chuckdee, posted March 7, 2018 (ID:1222073):
I was installing some things in msys2 and hadn't thought to exclude my dev tools directory. MB incorrectly identified Pacman.exe as ransomware, and removed all rights from the file. I have added an exclusion, but is there a way to reverse the actions of MB, i.e. make pacman accessible? Deleting it wouldn't have been worse than this. And is there a log of the anti-ransomware's actions? It took me a while to figure out exactly what it had done, as the alert was not logged. I've received alerts before on things that were not ransomware, and now I'm worried about what it did in the past, as I was never able to find this information even then. It tells me real-time detections 350, and that includes websites it blocks, but without a log of those actions, that number is pretty worthless.
Version information: Malwarebytes 3.3.1.283, Component Package 1.0.262, Update Package 1.0.4232
shadowwar (Staff), posted March 7, 2018 (ID:1222085):
Please see this post. This pacman is a linux file, correct? https://forums.malwarebytes.com/topic/217691-another-false-positive-on-linux-on-windows-subsystem/?do=findComment&comment=1220082
chuckdee (Author), posted March 7, 2018 (ID:1222088):
msys2 is not the same as the Windows Subsystem for Linux. It does some of the same things, but there have been other options that were in place before Microsoft implemented WSL, i.e. Cygwin and msys2. I think that pacman.exe is a rewrite of pacman, and therefore not a linux file.
shadowwar (Staff), posted March 7, 2018 (ID:1222089):
Ok, can you please zip and attach the file here? And/or a virustotal.com scan link? Thanks.
chuckdee (Author), posted March 7, 2018 (ID:1222091):
Just now, shadowwar said: "Ok, can you please zip and attach the file here? And/or a virustotal.com scan link? Thanks."
And I'm just trying to regain access to it, and see logs of what was done in addition. I've excluded the folder from ransomware detection at this point, so the detection of it shouldn't be an issue. The issue is malwarebytes' actions and trying to reverse them without losing work. Pacman has been altered as far as permissions, so I can't do anything with it, even delete it. This is the problem that I'm trying to solve so I have options.
shadowwar (Staff), posted March 7, 2018 (ID:1222093) (edited):
If you reboot it should be released. Worst case, after the reboot you will have to restore it from mbam quarantine.
Edited March 7, 2018 by shadowwar
chuckdee (Author), posted March 7, 2018 (ID:1222095):
It's not in MBAM quarantine. Are you saying that if I reboot it should be quarantined?
shadowwar (Staff), posted March 7, 2018 (ID:1222097):
Actually, one of our mbarw devs said if you disable anti-ransomware protection in mbam the perms should be restored.
chuckdee (Author), posted March 7, 2018 (ID:1222099):
Excellent! Then I can restore anti-ransomware after I get access? One of my servers got hit with ransomware, so that's pretty much the only reason I keep it running (though that was an exploit in RDP rather than user error).
shadowwar (Staff), posted March 7, 2018 (ID:1222103):
Yes, you can re-enable it after you gain access. Also, I may have whitelisted this already. You may have a stale cache file. I can verify it once I have the file info. You can try this to force an update on the cache:
Totally shut down Malwarebytes. Go here in Explorer: C:\ProgramData\Malwarebytes\MBAMService and delete the following file only: hubblecache (it has no extension). Then you can restart mbam and the cache file will rebuild on the next scan. You only have to do this on repeated detections if we told you we have fixed it already.
chuckdee (Author), posted March 7, 2018 (ID:1222108):
Thanks! That worked, and saved me a lot of work! One last thing... is there anywhere to see logs of what anti-ransomware does on a block? It doesn't show up in the protection logs.
shadowwar (Staff), posted March 7, 2018 (ID:1222109):
I think it is here: C:\ProgramData\Malwarebytes\MBAMService\ArwDetections
Otherwise it's in the mbamservice.log located in C:\ProgramData\Malwarebytes\MBAMService\LOGS
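An added PowerShell audit script, not from the thread or from Malwarebytes, that checks the three things discussed above for one file: whether the file's ACL carries explicit Deny entries (which is what "removed all rights, can't even delete it" looks like), what sits under ArwDetections, and which mbamservice.log lines mention the file. The two ProgramData paths are the ones quoted in the thread; the pacman.exe path is a constructed sample and the log's line format is assumed to be plain text.

```powershell
# Added audit example (not the thread's or Malwarebytes' own code). The ProgramData paths
# are quoted from the thread; the target path is a constructed sample, and the log is
# assumed to be searchable plain text.
param(
    [string]$Target = 'C:\msys64\usr\bin\pacman.exe'   # constructed sample path
)
$base = 'C:\ProgramData\Malwarebytes\MBAMService'

# 1. Show the file's non-inherited ACEs and flag explicit Deny entries. A Deny ACE for
#    Everyone overrides Allow entries, so even the owner cannot read, run or delete it.
if (Test-Path -LiteralPath $Target) {
    $acl = Get-Acl -LiteralPath $Target
    "Owner: $($acl.Owner)"
    $acl.Access | Where-Object { -not $_.IsInherited } |
        Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
    $denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    if ($denies) { Write-Warning "Explicit Deny ACEs present on $Target" }
} else {
    Write-Warning "$Target not found (moved or quarantined?)"
}

# 2. List whatever the Anti-Ransomware component wrote under ArwDetections, newest first.
$arw = Join-Path $base 'ArwDetections'
if (Test-Path -LiteralPath $arw) {
    Get-ChildItem -LiteralPath $arw -Recurse -File |
        Sort-Object LastWriteTime -Descending |
        Select-Object LastWriteTime, FullName | Format-Table -AutoSize
} else {
    "No ArwDetections folder under $base"
}

# 3. Pull the most recent service-log lines that mention the file name.
$name = [IO.Path]::GetFileName($Target)
$log  = Join-Path $base 'LOGS\mbamservice.log'
if (Test-Path -LiteralPath $log) {
    Select-String -LiteralPath $log -Pattern ([regex]::Escape($name)) |
        Select-Object -Last 20 | ForEach-Object { $_.Line }
} else {
    "No mbamservice.log at $log"
}
```

Run it from an elevated prompt, since the ProgramData folder and a file with stripped rights may not be readable by a standard user.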
shadowwar (Staff), posted March 7, 2018 (ID:1222110):
That worked as in it's no longer detected?
chuckdee (Author), posted March 7, 2018 (ID:1222111) (edited):
Thanks again for all of your help!
UPDATE: No... that worked in that it restored access. I did what I should have done before in regards to adding to the exclusions, so it wouldn't be detected now.
Edited March 7, 2018 by chuckdee
shadowwar (Staff), posted March 7, 2018 (ID:1222112):
No problem. You made it very easy to help you. Sorry about the fp.