
Apache24 httpd.exe flagged as ransom agent. Is this correct or false pos?


tommalia


  • Staff

Hi,

This looks like a false positive indeed, so I suggest you unquarantine it.

Can you also zip and attach the httpd.exe file, so we can have a look? 

Thanks!


Edited to add - this should have been fixed already. Can you verify please, so this is no longer detected?

Edited by miekiemoes

I took the chance and unquarantined it last night. Interesting to note that I have the directory the file is in under version control (Subversion working directory) since I first installed Apache there several years ago, and Subversion is reporting that the httpd.exe file is unchanged from the copy that was originally installed. So, I'm pretty confident that the httpd.exe file didn't get maliciously swapped out or edited in some way since it was downloaded from the Apache website.

I also added the exe to the list of programs to be excluded from scanning last night. However, when I checked this morning, my website was down again and MWB had a report (I'll paste it below) that it found another Malware.Ransom.Agent and it was this httpd.exe program again... interestingly, this time it didn't quarantine the file, but apparently it did, somehow, shut it down because httpd.exe is not running and the server reverted to IIS7 as the listener on port 80. Fortunately my particular business is not that dependent on my website being up 24/7 but it's still pretty frustrating that MWB is messing with such an industry standard program as Apache HTTP.... Also seems odd that when I google the combination, I don't see ANY other posts anywhere about problems with MWB playing nice with Apache. I would have thought more people would have experienced similar problems.

I'm attaching the requested zipped copy of the httpd.exe program for your inspection.


Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/18/17
Protection Event Time: 5:24 PM
Log File: c7ce31c9-9cb7-11e7-9e53-0025903439ed.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.188
Update Package Version: 1.0.2836
License: Trial

-System Information-
OS: Windows Server 2008 R2 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 1
Malware.Ransom.Agent.Generic, D:\ProgramFiles\Apache\Apache24\bin\httpd.exe, Quarantined, [0], [392685],0.0.0


(end)

httpd.zip

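As an added example that is not part of this thread or of Malwarebytes' own tooling: a small Python triage script that parses the "-Ransomware Details-" line from a report in the format quoted above and compares the flagged file's SHA-256 against a baseline hash recorded at install time, which is the same "is the binary still the one I installed?" question the Subversion working copy answered here. The report text, the baseline dictionary and the hash values in the example are constructed.

```python
import hashlib
import re

# Constructed sample in the format of the Malwarebytes report quoted in this thread.
SAMPLE_REPORT = r"""-Ransomware Details-
File: 1
Malware.Ransom.Agent.Generic, D:\ProgramFiles\Apache\Apache24\bin\httpd.exe, Quarantined, [0], [392685],0.0.0
"""

# One detection line: "<name>, <drive:\path>, <action>, ..."
DETECTION_RE = re.compile(
    r"^(?P<name>[\w.]+),\s*(?P<path>[A-Za-z]:\\[^,]+),\s*(?P<action>[^,]+),"
)


def parse_detections(report):
    """Return a list of {'name', 'path', 'action'} dicts found in the report text."""
    detections = []
    for line in report.splitlines():
        match = DETECTION_RE.match(line.strip())
        if match:
            detections.append(match.groupdict())
    return detections


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks; raises FileNotFoundError if absent."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(report, baseline, hash_fn=sha256_of):
    """Compare each flagged file against the baseline hash recorded at install time.

    baseline maps a lower-cased path to its known-good SHA-256 hex digest.
    Status is 'unchanged', 'MODIFIED', 'no baseline' or 'missing' (a file that
    was quarantined is no longer at its original path).
    """
    results = []
    for det in parse_detections(report):
        expected = baseline.get(det["path"].lower())
        if expected is None:
            status = "no baseline"
        else:
            try:
                status = "unchanged" if hash_fn(det["path"]) == expected else "MODIFIED"
            except FileNotFoundError:
                status = "missing"
        results.append({**det, "status": status})
    return results
```

Record the baseline with sha256_of() right after each Apache install or upgrade; a "MODIFIED" result means the binary differs from what you installed and deserves a closer look before it is unquarantined or excluded.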

  • Staff

Hi,

I just checked your file and it was indeed fixed already.

The reason it probably got "killed" (and not deleted) is that this machine probably didn't have an Internet connection, so additional queries on this file couldn't be performed to determine its status. That's why Malwarebytes takes the "better safe than sorry" approach in this case, especially since it has behavior we often see with ransomware and/or similar suspicious behavior - hence why we kill the process then.

Note, with behavior detection, there's always a chance of false positives, and httpd.exe in particular occasionally causes this. So that's why I suggest excluding the D:\ProgramFiles\Apache\Apache24\bin\httpd.exe file from Ransomware detection. Most probably, the next update to Apache *might* trigger this again if it is not excluded.

Hope this helps.


Thank you for your assistance.

Just to make sure I've done this correctly, to exclude httpd.exe from ransomware detection, do I use the "Exclude an Application that Connects to the Internet" option? That's the option I tried last night... though it seems to have killed the process on me anyway.



  • Staff

Hi,

No, you need to exclude it from scanning rather than from the internet.

To add the exclusion, open Malwarebytes > Settings > Exclusions tab

Below, click the button: "Add Exclusion"

Then, select "Exclude a File or Folder" (this should be prechecked already by default)

Click Next

You'll see a field that says: "Specify a File or Folder" - there, click the button "Select Files..." and browse to the file you want to exclude.

For "How to Exclude", select: "Exclude from detection as malware, ransomware or potentially unwanted item" (this is normally also selected by default already)

Then click the OK button below.

