
PUP quarantine and quick shutdown...



The system in question is Windows 8.1 Professional, 64-bit OS...

After starting up this system, the uncontrollable startup scan had found a PUP in my download folder:

[Screenshot: PUP quarantine notification]

The file in question had been in the download folder for about a week; I am not certain why MB found it today.

Promptly, MB had quarantined the file in question, which is fine. What is not fine is that MB restarted the PC after popping up a red warning in the system tray. The warning could not be captured, since it was displayed for less than a second before the system reboot started.

Looking at the logs showed that MB had modified "Lsa" registry entries:


06/04/17    " 06:14:31.712"    726390    0784    0808    INFO    CleanControllerImpl    Cleaner::RebuildSystemRegistryValues    "Cleaner.cpp"    436    "Rebuilding system registry values."
06/04/17    " 06:14:31.712"    726390    0784    0808    INFO    CleanControllerImpl    Cleaner::RebuildRegistryValueEx    "Cleaner.cpp"    419    "Successfully rebuilt registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, from 'scecli^^' to 'scecli'."
06/04/17    " 06:14:31.712"    726390    0784    0808    INFO    CleanControllerImpl    Cleaner::RebuildRegistryValueEx    "Cleaner.cpp"    419    "Successfully rebuilt registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages, from '""""^^' to '""""'."
06/04/17    " 06:14:31.712"    726390    0784    0808    INFO    CleanControllerImpl    Cleaner::RebuildRegistryValueEx    "Cleaner.cpp"    419    "Successfully rebuilt registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages, from 'msv1_0^^' to 'msv1_0'."

Couple of questions:

  • Is there any way to stop system scanning at startup?
  • Why does a PUP detection result in a system shutdown, without giving time for saving documents and other work-related programs?
  • What is the purpose of rewriting LSA registry settings, and can it be disabled?

  • Is there any way to stop system scanning at startup?
    Yes. Go to Settings -> Scan Schedule and open up your scheduled scans. Under the advanced options, uncheck the box that says "Recover missed tasks". This will stop the scan from running at startup.
  • Why does a PUP detection result in a system shutdown, without giving time for saving documents and other work-related programs?
    If you look in the same scheduled scans as above, under advanced, there should be two additional checkboxes: "Quarantine all threats automatically" and "Restart computer when required for threat removal". Are these checked?
  • What is the purpose of rewriting LSA registry settings, and can it be disabled?
    Based on what was performed, it looks like we detected a change that is common to the PUP we removed and reset the LSA keys back to what they should be. Currently there is no way to stop specific actions related to cleaning a PUP.
Edited by dcollins
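The log lines in the first post show the three LSA package values (Notification, Security and Authentication Packages) being rebuilt, and the reply above explains that they were reset to their expected defaults. Those same REG_MULTI_SZ values are a well-known place for persistence, so a defender wants to be able to audit them against a known-good baseline and confirm that every listed package resolves to a signed DLL. The script below is an added example written for this thread; it is not Malwarebytes code and not something dcollins provided. Its baseline is assumed from the "to" side of the log lines (the log renders the default Security Packages entry as '""""', which with doubled-quote escaping is the two-character string ""), and the reading of '^^' as two empty trailing entries is an assumption about the cleaner's log format.

```powershell
# Added example (not Malwarebytes code): audit the LSA package values that the
# thread's log shows being rebuilt, against an assumed known-good baseline.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumed baseline, taken from the "to" side of the log lines in the thread.
# The log shows Security Packages as '""""'; with the cleaner's doubled-quote
# escaping that is the literal two-character string "" (a placeholder entry).
# Other Windows versions list more entries (Windows 10 adds e.g. kerberos and
# wdigest under Security Packages), so replace this with your own baseline.
$Baseline = @{
    'Notification Packages'   = @('scecli')
    'Security Packages'       = @('""')
    'Authentication Packages' = @('msv1_0')
}

function New-Finding([string]$Value, [string]$Entry, [string]$Issue) {
    [pscustomobject]@{ Value = $Value; Entry = $Entry; Issue = $Issue }
}

function Get-LsaPackageFindings {
    param([hashtable]$Expected = $Baseline, [string]$KeyPath = $LsaKey)

    $findings = @()
    foreach ($valueName in $Expected.Keys) {
        # REG_MULTI_SZ is returned as string[]; wrap in @() so a single entry
        # is still iterated as an array.
        $current = @((Get-ItemProperty -Path $KeyPath -Name $valueName -ErrorAction Stop).$valueName)

        foreach ($entry in $current) {
            if ([string]::IsNullOrWhiteSpace($entry)) {
                # Assumed to be what the cleaner logged as '^^': empty trailing
                # entries that the default value should not contain.
                $findings += New-Finding $valueName '<empty>' 'Empty entry (not in baseline)'
                continue
            }
            if ($Expected[$valueName] -notcontains $entry) {
                $findings += New-Finding $valueName $entry 'Entry not in baseline'
            }
            # Package names resolve to <name>.dll in System32; "" is a
            # placeholder, not a DLL, so it is skipped.
            if ($entry -ne '""') {
                $dll = Join-Path $env:SystemRoot "System32\$entry.dll"
                if (-not (Test-Path -Path $dll)) {
                    $findings += New-Finding $valueName $entry "DLL not found: $dll"
                } else {
                    $sig = Get-AuthenticodeSignature -FilePath $dll
                    if ($sig.Status -ne 'Valid') {
                        $findings += New-Finding $valueName $entry "Signature status: $($sig.Status)"
                    }
                }
            }
        }
        # A baseline package that has been removed is also worth reporting.
        foreach ($expected in $Expected[$valueName]) {
            if ($current -notcontains $expected) {
                $findings += New-Finding $valueName $expected 'Baseline entry missing'
            }
        }
    }
    return $findings
}

$result = @(Get-LsaPackageFindings)
if ($result.Count -eq 0) {
    'LSA package values match the baseline.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt (the Lsa key is readable by standard users, but Get-AuthenticodeSignature on some System32 files and any later remediation need administrator rights). Any "Entry not in baseline" or unsigned-DLL finding deserves a look before trusting that a cleaner's rewrite, like the one in the log, has put the values back where they belong.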

6 hours ago, dcollins said:

Yes. Go to Settings -> Scan Schedule and open up your scheduled scans. Under the advanced options, uncheck the box that says "Recover missed tasks". This will stop the scan from running at startup.

If you look in the same scheduled scans as above, under advanced, there should be two additional checkboxes: "Quarantine all threats automatically" and "Restart computer when required for threat removal". Are these checked?

In my scheduled scan, these options had already been configured:

[Screenshot: scan schedule settings]

With real-time protection from a number of different security protections active, I am not a believer in scheduling scans frequently. There's little reason to do so, especially with an SSD drive....

6 hours ago, dcollins said:

Based on what was performed, it looks like we detected a change that is common to the PUP we removed and reset the LSA keys back to what they should be. Currently there is no way to stop specific actions related to cleaning a PUP.

I understand why modifying the LSA keys cannot be stopped. Seeing how MB did it and the local authentication of the end user did not break, I guess it's OK.

What I don't understand is why a dormant PUP in the download folder triggers this. It's not like this PUP had been installed and active and was detected by the scan. As a matter of fact, the file in question is an archived/compressed file that had been downloaded about a week ago. Ever since, it's been sitting there dormant; I forgot about it until MB detected the file as a PUP.

Interestingly, MB did not flag this file a week ago, when it was downloaded and saved. Go figure..



Can you upload your scan report? It may be a new file we added to our database, and the scan report will let me look up when we added it. This will also allow me to look up why we cleaned the LSA keys based on just finding the installer.

For the scan that found this, was it a scheduled scan or a manual scan?


21 hours ago, dcollins said:

For the scan that found this, was it a scheduled scan or a manual scan?

It was neither... As stated previously, my scheduled scan runs on the 15th of every month, and I did not initiate a manual scan on June 04. I only do a manual scan after major version updates and/or when suspicions arise. The fact that MWB initiated one on its own still troubles me. Yeah, I like to control what's going on on my system... :rolleyes:

What is the file you are looking for?

TIA...


Under the reports section, there should be a few reports (RTP detections, scans, web blocks, etc. will all generate a new report). Can you find the report that relates to this file and then export it to a document?

Or you can just run mb-check which will grab a list of all of the reports and I can dig through them. The latest version can be found at https://downloads.malwarebytes.com/file/mb3_check
