerImplHelper::GetAuthenticatedURLForUpload    "CloudControllerImplHelper.cpp"    1335    "Error code 500 returned in POST to Cosmos"
03/01/17    " 02:45:39.300"    1148093    05f0    136c    ERROR    CloudCtrlImpl    CloudControllerImplHelper::UploadARWData    "CloudControllerImplHelper.cpp"    793    "Failed to obtain upload URL from Cosmos"
03/01/17    " 02:45:39.300"    1148093    05f0    136c    ERROR    CloudCtrlImpl    CloudControllerImplHelper::ProcessARWUploads    "CloudControllerImplHelper.cpp"    675    "Failed to send detection data with UUID: 1075169efe2011e6b8ad00248c156224"

 

Edited by ThomasSchulzMS
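As an added example (not from the thread and not Malwarebytes code), here is a small Python triage script for the MBAMSERVICE.LOG layout quoted above. It correlates each ARW detection callback with the whitelist lookup result and the action the SDK took, so the case the log itself points out (the whitelist lookup failed with HTTP 500 and the file was treated as unknown and killed) is separated from a genuine "not whitelisted" kill and from a whitelisted allow. The sample lines are constructed, with placeholder paths and Sha256 values.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the MBAMSERVICE.LOG layout quoted in the thread; paths and hashes are placeholders.
SAMPLE_LOG = r'''
03/01/17    " 02:40:30.000"    839000    05f0    1460    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    922    "Received threat detection callback from ARW SDK, ObjectPath=C:\Users\user\Downloads\setup.exe, Sha256Hash=aaaa0000"
03/01/17    " 02:40:31.000"    840000    05f0    1460    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::IsObjectWhiteListed    "WhiteListManager.cpp"    163    "White list status (not cached): File 'C:\Users\user\Downloads\setup.exe'  => None"
03/01/17    " 02:40:33.213"    842000    05f0    1468    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate    "ArwCleanupScheduler.cpp"    531    "Received a results callback from ARW SDK - ObjectPath = C:\Users\user\Downloads\setup.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
03/01/17    " 02:41:14.320"    883109    05f0    13c0    INFO    CleanControllerImpl    QuarantineEngine::QuarantineFile    "QuarantineEngine.cpp"    373    "Quarantining C:\Users\user\Downloads\setup.exe"
03/01/17    " 02:44:34.821"    1083609    05f0    1460    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    922    "Received threat detection callback from ARW SDK, ObjectPath=X:\AppData\Local\Temp\is-XXXX.tmp\setup.tmp, Sha256Hash=bbbb1111"
03/01/17    " 02:44:34.846"    1083640    05f0    1460    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::IsObjectWhiteListed    "WhiteListManager.cpp"    163    "White list status (not cached): File 'X:\AppData\Local\Temp\is-XXXX.tmp\setup.tmp'  => Hubble/MEPS"
03/01/17    " 02:44:37.557"    1086343    05f0    1468    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate    "ArwCleanupScheduler.cpp"    531    "Received a results callback from ARW SDK - ObjectPath = X:\AppData\Local\Temp\is-XXXX.tmp\setup.tmp, RegObjectPath = , ActionTaken=ARW_ACTION_ALLOW_NONE, Result = ARW_RESULT_SUCCESS, RebootRequired = No"
03/01/17    " 02:44:38.051"    1086843    05f0    1460    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    922    "Received threat detection callback from ARW SDK, ObjectPath=C:\Users\user\Downloads\setup (1).exe, Sha256Hash=aaaa0000"
03/01/17    " 02:44:39.079"    1087875    05f0    1460    ERROR    CleanControllerImpl    mb::cleanctlrimpl::whitelist::HubbleWhiteLister::IsFileWhiteListed    "HubbleWhiteLister.cpp"    187    "Error code 500 returned in PUT to Hubble"
03/01/17    " 02:44:39.079"    1087875    05f0    1460    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::IsObjectWhiteListed    "WhiteListManager.cpp"    163    "White list status (not cached): File 'C:\Users\user\Downloads\setup (1).exe'  => HubbleError"
03/01/17    " 02:44:39.079"    1087875    05f0    1460    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    947    "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\Users\user\Downloads\setup (1).exe, id=0x9"
'''
# Fields: date, quoted time, tick, pid, tid, level, component, function, quoted file, line, quoted message.
LINE_RE = re.compile(r'^\S+\s+"[^"]*"\s+\d+\s+\w+\s+\w+\s+[A-Z]+\s+\S+\s+(?P<function>\S+)\s+'
                     r'"[^"]*"\s+\d+\s+"(?P<message>.*)"$')
# Message shapes of the ARW events worth correlating, taken from the quoted log.
DETECT_RE = re.compile(r'ObjectPath=(?P<path>.*?), Sha256Hash=(?P<sha256>[0-9a-fA-F]+)')
WL_RE = re.compile(r"White list status \(not cached\): File '(?P<path>.*?)'\s+=> (?P<status>\S+)")
WL_ERR_RE = re.compile(r'only whitelisted due to error in whitelisting.*ObjectPath=(?P<path>.*?), id=')
ACTION_RE = re.compile(r'ObjectPath = (?P<path>.*?), RegObjectPath = .*?ActionTaken=(?P<action>\w+)')
QUAR_RE = re.compile(r'^Quarantining (?P<path>.*)$')

def parse_messages(text):
    # Yield the quoted message of every well-formed log line; anything else is skipped.
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m['message']

def correlate(text):
    """Fold the ARW event stream into one record per ObjectPath."""
    files = defaultdict(lambda: {'sha256': None, 'whitelist': None,
                                 'whitelist_error': False, 'action': None, 'quarantined': False})
    for msg in parse_messages(text):
        if m := DETECT_RE.search(msg):
            files[m['path']]['sha256'] = m['sha256']
        elif m := WL_RE.search(msg):
            files[m['path']]['whitelist'] = m['status']
        elif m := WL_ERR_RE.search(msg):
            files[m['path']]['whitelist_error'] = True
        elif m := ACTION_RE.search(msg):
            files[m['path']]['action'] = m['action']
        elif m := QUAR_RE.search(msg):
            files[m['path']]['quarantined'] = True
    return dict(files)

def verdict(rec):
    """Classify one record: whitelisted allow, confirmed kill, or a kill caused by a failed lookup."""
    if rec['whitelist_error'] or rec['whitelist'] == 'HubbleError':
        return 'KILLED_ON_WHITELIST_LOOKUP_ERROR'  # lookup returned HTTP 500; file treated as unknown
    if rec['action'] == 'ARW_ACTION_ALLOW_NONE':
        return 'ALLOWED_BY_WHITELIST'
    if rec['action'] == 'ARW_ACTION_KILL_PROCESS':
        return 'KILLED_NOT_WHITELISTED' + (' (quarantined)' if rec['quarantined'] else '')
    return 'INCOMPLETE'

def triage(text):
    return {path: verdict(rec) for path, rec in correlate(text).items()}

if __name__ == '__main__':
    print(*(f'{v:40} {p}' for p, v in triage(SAMPLE_LOG).items()), sep='\n')
```

Point it at a real MBAMSERVICE.LOG with `triage(open(path, encoding='utf-8', errors='replace').read())`; a run of KILLED_ON_WHITELIST_LOOKUP_ERROR verdicts says the cloud lookup, not the local verdict, decided the outcome.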

 

What happens near the end is that people can choose to open various sibling product pages. The default is that all check boxes are unchecked, so nothing is launched.

 

Then, at the very end / last page, the installer defaults to
- open/run the just installed program
- open the "like" page in the default browser

It appears opening a browser from inside the installer triggers:
 

03/01/17    " 03:10:05.158"    2613953    05f0    3e1c    INFO    AEControllerImpl    mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification    "AEControllerImplHelper.cpp"    2084    "App Injected (Google Chrome (and plug-ins))"
03/01/17    " 03:11:17.245"    2686031    05f0    3e1c    INFO    AEControllerImpl    mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification    "AEControllerImplHelper.cpp"    2084    "App Injected (Microsoft Edge (and add-ons))"

It is worth noting my installer uses some simple scripting, e.g. for deciding which checkboxes to show and similar. Maybe somehow that is related to the problem.

The false positive detection also seems to trigger for another sibling tool as well, so it is probably safe to say all or most of my software is affected by this problem.

Edited by ThomasSchulzMS

Okay - attaching here

I renamed the json files with .txt file extension in

C:\ProgramData\Malwarebytes\MBAMService\ArwDetections

since I am not allowed to attach .json files.

 

And also attached

C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG

 

6e55580c-fdc4-11e6-b7db-00248c156224.json.txt

08f4df9a-fe1f-11e6-bde7-00248c156224.json.txt

b85e84d6-fe1f-11e6-b28b-00248c156224.json.txt

0c104c72-fe20-11e6-8519-00248c156224.json.txt

72c90940-fe20-11e6-ab3d-00248c156224.json.txt

MBAMSERVICE.LOG
