jpSimkins

Ampps PHP is Malware.Ransom.Agent.Generic (It's not.... but it got deleted)

I have been using this dev environment for years. The only change (a month ago) was to ioncube to allow for the latest version.

Not sure why, but today, I see that this was stated as ransomware. I really don't believe this is the case. I have noticed a lot of false positives with the app across many devices so this leads me to question every report this gives now. I'm pretty sure this is a false positive so I am posting this here to hope this helps fix more false positives in the future.

I do want to make note, the only thing I did lately was install Oculus rift on my computer. Not sure if that could cause any issues here...

Thanks

report.txt

LOGS.zip

php.zip

Edited by jpSimkins

Hi,

Thanks for reporting this. This was a false positive and has been fixed already. It was triggered by our Generic behavior detection for ransomware.

Hi,

Is there any possibility that there was no internet connection when it detected it again? This is because our Antiransomware component also makes use of additional checks in the cloud to make the final verdict. In that case, the file doesn't get deleted; it will only give an alert and kill the running process - this is a safety measure, just in case it's a valid detection.

Can you post your latest mbamservice.log again, so I can see what happened here?

Additionally, I also suggest you whitelist this file from your end as well, just to make sure.

To add the exclusion, open Malwarebytes > Settings > Exclusions tab

Below, click the button: "Add Exclusion"

Then, select "Exclude a File or Folder" (this should be prechecked already by default)

Click Next

You'll see a field that says: "Specify a File or Folder" - there, click the button "Select Files..." and browse to the file you want to exclude.

For "How to Exclude", select: "Exclude from detection as malware, ransomware or potentially unwanted item" (this is normally also selected by default already)

Then click the OK button below.

Edited by miekiemoes

I have run mb-clean-3.1.0.1031.exe and did a fresh install. After about 15 mins I got the same error. I have attached the log for that.

I know how to exclude the issue, I would rather just have it work properly.

Thanks

MBAMSERVICE.LOG

Hi,

It does seem that you were having a network error here - as I expected:

02/08/18	" 00:28:59.775"	3649580	169c	2438	INFO	AntiRansomwareControllerImpl	mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback	"ArwControllerImplHelper.cpp"	1073	"Received threat detection callback from ARW SDK, ObjectPath=C:\Ampps\php-5.3\php.exe, Sha256Hash=5c2d2349fea9eaf08a96d66b03f1b16106f1dec0daa1ba2a828d0de432e25981"
02/08/18	" 00:28:59.778"	3649580	169c	2438	WARNING	HttpConnection	mb::common::net::HttpConnection::SendRequest	"HttpConnection.cpp"	390	"Network error."

So it can't process any additional checks to determine its final verdict. In that case, Malwarebytes only kills the running process, just to be safe. It doesn't delete the file.

Anything interfering with your internet connection?

It might be best to add this one to exclusions anyway. 
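As an added example (not Malwarebytes code and not something posted in this thread), the following Python parses the two mbamservice.log lines quoted above and flags each ARW detection callback that was followed by a cloud-lookup "Network error.", i.e. the case described above where the process is killed but the file is kept. The tab-separated column layout is inferred from the quoted lines, the meaning of the three numeric columns after the timestamp is an assumption, and the third log entry (path and placeholder hash) is constructed.

```python
import csv
import re
from datetime import datetime, timedelta
from io import StringIO

# Two real lines quoted in the thread plus one constructed detection entry (constructed path,
# placeholder hash) that is not followed by a network error.
SAMPLE_LOG = (
    '02/08/18\t" 00:28:59.775"\t3649580\t169c\t2438\tINFO\tAntiRansomwareControllerImpl'
    '\tmb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback'
    '\t"ArwControllerImplHelper.cpp"\t1073\t"Received threat detection callback from ARW SDK, '
    'ObjectPath=C:\\Ampps\\php-5.3\\php.exe, Sha256Hash=5c2d2349fea9eaf08a96d66b03f1b16106f1dec0daa1ba2a828d0de432e25981"\n'
    '02/08/18\t" 00:28:59.778"\t3649580\t169c\t2438\tWARNING\tHttpConnection'
    '\tmb::common::net::HttpConnection::SendRequest\t"HttpConnection.cpp"\t390\t"Network error."\n'
    '02/08/18\t" 00:31:10.000"\t3649580\t169c\t2438\tINFO\tAntiRansomwareControllerImpl'
    '\tmb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback'
    '\t"ArwControllerImplHelper.cpp"\t1073\t"Received threat detection callback from ARW SDK, '
    'ObjectPath=C:\\constructed\\example.exe, Sha256Hash=CONSTRUCTED_PLACEHOLDER_HASH"\n'
)

# Column layout inferred from the quoted lines; the three numeric columns' meaning is an assumption.
FIELDS = ("date", "time", "proc", "thread", "seq", "level", "component",
          "function", "source_file", "source_line", "message")

def parse_log(text):
    """Parse tab-separated, double-quoted mbamservice.log lines into dicts with a datetime."""
    entries = []
    for row in csv.reader(StringIO(text), delimiter="\t"):
        if len(row) != len(FIELDS):
            continue  # skip blank or malformed lines
        entry = dict(zip(FIELDS, row))
        entry["ts"] = datetime.strptime(
            f'{entry["date"]} {entry["time"].strip()}', "%m/%d/%y %H:%M:%S.%f")
        entries.append(entry)
    return entries

def detection_outcomes(entries, window=timedelta(seconds=5)):
    """Flag each ARW detection callback whose cloud lookup hit 'Network error.' within the window.
    Per the thread, such detections kill the process but keep the file (no cloud verdict)."""
    results = []
    for i, e in enumerate(entries):
        if e["component"] != "AntiRansomwareControllerImpl" or \
                not e["message"].startswith("Received threat detection callback"):
            continue
        path = re.search(r"ObjectPath=(.*?), Sha256Hash=", e["message"]).group(1)
        sha = re.search(r"Sha256Hash=(\S+)", e["message"]).group(1)
        net_err = any(f["component"] == "HttpConnection" and f["message"] == "Network error."
                      and e["ts"] <= f["ts"] <= e["ts"] + window for f in entries[i + 1:])
        results.append({"path": path, "sha256": sha, "offline_verdict": net_err})
    return results
```

Running `detection_outcomes(parse_log(SAMPLE_LOG))` marks the php.exe detection as `offline_verdict: True` and the constructed one as `False`, which is the distinction to look for when deciding whether a repeat alert was a real re-detection or a missing cloud check.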
