
msys2 and Pacman (False Positive)


chuckdee

I was installing some things in msys2 and hadn't thought to exclude my dev tools directory. MB incorrectly identified Pacman.exe as ransomware, and removed all rights from the file. I have added an exclusion, but is there a way to reverse the actions of MB, i.e. make pacman accessible? Deleting it wouldn't have been worse than this. And is there a log of the anti-ransomware's actions? It took me a while to figure out exactly what it had done, as the alert was not logged. I've received alerts before on things that were not ransomware, and now I'm worried about what it did in the past, as I was never able to find this information even then. It tells me real-time detections 350, and that includes websites it blocks, but without a log of those actions, that number is pretty worthless.

 

Version information

Malwarebytes: 3.3.1.283

Component Package: 1.0.262

Update Package: 1.0.4232

 


msys2 is not the same as the windows subsystem for linux.  It does some of the same things, but there have been other options that were in place before Microsoft implemented WSL, i.e. Cygwin and msys2.  I think that pacman.exe is a rewrite of pacman, and therefore not a linux file.


Just now, shadowwar said:

Ok can you please zip and attach the file here?

And or a virustotal.com scan link?

Thanks.

 

And I'm just trying to regain access to it, and see logs of what was done in addition.  I've excluded the folder from ransomware detection at this point, so the detection of it shouldn't be an issue.  The issue is malwarebytes' actions and trying to reverse them without losing work.

Pacman has been altered as far as permissions, so I can't do anything with it, even delete it.  This is the problem that I'm trying to solve so I have options.


  • Staff

Yes you can reenable it after you gain access.

 

Also I may have whitelisted this already. You may have a stale cache file. I can verify it once I have the file info.

You can try this to force an update on the cache:

Totally shut down Malwarebytes. Go here in Explorer:

 

C:\ProgramData\Malwarebytes\MBAMService

and delete the following file only.

hubblecache

 

It has no extension.

 

Then you can restart mbam and the cache file will rebuild on the next scan. You only have to do this on repeated detections if we told you we have fixed it already.
