HighTide Posted June 16, 2017 ID:1136321

Hello MalwareBytes. For the past several days, MalwareBytes has repeatedly identified my installation and upgrading of MSYS2 (specifically pacman.exe) as ransomware. I've had the unusual problem, however, of MalwareBytes causing pacman.exe to ignore my administrator rights completely, and being unable to quarantine or scan the file until a restart is performed. Malwarebytes Anti-Malware does not identify the file as a threat, only MalwareBytes Anti-Rootkit after launching pacman.exe, but does not record any such notification in the logs. If I can trigger the notification again, I will attach a screen shot.

HighTide (Author) Posted June 16, 2017 ID:1136342

I was unable to get a screenshot, but I was able to trigger it again. Like before, the program locked and disallowed any modifications/actions until reboot, despite having administrator access. Here is my copy of the program, though it can be obtained through following the fresh installation procedure for MSYS2.

pacman.7z

thisisu Posted June 17, 2017 ID:1136363

Thanks HighTide,
Taking a look now

thisisu Posted June 17, 2017 ID:1136364

This should be resolved now. Let us know if you continue to see this file being flagged as ransomware.
Thanks

HighTide (Author) Posted June 17, 2017 ID:1136369

Hello thisisu. I've tried reinstalling MSYS2, but have faced the same exact issues as prior. I've attached the notification png, the proof of ignoring admin rights, and the running process after notification. I've also included the directory after the notification, and the pacman.exe file prior to it ignoring my admin rights, but cannot include the current pacman due to it ignoring my admin rights. This was done from a fresh install of MSYS2, with no prior software on the computer. If you can, please advise me on where to go from here. So far, it seems that I'm the only one getting this issue.

notification_reduced.7z

thisisu Posted June 17, 2017 ID:1136371

Hi, the file you attached this time is different than the previous one. The latest one has also been whitelisted. Please retry. If the problem persists, please attach: C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG
Thank you

806627abe3f645e040a97fb8b1c6ae84
A49B256A053F217DCD06BE3DC6038284

Edited June 17, 2017 by thisisu

HighTide (Author) Posted June 17, 2017 ID:1136383

I've tried performing a fresh install twice now, and the issue seems to have subsided. Would you say that the previous attempts by MalwareBytes were what was causing pacman.exe to lock up and ignore administrator actions? If not, would anything in the attached logs cause that? It's the only thing that is still bugging me, as I can't figure out why pacman suddenly ignored everything I tried to do.

MBAMSERVICE.LOG

thisisu Posted June 17, 2017 ID:1136385

14 minutes ago, HighTide said:
> I've tried performing a fresh install twice now, and the issue seems to have subsided.

Great. Looks good on our end as well, as the log you attached shows that the correct file was whitelisted this time.

14 minutes ago, HighTide said:
> Would you say that the previous attempts by MalwareBytes were what was causing pacman.exe to lock up and ignore administrator actions?

Yes, Malwarebytes was quarantining a file (pacman.exe) that the MSYS2 installer wanted to use.

HighTide (Author) Posted June 18, 2017 ID:1136542

Thanks for the help thisisu! Just one last question. Whenever the notification for the ransomware quarantined popped up, the file was never actually removed or anything. Rather, its privileges were just changed. Is that how MalwareBytes handles quarantine, or would that be another issue?

HighTide (Author) Posted June 22, 2017 ID:1137468

Sorry to revive this, but I never got an answer for my last question. I'm still worried to turn my computer on. Is it normal MalwareBytes procedure to, when quarantining a file, not move the file itself but instead change access permissions? That's what happened on my machine.

miekiemoes (Staff) Posted June 23, 2017 ID:1137769

Hi HighTide,

That is correct. In your case, the file is safe, but if the AntiRansomware Component can't verify additional checks (because of a networking error in your case, as I see in the logs), that's where it takes an additional action and locks the file from running + kills the process, just to make sure (instead of deleting the file). That's also why it's always a good idea to add C:\MSYS2\usr\bin\pacman.exe to your exclusions.