DropBox Detected as Ransomware


kirashi

I just had MBAM Premium detect a DropBox Windows HKLM Registry Key as Ransomware. I was moving files around inside my DropBox folder when this happened, so MBAM probably picked up on the DropBox.exe process "modifying" (AKA Syncing) these files to the cloud en masse, killed the process, and blocked it from executing. I'd like to first say amazing job at blocking Ransomware in its tracks - um... if it was actually Ransomware. :P

Malwarebytes version: 3.0.6.1469
Component package version: 1.0.103
Update package version: 1.0.1763


No big deal, as I'll just reinstall DropBox and start its sync process again, and probably whitelist it in MBAM, but I thought I'd share in case this has happened to anyone else.


On 4/19/2017 at 4:29 PM, kirashi said:

I just had MBAM Premium detect a DropBox Windows HKLM Registry Key as Ransomware. I was moving files around inside my DropBox folder when this happened, so MBAM probably picked up on the DropBox.exe process "modifying" (AKA Syncing) these files to the cloud en masse, killed the process, and blocked it from executing. I'd like to first say amazing job at blocking Ransomware in its tracks - um... if it was actually Ransomware. :P

Malwarebytes version: 3.0.6.1469
Component package version: 1.0.103
Update package version: 1.0.1763


No big deal, as I'll just reinstall DropBox and start its sync process again, and probably whitelist it in MBAM, but I thought I'd share in case this has happened to anyone else.

The same happened to me today. Dropbox.exe (clean) detected as Malware.Ransom.Agent.Generic. I will need to reinstall Dropbox and add the app to the whitelist in Malwarebytes.


On 4/19/2017 at 9:49 PM, miekiemoes said:

Please go to the following folder: C:\ProgramData\Malwarebytes\MBAMService\logs\

and zip and attach the MBAMSERVICE.LOG to your next post.

I've attached the MBAMService.log file from the affected computer as requested.

To clarify, I was moving things in a folder in my DropBox on my computer, which is a folder I share with other users in the office. This detection occurred on one of the workstations at the office running their own company DropBox account that has access to my shared folder.

I don't know if their installation of MBAM was up-to-date or installed properly when this detection occurred, since they had another "computer expert" come in to fix some things while I was away over the weekend. le sigh When I checked their programs in appwiz.cpl, a lot of programs had different install dates than when I had installed them, including MBAM, so hopefully this computer guy didn't break things and I'm not wasting anyone's time with this issue.

MBAMSERVICE.LOG

MBAMSERVICE.LOG.zip


On 4/24/2017 at 11:03 AM, matrix27 said:

The same happened to me today. Dropbox.exe (clean) detected as Malware.Ransom.Agent.Generic. I will need to reinstall Dropbox and add the app to the whitelist in Malwarebytes.

Great to hear! Coincidentally, as I write this, the other 2 workstations at the same business also nuked their Dropbox.exe files from orbit. le sigh I guess that's why they pay me the big buck. <INSERT CANNED LAUGHTER>

Anyway, I'll manually update all the MBAM clients, and add Dropbox.exe to the exclusion list so this can't ever happen again. :) 


Hi again. So, Dropbox disappeared from my system. So, I reinstalled it and added the C:\Program Files (x86)\Dropbox\Client\Dropbox.exe file to my Exclusions. I began working in Dropbox again and all of a sudden, it got Quarantined again (along with all the Registry Value and Registry Key Types as in the image above), and it was taken off my system. This is a bit of a problem for me, since I back up my work constantly to Dropbox and need to have reliable access to it. I checked for updates to MBAM and the check came back that I was up-to-date. Is there a fix in the works or is there something else I should do? Thank you.

Edited by BambooCrystal

Just happened to me also. I restarted my PC and shortly after Dropbox started indexing, as it always does, I got a pop-up at the lower right of my screen saying Ransomware had just been handled and it showed the path for dropbox.exe. I checked and sure enough, dropbox.exe is gone. Nothing shows in the quarantine or anywhere else I can see on Malwarebytes. Log attached.

Thanks.

Jim

MBAMSERVICE.LOG


  • Staff

Hi,

I suggest you add dropbox.exe as an exclusion for now:

C:\Users\<username>\AppData\Roaming\Dropbox\bin\Dropbox.exe

Note, dropbox.exe doesn't get deleted, that's why you don't see it in quarantine. It's only the process that gets killed, because it triggered the antiransomware detection because of behavior.

We are working on a fix so this behavior doesn't happen anymore.


Miekiemoes, that is not correct. Dropbox does get deleted. It is not just the process being stopped. This has been posted several times, yet you continue to insist it is not happening. My dropbox was deleted early this morning. It's gone. I attached my log above.

Jim 

 


  • Staff

Hi Jim,

Your log doesn't indicate it has deleted it - only that it had killed the process. I am not saying you are wrong here, I am just looking at the information that is present in the log, as I can't reproduce it either where it deletes dropbox.exe.

Either way, we have the development team looking into this already.

 

Thanks!
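
The posts above disagree on whether Dropbox.exe was deleted or only its process killed, and they name two different install paths. The PowerShell check below is an added example, not part of the thread and not Malwarebytes or Dropbox tooling; it assumes only the two paths quoted in the posts and reports, for each, whether the binary is on disk, whether its Authenticode signature validates, and whether a process is running from it.

```powershell
# Added example (not from the thread). The two relative paths are the ones quoted in the posts.
$roots = @(
    @{ Root = $env:APPDATA;             Rel = 'Dropbox\bin\Dropbox.exe' },
    @{ Root = ${env:ProgramFiles(x86)}; Rel = 'Dropbox\Client\Dropbox.exe' }
)
# Skip a root that is not defined on this machine (e.g. no ProgramFiles(x86) on 32-bit Windows).
$candidates = $roots | Where-Object { $_.Root } | ForEach-Object { Join-Path $_.Root $_.Rel }

# Image paths of Dropbox processes that are running right now (empty if the process was killed).
$running = @(Get-Process -Name 'Dropbox' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    ForEach-Object { $_.Path.ToLowerInvariant() })

$report = foreach ($path in $candidates) {
    $onDisk = Test-Path -LiteralPath $path -PathType Leaf
    $sig    = if ($onDisk) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
    [pscustomobject]@{
        Path      = $path
        OnDisk    = $onDisk
        Running   = $running -contains $path.ToLowerInvariant()
        Signature = if ($sig) { [string]$sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
    }
}
$report | Format-List

# Separate the two outcomes argued about in the thread.
foreach ($r in $report) {
    if ($r.OnDisk -and $r.Running) {
        "{0}: binary present and running" -f $r.Path
    } elseif ($r.OnDisk) {
        "{0}: binary present, no process running from it (process stopped, file not removed)" -f $r.Path
    } else {
        "{0}: no binary at this path (never installed here, or removed)" -f $r.Path
    }
}
```

An exclusion only helps if it names the path reported as `OnDisk`; check `Signature` and `Signer` before excluding a binary.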

 


Hi again,

Just to add to my information in case it helps the developers working on it: I do not have C:\Users\<username>\AppData\Roaming\Dropbox\bin\Dropbox.exe anywhere on my system- (Dell Laptop). I have a Dropbox folder under Users, but it does not have any .exe files within. And where my .exe Dropbox file "used to be" was under C:\Program Files (x86)\Dropbox\Client\Dropbox.exe  -   which is what I added to MBAM Exclusions, and was later Quarantined as ransomware anyway. It still shows up on the Quarantine window of MBAM, but C:\Program Files (x86)\Dropbox no longer exists on my computer, though I never chose what to do with it on the Quarantine page. 

Nonetheless, thanks for looking into this and I hope this gets resolved soon.  I appreciate all your help.


  • 3 weeks later...

Mike,

I just had the same problem with Malwarebytes v3.0.6 deleting Dropbox.exe.

This same annoying false positive has happened with other legitimate exe files. What a problem Malwarebytes has created with this bloatware version!

I have reinstalled & added an exclusion for C:\Program Files (x86)\Dropbox\Client\Dropbox.exe. 

The log filename MBAMSERVICE.LOG you request does not seem to be on my PC. What else might it be called?

WORKAROUND:

I will roll back to the good and simple version 2.21 (which requires a clean uninstall to eliminate the required update nag dialog to version 3).  You should continue to offer 2.2.1 with a big warning on your sales site, especially for those of us who are Premium paid customers. For the benefit of others suffering from this bug, please see instructions I received from Malwarebytes support below:

_______________________________________________________________________________________________

Hi. Welcome to Malwarebytes support, my name is Fernando and I’ll be assisting you today. 

Unfortunately we do not currently have a fix for the bug you are experiencing. Our engineers are hard at work to track down and fix most critical issues since the release of Malwarebytes 3.0. In the meantime we are advising users with the option to revert back to version 2.2.1 until we have a formal fix for these bugs.

Please follow the steps below to revert to version 2.2.1 and let me know if you need any additional assistance.

Step 1: Clean:

  1. Uninstall Malwarebytes 3.0 from the Windows Control Panel.
    • If you do not see this program skip this part.
  2. Reboot your computer
  3. After the reboot, please download and run the MBAM-clean tool from the link below:
  4. Reboot your computer

Step 2: Installation:

  1. Download and Run the Malwarebytes 2.2.1 installer from the link below
  2. Locate and double click the file, mbam-setup-2.2.1.1043.exe, to run the installer:
    • Be sure to check your downloads folder if you do not see the file
  3. Press Accept, then follow the prompts on the installer window.
  4. Malwarebytes will open automatically to the new welcome screen.
  5. If you have a premium subscription for either Malwarebytes Anti-Malware Proceed to Activation.

Step 3: Activation: Premium Subscribers Only

  1. If you do not already have your license key on hand, you can obtain your license info here.
  2. Press the Activate button in the top right.
    • If you only see a My Account button in the top right your license has already migrated over. Please click My Account to verify.
  3. Copy and Paste your License info to the appropriate boxes.
    • If your activation info has an ID press the "I also have an ID" link
  4. Click the Activate button to activate your Malwarebytes 2.2.1 Premium license

Please let me know whether or not this solves your issue or if you have any further questions. Your patience and understanding are much appreciated.
 
