
Malwarebytes Version: 3.0.6.1469

Component Package Version: 1.0.103

Update Package Version: 1.0.1793

I use Malwarebytes premium.

So, as you may or may not know, Garry's Mod is a sandbox game on Steam. I am having an issue where, when I join servers, sometimes the game will crash in the loading screen and Malwarebytes will mark the file as ransomware. Sometimes it states that it is chrome.exe and sometimes it states that it is the HL2.exe process itself, located in the Garry's Mod folder. (Which makes sense, as many media player addons use a Chromium base, as far as I am aware.) I think the anti-ransomware component in the Malwarebytes client may be seeing the file encryption system the addons use as malicious, though I am not an expert. For some reason, after being "detected", none of these files actually end up in quarantine; this is one of the reasons I believe this is a false positive. Also, I have been playing this game for a really, really long time and never had any issues whatsoever, so I am honestly just looking for a bit of clarity. It's hard to get the exact file path for the problematic component because, as I stated, none of these files ever end up in the quarantine zone. The one time I fully caught the detection, it stated it was detected as "malware.ransom.agent.generic". Every time I scan after this happens, nothing EVER comes up as a detection; this only happens in real time when joining servers.

EDIT - Also, after this happens the game exe switches icons from the game icon to the default exe icon and refuses to be edited (deleted or anything), so I have to revalidate the file through Steam to set it back to normal. I think Malwarebytes may be damaging the exe when it force stops it.

*Just to clarify, all addons were acquired through the Steam Workshop or in-game FastDL. I do not download from untrusted sources and am usually very careful about downloading ANYTHING.

I posted here because I am kinda paranoid and want to know whether it's time for me to format and accept this as a real issue, or get the peace of mind that this is genuinely a false positive. If there are any formatting issues, feel free to let me know, as I don't post here very much, although I do use this product frequently.

Edited by hiitsmexdd

  • 2 weeks later...
On 4/24/2017 at 11:24 AM, miekiemoes said:

Thanks.

This will no longer be detected.

Thanks for reporting!!

I just joined another server and had it happen again. It appears to mostly be happening when I tab out of the game while loading in. :c

EDIT - Also, all the same symptoms as the old issue. Does not show in reports, etc.

Edited by hiitsmexdd

  • Staff

Hmm, that's interesting. Can you post a new MBAMSERVICE.LOG please? Because the way this mod behaves still triggers our anti-ransomware detection, so it seems.

Also, I strongly suggest that you add the folder C:\Program Files (x86)\Steam\steamapps to your exclusions in Malwarebytes. This is to avoid any interference.

Please make sure you exclude it from both the anti-ransomware and anti-malware components (option 1).

Thanks!


1 hour ago, miekiemoes said: (quoted above)

Yeah, I am willing to do that if I have to in certain circumstances. But it is, of course, better to iron out the issues so that other people don't get them as well.

I found a log of both bk1 and bk2. Attached both of them for you.


MBAMSERVICE.LOG.zip

MBAMSERVICE.LOG (2).zip


  • Staff

Hi,

I see the block here is rather an IP detection block on an IP that is often used for NJRat bots, which this mod is also connecting to. So that might explain it.

We unfortunately can't remove this detection for this IP block, as we need to keep our customers protected from this. As long as this site owner doesn't clean up the malicious traffic, the detection will stay.

So, as I said, in your case, it's a good idea to add to exclusions.

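The staff reply above says the trigger is an IP block: the game process is connecting to an address that Malwarebytes has flagged. A practitioner can confirm that kind of explanation independently by listing the remote endpoints the process actually has open and checking them against the flagged range named in the block notification. The script below is an added example written for this page; it is not part of the thread or of any Malwarebytes or Valve tooling. It parses the output of the Windows commands `tasklist /fo csv /nh` and `netstat -ano`, resolves the PIDs that belong to hl2.exe, and reports which of that process's remote IPs fall inside a set of flagged networks. All sample data (the tasklist rows, the netstat rows, and the flagged network 203.0.113.0/24) is constructed from documentation-reserved addresses and is not the address referred to in the thread.

```python
"""
Which remote endpoints does a given process (here hl2.exe) have open, and do
any of them fall inside a flagged network? Added example for this thread;
all inputs below are constructed, not captured from a real machine.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `tasklist /fo csv /nh` output (Windows). Not real data.
TASKLIST_CSV = '''"hl2.exe","4120","Console","1","1,204,332 K"
"chrome.exe","2210","Console","1","310,004 K"
"steam.exe","1888","Console","1","120,400 K"
'''

# Constructed sample of `netstat -ano` output (Windows). Not real data.
# UDP rows carry no State column, so the PID is always the last field.
NETSTAT_TEXT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49812     192.0.2.15:27015       ESTABLISHED     4120
  UDP    192.168.1.20:27005     *:*                                    4120
  TCP    192.168.1.20:49900     203.0.113.77:443       ESTABLISHED     4120
  TCP    192.168.1.20:50001     198.51.100.9:443       ESTABLISHED     2210
  TCP    [::1]:49950            [::1]:6463             ESTABLISHED     1888
'''

# Constructed stand-in for a flagged range. In practice this comes from the
# vendor's block notification or your own intel feed, not from this file.
FLAGGED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def pids_for_image(tasklist_csv: str, image_name: str) -> Set[int]:
    """Return the PIDs whose image name matches, case-insensitively."""
    pids: Set[int] = set()
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) >= 2 and row[0].lower() == image_name.lower():
            pids.add(int(row[1]))
    return pids


def _split_endpoint(endpoint: str) -> Optional[Tuple[object, int]]:
    """Split 'host:port' or '[v6]:port' into (ip, port); None for wildcards."""
    if endpoint.startswith("*"):
        return None
    host, _, port = endpoint.rpartition(":")
    try:
        return ipaddress.ip_address(host.strip("[]")), int(port)
    except ValueError:
        return None


def remote_endpoints(netstat_text: str, pids: Set[int]) -> List[Tuple[str, object, int]]:
    """Return (proto, remote_ip, remote_port) for netstat rows owned by `pids`."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or an unexpected row
        try:
            pid = int(parts[-1])
        except ValueError:
            continue
        if pid not in pids:
            continue
        endpoint = _split_endpoint(parts[2])
        if endpoint is not None:
            found.append((parts[0], endpoint[0], endpoint[1]))
    return found


def flagged_endpoints(endpoints, networks=FLAGGED_NETWORKS):
    """Keep only endpoints whose remote IP lies inside a flagged network."""
    return [e for e in endpoints if any(e[1] in net for net in networks)]


def check_process(image_name: str, tasklist_csv: str = TASKLIST_CSV,
                  netstat_text: str = NETSTAT_TEXT) -> Dict[str, list]:
    """Resolve PIDs, collect their remote endpoints, and flag the suspicious ones."""
    pids = pids_for_image(tasklist_csv, image_name)
    remotes = remote_endpoints(netstat_text, pids)
    fmt = lambda e: f"{e[0]} {e[1]}:{e[2]}"
    return {
        "pids": sorted(pids),
        "remote": [fmt(e) for e in remotes],
        "flagged": [fmt(e) for e in flagged_endpoints(remotes)],
    }


if __name__ == "__main__":
    for key, values in check_process("hl2.exe").items():
        print(key, values)
```

To run this against a live machine, feed `check_process` the real text of `tasklist /fo csv /nh` and `netstat -ano` (for example via `subprocess.run([...], capture_output=True, text=True).stdout`) while the game is sitting in the loading screen, since that is when the thread reports the block firing. A hit in a flagged range shows only that the game reached an address on a blocklist, which is consistent with the staff explanation; it does not by itself show that the local executable is malicious, and an empty result on one run does not rule out a block on a later server.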

54 minutes ago, miekiemoes said: (quoted above)

The IP blocks aren't the problem; I understand the purpose behind those. It's that only SOMETIMES, when connecting to any server, it will trigger a Malware.Generic flag.

Also, the IP blocks are for USER-GENERATED servers on the GAME Garry's Mod. It is similar to CS:GO in the sense that users can create and manage their own server through a dedicated server box.

EDIT - Just to clear up any possible confusion, this is the game I am talking about. http://store.steampowered.com/app/4000/Garrys_Mod/

Edited by hiitsmexdd

  • Staff

Thanks. Yes, it's mainly because the servers it connects to, which we block, cause this additional trigger (behavior) for the file.

In this case, it hasn't deleted the Garry's Mod executable (hl2.exe), but only killed the active process, for safety's sake. I'm sure you understand this reasoning.

That's why, in your case, the best solution is to add that folder to the anti-ransomware exclusions.


On 5/6/2017 at 11:16 PM, miekiemoes said: (quoted above)

So as long as I am not connecting to any of the blocked servers I am fine? This is just caused by the overwhelming amount of IP blocks?
