Can't find quarantined ransomware

I am having the same problem, and I'm relatively sure it's a false positive. The 'quarantined' file (despite there being no logs of it in the reports tab, nor listed in the quarantine tab) seems to get orphaned, with no way to reclaim ownership, modify, move, or delete the file. I'm not sure if this is just what happens to files MWB quarantines, or if it is an additional error.

The program in question is a game; the exe that gets quarantined hasn't been modified since 8/2/2016, and I've been playing it off and on without problems until now. The only recently modified files in the game's directory appear to be output logs and config files. Restoring the game exe from backup, I can play for a while, but then it crashes and MWB claims to have quarantined it as generic ransomware, again.

Checking Event Viewer, there was a service logon at the time of crash/'quarantine':

Subject:
    Security ID:        SYSTEM
    Account Name:        THE-SAFEGUARD$
    Account Domain:        WORKGROUP
    Logon ID:        0x3e7

Logon Type:            5

New Logon:
    Security ID:        SYSTEM
    Account Name:        SYSTEM
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3e7
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:        0x3a4
    Process Name:        C:\Windows\System32\services.exe

Network Information:
    Workstation Name:    
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        Advapi  
    Authentication Package:    Negotiate
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0
=================

Special privileges assigned to new logon.

Subject:
    Security ID:        SYSTEM
    Account Name:        SYSTEM
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3e7

Privileges:        SeAssignPrimaryTokenPrivilege
            SeTcbPrivilege
            SeSecurityPrivilege
            SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeAuditPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege

I would guess this is whatever service is orphaning my files? In any case, the main problem is MWB saying it has quarantined something, then there being no record of this aside from an inaccessible file and a popup. Casting around the forum, it looks like this was happening in the beta more than a year ago? There does not seem to be any resolution to that thread, either.

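The two events quoted above are the standard Event ID 4624 (logon) and 4672 (special privileges) entries in Event Viewer's text layout. As an added example, not part of this thread and not Malwarebytes code, the script below parses that layout and applies a simple triage rule: a logon type 5 whose subject is SYSTEM (logon ID 0x3e7) and whose originating process is services.exe is the Service Control Manager starting a service, which is routine; a service logon started by some other process, or high-value privileges handed to a token that is not SYSTEM, is worth a look. The EVENT_* strings are constructed samples copying the quoted layout, and the triage rules are the author's own heuristics.

```python
"""Parse and triage Windows Security-log logon events in Event Viewer's text
layout (Event ID 4624 "An account was successfully logged on" and 4672
"Special privileges assigned to new logon").

Added example, not part of the forum thread and not Malwarebytes code. The
EVENT_* strings are constructed samples that copy the layout of the quoted
events; the triage rules are the author's own heuristics, not a product's.
"""
from typing import Dict, List, Tuple

# Constructed sample: a type-5 (service) logon by the Service Control Manager.
EVENT_4624 = r"""Subject:
    Security ID:        SYSTEM
    Account Name:        THE-SAFEGUARD$
    Account Domain:        WORKGROUP
    Logon ID:        0x3e7

Logon Type:            5

New Logon:
    Security ID:        SYSTEM
    Account Name:        SYSTEM
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3e7
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:        0x3a4
    Process Name:        C:\Windows\System32\services.exe

Network Information:
    Workstation Name:    
    Source Network Address:    -
    Source Port:        -
"""

# Constructed sample: the privilege assignment that follows the service logon.
EVENT_4672 = """Subject:
    Security ID:        SYSTEM
    Account Name:        SYSTEM
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3e7

Privileges:        SeAssignPrimaryTokenPrivilege
            SeTcbPrivilege
            SeSecurityPrivilege
            SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeAuditPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege
"""

LOGON_TYPES = {"2": "interactive", "3": "network", "4": "batch", "5": "service",
               "7": "unlock", "9": "new credentials", "10": "remote interactive",
               "11": "cached interactive"}

# Privileges that let a token take over the machine; routine for SYSTEM,
# notable for anything else.
HIGH_VALUE_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeTakeOwnershipPrivilege",
                    "SeLoadDriverPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
                    "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege"}

Event = Dict[str, Dict[str, str]]


def parse_event_text(text: str) -> Event:
    """Turn the indented 'Section:' / '    Key: Value' layout into nested dicts.

    Top-level fields such as 'Logon Type' live under the '' section. A line
    without a colon continues the previous value (multi-line privilege lists).
    """
    event: Event = {"": {}}
    section = ""
    last: Tuple[str, str] = ("", "")
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0].isspace()
        key, sep, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not sep:  # continuation line: append to the previous field
            sec, prev = last
            event[sec][prev] = (event[sec].get(prev, "") + " " + key).strip()
            continue
        if not indented and not value:  # 'Subject:' etc. opens a section
            section = key
            event.setdefault(section, {})
            continue
        target = section if indented else ""
        event[target][key] = value
        last = (target, key)
    return event


def triage_logon(event: Event) -> Tuple[str, str]:
    """Classify a 4624 event as ('benign' | 'review' | 'info', reason)."""
    logon_type = event[""].get("Logon Type", "?")
    kind = LOGON_TYPES.get(logon_type, "unknown")
    subject = event.get("Subject", {})
    new = event.get("New Logon", {})
    proc = event.get("Process Information", {}).get("Process Name", "")
    if logon_type == "5":
        # Service start: the SCM (services.exe) running as SYSTEM logs the
        # service account on; 0x3e7 is the well-known SYSTEM logon session.
        scm = proc.lower().endswith("\\services.exe")
        if scm and subject.get("Security ID") == "SYSTEM" and subject.get("Logon ID") == "0x3e7":
            return "benign", f"service logon for {new.get('Account Name')} via SCM"
        return "review", f"service logon not started by SCM/SYSTEM (process {proc!r})"
    if logon_type in ("3", "10"):
        src = event.get("Network Information", {}).get("Source Network Address", "-")
        return "review", f"{kind} logon for {new.get('Account Name')} from {src}"
    return "info", f"{kind} logon for {new.get('Account Name')}"


def triage_privileges(event: Event) -> Tuple[str, List[str]]:
    """Classify a 4672 event: SYSTEM always carries these; anyone else is notable."""
    privs = set(event[""].get("Privileges", "").split())
    notable = sorted(privs & HIGH_VALUE_PRIVS)
    if event.get("Subject", {}).get("Security ID") == "SYSTEM":
        return "expected", notable
    return "review", notable


if __name__ == "__main__":
    print(triage_logon(parse_event_text(EVENT_4624)))
    print(triage_privileges(parse_event_text(EVENT_4672)))
```

Run as-is it reports the quoted pair as benign/expected. The same parser works on any event copied out of Event Viewer's General tab; swap the process name for something outside System32, or the 4672 subject for a user account, and the verdict flips to review.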

I was mostly just wondering if any solution had been found to the 'quarantined ransomware doesn't show up in the quarantine' problem, which is why I responded to an existing topic rather than starting a new one. I'd be interested to hear if anyone has had ransomware quarantined and does have it showing up in the quarantine list, to be honest.

Playing the game, scene transition, game crashes and this pops up:
(screenshot: IGfk8in.png)
logs.7z

MB-CheckResult.txt

Addition_S.txt

FRST_S.txt
Did some digging and discovered this is a known issue. If you look in your mbamservice.log file you'll see a message that says this process was killed, not quarantined. In this case, the notification is incorrect. We have this in our backlog of things to address to reduce this type of confusion.
The file is there, but inaccessible because it's not owned by anyone, apparently, and I can't take ownership of it. I tried takeown and icacls as well as navigating through the GUI, but it just says 'access denied' every time, with the GUI saying I don't have permission to view the ownership.

My computer crashed yesterday, and today the exe has returned to normal (I suppose I should whitelist it so it doesn't get killed again), but if MWB only killed the process and didn't quarantine the file... I'm confused as to what happened, and thus am not sure how to avoid or fix it should it happen again.
Update!

This is intended. What actually happened here is that we thought the file in question looked like ransomware, so we tried to reach out to our servers to verify. However that check failed (which you can see in the log) so we mark the file and lock it down until either a restart, or until we can check on the file properly.