I am frankly getting annoyed. I like Malwarebytes, but recently I have had nothing but trouble from the software.

Over the last few weeks, every time I have used the in-game updater of Factorio (http://www.factorio.com), it would flag the file as a threat and destroy the file. Oh, the file is still there, it's just not accessible. I can't delete it, I can't nuke it, I can't overwrite it, it's perpetually locked by Malwarebytes. Even after a reboot, the file is still there. OK, after uninstalling (!) Malwarebytes I was allowed to remove the file. Reinstall Malwarebytes, and from now on I will have to update manually.

Today I was happily playing Kerbal Space Program when I had a crash (unfortunately, this happens at times) which Malwarebytes *immediately* identified as a "ransomware". Okay...? Nothing in the quarantine list, file still exists in the folder. Trying to run it gives me this error:

4db99Xk.png

Attempting a delete gives me

7ff85eN.png

which is immediately followed by

jbf2T3S.png

No go. File is there, locked, unable to be deleted.

Here are the relevant lines in the MBAMSERVICE.LOG:

06/30/17	" 17:57:24.321"	64668062	4fe0	493c	INFO	AntiRansomwareControllerImpl	mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback	"ArwControllerImplHelper.cpp"	1028	"Received threat detection callback from ARW SDK, ObjectPath=S:\Games\Kerbal Space Program\KSP 1.3.0 - Astrotech\KSP_x64.exe, Sha256Hash=b2409d86ec6954319a1c71f328bc4bbf21084cefb6d429360346f529ad54b57b"
06/30/17	" 17:57:24.546"	64668296	4fe0	493c	ERROR	HttpConnection	mb::common::net::HttpConnection::SendRequest	"HttpConnection.cpp"	390	"Network error."
06/30/17	" 17:57:24.546"	64668296	4fe0	493c	ERROR	HttpConnection	mb::common::net::HttpConnection::LogExceptionDetails	"HttpConnection.cpp"	1472	"Exception details: text=No message received"
06/30/17	" 17:57:24.546"	64668296	4fe0	493c	ERROR	CleanControllerImpl	mb::cleanctlrimpl::whitelist::HubbleWhiteLister::AreFilesWhiteListed	"HubbleWhiteLister.cpp"	398	"Error code -9 returned in PUT to Hubble"
06/30/17	" 17:57:24.546"	64668296	4fe0	493c	INFO	CleanControllerImpl	mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus	"WhiteListManager.cpp"	248	"White list status (not cached): File 'S:\Games\Kerbal Space Program\KSP 1.3.0 - Astrotech\KSP_x64.exe'   => Hubble:Error"
06/30/17	" 17:57:24.546"	64668296	4fe0	493c	INFO	AntiRansomwareControllerImpl	mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback	"ArwControllerImplHelper.cpp"	1053	"The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=S:\Games\Kerbal Space Program\KSP 1.3.0 - Astrotech\KSP_x64.exe, id=0x1"

Also uploaded the complete log here: https://gist.github.com/7a717e77bf75df540e4c48828ecae6dd

In there I also see that it is suspecting 7zWrapper, as well as ckan.exe (Kerbal Space Program open source utility used by thousands in the community).

Now, here's the deal: I pay good money for the tool, but meet only frustration. I have tried to add exclusions (for the Factorio problem above), but they are promptly ignored. What gives? Switch to another product that may be a bit more lenient and risk infection? Be forced to UNINSTALL Malwarebytes every time there is a false positive?

Patience is running thin.


  • Staff

Hi,

Just to give a little insight - our Anti-Ransomware protection uses behavior detection in order to protect against 0-day ransomware with success. Unfortunately, it happens once in a while that our behavior detection detects something it shouldn't. We apologize for this.

I've looked at your logs and taken action where needed, so the above shouldn't be detected anymore. I suggest you also whitelist the folder "S:\Games\Kerbal Space Program\" in Malwarebytes, since the files inside *might* trigger future ransomware behavior detections.

Thanks and sorry for the inconvenience this has caused you.

Edited to add - Please reboot, so you get full access to your "locked" files again.

Edited by miekiemoes
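
Added example (not part of the thread and not Malwarebytes code): a Python triage script for log rows like the MBAMSERVICE.LOG excerpt in the first post. It pairs each anti-ransomware detection with a failed Hubble whitelist lookup and the resulting kill request. The column layout is inferred from that excerpt, and the sample rows, paths and hash are constructed placeholders.

```python
import csv
import re

# Column order of an MBAMSERVICE.LOG row, inferred from the excerpt in the post (assumption).
FIELDS = "date time tick pid tid level component function source line message".split()
DETECT = re.compile(r"detection callback from ARW SDK, ObjectPath=(.+?), Sha256Hash=([0-9a-fA-F]{64})")
WL_ERROR = re.compile(r"White list status .*File '(.+?)'\s+=> Hubble:Error")
KILL = re.compile(r"error in whitelisting .*kill this process\. ObjectPath=(.+?), id=")

def parse_rows(lines):
    """Yield a dict per well-formed row; csv strips the quotes around cells."""
    for row in csv.reader(lines, delimiter="\t", quotechar='"'):
        if len(row) == len(FIELDS):  # skip truncated or free-form lines
            yield dict(zip(FIELDS, (cell.strip() for cell in row)))

def triage(lines):
    """Map each detected path to its hash and what happened to the lookup."""
    found = {}
    for row in parse_rows(lines):
        msg = row["message"]
        if m := DETECT.search(msg):
            found[m.group(1)] = {"sha256": m.group(2), "time": row["time"],
                                 "lookup_failed": False, "killed": False}
        elif (m := WL_ERROR.search(msg)) and m.group(1) in found:
            found[m.group(1)]["lookup_failed"] = True
        elif (m := KILL.search(msg)) and m.group(1) in found:
            found[m.group(1)]["killed"] = True
    return found

def offline_kills(lines):
    """Paths killed while the whitelist lookup was failing: review these first."""
    return [p for p, d in triage(lines).items() if d["lookup_failed"] and d["killed"]]

def _row(level, component, message):  # constructed sample row; ids and names are placeholders
    return "\t".join(["01/01/24", '" 12:00:00.000"', "1000", "1a2b", "3c4d", level, component,
                      "placeholder::Function", '"placeholder.cpp"', "1", f'"{message}"'])

GAME, TOOL, SHA = r"C:\Games\Example\game.exe", r"C:\Tools\tool.exe", "ab" * 32
SAMPLE = [  # constructed, not copied from a real log
    _row("INFO", "AntiRansomwareControllerImpl", f"Received threat detection callback from ARW SDK, ObjectPath={GAME}, Sha256Hash={SHA}"),
    _row("ERROR", "HttpConnection", "Network error."),
    _row("INFO", "CleanControllerImpl", f"White list status (not cached): File '{GAME}'   => Hubble:Error"),
    _row("INFO", "AntiRansomwareControllerImpl", f"The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath={GAME}, id=0x1"),
    _row("INFO", "AntiRansomwareControllerImpl", f"Received threat detection callback from ARW SDK, ObjectPath={TOOL}, Sha256Hash={SHA}"),
    "truncated row without enough columns",
]

if __name__ == "__main__":
    print("review first:", offline_kills(SAMPLE))
```

To use it on a real log, pass an open file object to `triage()` or `offline_kills()` instead of `SAMPLE`.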