Jump to content
ottchris

False positive executables WORKSHELF & SBE

Recommended Posts

Two unrelated executables (and two associated registry entries) suddenly quarantined in the early hours of this morning. As far as I am aware neither has recently been modified and bth are run every day. Here is the report: 

-Log Details-
Protection Event Date: 7/21/18
Protection Event Time: 1:07 AM
Log File: 00bd97f0-8c7a-11e8-919e-00ff21366bd3.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.391
Update Package Version: 1.0.5993
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 2
Malware.Ransom.Agent.Generic, C:\PROGRAM FILES (X86)\WINSTEP\WORKSHELF.EXE, Quarantined, [0], [392685],0.0.0
Malware.Ransom.Agent.Generic, C:\Program Files (x86)\Creative\Sound Blaster E-Series\Sound Blaster E-Series Control Panel\SBE.exe, Quarantined, [0], [392685],0.0.0

End

Following quarantine, I observed upload activity which appeared to be from Malwarebytes so I suspect you already have the files in question but I have also included them in the attached zip file.

MBReport20180721.zip

Share this post


Link to post
Share on other sites

Hi,

Thanks for reporting. Are you still experiencing issues with these being detected? They were already whitelisted when I looked them up. If there is still a problem, please attach C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG

  • 9EA23CB45EFF8CEF2EBEF047010A7B2A
  • 1227278576F8963B2A40C4564A78D923

Share this post


Link to post
Share on other sites

Thanks for the very quick response. I made a judgement call (as one of the applications is borderline critical) to reboot a basic system, restore the items from quarantine and then temporarily close MB while I posted the report here. I will now run MB, make sure it is up to date, scan the files and report back.

Best Regards,

Chris 

Share this post


Link to post
Share on other sites
27 minutes ago, ottchris said:

Thanks for the very quick response. I made a judgement call (as one of the applications is borderline critical) to reboot a basic system, restore the items from quarantine and then temporarily close MB while I posted the report here. I will now run MB, make sure it is up to date, scan the files and report back.

Best Regards,

Chris 

Both now scanned negative. Slightly odd as all the version numbers (Components, Update Package etc) are unchanged between the latest scan and the original "Ransomware blocked" report (timestamped 1:07 am).

Anyway, many thanks again for the super fast response.

Best Regards,

Chris

PS. It occurs to me that the whitelisting may have been the outcome of the automatic 'post-detection' upload I observed. If that is the case it begs the question of how the whitelisting mechanism is updated?

Edited by ottchris
Afterthought added.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.