jjenni

our app is getting snagged


Hello,

Our company writes an app. For some reason, when our auto-update routine runs, our app's main .exe file is being caught by Malwarebytes as ransomware. It says it is quarantined, but I can't find it in quarantine or in the logs to try and figure out what is going on here.

Can someone please contact me as soon as possible to resolve this issue?

Thank you.

 

Share this post


Link to post
Share on other sites

Hi,

This is a detection by our Anti-Ransomware component, which might find this process suspicious. In your case, it's most probably being killed as an active process only, if it's not being quarantined (since you can't find it in quarantine). So the file didn't get deleted, only killed/stopped as a running process. This mostly happens when there's no internet connection available, so an additional check in the cloud can't be done either on the suspicious process to give a final determination of whether the file might be goodware or malware. That's why Malwarebytes kills the process only (a better-safe-than-sorry approach).

Is your PC connected to the internet? Or is it blocking any Malwarebytes-related traffic?

Also, can you zip and attach the detected file here?

Thanks!

There is the problem. Everything gets killed, and our actual .exe no longer exists in our folder.

I have asked one of our developers to come to my office to maybe explain what they are doing with the update routine that seems to get caught up, even though the alert references our .exe file and that file is actually deleted from the folder.


Hi,

This is curious, as it should be in quarantine if it actually gets deleted.

We would need more info, so can you zip and attach the MBAMService.LOG, so I can have a look at why it was detected and what happened there?

You can find this log in the following folder: C:\ProgramData\Malwarebytes\MBAMService\LOGS

Edited by miekiemoes


Hi,

This is the file I would need: C:\ICS\Sparkle6170\WashConnect.exe

This is so we can have a look and adjust detection. Unfortunately, we can't do this without that file.

Thanks!!


Do you have another way for me to get it to you other than the forum upload?

Yes, you can send me a private message instead here.

Also note, everything you upload here can only be accessed by staff and not the public, and I can also always delete it :) (or you can).

Here you go; then we can delete it when done.

When I just scan it with Malwarebytes, nothing is found.

Edited by miekiemoes
sample removed


Thanks a lot!

This really helps us to fine-tune detection. We have fixed this in the meantime, so it shouldn't be detected anymore.

In case it's still detected, it's because it's cached for you, so in that case, quit Malwarebytes from the system tray.
Then navigate to the following folder:

C:\ProgramData\Malwarebytes\MBAMService

In there, locate the file HubbleCache and delete it.

Restart Malwarebytes again. A new HubbleCache will then be created, so it will properly pick it up and remember not to detect this anymore.

Also, the reason why you couldn't find it in quarantine is that it was triggered during updating. So it was actually deleted by the "updating" already (by the program). That explains why it wasn't quarantined and the file wasn't there: the updating actually deleted the file, and we detected it before the new file replaced it.
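The explanation above describes an updater that deletes the old executable first and writes the replacement afterwards, which leaves a window in which the file does not exist at all; anything that inspects the path in that window (a scanner, a user looking for the quarantined file) sees nothing. The following is an added example, not code from Malwarebytes or from the poster's company, that reproduces that window with a constructed stand-in file and contrasts it with the usual fix: stage the new file beside the target and swap it into place with `os.replace`, so the old file is present right up to the moment the new one takes over. The file name `App.exe` and the contents `OLD`/`NEW` are constructed placeholders.

```python
import os
import tempfile
from pathlib import Path


def update_delete_then_write(target: Path, new_bytes: bytes, observe=None) -> None:
    """Naive updater: remove the old file, then write the new one.
    Between the two steps the target path does not exist on disk."""
    target.unlink()
    if observe:
        observe(target)  # simulates a scanner looking at the path at this moment
    target.write_bytes(new_bytes)


def update_atomic_replace(target: Path, new_bytes: bytes, observe=None) -> None:
    """Staged updater: write the new contents to a temp file in the same
    directory, flush it to disk, then rename it over the target.
    os.replace() is atomic on POSIX and on NTFS when both paths are on the
    same volume, so the target is never absent."""
    fd, tmp_name = tempfile.mkstemp(dir=target.parent, prefix=target.name + ".", suffix=".new")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(new_bytes)
            fh.flush()
            os.fsync(fh.fileno())
        if observe:
            observe(target)  # the old file is still fully present here
        os.replace(tmp_name, target)
    except BaseException:
        # Never leave a half-written staging file behind on failure.
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)
        raise


def run_demo(updater) -> dict:
    """Run one updater against a constructed file and record what an observer
    would have seen mid-update, plus the final contents."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "App.exe"  # constructed stand-in, not a real binary
        target.write_bytes(b"OLD")
        seen = {}

        def observe(p: Path) -> None:
            seen["exists_mid_update"] = p.exists()
            seen["content_mid_update"] = p.read_bytes() if p.exists() else None

        updater(target, b"NEW", observe)
        seen["final"] = target.read_bytes()
        return seen


if __name__ == "__main__":
    print("delete-then-write:", run_demo(update_delete_then_write))
    print("atomic replace:   ", run_demo(update_atomic_replace))
```

Both updaters end with the new contents in place; the difference is only what is visible in the middle. On Windows a running executable's image file cannot be overwritten or renamed over while it is executing, so a real updater typically performs the swap from a separate helper process after the main program has exited, but the staging-and-rename pattern is the same.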

Thank you for the help.

Our end users: do they need to delete the cache file, or will it just update itself over time?


The change should be effective as of now (for every new user). If they had this detection before and it's still detecting, then yes, the HubbleCache should be deleted.
