BlackHawk

FP for Cybereason RansomFree


After getting a detection for the registry entry below, I did some searching and found this to be what I believe is an FP.

Registry Data: 1
PUM.Optional.NoDrives, 
HKU\S-1-5-21-1203251696-3052442490-1221746648-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NODRIVES, 

I say this is an FP after reading the two links below...

1. http://www.geekstogo.com/forum/topic/366881-infection-by-pumoptionalnodrives-and-more/

2. https://www.bleepingcomputer.com/forums/t/638875/rogue-folder-and-file-on-hardisk/

Please let me know what you think, and if it's a FP, please make a fix. Thank you so much!!


Hi,

This is not a false positive. It's a detection for a Potentially Unwanted Modification (PUM). In this case, there's a policy set where drives are hidden. This policy is often set by malware as well, which is why we need to alert the user about it.

If the user is aware that this policy has been set, they can add it to the exclusions or change the settings so that PUMs are no longer detected.

If the user isn't aware of this policy, it's better to have Malwarebytes fix it.


Thank you for the reply. Did you read the two links I posted? They indicate that in my particular case it seems that Cybereason RansomFree (a legitimate program) is putting this entry in and it gets flagged wrongly. In my case the only way to get rid of this detection is to uninstall Cybereason. Allowing Malwarebytes to delete the entry does no good, as it's recreated upon every reboot.

A few quotes from the two links I posted...

Infection by PUM.Optional.NoDrives

Quote from the Geeks to Go GeekU forum moderator: "Cybereason RansomFree is the source of the Malwarebytes Anti-Malware detection, along with the randomly named files/folders. You can therefore safely ignore both."

"The folders are created by RansomFree as one of the methods used by the product to detect the presence of file-encrypting ransomware. You can therefore safely ignore the folders or uninstall RansomFree."

"There are some ransomware protection software which deliberately create dummy folders containing randomly named .bmp, .png, .gif, .jpg, .pem, .xls, .mdb, .txt, .sql, .docx, .doc, .xlsx, .xls, .rtf, and .txt files in various locations (and partitions) on your computer as part of its functionality. These are actually trap folders and files... patterns of files and hidden virtual files that ransomware is attracted to, and the feature is more commonly referred to as "Entrapment Protection". RansomFree by Cybereason and CryptoMonitor by Nathan (DecrypterFixer) (but no longer supported) were among the first tools to include this feature."


Hmm... it seems you are saying if the legitimate security program by Cybereason made the entry I can allow it, but if it didn't I should delete it?


Yes, legitimate programs, as above, might set this key as well. Unfortunately, Malwarebytes can't know whether this is set by a legitimate program or by malware, which is why we alert the user anyway.

So in your case, just allow it (whitelist) and/or select to not detect PUM.


Over the past couple of weeks I kept receiving a PUM with the following entry each time I ran a Malwarebytes scan:

Registry Data: 1
PUM.Optional.NoDrives, HKU\S-1-5-21-61187059-1334297750-2548552277-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoDrives, 1, Good: (0), Bad: (1),,[61b45a1081280c2af6d6a7c9db28a25e]

It was really causing me a lot of worry, as I just didn't know why or how it had come to be. After seeing BlackHawk's post regarding Cybereason's RansomFree program, which I had also installed on my laptop, I contacted Cybereason and they advised me that they deploy "Bait Files" as part of the program and gave me a list of registry keys that are added after installing RansomFree. As a consequence, I decided to uninstall this program from my laptop, and now Malwarebytes scans it without anything being detected at all - much to my relief!

In case there are other Malwarebytes users who encounter the same or a similar problem, the list of registry keys that RansomFree adds after installing that program is as follows:

HKLM\SOFTWARE\Classes\Installer\Features\D56E43FF70F87194B8D9BFF7712ECBE4
HKLM\SOFTWARE\Classes\Installer\Products\D56E43FF70F87194B8D9BFF7712ECBE4
HKLM\SOFTWARE\Classes\Installer\Products\D56E43FF70F87194B8D9BFF7712ECBE4\SourceList
HKLM\SOFTWARE\Classes\Installer\Products\D56E43FF70F87194B8D9BFF7712ECBE4\SourceList\Media
HKLM\SOFTWARE\Classes\Installer\Products\D56E43FF70F87194B8D9BFF7712ECBE4\SourceList\Net
HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\9E4330FE38DBE8A4F8683FDFD80FEE44
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\9E4330FE38DBE8A4F8683FDFD80FEE44
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1C7CE3A53200A5F55B19EBAB55D43461
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23CBE849A945CF959972AA4F21D9A382
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3874A0A20E36EE554A4DDD576974F42E
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\43FAFE586F024D9598D172154C8E1AB7
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\523EFE58DDFD15C51BBFD5F0F2C7C7F9
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5419EE71D7B7CF8589B3455DE25CC244
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\542E31395F9F2265399F80699893B089
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\57CD6827966C9E25299132D88EBC176A
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\66739F86C026F5850B639B226C25A5E9
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F56072E57D55B15098D814AEE488B6D
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7CF73813E97629352935F769B32938D7
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7D3FE91E3979793558BE853E9F60DFCB
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\924DD49765E71EE55A862FD81EFA74AD
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\954418F07006810588EF98B5A0E46188
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A61FD7A3B2DFED757A0F3A581B45DCA8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D56E43FF70F87194B8D9BFF7712ECBE4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D56E43FF70F87194B8D9BFF7712ECBE4\Features
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D56E43FF70F87194B8D9BFF7712ECBE4\InstallProperties
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D56E43FF70F87194B8D9BFF7712ECBE4\Patches
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D56E43FF70F87194B8D9BFF7712ECBE4\Usage
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FF5C0CE8-D766-48B4-95EF-C598AE40DCE7}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1E8D4AA3-D39B-4FC8-B6FB-2E3144A0119E}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1E8D4AA3-D39B-4FC8-B6FB-2E3144A0119E}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FF5C0CE8-D766-48B4-95EF-C598AE40DCE7}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Cybereason RansomFree Autostart
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Cybereason RansomFree Keepalive
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FF34E65D-8F07-4917-8B9D-FB7F17E2BC4E}
HKLM\SYSTEM\ControlSet001\Services\CybereasonRansomFree
HKLM\SYSTEM\CurrentControlSet\Services\CybereasonRansomFree
HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\8a
HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\8a\52C64B7E
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000150A0C
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000160A0C
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170A0C
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000002710E2
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000029121A
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000820FE2
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000830FE2
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Classes\Local Settings\MuiCache\8a
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Classes\Local Settings\MuiCache\8a\52C64B7E
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Cybereason
HKU\S-1-5-21-883495937-1710221880-2480596416-1194\Software\Cybereason\RansomFree
HKU\S-1-5-21-883495937-1710221880-2480596416-1194_Classes\Local Settings\MuiCache\8a
HKU\S-1-5-21-883495937-1710221880-2480596416-1194_Classes\Local Settings\MuiCache\8a\52C64B7E
HKU\S-1-5-18\Software\Classes\Local Settings\MuiCache\8a
HKU\S-1-5-18\Software\Classes\Local Settings\MuiCache\8a\52C64B7E

I hope that this will prove helpful - and many thanks, BlackHawk. If it hadn't been for your post I would never have solved my problem. :)


I don't see the key that they set in the list. A PUM is just a setting that differs from the normal Windows out-of-the-box setting.

We have no way of telling if malware, a legitimate program or a user set this. That's why we call it a Potentially Unwanted Modification, or PUM.

You can set this to ignore in MBAM if your Explorer view is fine.

More info on what the key detected by MBAM does:

https://technet.microsoft.com/en-us/library/cc938267.aspx

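For readers who want to check for themselves what the flagged value actually does: NoDrives is a REG_DWORD bitmask in which bit 0 hides A:, bit 1 hides B:, and so on up to bit 25 for Z:, and the Windows default is for the value to be absent. The script below is an added example, not code from this thread, from Malwarebytes or from Cybereason. It decodes a NoDrives value into the drive letters it hides, parses a Malwarebytes 3.x registry-detection line of the shape quoted in the posts above (the sample line is constructed from the one posted), and, only when run on Windows, reads the current user's live value; on other systems the registry read is skipped. Function and constant names are the example's own.

```python
import re
import string
from typing import Dict, Iterable, List, Optional, Union

# NoDrives is a REG_DWORD bitmask: bit 0 hides A:, bit 1 hides B:, ..., bit 25 hides Z:.
# The Windows out-of-the-box state is "value absent" (nothing hidden). The value quoted in
# this thread is 1, i.e. only A: is hidden, which is why the log says "Good: (0), Bad: (1)".
POLICY_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ALL_DRIVE_BITS = (1 << 26) - 1


def hidden_drives(nodrives_value: int) -> List[str]:
    """Decode a NoDrives bitmask into the drive letters it hides from Explorer."""
    if not 0 <= nodrives_value <= ALL_DRIVE_BITS:
        raise ValueError(f"NoDrives value out of range: {nodrives_value:#x}")
    return [f"{letter}:" for bit, letter in enumerate(string.ascii_uppercase)
            if nodrives_value >> bit & 1]


def nodrives_mask(drives: Iterable[str]) -> int:
    """Inverse of hidden_drives: build the bitmask that hides the given drive letters."""
    mask = 0
    for drive in drives:
        letter = drive.strip().rstrip(":").upper()
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {drive!r}")
        mask |= 1 << string.ascii_uppercase.index(letter)
    return mask


# Shape of a Malwarebytes 3.x registry-data detection line, as quoted in this thread:
#   <name>, <key>|<value>, <data>, Good: (<default>), Bad: (<found>),,[<id>]
_MBAM_REG_LINE = re.compile(
    r"^(?P<name>PU[MP]\.[^,]+),\s*(?P<key>[^|,]+)\|(?P<value>[^,]+),\s*(?P<data>\d+),"
    r"\s*Good:\s*\((?P<good>\d+)\),\s*Bad:\s*\((?P<bad>\d+)\)"
)

# Constructed sample: same shape and values as the log line posted above.
SAMPLE_LINE = (
    r"PUM.Optional.NoDrives, HKU\S-1-5-21-61187059-1334297750-2548552277-1000"
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoDrives, 1, "
    r"Good: (0), Bad: (1),,[61b45a1081280c2af6d6a7c9db antics]"
)


def parse_mbam_line(line: str) -> Optional[Dict[str, Union[str, int]]]:
    """Parse one registry-data detection line; None if the line is not one."""
    m = _MBAM_REG_LINE.match(line.strip())
    if m is None:
        return None
    return {
        "name": m["name"], "key": m["key"], "value": m["value"],
        "data": int(m["data"]), "good": int(m["good"]), "bad": int(m["bad"]),
    }


def explain_detection(line: str) -> Optional[str]:
    """Turn a NoDrives detection line into the drives the flagged value actually hides."""
    d = parse_mbam_line(line)
    if d is None or str(d["value"]).lower() != "nodrives":
        return None
    drives = hidden_drives(int(d["bad"]))
    # HKU\<SID> is that user's hive (HKCU for them); the same policy under HKLM is machine-wide.
    hive = "per-user (HKU/HKCU)" if str(d["key"]).upper().startswith("HKU\\") else "machine-wide (HKLM)"
    return f"{d['name']}: {hive} NoDrives={int(d['bad']):#x} hides {', '.join(drives) or 'nothing'}"


def read_live_nodrives() -> Optional[int]:
    """Read the current user's NoDrives value on Windows; None if absent or not on Windows.

    Assumption: this runs as the user whose hive you care about. winreg is a Windows-only
    standard-library module, so on other systems the function just returns None.
    """
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_SUBKEY) as key:
            data, kind = winreg.QueryValueEx(key, "NoDrives")
    except OSError:  # key or value absent: the out-of-the-box state
        return None
    return int(data) if kind == winreg.REG_DWORD else None


if __name__ == "__main__":
    print(explain_detection(SAMPLE_LINE))
    live = read_live_nodrives()
    print("live NoDrives:", "absent (Windows default)" if live is None else hidden_drives(live))
```

A value of 1 hiding only A: is harmless on a machine without a floppy drive, which is consistent with the bait-file explanation; a value that hides C: or the drive your data lives on is the pattern worth treating as hostile, whatever set it.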

Many thanks for the information, Shadowwar. I'm not very computer literate and that's why I was so worried about the PUM. It hasn't recurred since I uninstalled RansomFree, so somehow I do think that this program was the cause of it. Perhaps there was something in the various "Bait Files" it set that prompted the PUM. In any event, I've stopped worrying now, as my laptop seems to be clear of any viruses or malware.

Edited by Autumnwatch


I have this same issue with Malwarebytes wanting to quarantine the Optional.NoDrives registry setting since I installed RansomFree. Cybereason have confirmed that it sets that registry key, so for me it's a false positive.

However, how does one whitelist this in Malwarebytes? (I can't see any option to whitelist a registry entry)


Hi,

In order to exclude it, when the scan is done, uncheck the detection and click "Next".

[Screenshot: Malwarebytes Premium 3.2.2, 2017-09-20]

Then you'll see a new window open where it will ask what to do with this. In your case, you need to select "Ignore Always".

[Screenshot: Malwarebytes Premium 3.2.2, 2017-09-20]


Thanks miekiemoes.  Unfortunately I don't see that view in the Scan tab. In the Scan section I have one page (no tabs at the top) which shows a summary of the scan. There are no individual threats displayed. The only place I can see the individual threats where they are selectable is in the quarantine tab, which doesn't give me the option to whitelist them.

[Screenshot: Malwarebytes Scan tab]

[Screenshot: Malwarebytes Quarantine tab]


Hi,

When the key gets recreated by RansomFree and you run a scan, it will be detected again. That's where you need to add the exclusion.

Alternatively, you can also disable PUM detections from the scan settings: Settings > Protection > Potential Threat Protection > Potentially Unwanted Modifications, set to "Ignore detections".

