FP for Cybereason RansomFree

After getting a detection for the registry entry below, I did some searching and found this to be what I believe is an FP.

Registry Data: 1

I say this is an FP after reading the two links below...

1. http://www.geekstogo.com/forum/topic/366881-infection-by-pumoptionalnodrives-and-more/

2. https://www.bleepingcomputer.com/forums/t/638875/rogue-folder-and-file-on-hardisk/

Please let me know what you think, and if it's a FP, please make a fix. Thank you so much!!


  • Staff


This is no False Positive. It's a detection for Potentially Unwanted Modification (PUM). In this case, there's a policy set where drives are hidden. This policy is often set by Malware as well, hence why we need to alert the user with this.

In case the user is aware that this policy has been set, then (s)he can add to exclusions or change in settings to not detect PUM detections anymore.

In case the user isn't aware of this policy, then it's better to have Malwarebytes fix it.


Thank you for the reply. Did you read the two links I posted? They indicate that in my particular case it seems that Cybereason RansomFree (a legitimate program) is putting this entry in and it gets flagged wrongly. In my case the only way to get rid of this detection is to uninstall Cybereason. Allowing Malwarebytes to delete the entry does no good, as it's recreated upon reboot every time.

A few quotes from the two links I posted...

Infection by PUM.Optional.NoDrives

Quote from the Geeks to Go GeekU forum Moderator... "Cybereason RansomFree is the source of the Malwarebytes Anti-Malware detection, along with the randomly named files/folders. You can therefore safely ignore both."

"The folders are created by RansomFree as one of the methods used by the product to detect the presence of file encrypting ransomware. You can therefore safely ignore the folders or uninstall RansomFree."

"There are some ransomware protection software which deliberately create dummy folders containing randomly named .bmp, .png, .gif, .jpg, .pem, .xls, .mdb, .txt, .sql, .docx, .doc, .xlsx, .xls, .rtf, and .txt files in various locations (and partitions) on your computer as part of its functionality. These are actually trap folders and files... patterns of files and hidden virtual files that ransomware is attracted to, and the feature is more commonly referred to as "Entrapment Protection". RansomFree by Cybereason and CryptoMonitor by Nathan (DecrypterFixer) (but no longer supported) were among the first tools to include this feature."


  • Staff

Yes, legitimate programs, as above, might set this key as well. Unfortunately, Malwarebytes can't know whether this is set by a legitimate program or by malware, hence why we alert the user anyway.

So in your case, just allow it (whitelist) and/or select to not detect PUM.


  • 3 weeks later...

Over the past couple of weeks I kept receiving a PUM with the following entry each time I ran a Malwarebytes scan:

Registry Data: 1
PUM.Optional.NoDrives, HKU\S-1-5-21-61187059-1334297750-2548552277-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoDrives, 1, Good: (0), Bad: (1),,[61b45a1081280c2af6d6a7c9db28a25e]

It was really causing me a lot of worry, as I just didn't know why or how it had come to be. After seeing BlackHawk's post regarding Cybereason's RansomFree program, which I had also installed on my laptop, I contacted Cybereason and they advised me that they deploy "Bait Files" as part of the program and gave me a list of Registry Keys that are added after installing RansomFree. As a consequence, I decided to uninstall this program from my laptop and now Malwarebytes scans it without anything being detected at all - much to my relief!

In case there are other Malwarebytes users who encounter the same or similar problem, the list of Registry Keys that RansomFree adds after installing that program is as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FF5C0CE8-D766-48B4-95EF-C598AE40DCE7}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1E8D4AA3-D39B-4FC8-B6FB-2E3144A0119E}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1E8D4AA3-D39B-4FC8-B6FB-2E3144A0119E}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FF5C0CE8-D766-48B4-95EF-C598AE40DCE7}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Cybereason RansomFree Autostart
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Cybereason RansomFree Keepalive
HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\8a
HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\8a\52C64B7E
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Classes\Local Settings\MuiCache\8a
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Classes\Local Settings\MuiCache\8a\52C64B7E
HKU\S-1-5-21-883495937-1710221880-2480596416-1194_Classes\Local Settings\MuiCache\8a
HKU\S-1-5-21-883495937-1710221880-2480596416-1194_Classes\Local Settings\MuiCache\8a\52C64B7E
HKU\S-1-5-18\Software\Classes\Local Settings\MuiCache\8a
HKU\S-1-5-18\Software\Classes\Local Settings\MuiCache\8a\52C64B7E

I hope that this will prove helpful - and many thanks BlackHawk. If it hadn't been for your post I would never have solved my problem. :)


  • Staff

I don't see the key that they set in the list. A PUM is just a setting that differs from what is the normal Windows out-of-box setting.

We have no way of telling if malware, a legit program or a user set this. That's why we call it a potentially unwanted modification, or PUM.

You can set this to ignore in MBAM if your Explorer view is fine.

More info on what the key does that is detected by MBAM.

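As an added example (not code from the thread, from Malwarebytes or from Cybereason), this PowerShell check reads the Explorer NoDrives policy value that the detections above refer to, decodes it into the drive letters it hides, and flags any value other than the out-of-box default of 0. NoDrives is a DWORD bitmask in which bit 0 is A:, bit 1 is B:, and so on up to bit 25 for Z:, so the value 1 in the scan output hides only the A: drive; the HKU\<SID> path in the scan log is the same key as HKCU for that logged-on user.

```powershell
# Added example: audit the Explorer "NoDrives" policy that Malwarebytes
# reports as PUM.Optional.NoDrives. Out of the box the value is absent (0).
# NoDrives bit layout: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:.

function ConvertFrom-NoDrivesMask {
    param([Parameter(Mandatory)][uint32]$Mask)
    # Return the drive letters whose bit is set in the mask.
    $hidden = @()
    for ($bit = 0; $bit -lt 26; $bit++) {
        if ($Mask -band (1 -shl $bit)) {
            $hidden += "$([char](65 + $bit)):"
        }
    }
    return $hidden
}

function Get-NoDrivesPolicy {
    # Both the per-user and the machine-wide policy locations are checked;
    # the per-user key is what HKU\<SID>\...\Policies\Explorer maps to.
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name NoDrives -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Key or value absent: this is the default state, nothing to report.
            [pscustomobject]@{ Path = $path; NoDrives = $null; HiddenDrives = @(); Deviates = $false }
            continue
        }
        # DWORDs come back as Int32; mask to get an unsigned view before decoding.
        $mask = [uint32]($item.NoDrives -band 0xFFFFFFFF)
        [pscustomobject]@{
            Path         = $path
            NoDrives     = $mask
            HiddenDrives = (ConvertFrom-NoDrivesMask -Mask $mask)
            Deviates     = ($mask -ne 0)   # any non-zero value is what MBAM flags
        }
    }
}

Get-NoDrivesPolicy | Format-List
```

If the output shows a non-zero mask and no installed software (such as RansomFree) is known to set it, treat the deviation as the reason the PUM is raised rather than as a scanner error.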

Many thanks for the information Shadowwar. I'm not very computer literate and that's why I was so worried about the PUM. It hasn't recurred since I uninstalled RansomFree, so somehow I do think that this program was the cause of it. Perhaps there was something in the various "Bait Files" it set that prompted the PUM. In any event, I've stopped worrying now as my laptop seems to be clear of any viruses or malware.

Edited by Autumnwatch

  • 1 month later...

I have this same issue with Malwarebytes wanting to quarantine the Optional.NoDrives registry setting since I installed RansomFree. Cybereason have confirmed that it sets that registry key, so for me, it's a false positive.

However, how does one whitelist this in Malwarebytes? (I can't see any option to whitelist a registry entry)


Thanks miekiemoes. Unfortunately I don't see that view in the Scan tab. In the Scan section I have one page (no tabs at the top) which shows a summary of the scan. There are no individual threats displayed. The only place I can see the individual threats where they are selectable is in the quarantine tab, which doesn't give me the option to whitelist them.


  • Staff

When the key gets recreated by RansomFree, if you do a scan, it will then detect it again. That's where you need to add the exclusion.

Alternatively, you can also disable PUM detections from the scan settings. Settings > protection > Potential Threat Protection > Potentially Unwanted Modifications, set to Ignore detections.
