
Malwarebytes breaks Windows subsystem for Linux


oselotti


Hi

I noticed that Malwarebytes breaks the Windows subsystem for Linux if I run "sudo apt update && sudo apt upgrade". This is very annoying because I have to reinstall the whole WSL system every time this happens. dpkg is NOT malware, it is a package management tool in Ubuntu. Please see: http://manpages.ubuntu.com/manpages/xenial/man1/dpkg.1.html

Please see the attachment.

mb_dpkg.PNG


Thanks for verifying this, which I reported in "Win10 bash/dpkg blocked" 


Here is the file and virustotal results.

https://www.virustotal.com/fi/file/8582bd90af0d750c5b3ff37e5a6b018aebe71baafb215cb82c273d3281c160cf/analysis/1492324780/

Here is the log:

04/15/17	" 14:46:33.476"	1569125	0d90	14ac	INFO	AntiRansomwareControllerImpl	mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback	"ArwControllerImplHelper.cpp"	922	"Received threat detection callback from ARW SDK, ObjectPath=dpkg, Sha256Hash="
04/15/17	" 14:46:33.510"	1569156	0d90	14ac	ERROR	CleanControllerImpl	mb::cleanctlrimpl::whitelist::SignatureWhiteLister::IsObjectWhiteListed	"SignatureWhiteLister.cpp"	74	"No WHITESIGS found in Clean.mbdb"
04/15/17	" 14:46:33.510"	1569156	0d90	14ac	ERROR	CleanControllerImpl	CommonCleanUtils::GetFileHashesAndSize	"CommonCleanUtils.cpp"	311	"GetTripleHash failed for file = 'dpkg'"
04/15/17	" 14:46:33.510"	1569156	0d90	14ac	ERROR	CleanControllerImpl	mb::swissarmyclientutils::SwissArmyShimLoader::GetFileSize	"SwissArmyShimLoader.cpp"	517	"GetFileSize failed for dpkg; status=9"
04/15/17	" 14:46:33.510"	1569156	0d90	14ac	INFO	CleanControllerImpl	mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus	"WhiteListManager.cpp"	231	"White list status (not cached): File 'dpkg'   => Hubble:Error"
04/15/17	" 14:46:33.510"	1569156	0d90	14ac	INFO	AntiRansomwareControllerImpl	mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback	"ArwControllerImplHelper.cpp"	947	"The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=dpkg, id=0x0"
04/15/17	" 14:46:33.542"	1569187	0d90	17c0	WARNING		ArwSDK	""	0	"{Thread: 0x0000120C, Tick: 0x0017F1A3} [KillProcess] The process {PID: 2760} is already stopped."
04/15/17	" 14:46:33.542"	1569187	0d90	17c4	ERROR	AntiRansomwareControllerImpl	mb::arwcontrollerimpl::ArwControllerImpl::ArwShimErrorCallback	"ArwControllerImplHelper.cpp"	379	"Arw SDK Error: ErrorCode = 24, RebootRequired = No, Severity = 1, ErrorMsg = Unable to apply action. {Action: 2; Result: 1 }."

dpkg.zip

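The log above records the whole decision chain in plain words: the detection callback arrived with an empty Sha256Hash, the file-size lookup failed (status=9), the whitelist lookup therefore ended in Hubble:Error, and the controller then asked the SDK to kill the process because the file was "only whitelisted due to error in whitelisting", not because anything produced a malware verdict. The following is an added example, not code from this thread or from Malwarebytes: a small parser for that tab-separated log format that pulls the chain out per detected object. The column names are an assumption from the order seen in the posted lines, and the sample is constructed from five of the eight lines quoted above.

```python
"""Pull the anti-ransomware decision chain out of Malwarebytes 3 log lines.

Added example, not code from the thread or from Malwarebytes.  Column names
are an assumption from the field order seen in the posted lines; "Hubble" is
taken from the log text itself as the name of the whitelist lookup that failed.
"""
import re
from typing import Dict, List

# Sample constructed from the tab-separated lines quoted in the post above
# (five of the eight lines; assumed fields: date, time, tick, pid, tid, level,
# component, function, source file, source line, message).
SAMPLE_LOG: List[str] = [
    '04/15/17\t" 14:46:33.476"\t1569125\t0d90\t14ac\tINFO\tAntiRansomwareControllerImpl\t'
    'mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback\t'
    '"ArwControllerImplHelper.cpp"\t922\t'
    '"Received threat detection callback from ARW SDK, ObjectPath=dpkg, Sha256Hash="',
    '04/15/17\t" 14:46:33.510"\t1569156\t0d90\t14ac\tERROR\tCleanControllerImpl\t'
    'mb::swissarmyclientutils::SwissArmyShimLoader::GetFileSize\t'
    '"SwissArmyShimLoader.cpp"\t517\t"GetFileSize failed for dpkg; status=9"',
    '04/15/17\t" 14:46:33.510"\t1569156\t0d90\t14ac\tINFO\tCleanControllerImpl\t'
    'mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus\t'
    '"WhiteListManager.cpp"\t231\t'
    '"White list status (not cached): File \'dpkg\'   => Hubble:Error"',
    '04/15/17\t" 14:46:33.510"\t1569156\t0d90\t14ac\tINFO\tAntiRansomwareControllerImpl\t'
    'mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback\t'
    '"ArwControllerImplHelper.cpp"\t947\t'
    '"The detected file is only whitelisted due to error in whitelisting (likely offline), '
    'sending an action request to the SDK to kill this process. ObjectPath=dpkg, id=0x0"',
    '04/15/17\t" 14:46:33.542"\t1569187\t0d90\t17c4\tERROR\tAntiRansomwareControllerImpl\t'
    'mb::arwcontrollerimpl::ArwControllerImpl::ArwShimErrorCallback\t'
    '"ArwControllerImplHelper.cpp"\t379\t'
    '"Arw SDK Error: ErrorCode = 24, RebootRequired = No, Severity = 1, '
    'ErrorMsg = Unable to apply action. {Action: 2; Result: 1 }."',
]

FIELDS = ("date", "time", "tick", "pid", "tid", "level", "component",
          "function", "file", "line", "message")


def parse_line(line: str) -> Dict[str, str]:
    """Split one tab-separated log line into named fields, unquoting as needed."""
    parts = line.split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("time", "file", "message"):
        rec[key] = rec[key].strip().strip('"').strip()
    return rec


def reconstruct(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Group the records by detected object and record how the kill was decided.

    Per ObjectPath: the reported hash, the whitelist verdict, the action taken,
    the SDK error code, and whether the kill was requested only because the
    whitelist lookup errored (the controller says so in its own message).
    """
    events: Dict[str, Dict[str, object]] = {}
    current = None
    for rec in map(parse_line, lines):
        msg = rec["message"]
        m = re.search(r"ObjectPath=([^,\s]+)", msg)
        if m:
            current = m.group(1)
            events.setdefault(current, {
                "sha256": None, "whitelist": None, "action": None,
                "sdk_error": None, "killed_on_whitelist_error": False,
            })
        if current is None:
            continue  # no object named yet, nothing to attribute
        ev = events[current]
        m = re.search(r"Sha256Hash=(\w*)", msg)
        if m:
            ev["sha256"] = m.group(1)  # empty string: the engine never hashed it
        m = re.search(r"White list status.*=>\s*(\S+)", msg)
        if m:
            ev["whitelist"] = m.group(1)
        if "due to error in whitelisting" in msg and "kill this process" in msg:
            ev["action"] = "kill"
            ev["killed_on_whitelist_error"] = True
        m = re.search(r"ErrorCode = (\d+)", msg)
        if m:
            ev["sdk_error"] = int(m.group(1))
    return events


def false_positive_candidates(lines: List[str]) -> List[str]:
    """Objects that were killed with no hash and no whitelist verdict."""
    return [name for name, ev in reconstruct(lines).items()
            if ev["killed_on_whitelist_error"] and not ev["sha256"]]


if __name__ == "__main__":
    for name, ev in reconstruct(SAMPLE_LOG).items():
        print(name, ev)
    print("killed without a verdict:", false_positive_candidates(SAMPLE_LOG))
```

Run over a full log, the `false_positive_candidates` list is the set of processes the product terminated purely because its reputation lookup failed, which is exactly the population to check against a package manager's own file list before deciding anything was malicious.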

  • Staff

Couple of questions as I am trying to figure out what is going on here.

Are you running mbam offline?

We have preliminarily tested this but have been unable to repro in our testing environments. Could you please send me the full mbam

That said, I should have fixed this. Either Mbam will have to be online and/or you will have to update the database to get the fix.

Can I also ask you to do this so we can figure out what exactly is happening?

The MBARW devs/staffers must have good, detailed documentation for a quality analysis. Please consider running the following Malwarebytes-written data gathering Support Tool:

1.) Download arwlogs.exe to an Administrator desktop of the system in question.

https://malwarebytes.box.com/s/fpbjgxi0cp1feswku3a5d3c92iggv9rp

2.) Right-click the arwlogs.exe icon and select "Run as administrator". A zipped archive should soon be generated on the Administrator desktop.
3.) Rather than email the archive as the tool directs, please attach the archive to your next reply in this topic.

Please consider left-clicking the "Follow" button, near the upper-right corner of your topic, to receive timely email notifications about updates to your topic.

Although more data may be required, after the requested data is posted, the Malwarebytes' QA & Developer Teams, and staffers can commence their analysis.  Thank you always for your assistance.


On 17.4.2017 at 3:27 AM, shadowwar said:

Are you running mbam offline?

We have preliminary tested this but have been unable to repro in our testing environments.

No, I run it online. However, I do not remember what database version I had when this happened last time. This problem started appearing after I upgraded to Malwarebytes 3. Also, it does not happen every time I upgrade my WSL installation, only sometimes.

Malwarebytes Premium 3.0.6.1469, Component package 1.0.1.103, Update package 1.0.1753

On 17.4.2017 at 3:27 AM, shadowwar said:

Rather than email the archive as the tool directs, please attach the archive to your next reply in this topic.

I ran that tool and I tried to send the zip archive to you via PM but my archive is 293MB and this forum allows only 29.3MB attachments. Also, I do not like the idea of posting my log archive publicly to this forum, because I do not know what information it contains.


  • 4 weeks later...

Malwarebytes broke my WSL again. I was updating my Ubuntu in Windows Subsystem for Linux when Malwarebytes blocked mandb. It is a program that updates the manual page index caches in Ubuntu. I cannot undo this because the quarantine is empty. I guess I have to reinstall the whole WSL system again.

mandb.PNG

https://www.virustotal.com/fi/file/1b0cc047b00a989db271dd7564a87f5f34f76d2a1528fe3c6ba0ccda6e859f20/analysis/1494610888/

Here is the full log for apt:

$ sudo apt update && sudo apt upgrade
[sudo] password for user:
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Get:2 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages [258 kB]
Get:3 http://security.ubuntu.com/ubuntu xenial-security/main Translation-en [109 kB]
Get:4 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 Packages [110 kB]
Get:5 http://security.ubuntu.com/ubuntu xenial-security/universe Translation-en [56.6 kB]
Get:6 http://security.ubuntu.com/ubuntu xenial-security/multiverse amd64 Packages [2,752 B]
Hit:7 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:8 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Get:9 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [530 kB]
Get:10 http://archive.ubuntu.com/ubuntu xenial-updates/main Translation-en [215 kB]
Get:11 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages [461 kB]
Get:12 http://archive.ubuntu.com/ubuntu xenial-updates/universe Translation-en [180 kB]
Get:13 http://archive.ubuntu.com/ubuntu xenial-updates/multiverse amd64 Packages [8,932 B]
Fetched 2,135 kB in 21min 41s (1,640 B/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
31 packages can be upgraded. Run 'apt list --upgradable' to see them.
[sudo] password for user:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  snap-confine
Use 'sudo apt autoremove' to remove it.
The following packages will be upgraded:
  apt apt-transport-https apt-utils cloud-init distro-info-data dpkg
  libapt-inst2.0 libapt-pkg5.0 libicu55 libpam-systemd librtmp1 libsystemd0
  libudev1 login logrotate openssh-client openssh-server openssh-sftp-server
  passwd python3-software-properties snap-confine snapd
  software-properties-common sosreport systemd systemd-sysv
  ubuntu-core-launcher udev uidmap unattended-upgrades zlib1g
31 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 29.1 MB of archives.
After this operation, 5,415 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 dpkg amd64 1.18.4ubuntu1.2 [2,085 kB]
Get:2 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 login amd64 1:4.2-3.1ubuntu5.2 [305 kB]
Get:3 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 zlib1g amd64 1:1.2.8.dfsg-2ubuntu4.1 [51.2 kB]
Get:4 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 libapt-pkg5.0 amd64 1.2.20 [707 kB]
Get:5 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 libapt-inst2.0 amd64 1.2.20 [55.6 kB]
Get:6 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 apt amd64 1.2.20 [1,042 kB]
Get:7 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 apt-utils amd64 1.2.20 [196 kB]
Get:8 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 systemd-sysv amd64 229-4ubuntu17 [12.8 kB]
Get:9 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 libpam-systemd amd64 229-4ubuntu17 [115 kB]
Get:10 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 libsystemd0 amd64 229-4ubuntu17 [205 kB]
Get:11 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 systemd amd64 229-4ubuntu17 [3,623 kB]
Get:12 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 udev amd64 229-4ubuntu17 [992 kB]
Get:13 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 libudev1 amd64 229-4ubuntu17 [55.3 kB]
Get:14 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 ubuntu-core-launcher amd64 2.24.1 [1,564 B]
Get:15 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 snap-confine amd64 2.24.1 [1,722 B]
Get:16 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 snapd amd64 2.24.1 [9,588 kB]
Get:17 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 passwd amd64 1:4.2-3.1ubuntu5.2 [780 kB]
Get:18 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 distro-info-data all 0.28ubuntu0.3 [4,048 B]
Get:19 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 logrotate amd64 3.8.7-2ubuntu2.16.04.1 [37.8 kB]
Get:20 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 apt-transport-https amd64 1.2.20 [26.1 kB]
Get:21 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 libicu55 amd64 55.1-7ubuntu0.2 [7,659 kB]
.gitfa8646d-1build1) ...
Preparing to unpack .../openssh-sftp-server_1%3a7.2p2-4ubuntu2.2_amd64.deb ...
Unpacking openssh-sftp-server (1:7.2p2-4ubuntu2.2) over (1:7.2p2-4ubuntu2.1) ...
Preparing to unpack .../openssh-server_1%3a7.2p2-4ubuntu2.2_amd64.deb ...
Unpacking openssh-server (1:7.2p2-4ubuntu2.2) over (1:7.2p2-4ubuntu2.1) ...
Preparing to unpack .../openssh-client_1%3a7.2p2-4ubuntu2.2_amd64.deb ...
Unpacking openssh-client (1:7.2p2-4ubuntu2.2) over (1:7.2p2-4ubuntu2.1) ...
Preparing to unpack .../software-properties-common_0.96.20.6_all.deb ...
Unpacking software-properties-common (0.96.20.6) over (0.96.20.5) ...
Preparing to unpack .../python3-software-properties_0.96.20.6_all.deb ...
Unpacking python3-software-properties (0.96.20.6) over (0.96.20.5) ...
Preparing to unpack .../sosreport_3.4-1~ubuntu16.04.1_amd64.deb ...
Unpacking sosreport (3.4-1~ubuntu16.04.1) over (3.2+git276-g7da50d6-3ubuntu1) ...
dpkg: error processing archive /var/cache/apt/archives/sosreport_3.4-1~ubuntu16.04.1_amd64.deb (--unpack):
 unable to stat './usr/share/sosreport/sos/plugins/ipsec.py' (which I was about to install): Permission denied
dpkg: error while cleaning up:
  unable to remove backup copy of '/usr/share/sosreport/sos/plugins/navicli.py': Permission denied
dmesg: read kernel buffer failed: Function not implemented
E: Sub-process /usr/bin/dpkg returned an error code (2)

Edited by oselotti

  • 1 month later...

I have normally shut down Malwarebytes when running "sudo apt-get upgrade" in Windows 10 Linux subsystem since it has broken in the past. Forgot to do it now and Malwarebytes once again interfered and left me with broken packages and a Linux subsystem that's no longer working. Tried everything to try and get it to fix/reinstall the packages but no go. So will, once again, have to wipe the Linux subsystem and reinstall and reconfigure what I had.

p.s.

Just managed to skimp by since there was a backup of the damaged file. So I first copied that:

sudo cp /var/lib/dpkg/status-old /var/lib/dpkg/status

Then I ran:

sudo apt-get --fix-missing -f upgrade
Edited by inquam
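inquam's recovery above copies /var/lib/dpkg/status-old over the live status database and then lets apt-get -f repair the rest. Before overwriting the live file it is worth checking which copy is actually the damaged one, since a process killed underneath apt can leave either file incomplete. The following is an added example, not code from this thread: a POSIX sh check that accepts a dpkg status file only if every stanza carries both a Package: and a Status: field, and picks the first intact copy among the live file, status-old, and the /var/backups/dpkg.status.0 copy that dpkg's daily cron job keeps on Debian-based systems. The status files in the demo are constructed; the recovery sequence in the trailing comment is for a real system and is not executed.

```sh
#!/bin/sh
# Added example, not from the thread: decide whether /var/lib/dpkg/status is
# intact before overwriting it with a backup.  Uses only sh and awk plus the
# files dpkg itself maintains.  Run inside the WSL distro, not from Windows.

# A status file is intact when it is non-empty and every stanza carries both
# a Package: and a Status: field.  A trailing stanza that lacks Status: is
# what an interrupted write looks like.
dpkg_status_ok() {
    [ -s "$1" ] || return 1
    awk '
        function finish() {
            if (n > 0 && !(pkg && st)) bad++
            pkg = st = n = 0
        }
        /^Package:/ { pkg = 1 }
        /^Status:/  { st = 1 }
        /^$/        { finish(); next }
                    { n++ }
        END         { finish(); exit (bad ? 1 : 0) }
    ' "$1"
}

# Print the first intact file among the candidates, in preference order.
pick_status_source() {
    for cand in "$@"; do
        if dpkg_status_ok "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Demo on constructed files so the script runs stand-alone: the live file is
# cut off inside the sosreport stanza, the backup is complete.
demo() {
    d=$(mktemp -d)
    printf 'Package: dpkg\nStatus: install ok installed\nVersion: 1.18.4ubuntu1.2\n\n' > "$d/status-old"
    printf 'Package: dpkg\nStatus: install ok installed\n\nPackage: sosreport\nVersion: 3.4-1~ubuntu16.04.1' > "$d/status"
    pick_status_source "$d/status" "$d/status-old"
    rc=$?
    rm -rf "$d"
    return $rc
}

case "${1:-}" in --demo) demo ;; esac

# Recovery sequence on a real system (not executed here):
#   src=$(pick_status_source /var/lib/dpkg/status /var/lib/dpkg/status-old \
#         /var/backups/dpkg.status.0) || exit 1
#   [ "$src" = /var/lib/dpkg/status ] || cp -p "$src" /var/lib/dpkg/status
#   dpkg --audit            # list half-installed / half-configured packages
#   dpkg --configure -a     # finish interrupted configure steps
#   apt-get -f install      # pull in whatever the killed run left missing
```

Run `sh script.sh --demo` to see it choose status-old on the constructed pair. Stop the anti-ransomware component, or exclude the WSL root filesystem, before re-running the upgrade; otherwise the repaired database is overwritten by the next killed dpkg run.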
