
Flagging "launch_leds.exe" as ransomware


TonyCummins


Tony, please submit the exe in question to the link below for false-positive analysis.

Please upload it, referencing case #00000000, to our file site below:

https://www.malwarebytes.com/support/business/businessfileupload/

Additionally, we can exclude this in the meantime by adding the following to the wildcard exclusions:

C:\Program Files (x86)\Zuercher Suite\*

Please let me know if the issues persist with this in place.

 

Many Thanks



Thanks KDawg, file zipped and sent, and exclusion added.


  • 2 months later...
12 hours ago, djacobson said:

@TonyCummins is this still happening to you?

Hi djacobson,

Actually, I still had the exclusion in place and never removed it. That said, last week we had a software update which changed the launch_leds.exe file. It renamed the old launcher folder as .old, created a new launcher folder and placed the new exe in there. One of my main dispatch machines picked it up, flagged it as ransomware and deleted it. I had a hell of a time troubleshooting it and getting it reinstalled and back up and running. I re-added the exclusion and it seems to be holding and not getting flagged for now.



Thanks Tony, I've seen this sometimes when the agent loses connection to the cloud and is unable to finish setting exclusions after starting, allowing a few of the ignored items to get caught. The effect is temporary, but the issue is being tracked and we're going to get it fixed in a later update.


  • 2 weeks later...

I'm having some other issues related to leds. My end users are reporting the software becoming unresponsive, slow, or locking up, needing a full computer restart to get out from under it. I'm seeing the following events at or around the time the software is having issues:

 

2018-04-22 23:11:29,719-06:00 [33] ERROR MB3Service Error applying ScanExclusionType_Folder:I: to ARW controller
System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
   at ArwControllerCOMLib.IArwController.AddExclusion(_ArwExclusionType type, String pData)
   at EAMBAMPlugin.MB3Service.<>c__DisplayClass30_0.<ApplyExclusions>b__1()

2018-04-22 23:11:29,719-06:00 [33] ERROR MB3Service Error applying ScanExclusionType_File:C:\Program Files (x86)\Zuercher Suite\production\launcher\launch_leds.exe to ARW controller
System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
   at ArwControllerCOMLib.IArwController.AddExclusion(_ArwExclusionType type, String pData)
   at EAMBAMPlugin.MB3Service.<>c__DisplayClass30_0.<ApplyExclusions>b__1()


2018-04-22 23:11:29,703-06:00 [33] ERROR MB3Service Error clearing ARW exclusions
System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
   at ArwControllerCOMLib.IArwController.ClearExclusions()
   at EAMBAMPlugin.MB3Service.<>c__DisplayClass30_0.<ApplyExclusions>b__1()

2018-04-22 23:11:29,236-06:00 [23] ERROR MBAMPlugin Unable to apply setting for "L1WPM": System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
   at AEControllerCOMLib.IAEController.SetAeOption(_AeOptionName optionName, Int32 option)
   at EAMBAMPlugin.MBAMPlugin.ProcessAdvancedAntiExploitTechniques()



 

**Update**
So, I finally got hold of support and he noticed that the exclusions I had in place from the previous support tech were incorrect.

These were the errors he picked up from his end:

2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:C:\Program Files (x86)\Zuercher Suite\* was not added to Scan controller because it was not valid for the type
2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:C:\Program Files (x86)\Zuercher Suite\* was not added to RTP controller because it was not valid for the type
2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:C:\Program Files (x86)\Zuercher Suite\* was not added to ARW because it was not valid for the type
2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:I:\* was not added to Scan controller because it was not valid for the type
2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:I:\* was not added to RTP controller because it was not valid for the type
2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:I:\* was not added to ARW because it was not valid for the type



In order to have the correct exclusion in place I needed to remove the “Folder by Path” entry, change it to “Exclude files or folders by wildcards (Windows)” and use the following: C:\Program Files (x86)\Zuercher Suite\*

Hopefully this will bring an end to my issues.


Great catch by that agent. The folder-by-path function can be used for that path if you leave the wildcard off the end. Ignoring a folder by path already implies everything within that folder, making the wildcard unneeded. Save the wildcard usage for items in the middle of the path string. MBMC needed the * at the end of a path, so I know it is a hard habit to break :)



So all I need to do now is figure out what's going on with these events:

 

2018-05-01 12:58:59,720-06:00 [27] ERROR MB3Service Error clearing ARW exclusions
System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
   at ArwControllerCOMLib.IArwController.ClearExclusions()
   at EAMBAMPlugin.MB3Service.<>c__DisplayClass30_0.<ApplyExclusions>b__1()

 

2018-05-01 12:58:59,637-06:00 [22] ERROR MBAMPlugin Unable to apply setting for "L1WPM": System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
   at AEControllerCOMLib.IAEController.SetAeOption(_AeOptionName optionName, Int32 option)
   at EAMBAMPlugin.MBAMPlugin.ProcessAdvancedAntiExploitTechniques()
 


I asked because you will see that first one often on servers, since ARW is disabled for servers. You will also see it on other machines where ARW cannot apply an exclusion for a path that doesn't exist on that particular machine; this is normal and a non-critical failure.

The MBAE portion looks unable to apply one of its techniques; hard to say which one with just this log excerpt. The mbamservice log may help identify the particular technique that is not loading, which could be a failure, or it could be a technique that is not supported on this machine and is being automatically disabled. I would bring this up with the agent you have working on your exclusion ticket.



Did as you suggested with the support agent and this is what I got back:

Quote

The error regarding MBAE is ok; it just fails to start some protection layer, then starts again later and enables the protection layer (I have the same error on my side and my agent is working fine).

For the other error I am waiting for feedback from the dev, as I don't know what to think of them.

I will keep you updated

 


  • 3 weeks later...

Just as an update, I just received this from tech support on my open case, 19 days later:

 

Quote

You asked about the log errors "ERROR MBAMPlugin Unable to apply setting for "L1WPM". They happen because the MBAMPlugin tries to apply the settings before Anti-Exploit service is started. I checked the logs and all these happen right after restarting the endpoint. Anti-Exploit logs show that the Anti-Exploit is loaded properly right after these errors.

Here are a couple of examples:

2018-05-01 09:17:26,213-06:00 [6 ] INFO  BoomerangHandler Nebula Event name:event.machine.shutdown

2018-05-01 09:18:42,885-06:00 [25] ERROR MBAMPlugin Unable to apply setting for "L1WPM": System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.

mbamservice-ApiNA(113) - 2018/05/01 - 09:19:10 - #3# - MbaeInitialize: 1.11.4.94 - OS: Windows 7 Service Pack 1 - English - x64 -

mbamservice-ProtectionNA(293) - 2018/05/01 - 09:19:20 - #3# - Malwarebytes Anti-Exploit Driver is running -     

And the second one:

2018-05-01 09:28:15,407-06:00 [31] INFO  BoomerangHandler Nebula Event name:event.machine.shutdown

2018-05-01 09:29:32,464-06:00 [23] ERROR MBAMPlugin Unable to apply setting for "L1WPM": System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.

mbamservice-ApiNA(113) - 2018/05/01 - 09:30:00 - #3# - MbaeInitialize: 1.11.4.94 - OS: Windows 7 Service Pack 1 - English - x64 -

mbamservice-ProtectionNA(293) - 2018/05/01 - 09:30:00 - #3# - Malwarebytes Anti-Exploit Driver is running -

I hope I was able to answer your question.

 

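Support's explanation above (the L1WPM error is a startup race that clears once the Anti-Exploit driver loads) can be checked mechanically instead of by eye. The following is an added example, not Malwarebytes code or anything posted by the thread's participants: it parses the two log formats quoted above and labels an L1WPM error a startup race only when a "Driver is running" line follows it within a window; the two-minute window and the assumption that both logs share one local clock are mine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, assembled from the MB3Service and mbamservice excerpts quoted in this
# thread. The 12:58:59 error has no matching "Driver is running" line, so it must not be
# written off as the startup race described by support.
MB3_LOG = """
2018-05-01 09:17:26,213-06:00 [6 ] INFO  BoomerangHandler Nebula Event name:event.machine.shutdown
2018-05-01 09:18:42,885-06:00 [25] ERROR MBAMPlugin Unable to apply setting for "L1WPM": System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
2018-05-01 12:58:59,637-06:00 [22] ERROR MBAMPlugin Unable to apply setting for "L1WPM": System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
"""
MBAE_LOG = """
mbamservice-ApiNA(113) - 2018/05/01 - 09:19:10 - #3# - MbaeInitialize: 1.11.4.94 - OS: Windows 7 Service Pack 1 - English - x64 -
mbamservice-ProtectionNA(293) - 2018/05/01 - 09:19:20 - #3# - Malwarebytes Anti-Exploit Driver is running -
"""

# MB3Service: "2018-05-01 09:18:42,885-06:00 [25] ERROR <message>"
MB3_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3}[-+]\d\d:\d\d \[\s*\d+\s*\] (\w+)\s+(.*)$")
# mbamservice: "mbamservice-ProtectionNA(293) - 2018/05/01 - 09:19:20 - #3# - <message>"
MBAE_LINE = re.compile(r"^mbamservice-\S+ - (\d{4}/\d\d/\d\d) - (\d\d:\d\d:\d\d) - #\d+# - (.*)$")

def l1wpm_errors(mb3_text):
    """Timestamps of every 'Unable to apply setting for "L1WPM"' ERROR in the MB3Service log."""
    found = []
    for line in mb3_text.splitlines():
        m = MB3_LINE.match(line)
        if m and m.group(2) == "ERROR" and 'Unable to apply setting for "L1WPM"' in m.group(3):
            found.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return found

def driver_running_times(mbae_text):
    """Timestamps at which mbamservice reported the Anti-Exploit driver running."""
    found = []
    for line in mbae_text.splitlines():
        m = MBAE_LINE.match(line)
        if m and "Anti-Exploit Driver is running" in m.group(3):
            found.append(datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y/%m/%d %H:%M:%S"))
    return found

def classify_l1wpm(mb3_text, mbae_text, window=timedelta(minutes=2)):
    """Label each L1WPM error 'startup-race' if the driver came up within `window` after it,
    otherwise 'investigate'. Assumes both logs use the same local clock (no offset in mbamservice)."""
    running = driver_running_times(mbae_text)
    verdicts = {}
    for err in l1wpm_errors(mb3_text):
        recovered = any(err <= t <= err + window for t in running)
        verdicts[err.strftime("%Y-%m-%d %H:%M:%S")] = "startup-race" if recovered else "investigate"
    return verdicts
```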

  • 4 months later...

@djacobson @KDawg This got caught again on one of my end users and disabled the software.
This software is a CAD / Dispatch in-car software that my deputies use to run NCIC queries; to have my deputy out in the field and be without the in-car software is unacceptable!!

As you can see from screen shot, the manual exclusions are still in my exclusion list.

In order to fix his issue I had to have him drive back to our facility and drive in from home myself. Remove the policy from the endpoint to stop it flagging the repair / install, uninstall the corrupted software and re-download and install. I left the endpoint without protection overnight as I didn't want a repeat of it getting flagged and quarantined again.

This is unacceptable behavior of the endpoint protection when I have manual exclusion rules in place AND support assured me the cloud exclusions are in place and correct.



Tony,

I want to apologize again for this situation, I can see how seriously it is affecting you.

We would need logs from the problem endpoint before uninstalling to determine how this may have happened.

With the exclusion in place and once again re-activated we should not be getting the block; perhaps this machine did not receive the update once you re-enabled the exclusion. Logs would help us determine for sure.

https://support.malwarebytes.com/docs/DOC-1818

Many Thanks

 



I will try to get logs from the offending machine when he comes back on shift.

The exclusion was not re-activated; as you can see, it's been in place (the manual one) since May 1st, when support showed me how to correctly add it for the entire Zuercher folder.


1 minute ago, djacobson said:

I forgot if we had to use any wildcards on your setup Tony, but a reminder that wildcard use will render the exclusion unusable to ARW, aka Behavior Protection.

[Image: ignore list matrix]

 

No, I was not aware of that! I was instructed to use wildcards by tech support in a ticket I created back in May. You'd think they would have known...
So remove the wildcard exclusion and exclude by file path?

C:\Program Files (x86)\Zuercher Suite\production\launcher\launch_leds.exe

Also, the deputy that was having the exclusions ignored is off shift... probably because they were excluded by wildcards? So I still haven't been able to grab those log files.

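The two exclusion pitfalls in this thread (a Folder-by-Path entry with a trailing \* is rejected by every controller, per Tony's update, and wildcard entries are not honoured by ARW, per djacobson's reminder) can be caught from the MB3Service log before a detection takes a machine down. This is an added example, not code from Malwarebytes or from anyone in this thread; the sample lines are copied from the excerpts above, and the function and verdict names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: MB3Service lines copied from the excerpts posted in this thread.
SAMPLE_LOG = r"""
2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:C:\Program Files (x86)\Zuercher Suite\* was not added to Scan controller because it was not valid for the type
2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:C:\Program Files (x86)\Zuercher Suite\* was not added to RTP controller because it was not valid for the type
2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:C:\Program Files (x86)\Zuercher Suite\* was not added to ARW because it was not valid for the type
2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:I:\* was not added to Scan controller because it was not valid for the type
2018-04-22 23:11:29,719-06:00 [33] ERROR MB3Service Error applying ScanExclusionType_File:C:\Program Files (x86)\Zuercher Suite\production\launcher\launch_leds.exe to ARW controller
"""

NOT_ADDED = re.compile(
    r"MB3Service Exclusion (?P<type>ScanExclusionType_\w+):(?P<path>.+?) was not added to "
    r"(?P<controller>\w+)(?: controller)? because it was not valid for the type")
APPLY_ERR = re.compile(
    r"MB3Service Error applying (?P<type>ScanExclusionType_\w+):(?P<path>.+?) to (?P<controller>\w+) controller")

def parse_exclusion_failures(text):
    """Return {(exclusion_type, path): {controller: reason}} for every rejected exclusion."""
    failures = defaultdict(dict)
    for line in text.splitlines():
        m = NOT_ADDED.search(line)
        if m:
            failures[(m["type"], m["path"])][m["controller"]] = "invalid-for-type"
            continue
        m = APPLY_ERR.search(line)
        if m:
            failures[(m["type"], m["path"])][m["controller"]] = "apply-error"
    return dict(failures)

def lint_exclusion(exclusion_type, path):
    """Flag the two misconfigurations this thread ran into; None means the entry looks fine."""
    if exclusion_type == "ScanExclusionType_Folder" and path.endswith("*"):
        # Folder-by-path already covers everything inside the folder; a trailing
        # wildcard makes the entry invalid for that type (the INFO lines in SAMPLE_LOG).
        return "folder-by-path entry must not end in a wildcard"
    if "*" in path:
        # Wildcard entries are not honoured by ARW (Behavior Protection).
        return "wildcard entry is ignored by ARW, so it will not prevent ransomware-style blocks"
    return None

def report(text):
    """Combine both checks: which entries were rejected, by which controllers, and what to fix."""
    return {f"{t}:{p}": {"controllers": sorted(c), "lint": lint_exclusion(t, p)}
            for (t, p), c in parse_exclusion_failures(text).items()}
```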
