DigiKam removed as Ransomware

[Sargon]

Malwarebytes, I believe falsely, identified Digikam (digiKam-5.5.0-01-Win64.exe install package) as Ransomware. DigiKam was downloaded from https://www.digikam.org/download/ on 10/10/17, installed and seems to be working fine for a whole day of usage without Malwarebytes being alarmed.

In DigiKam, when I began the task of tagging a selected group of 344 JPG files with a single keyword tab, the process got through 10 or 15 files before it appeared to crash. (no trace of program, and no messages). In about 10 seconds, Malwarebytes issued a notification that it had detected Ransomware and had stopped the program, and named DigiKam. Indeed, no attempt to run DigiKam again worked.

No messages about the incident were in Malwarebytes quarantine log.

Has this been noted elsewhere? Where are the logs that show this incident? How can I tell Malwarebytes to no longer do this?

Thanks in advance.

[miekiemoes]

Hi,

It looks like it only killed the active process based upon suspicious activity (since the action you are describing - tagging JPG file - which is tampering with it, what Ransomware also does).
In your case, it seems it hasn't deleted the program/file (otherwise it would show in your unquarantine).

This happens in some cases when there's a problem with connecting to the internet during the scan, as it can't finish additional checks on the file to make a final verdict.
So that's where malwarebytes makes the "better safe than sorry" decision and kills the process, just in case it's ransomware indeed.

What you can do in this case is, create an exclusion in Malwarebytes for this file.

* To add the exclusion, open Malwarebytes > Settings > Exclusions tab
* Below, click the button: "Add Exclusion"
* Then, select "Exclude a File or Folder" (this should be prechecked already by default)
* Click Next
* You'll see a field that says: "Specify a File or Folder" - there, click the button "Select Files..." and browse to the file you want to exclude.
* For "How to Exclude", select: "Exclude from detection as malware, ransomware or potentially unwanted item" (this is normally also selected by default already)
*Then click the OK button below.

Mind to zip and attach the MBAMService.LOG file as well, this so I can have a look what exactly happened in your case.

You can find the log here: C:\ProgramData\Malwarebytes\MBAMService\LOGS

Thanks!

[Sargon]

Miekiemoes,

Thanks for the quick reply.

The attempt to exclude the file (digikam.exe) from further detection in Malwarebytes,resulted ina windows file permission error: "You don't have permission to open this file.", when trying to select that file in the Malwarebytes/Exclusions/File or Folder dialog box.  This same error was encountered by me after Malwarebytes removed DigiKam.  I could attempt a reinstall (perhaps upgrading from the 5.5 version of DigiKam to 5.6 or 5.7, but am unsure if I would encounter the same permission issue on the identical .exe file name installed in the same folder. (C:\Program Files\digiKam)

The zip file of logs you requested is attached.  Some entries copied here for reference.

Thanks

-----snippets from mbamservice.txt ------
 

Spoiler

10/10/17    " 18:30:42.276"    149347385    05e4    0cf4    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    1056    "Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files\digiKam\digikam.exe, Sha256Hash=91687d294705a92a9d234a49c1f3942b01e3eb04dfba37ace4f70f567c681340"
10/10/17    " 18:30:42.982"    149348103    05e4    0cf4    ERROR    HttpConnection    mb::common::net::HttpConnection::SendRequest    "HttpConnection.cpp"    297    "HTTP request failed, status code: 502"
10/10/17    " 18:30:42.982"    149348103    05e4    0cf4    ERROR    CleanControllerImpl    mb::cleanctlrimpl::whitelist::HubbleWhiteLister::AreFilesWhiteListed    "HubbleWhiteLister.cpp"    398    "Error code 502 returned in PUT to Hubble"
10/10/17    " 18:30:42.984"    149348103    05e4    0cf4    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus    "WhiteListManager.cpp"    248    "White list status (not cached): File 'C:\Program Files\digiKam\digikam.exe'   => Hubble:Error"
10/10/17    " 18:30:43.011"    149348118    05e4    0cf4    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    1081    "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files\digiKam\digikam.exe, id=0x0"
10/10/17    " 18:30:45.387"    149350505    05e4    0b68    WARNING        ArwSDK    ""    0    "{Thread: 0x00000CF8, Tick: 0x08E6E869} [KillThread] The thread {PID:6368; TID: 6360} is already stopped."
10/10/17    " 18:32:45.065"    149470173    05e4    0d68    INFO    ArwController    CArwController::TelemetryDataCallback    "ArwController.cpp"    1060    "Successfully sent the ransomware data to telemetry server."
10/10/17    " 18:32:47.467"    149472576    05e4    0d68    WARNING    7zWrapper    mb::common::sevenzip::SevenZipWrapper::CreateZipArchive    "7zWrapper.cpp"    1177    "Could not open file: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ARW\mbarwind.arw. Trying to make a copy of it..."
10/10/17    " 18:32:47.514"    149472623    05e4    0d68    WARNING    7zWrapper    mb::common::sevenzip::SevenZipWrapper::CreateZipArchive    "7zWrapper.cpp"    1177    "Could not open file: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\logs\MBAMSERVICE.log. Trying to make a copy of it..."
10/10/17    " 18:32:48.356"    149473465    05e4    0d68    INFO    ArwController    CArwController::SendThreatFileToServerCallback    "ArwController.cpp"    963    "Successfully sent the detected file and info to server."
10/10/17    " 18:43:12.748"    150097859    05e4    117c    INFO    AEControllerImpl    mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification    "AEControllerImplHelper.cpp"    2129    "App Injected (Mozilla Firefox (and add-ons))"
10/10/17    " 18:43:13.789"    150098904    05e4    1ed4    INFO    AEControllerImpl    mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification    "AEControllerImplHelper.cpp"    2129    "App Injected (Mozilla Firefox (and add-ons))"
10/10/17    " 18:55:01.551"    150806665    05e4    117c    INFO    AEControllerImpl    mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification    "AEControllerImplHelper.cpp"    2129    "App Injected (Mozilla Firefox (and add-ons))"

 

 

mbupdatr.zip

Edited October 11, 2017 by miekiemoes
edited to reduce font size and use a spoiler for the log contents

[miekiemoes]

Hi,

You might need a reboot first before adding this exclusion, as this file is currently still in a locked state (because of malwarebytes locking it).

It seems like you indeed had an internet connection error during the further analysis of the file. In either way, in a meanwhile, I already whitelisted this one as well.

[Sargon]

Miekiemoes,

Again, thanks for great support.

A reboot fixed the permission error, and the prescribed solution for establishing an exclusion also worked.

The program is functioning again.

The matter is resolved.

Thanks,

Sargon

[miekiemoes]

Glad to hear and glad I could help

[civilgeek]

In mid-March and again April 26, 2019 Malware bytes flagged my DigiKam 6.1.0 as ransomware. It quarantined both the exe file and the desktop shortcut with no warning and no messages afterward. One of the DigiKam team suggested that an antivirus might be behaving this way. Today I looked in the quarantine list and noted that Malwarebytes had indeed quarantined the program file. This seems strange to me because DigiKam has been available for many years, and I've used it for many years.

I suspect that the Malwarebytes flag may be partially responsible for DigiKam behavior that prevents me from tagging images, marking pick data or marking color labels.  The files show no signs of having accepted the changes in status; new tags specifically are not accepted in the DigiKam environment.

I did add exclusions for both the DigiKam folder and the exe file, rebooted and tried again to no avail.

Wierd!

[civilgeek]

I have also added the other exe files in the DigiKam program folder. Must I also add all the various dll files that are in use?

I very much wish to use this program. Someone suggested that software developers may have to pay to be white-listed. DigiKam is open-source through KDE, and their developers have said they would never have the money to pay for this. I wonder if this is so.

MalwareBytes flag DigiKam as ransomware.txt

[miekiemoes]

Hi,

Can you zip and attach this exact digikam.exe file?

And no, developers don't have to pay to be white-listed  

[civilgeek]

Here is a zip file with only the digikam.exe file.

You can find the downloads at https://www.digikam.org/download/

I hope you can help me unravel this distraction from other enjoyable and productive tasks.

digikam.zip

[miekiemoes]

Hi, 

The above is whitelisted already.

 

 

[civilgeek]

I wonder if the stand alone photo editor showfoto.exe  is similarly whitelisted. I am including a zip of the exe file.

showfoto.zip

[miekiemoes]

Hi,

I can't reproduce detection on above file. Did it trigger a detection for you?

[civilgeek]

No. I have not had a problem. Because showfoto is a sister to DigiKam, which gave me problems earlier this year, I thought it worthwhile to ask about it.