MalwareBytes locks MSYS2 Updates

[HighTide]

Hello MalwareBytes. For the past several days, MalwareBytes has repeatedly identified my installation and upgrading of MSYS2 (specifically pacman.exe) as ransomware. I've had the unusual problem, however, of MalwareBytes causing pacman.exe to ignore my administrator rights completely, and being unable to quarantine or scan the file until a restart is performed. Malwarebytes Anti-Malware does not identify the file as a threat, only MalwareBytes Anti-Rootkit after launching pacman.exe, but does not record any such notification in the logs. If I can trigger the notification again, I will attach a screen shot.

[HighTide]

I was unable to get a screenshot, but I was able to trigger it again. Like before, the program locked and disallowed any modifications/actions until reboot, despite having administrator access. Here is my copy of the program, though it can be obtained through following the fresh installation procedure for MSYS2.

pacman.7z

[thisisu]

Thanks HighTide,

Taking a look now

[thisisu]

This should be resolved now. Let us know if you continue to see this file being flagged as ransomware.

Thanks

[HighTide]

Hello thisisu. I've tried reinstalling MSYS2, but have faced the same exact issues as prior. I've attached a  the notification png, the proof of ignoring admin rights, and the running process after notification. I've also included the directory after the notification, and the pacman.exe file prior to it ignoring my admin rights, but cannot include the current pacman due to it ignoring my admin rights. This was done from a fresh install of MSYS2, with no prior software on the computer. If you can, please advise me on where to go from here. So far, it seems that I'm the only one getting this issue.

notification_reduced.7z

[thisisu]

Hi, the file you attached this time is different than the previous one. The latest one has also been whitelisted. Please retry. If the problem persists, please attach : C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG

Thank you

806627abe3f645e040a97fb8b1c6ae84
A49B256A053F217DCD06BE3DC6038284
 

Edited June 17, 2017 by thisisu

[HighTide]

I've tried performing a fresh install twice now, and the issue seems to have subsided. Would you say that the previous attempts by MalwareBytes were what was causing pacman.exe to lock up and ignore administrator actions? If not, would anything in the attached logs cause that? Its the only thing that is still bugging me, as I can't figure out why pacman suddenly ignored everything I tried to do.

MBAMSERVICE.LOG

[thisisu]

14 minutes ago, HighTide said:

I've tried performing a fresh install twice now, and the issue seems to have subsided.

Great. Looks good on our end as well as the log you attached shows that the correct file was whitelisted this time.

14 minutes ago, HighTide said:

Would you say that the previous attempts by MalwareBytes were what was causing pacman.exe to lock up and ignore administrator actions?

Yes, Malwarebytes was quarantining a file (pacman.exe) that the MSYS2 installer wanted to use.

[HighTide]

Thanks for the help thisisu! Just one last question. Whenever the notification for the Ransom ware quarantined popped up, the file was never actually removed or anything. Rather, its privileges were just changed. Is that how MalwareBytes handles quarentine, or would that be another issue?

[HighTide]

Sorry to revive this, but I never got an answer for my last question. I'm still worried to turn my computer on. Is it normal MalwareBytes procedure to, when quarantining a file, not move the file itself but instead change access permissions? That's what happened on my machine.

[miekiemoes]

Hi HighTide,

That is correct - In your case, the file is safe, but if the AntiRansomware Component can't verify additional checks (because of networking error in your case, as I see in the logs), that's where it takes an additional action and locks the file from running + kills the process, just to make sure, (instead of deleting the file).

That's also why it's always a good idea to add C:\MSYS2\usr\bin\pacman.exe to your exclusions.