Jump to content

Can't find quarantined ransomware

Recommended Posts

I am having the same problem, and I'm relatively sure it's a false positive. The 'quarantined' file (despite there being no logs of it in the reports tab, nor listed in the quarantine tab) seems to get orphaned, with no way to reclaim ownership, modify, move, or delete the file. I'm not sure if this is just what happens to files MWB quarantines, or if it is an additional error.

The program in question is a game, the exe that gets quarantined hasn't been modified since 8/2/2016, and I've been playing it off and on without problems until now. The only recently modified files in the game's directory appear to be output logs and config files.  Restoring the game exe from backup, I can play for awhile, but then it crashes and MWB claims to have quarantined it as generic ransomware, again.

Checking Event Viewer, there was a service logon at the time of crash/'quarantine':



    Security ID:        SYSTEM
    Account Name:        THE-SAFEGUARD$
    Account Domain:        WORKGROUP
    Logon ID:        0x3e7

Logon Type:            5

New Logon:
    Security ID:        SYSTEM
    Account Name:        SYSTEM
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3e7
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:        0x3a4
    Process Name:        C:\Windows\System32\services.exe

Network Information:
    Workstation Name:    
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        Advapi  
    Authentication Package:    Negotiate
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0


Special privileges assigned to new logon.

    Security ID:        SYSTEM
    Account Name:        SYSTEM
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3e7

Privileges:        SeAssignPrimaryTokenPrivilege


I would guess this is whatever service is orphaning my files? In any case, the main problem is MWB saying it has quarantined something, then there being no record of this aside from an inaccessible file and a popup. Casting around the forum, it looks like this was happening in the beta more than a year ago? There does not seem to be any resolution to that thread, either.


Link to post
Share on other sites

I was mostly just wondering if any solution had been found to the 'quarantined ransomware doesn't show up in the quarantine,' hence why I responded to an existing topic rather than starting a new one. I'd be interested to hear if anyone has had ransomware quarantined and does have it showing up in the quarantine list, to be honest.

Playing game, scene transition, game crashes and this pops up:






Link to post
Share on other sites

Did some digging and discovered this is a known issue. If you look in your mbamservice.log file you'll see a message that says this process was killed, not quarantined. In this case, the notification is incorrect. We have this in our backlog of things to address to reduce this type of confusion.

Link to post
Share on other sites

The file is there, but inaccessible because it's not owned by anyone, apparently, and I can't take ownership of it. I tried takeown and icacls as well as navigating through the GUI, but it just says 'access denied' every time, with the GUI saying I don't have permission to view the ownership.

My computer crashed yesterday, and today the exe has returned to normal (I suppose I should whitelist it so it doesn't get killed again), but if MWB only killed the process didn't quarantine the file... I'm confused as to what happened, and thus am not sure how to avoid or fix it should it happen again.

Link to post
Share on other sites


This is intended. What actually happened here is that we thought the file in question looked like ransomware, so we tried to reach out to our servers to verify. However that check failed (which you can see in the log) so we mark the file and lock it down until either a restart, or until we can check on the file properly.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.