msys2 and Pacman (False Positive)

[chuckdee]

I was installing some things in msys2 and hadn't thought to exclude my dev tools directory.  MB incorrectly identified Pacman.exe as ransomware, and removed all rights from the file.  I have added an exclusion, but is there a way to reverse the actions of MB, i.e. make pacman accessible?  Deleting it wouldnt' have been worse than this.  And is there a log of the anti-ransomware's actions?  It took me a while to figure out exactly what it had done, as the alert was not logged.  I've received alerts before on things that were not ransomware, and now I'm worried about what it did in the past, as I was never able to find this information even then.  It tells me real-time detections 350, and that includes websites it blocks, but without a log of those actions, that number is pretty worthless.

 

Version infromation

Malwarebytes: 3.3.1.283

Component Package: 1.0.262

Update Package: 1.0.4232

 

[shadowwar]

Please see this post. This pacman is a linux file correct?

https://forums.malwarebytes.com/topic/217691-another-false-positive-on-linux-on-windows-subsystem/?do=findComment&comment=1220082

 

[chuckdee]

msys2 is not the same as the windows subsystem for linux.  It does some of the same things, but there have been other options that were in place before Microsoft implemented WSL, i.e. Cygwin and msys2.  I think that pacman.exe is a rewrite of pacman, and therefore not a linux file.

[shadowwar]

Ok can you please zip and attach the file here?

And or a virustotal.com scan link?

Thanks.

 

[chuckdee]

Just now, shadowwar said:

Ok can you please zip and attach the file here?

And or a virustotal.com scan link?

Thanks.

 

And I'm just trying to regain access to it, and see logs of what was done in addition.  I've excluded the folder from ransomware detection at this point, so the detection of it shouldn't be an issue.  The issue is malwarebytes' actions and trying to reverse them without losing work.

Pacman has been altered as far as permissions, so I can't do anything with it, even delete it.  This is the problem that I'm trying to solve so I have options.

[shadowwar]

IF you reboot it should be released. Worse case after the reboot you will have to restore it from mbam quarantine.

Edited March 7, 2018 by shadowwar

[chuckdee]

It's not in MBAM quarantine.  Are you saying that if I reboot it should be quarantined?

[shadowwar]

Actually one of our mbarw devs said if you disable antiransomware protection in mbam the perms should be restored.

 

[chuckdee]

Excellent!  Then I can restore antiransomware after I get access?  One of my servers got hit with ransomware, so that's pretty much the only reason I keep it running (though that was an exploit in RDP rather than user error)

[shadowwar]

Yes you can reenable it after you gain access.

 

Also i may have whitelisted this already. You may have a stale cache file. I can verify it once i have the file info.

You can try this to force an update on the cache:

Totally shutdown Malwarebytes. Go here in explorer:

 

C:\ProgramData\Malwarebytes\MBAMService

and delete the following file only.

hubblecache

 

it has no extension.

 

Then you can restart mbam and the cache file will rebuild on the next scan. You only have to do this on repeated detections if we told you we have fixed it already.

[chuckdee]

Thanks!  That worked, and saved me a lot of work!  One last thing... is there anywhere to see logs of what antiransomware does on a block?  It doesn't show up in the protection logs.

[shadowwar]

I think it is here:

C:\ProgramData\Malwarebytes\MBAMService\ArwDetections

Otherwise its in the mbamservice.log located in

C:\ProgramData\Malwarebytes\MBAMService\LOGS

[shadowwar]

That worked as in its no longer detected?

[chuckdee]

Thanks again for all of your help!

 

UPDATE: No... that worked in that it restored access.  I did what I should have done before in regards to adding to the exclusions, so it wouldn't be detected now.

Edited March 7, 2018 by chuckdee

[shadowwar]

No problem. You made it very easy to help you.

Sorry about the fp.