
Help with (much) possible false-positive. (URGENT PLZ!!!)


Hi all!

Sorry for the inconvenience. I have an app from my work; it keeps various databases for a laboratory - patients, results, etc.
It got infected by what seems to be GlobeImposter.E4FEBF04 (ransomware), and I lost my files. Some I could save.
But I'm facing troubles with the main app. I made a copy of the .EXE file from my notebook and installed it on another machine (after running MalwareBytes AND BitDefender). It was okay.
And I make connections via concurrent RDP sessions. I tested 2 PCs and it was fine. When I tested a third one and opened my file WINLAB.EXE, MalwareBytes started to detect this file as MachineLearning.Anomalous.96% and I'm very worried. If it is true, all machines got infected (even with MalwareBytes AND Bitdefender).
So I'd like to ask for help. I believe it is a false positive because no size/date difference was seen. I even compiled the .EXE file another time. It opened, but 2 secs after, MalwareBytes showed it as Anomalous again. It's a Clipper/Harbour project.
I'm in a hurry. Patients are coming and I'm totally stopped. PLEASE, if someone could help me, I'd be very grateful!!!
Regards!

WINLAB susp.rar

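The poster's check for tampering ("no size/date difference was seen") is the weak one: a modified binary can keep its exact size and its timestamp can be reset. What a responder would actually want is a content hash of the copy that scanned clean, compared against every other copy. The script below is an added example, not code from this thread or from Malwarebytes; the file name WINLAB.EXE comes from the post, but its contents are a constructed stand-in. It records size, mtime and SHA-256 for a file, then shows the two cases where the weak and strong checks disagree: a one-byte change with the timestamp restored (size and date unchanged, hash differs) and a timestamp bump with identical contents (date differs, hash matches).

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    size: int       # bytes on disk
    mtime_ns: int   # last-modified time in nanoseconds
    sha256: str     # hex digest of the complete file contents


def sha256_of(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so a large executable is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fingerprint(path: str) -> Fingerprint:
    """Collect the weak checks (size, timestamp) alongside the strong one (hash)."""
    stat = os.stat(path)
    return Fingerprint(size=stat.st_size, mtime_ns=stat.st_mtime_ns, sha256=sha256_of(path))


def changed_fields(baseline: Fingerprint, candidate: Fingerprint) -> list:
    """Names of the fingerprint fields that differ between two copies of a file."""
    return [name for name in ("size", "mtime_ns", "sha256")
            if getattr(baseline, name) != getattr(candidate, name)]


def matches_known_good(path: str, expected_sha256: str) -> bool:
    """True when the file's contents hash to the digest recorded from the clean copy."""
    return sha256_of(path) == expected_sha256.lower()


def demo() -> dict:
    """Constructed scenario (not the real WINLAB.EXE): one file is modified in two
    ways, and the weak checks and the hash disagree each time."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "WINLAB.EXE")
        data = b"MZ" + bytes(range(256)) * 16      # stand-in for a 4 KiB binary
        with open(path, "wb") as handle:
            handle.write(data)
        baseline = fingerprint(path)

        # 1) One byte overwritten in place, timestamp restored afterwards: size and
        #    date look untouched, only the hash reveals the change.
        with open(path, "r+b") as handle:
            handle.seek(1000)
            handle.write(b"\xff")
        os.utime(path, ns=(baseline.mtime_ns, baseline.mtime_ns))
        tampered = changed_fields(baseline, fingerprint(path))

        # 2) Original byte put back, timestamp bumped by one second: the date check
        #    would complain although the contents equal the clean copy.
        with open(path, "r+b") as handle:
            handle.seek(1000)
            handle.write(data[1000:1001])
        later = baseline.mtime_ns + 1_000_000_000
        os.utime(path, ns=(later, later))
        touched = changed_fields(baseline, fingerprint(path))

        return {
            "tampered_changed": tampered,          # ["sha256"]
            "touched_changed": touched,            # ["mtime_ns"]
            "touched_matches_known_good": matches_known_good(path, baseline.sha256),  # True
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you would run `sha256_of` once on the copy that scanned clean on the first machine, keep that digest, and call `matches_known_good` on the copy from every other machine before deciding the detection is a false positive; a mismatch means the copies are not the same file, whatever the size and date columns say.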

  • Staff

Hi,

This is detected by our MachineLearning engine, which helps to protect even better against 0day threats. Unfortunately, as this is a heuristic engine, it's possible False Positives happen. Also see here for more explanation:


Thanks for reporting these, as this helps to fine-tune the engine, so these won't be detected in the future anymore.

This was a false positive and should be fixed by now. Please give it some time (max 10 minutes) in order to have it populate, so detection won't happen anymore.



THANK YOU SO MUCH! It was REALLY FAST!
I'm sending the files you asked.

About this ransomware, GlobeImposter... do you think it's possible to decrypt my files? I don't have the amount they are asking for (0.6 bitcoins), and is it certain I would receive the decryptor?
I tested the apps in NoMoreRansom.ORG, but I was not lucky...

OtherFiles.rar


  • Staff

Thanks for the files. I'll also add this to our goodware repository.

Unfortunately, if the decryptor tool didn't work for Globeimposter, then the only way is to restore from backups, if you have created these. :(

Either way, I suggest you monitor the following thread: https://www.bleepingcomputer.com/forums/t/644166/globeimposter-ransomware-support-crypt-pscrypt-ext-back-fileshtml/page-21 , just in case a decryptor is released for this new variant.

