
Seriously, you quarantined c:\php\php-cgi.exe?


kahml


I have a copy of my web site on my computer for local development before I port it to production.

I had an update to make and could not get the local version launched - Error 500, FastCGI PHP component.

Did the usual search through Google and couldn't seem to find out what was going on.

So I looked in the PHP folder to see about the details on the file php-cgi.exe.  It wasn't there?!?

I unzipped from the original and everything started working.

Later in the evening, I saw an alert from Malwarebytes that it was protecting me - and sure enough, it had quarantined the file.

The dashboard shows this as Malware.Ransom.Agent.Generic and I am flabbergasted (but I also saw the original quarantine from several weeks ago).

Not intuitive was the way to restore this; and unfortunately, I have no way of knowing if this is now "whitelisted" as a result - or if I have to manually exclude it.


@kahml that detection looks like a shuriken FP. If it was marked as delete on reboot, that reboot needs to take place in order to restore. Pieces of the detection are saved in a sandbox, then the original is deleted during the reboot; the restore function will rebuild it from the sandbox once the machine is back up. The FP should be fixed, but it would still be a good idea to manually exclude such a critical process for your web server.

Edited by djacobson
grammar

OK, I guess.

First:  I have no idea what "shuriken FP" means.  Could you please translate it into something more generic but meaningful?

Second:  Where, in the web console, would I find whether this had been "marked as delete on reboot"?

Third:  How would I know that Malwarebytes Endpoint Protection was going to take action on this exe file when Malwarebytes for Business didn't bother with it, nor did Webroot, nor did SentinelOne in order to exclude it?

Fourth:  Unanswered is the question:  if I restore from quarantine, does that automatically whitelist the file, or must a manual exclusion be created?

Thanks!


My apologies, shuriken is our signature-less, machine learning based detection engine. You will come to know you are seeing detections like this when there is the suffix "generic" in the detection.

Whether an item is only quarantined or quarantined and marked for delete on reboot is not something you can choose; rather, that is decided by our Malware Research team directly and written into how the program handles the detected threats.

Restoring an item does not white-list it. White-listing can be done by our research team if a false positive is opened with them through us in support or directly on the FP section of this forum - https://forums.malwarebytes.com/forum/122-false-positives/

The item can also be placed into your exclusion area of the product to manually white-list it on your end.

Edited by djacobson
