MalwareBytes locks MSYS2 Updates


HighTide

Hello MalwareBytes. For the past several days, MalwareBytes has repeatedly identified my installation and upgrading of MSYS2 (specifically pacman.exe) as ransomware. I've had the unusual problem, however, of MalwareBytes causing pacman.exe to ignore my administrator rights completely, and being unable to quarantine or scan the file until a restart is performed. Malwarebytes Anti-Malware does not identify the file as a threat, only MalwareBytes Anti-Rootkit after launching pacman.exe, but does not record any such notification in the logs. If I can trigger the notification again, I will attach a screen shot.


I was unable to get a screenshot, but I was able to trigger it again. Like before, the program locked and disallowed any modifications/actions until reboot, despite having administrator access. Here is my copy of the program, though it can be obtained through following the fresh installation procedure for MSYS2.

pacman.7z


Hello thisisu. I've tried reinstalling MSYS2, but have faced the same exact issues as prior. I've attached the notification png, the proof of ignoring admin rights, and the running process after notification. I've also included the directory after the notification, and the pacman.exe file prior to it ignoring my admin rights, but cannot include the current pacman due to it ignoring my admin rights. This was done from a fresh install of MSYS2, with no prior software on the computer. If you can, please advise me on where to go from here. So far, it seems that I'm the only one getting this issue.

notification_reduced.7z


Hi, the file you attached this time is different than the previous one. The latest one has also been whitelisted. Please retry. If the problem persists, please attach: C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG

Thank you

806627abe3f645e040a97fb8b1c6ae84
A49B256A053F217DCD06BE3DC6038284
 

Edited by thisisu

I've tried performing a fresh install twice now, and the issue seems to have subsided. Would you say that the previous attempts by MalwareBytes were what was causing pacman.exe to lock up and ignore administrator actions? If not, would anything in the attached logs cause that? It's the only thing that is still bugging me, as I can't figure out why pacman suddenly ignored everything I tried to do.

MBAMSERVICE.LOG


14 minutes ago, HighTide said:

I've tried performing a fresh install twice now, and the issue seems to have subsided.

Great. Looks good on our end as well as the log you attached shows that the correct file was whitelisted this time.

14 minutes ago, HighTide said:

Would you say that the previous attempts by MalwareBytes were what was causing pacman.exe to lock up and ignore administrator actions?

Yes, Malwarebytes was quarantining a file (pacman.exe) that the MSYS2 installer wanted to use.


Thanks for the help thisisu! Just one last question. Whenever the notification for the Ransomware quarantined popped up, the file was never actually removed or anything. Rather, its privileges were just changed. Is that how MalwareBytes handles quarantine, or would that be another issue?


Sorry to revive this, but I never got an answer for my last question. I'm still worried to turn my computer on. Is it normal MalwareBytes procedure to, when quarantining a file, not move the file itself but instead change access permissions? That's what happened on my machine.


  • Staff

Hi HighTide,

That is correct - In your case, the file is safe, but if the AntiRansomware Component can't verify additional checks (because of networking error in your case, as I see in the logs), that's where it takes an additional action and locks the file from running + kills the process, just to make sure (instead of deleting the file).

That's also why it's always a good idea to add C:\MSYS2\usr\bin\pacman.exe to your exclusions.

 

